Common use of Where one Party is Controller and the other Party its Processor Clause in Contracts

Where one Party is Controller and the other Party its Processor. Where a Party is a Processor, the only processing that it is authorised to do is listed in Annex 1 (Processing Personal Data) by the Controller. The Processor shall notify the Controller immediately if it considers that any of the Controller’s instructions infringe the Data Protection Legislation. The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any Processing. Such assistance may, at the discretion of the Controller, include: a systematic description of the envisaged Processing and the purpose of the Processing; an assessment of the necessity and proportionality of the Processing in relation to the Solution; an assessment of the risks to the rights and freedoms of Data Subjects; and the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. The Processor shall, in relation to any Personal Data Processed in connection with its obligations under this Agreement: Process that Personal Data only in accordance with Annex 1 (Processing Personal Data), unless the Processor is required to do otherwise by Law. 
If it is so required, the Processor shall promptly notify the Controller before Processing the Personal Data unless prohibited by Law; ensure that it has in place appropriate technical and organisational measures which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the technical and organisational measures) having taken account of the: nature of the data to be protected; harm that might result from a Data Breach; state of technological development; and cost of implementing any measures; ensure that: the Processor Personnel do not Process Personal Data except in accordance with this Agreement (and in particular Annex 1 (Processing Personal Data)); it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they: are aware of and comply with the Processor’s duties under this Fourth Schedule and Clause 24 (Confidential Information); are subject to appropriate confidentiality undertakings with the Processor or any Sub-processor; are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Controller or as otherwise permitted by this Agreement; and have undergone adequate training in the use, care, protection and handling of Personal Data; not transfer Personal Data outside of the EU unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled: the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Controller; the Data Subject has enforceable rights and effective legal remedies; the Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection 
to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the Processing of the Personal Data; and at the written direction of the Controller, delete or return Personal Data (and any copies of it) to the Controller on termination of this Agreement unless the Processor is required by Law to retain the Personal Data. Subject to paragraph 7 of this Fourth Schedule, the Processor shall notify the Controller immediately if in relation to it Processing Personal Data under or in connection with this Agreement it: receives a Data Subject Request (or purported Data Subject Request); receives a request to rectify, block or erase any Personal Data; receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data Processed under this Agreement; receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or becomes aware of a Data Breach. The Processor’s obligation to notify under paragraph 6 of this Fourth Schedule shall include the provision of further information to the Controller in phases, as details become available. 
Taking into account the nature of the Processing, the Processor shall provide the Controller with reasonable assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under paragraph 6 of this Fourth Schedule (and insofar as possible within the timescales reasonably required by the Controller) including by promptly providing: the Controller with full details and copies of the complaint, communication or request; such assistance as is reasonably requested by the Controller to enable it to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation; the Controller, at its request, with any Personal Data it holds in relation to a Data Subject; assistance as requested by the Controller following any Data Breach; and/or assistance as requested by the Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Controller with the Information Commissioner's Office. The Processor shall maintain complete and accurate records and information to demonstrate its compliance with this Fourth Schedule. The Processor shall allow for audits of its Processing activity by the Controller or the Controller’s designated auditor. The Parties shall designate a Data Protection Officer if required by the Data Protection Legislation. Before allowing any Subprocessor to Process any Personal Data related to this Agreement, the Processor must: notify the Controller in writing of the intended Subprocessor and Processing; obtain the written consent of the Controller; enter into a written agreement with the Subprocessor which give effect to the terms set out in this Fourth Schedule such that they apply to the Subprocessor; and provide the Controller with such information regarding the Subprocessor as the Controller may reasonably require. 
The Processor shall remain fully liable for all acts or omissions of any of its Subprocessors. The End User may, at any time on not less than 30 Working Days’ notice, revise this Fourth Schedule by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Agreement). The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The End User may on not less than 30 Working Days’ notice to the Supplier amend this Agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office.

Appears in 2 contracts

Samples: Call Off Contract Terms and Conditions, Call Off Contract Terms and Conditions

Where one Party is Controller and the other Party its Processor. Where a Party is a Processor, the only processing that it is authorised to do is listed in Annex 1 (Processing Personal Data) by the Controller. The Processor shall notify the Controller immediately if it considers that any of the Controller’s instructions infringe the Data Protection Legislation. The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any Processing. Such assistance may, at the discretion of the Controller, include: a systematic description of the envisaged Processing and the purpose of the Processing; an assessment of the necessity and proportionality of the Processing in relation to the SolutionServices; an assessment of the risks to the rights and freedoms of Data Subjects; and the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. The Processor shall, in relation to any Personal Data Processed in connection with its obligations under this Agreementtthe Call Off Contract: Process that Personal Data only in accordance with Annex 1 (Processing Personal Data), unless the Processor is required to do otherwise by Law. 
If it is so required, required the Processor shall promptly notify the Controller before Processing the Personal Data unless prohibited by Law; ensure that it has in place appropriate technical and organisational Protective Measures, including in the case of the Supplier the measures set out in Clause 34.6 of the Call Off Contract, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the technical and organisational measuresProtective Measures) having taken account of the: nature of the data to be protected; harm that might result from a Data BreachLoss Event; state of technological development; and cost of implementing any measures; ensure thatthat : the Processor Personnel do not Process Personal Data except in accordance with this Agreement the Call Off Contract (and in particular Annex 1 (Processing Personal Data)); it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they arethey: are aware of and comply with the Processor’s duties under this Fourth Schedule 16 and Clause 24 34.6 (Confidential InformationData protection); are subject to appropriate confidentiality undertakings with the Processor or any Sub-processor; are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Controller or as otherwise permitted by this Agreementthe Call Off Contract; and have undergone adequate training in the use, care, protection and handling of Personal Data; not transfer Personal Data outside of the EU unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled: the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as 
determined by the Controller; the Data Subject has enforceable rights and effective legal remedies; the Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the Processing of the Personal Data; and at the written direction of the Controller, delete or return Personal Data (and any copies of it) to the Controller on termination of this Agreement the Call Off Contract unless the Processor is required by Law to retain the Personal Data. Subject to paragraph 7 of this Fourth ScheduleSchedule 16, the Processor shall notify the Controller immediately if in relation to it Processing Personal Data under or in connection with this Agreement the Call Off Contract it: receives a Data Subject Request (or purported Data Subject Request); receives a request to rectify, block or erase any Personal Data; receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data Processed under this Agreement; receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or becomes aware of a Data Breach. The Processor’s obligation to notify under paragraph 6 of this Fourth Schedule shall include the provision of further information to the Controller in phases, as details become available. 
Taking into account the nature of the Processing, the Processor shall provide the Controller with reasonable assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under paragraph 6 of this Fourth Schedule (and insofar as possible within the timescales reasonably required by the Controller) including by promptly providing: the Controller with full details and copies of the complaint, communication or request; such assistance as is reasonably requested by the Controller to enable it to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation; the Controller, at its request, with any Personal Data it holds in relation to a Data Subject; assistance as requested by the Controller following any Data Breach; and/or assistance as requested by the Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Controller with the Information Commissioner's Office. The Processor shall maintain complete and accurate records and information to demonstrate its compliance with this Fourth Schedule. The Processor shall allow for audits of its Processing activity by the Controller or the Controller’s designated auditor. The Parties shall designate a Data Protection Officer if required by the Data Protection Legislation. Before allowing any Subprocessor to Process any Personal Data related to this Agreement, the Processor must: notify the Controller in writing of the intended Subprocessor and Processing; obtain the written consent of the Controller; enter into a written agreement with the Subprocessor which give effect to the terms set out in this Fourth Schedule such that they apply to the Subprocessor; and provide the Controller with such information regarding the Subprocessor as the Controller may reasonably require. 
The Processor shall remain fully liable for all acts or omissions of any of its Subprocessors. The End User may, at any time on not less than 30 Working Days’ notice, revise this Fourth Schedule by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Agreement). The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The End User may on not less than 30 Working Days’ notice to the Supplier amend this Agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office.

Appears in 1 contract

Samples: assets.crowncommercial.gov.uk

Where one Party is Controller and the other Party its Processor. Where a Party is a Processor, the only processing Processing that it is authorised to do is listed in Annex 1 Schedule 13 (Processing Processing, Personal DataData and Data Subjects) by the Controller. The Processor shall notify the Controller immediately if it considers that any of the Controller’s instructions infringe the Data Protection Legislation. The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any Processing. Such assistance may, at the discretion of the Controller, include: a systematic description of the envisaged Processing operations and the purpose of the Processing; an assessment of the necessity and proportionality of the Processing operations in relation to the SolutionServices; an assessment of the risks to the rights and freedoms of Data Subjects; and the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. The Processor shall, in relation to any Personal Data Processed processed in connection with its obligations under this AgreementtContract: Process process that Personal Data only in accordance with Annex 1 Schedule 13 (Processing Processing, Personal DataData and Data Subjects), unless the Processor is required to do otherwise by Law. 
If it is so required, required the Processor shall promptly notify the Controller Authority before Processing the Personal Data unless prohibited by Law; ensure that it has in place appropriate technical and organisational Protective Measures, including in the case of the Controller the measures set out in Clause 11 (Authority Data), which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the technical and organisational measuresProtective Measures) having taken account of the: nature of the data to be protected; harm that might result from a Data BreachLoss Event; state of technological development; and cost of implementing any measures; ensure that: the Processor Personnel do not Process process Personal Data except in accordance with this Agreement Contract (and in particular Annex 1 Schedule 13 (Processing Processing, Personal DataData and Data Subjects)); it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they arethey: are aware of and comply with the Processor’s duties under this Fourth Schedule Clause 12 (Protection of Personal Data), Clause 11 (Authority Data) and Clause 24 27 (Confidential Information)) of this Schedule 2; are subject to appropriate confidentiality undertakings with the Processor or any Sub-processor; are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party Party unless directed in writing to do so by the Controller or as otherwise permitted by this AgreementContract; and have undergone adequate training in the use, care, protection and handling of Personal Data; not transfer Personal Data outside of the EU EU, other than to the Controller, unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled: the Controller or the 
Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 of the GDPR or LED Article 37Section 75 of the DPA 2018) as determined by the Controller; the Data Subject has enforceable rights and effective legal remedies; the Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the Processing of the Personal Data; and at the written direction of the Controller, delete or return Personal Data (and any copies of it) to the Controller on termination of this Agreement the Contract unless the Processor is required by Law to retain the Personal Data. Subject to paragraph 7 Clause 12.7 of this Fourth ScheduleSchedule 2, the Processor shall notify the Controller immediately if in relation to it Processing Personal Data under or in connection with this Agreement it: receives a Data Subject Request (or purported Data Subject Request); receives a request to rectify, block or erase any Personal Data; receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data Processed processed under this AgreementContract; receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or becomes aware of a Data BreachLoss Event. 
The Processor’s obligation to notify under paragraph 6 Clause 12.6 of this Fourth Schedule 2 shall include the provision of further information to the Controller in phases, as details become available. Taking into account the nature of the Processing, the Processor shall provide the Controller with reasonable assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under paragraph 6 Clause 12.6 of this Fourth Schedule 2 (and insofar as possible within the timescales reasonably required by the Controller) including by promptly providing: the Controller with full details and copies of the complaint, communication or request; such assistance as is reasonably requested by the Controller to enable it to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation; the Controller, at its request, with any Personal Data it holds in relation to a Data Subject; assistance as requested by the Controller following any Data BreachLoss Event; and/or assistance as requested by the Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Controller with the Information Commissioner's Office. The Processor shall maintain complete and accurate records and information to demonstrate its compliance with this Fourth ScheduleClause. This requirement does not apply where the Processor employs fewer than 250 staff, unless: the Controller determines that the Processing is not occasional; the Controller determines the Processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; or the Controller determines that the Processing is likely to result in a risk to the rights and freedoms of Data Subjects. 
The Processor shall allow for audits of its Processing activity by the Controller or the Controller’s designated auditor. The Parties shall designate a Data Protection Officer if required by the Data Protection Legislation. Before allowing any Subprocessor Sub-processor to Process process any Personal Data related to this AgreementContract, the Processor must: notify the Controller in writing of the intended Subprocessor Sub-processor and Processing; obtain the written consent of the Controller; enter into a written agreement with the Subprocessor Sub-processor which give effect to the terms set out in this Fourth Schedule Clause 12 (Protection of Personal Data) such that they apply to the SubprocessorSub-processor; and provide the Controller with such information regarding the Subprocessor Sub-processor as the Controller may reasonably require. The Processor shall remain fully liable for all acts or omissions of any of its SubprocessorsSub-processors. The End User Authority may, at any time on not less than 30 Working Days’ notice, revise this Fourth Schedule Clause by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this AgreementContract). The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The End User Authority may on not less than 30 Working Days’ notice to the Supplier Contractor amend this Agreement Contract to ensure that it complies with any guidance issued by the Information Commissioner’s Office.

Appears in 1 contract

Samples: assets.publishing.service.gov.uk
