Where one Party is Controller and the other Party its Processor. 14.9.1 Where a Party is a Processor, the only processing that the Processor is authorised to do is listed in Part A Authorised Processing Template of Annex 1 – Processing Personal Data by the Controller and may not be determined by the Processor. The term “processing” and any associated terms are to be read in accordance with Article 4 of the UK GDPR and EU GDPR (as applicable). 14.9.2 The Processor must notify the Controller immediately if it thinks the Controller's instructions breach the Data Protection Legislation. 14.9.3 The Processor must give all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment before starting any processing, which may include, at the discretion of the Controller: 14.9.3.1 a systematic description of the expected processing and its purpose; 14.9.3.2 the necessity and proportionality of the processing operations; 14.9.3.3 the risks to the rights and freedoms of Data Subjects; and 14.9.3.4 the intended measures to address the risks, including safeguards, security measures and mechanisms to protect Personal Data. 14.9.4 The Processor must, in in relation to any Personal Data processed under this Contract: 14.9.4.1 process that Personal Data only in accordance with Part A Authorised Processing Template of Annex 1 – Processing Personal Data unless the Processor is required to do otherwise by Law. If lawful to notify the Controller, the Processor must promptly notify the Controller if the Processor is otherwise required to process Personal Data by Law before processing it. 14.9.4.2 put in place appropriate Protective Measures to protect against a Data Loss Event which must be approved by the Controller.
Appears in 8 contracts
Samples: Short Form Contract for the Supply of Goods and/or Services, Supply of Goods and/or Services, Short Form Contract for the Supply of Goods and/or Services
