Undertakings of both Parties. 2.1 The Supplier and the Buyer each undertake that they shall: report to the other Party every [insert number] months on: the volume of Data Subject Request (or purported Data Subject Requests) from Data Subjects (or third parties on their behalf); the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data; any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation; any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract during that period; notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v); provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation; not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing or transferring the Personal Data to the third party. 
For the avoidance of doubt the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex; request from the Data Subject only the minimum information necessary to provide the Services and treat such extracted information as Confidential Information; ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data; take all reasonable steps to ensure the reliability and integrity of any of its Personnel who have access to the Personal Data and ensure that its Personnel: are aware of and comply with their ’s duties under this Annex 2 (Joint Controller Agreement) and those in respect of Confidential Information are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so; have undergone adequate training in the use, care, protection and handling of Personal Data as required by the applicable Data Protection Legislation; ensure that it has in place Protective Measures as appropriate to protect against a Data Loss Event having taken account of the: nature of the data to be protected; harm that might result from a Data Loss Event; state of technological development; and cost of implementing any measures;
Appears in 4 contracts
Samples: www.contractsfinder.service.gov.uk, www.contractsfinder.service.gov.uk, assets.crowncommercial.gov.uk
Undertakings of both Parties. 2.1 The Supplier and the Buyer each undertake that they shall:
(a) report to the other Party every [x] months on:
(i) the volume of Data Subject Access Requests (or purported Data Subject Access Requests) from Data Subjects (or third parties on their behalf);
(ii) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract during that period;
(b) notify each other immediately if it receives any request, complaint or communication made as referred to in Paragraphs 2.1(a)(i) to (v) of this Part B – Joint Controller Agreement of Annex 1 – Processing Personal Data;
(c) provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Deliverables and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract or is required by Law) ensure that disclosure or transfer of Personal Data is otherwise considered to be lawful processing of that Personal Data in accordance with Article 6 of the UK GDPR or EU GDPR (as the context requires). For the avoidance of doubt, the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Part B – Joint Controller Agreement of Annex 1 – Processing Personal Data;
(e) request from the Data Subject only the minimum information necessary to provide the Deliverables and treat such extracted information as Confidential Information;
(f) ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) use all reasonable endeavours to ensure the reliability and integrity of any of its Processor Personnel who have access to the Personal Data and ensure that its Processor Personnel:
(i) are aware of and comply with their ’s duties under this Part B – Joint Controller Agreement of Annex 1 – Processing Personal Data; and those in respect of Confidential Information
(ii) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;
(iii) have undergone adequate training in the use, care, protection and handling of personal data as required by the applicable Data Protection Legislation;
(h) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at
(i) ensure that it notifies the other Party as soon as it becomes aware of a Personal Data Breach;
(j) where the Personal Data is subject to UK GDPR, not transfer such Personal Data outside of the UK unless the prior written consent of the non-transferring Party has been obtained and the following conditions are fulfilled:
(i) the transfer is in accordance with Article 45 of the UK GDPR or DPA 2018 Section 73; or
(ii) the transferring Party has provided appropriate safeguards in relation to the transfer (whether in accordance with Article 46 of the UK GDPR or DPA 2018 Section 75) as agreed with the non-transferring Party which could include the relevant parties entering into International Data Transfer Agreement (the “IDTA”), or International Data Transfer Agreement Addendum to the European Commission’s SCCs (the “Addendum”), as published by the Information Commissioner’s office from time to time, as well as any additional measures;
(iii) the Data Subject has enforceable rights and effective legal remedies;
(iv) the transferring Party complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the non-transferring Party in meeting its obligations); and
(v) the transferring Party complies with any reasonable instructions notified to it in advance by the non-transferring Party with respect to the processing of the Personal Data; and
(k) where the Personal Data is subject to EU GDPR, not transfer such Personal Data outside of the EU unless the prior written consent of the non-transferring Party has been obtained and the following conditions are fulfilled:
(i) the transfer is in accordance with Article 45 of the EU GDPR; or
(ii) the transferring Party has provided appropriate safeguards in relation to the transfer in accordance with Article 46 of the EU GDPR as determined by the non-transferring Party which could include relevant parties entering into Standard Contractual Clauses in the European Commission’s decision 2021/914/EU or such updated version of such Standard Contractual Clauses as are published by the European Commission from time to time as well as any additional measures;
(iii) the Data Subject has enforceable rights and effective legal remedies;
(iv) the transferring Party complies with its obligations under the EU GDPR by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the non-transferring Party in meeting its obligations); and
(v) the transferring Party complies with any reasonable instructions notified to it in advance by the non-transferring Party with respect to the Processing of the Personal Data.
2.2 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.
Appears in 1 contract
Samples: www.contractsfinder.service.gov.uk
Undertakings of both Parties. 2.1 The Supplier and the Buyer each undertake that they shall:
(a) report to the other Party every [insert number] months on:
(i) the volume of Data Subject Request (or purported Data Subject Requests) from Data Subjects (or third parties on their behalf);
(ii) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract during that period;
(b) notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v);
(c) provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing or transferring the Personal Data to the third party. For the avoidance of doubt the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;
(e) request from the Data Subject only the minimum information necessary to provide the Services and treat such extracted information as Confidential Information;
(f) ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) take all reasonable steps to ensure the reliability and integrity of any of its Personnel who have access to the Personal Data and ensure that its Personnel:
(i) are aware of and comply with their ’s duties under this Annex 2 (Joint Controller Agreement) and those in respect of Confidential Information
(ii) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;
(iii) have undergone adequate training in the use, care, protection and handling of Personal Data as required by the applicable Data Protection Legislation;
(h) ensure that it has in place Protective Measures as appropriate to protect against a Data Loss Event having taken account of the:
i. nature of the data to be protected;
ii. harm that might result from a Data Loss Event;
iii. state of technological development; and
iv. cost of implementing any measures;
(i) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that it holds; and
(j) ensure that it notifies the other Party as soon as it becomes aware of a Data Loss Event.
2.2 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations
Appears in 1 contract
Samples: www.contractsfinder.service.gov.uk
Undertakings of both Parties. 2.1 The Supplier and the Buyer each undertake that they shall:
(a) report to the other Party every [enter number] months on:
(i) the volume of Data Subject Request (or purported Data Subject Requests) from Data Subjects (or third parties on their behalf);
(ii) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract during that period;
(b) notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v);
(c) provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1 (a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing or transferring the Personal Data to the third party. For the avoidance of doubt the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;
(e) request from the Data Subject only the minimum information necessary to provide the Services and treat such extracted information as Confidential Information;
(f) ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) take all reasonable steps to ensure the reliability and integrity of any of its personnel who have access to the Personal Data and ensure that its personnel:
(i) are aware of and comply with their ’s duties under this Annex 2 (Joint Controller Agreement) and those in respect of Confidential Information
(ii) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;
(iii) have undergone adequate training in the use, care, protection and handling of Personal Data as required by the applicable Data Protection Legislation;
(h) ensure that it has in place Protective Measures as appropriate to protect against a Data Loss Event having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Data Loss Event;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(i) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier holds; and
(i) ensure that it notifies the other Party as soon as it becomes aware of a Data Loss Event.
2.2 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations
Appears in 1 contract
Samples: www.contractsfinder.service.gov.uk
Undertakings of both Parties. 2.1 The Supplier and the Buyer each undertake that they shall:
(a) report to the other Party every [enter number] months on:
(i) the volume of Data Subject Request (or purported Data Subject Requests) from Data Subjects (or third parties on their behalf);
(ii) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract during that period;
(b) notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v);
(c) provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing or transferring the Personal Data to the third party. For the avoidance of doubt the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;
(e) request from the Data Subject only the minimum information necessary to provide the Services and treat such extracted information as Confidential Information;
(f) ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) take all reasonable steps to ensure the reliability and integrity of any of its personnel who have access to the Personal Data and ensure that its personnel:
(i) are aware of and comply with their ’s duties under this Annex 2 (Joint Controller Agreement) and those in respect of Confidential Information
(ii) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;
(iii) have undergone adequate training in the use, care, protection and handling of Personal Data as required by the applicable Data Protection Legislation;
(h) ensure that it has in place Protective Measures as appropriate to protect against a Data Loss Event having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Data Loss Event;
(iii) state of technological development; and
(iv) cost of implementing any measures;
(i) ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that the Supplier holds; and
(i) ensure that it notifies the other Party as soon as it becomes aware of a Data Loss Event.
2.2 Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations
Appears in 1 contract
Samples: www.contractsfinder.service.gov.uk
Undertakings of both Parties. 2.1 The Supplier and the Buyer each undertake that they shall:
(a) report to the other Party every [enter number] months on:
(i) the volume of Data Subject Request (or purported Data Subject Requests) from Data Subjects (or third parties on their behalf);
(ii) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data;
(iii) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation;
(iv) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and
(v) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract during that period;
(b) notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v);
(c) provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation;
(d) not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing or transferring the Personal Data to the third party. For the avoidance of doubt the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex;
(e) request from the Data Subject only the minimum information necessary to provide the Services and treat such extracted information as Confidential Information;
(f) ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data;
(g) take all reasonable steps to ensure the reliability and integrity of any of its personnel who have access to the Personal Data and ensure that its personnel:
(i) are aware of and comply with their ’s duties under this Annex 2 (Joint Controller Agreement) and those in respect of Confidential Information
(ii) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so;
(iii) have undergone adequate training in the use, care, protection and handling of Personal Data as required by the applicable Data Protection Legislation;
(h) ensure that it has in place Protective Measures as appropriate to protect against a Data Loss Event having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Data Loss Event; (iii) state of technological development; and cost of implementing any measures;
Appears in 1 contract
Samples: www.contractsfinder.service.gov.uk