Where Personal Data relating to an EU Data Subject is transferred outside of the EEA it shall be processed in accordance with the provisions of the Standard Contractual Clauses, unless the processing takes place: (i) in a third country or territory recognised by the EU Commission to have an adequate level of protection; or (ii) by an organisation located in a country which has other legally recognised appropriate safeguards in place, such as the EU-US Privacy Shield or Binding Corporate Rules.
Where Personal Data is transferred from Europe to a country outside of Europe, the parties acknowledge that steps must be taken to ensure that such data transfers comply with European Data Protection Laws. The parties acknowledge that similar obligations can apply for international transfers of Personal Data from a non-European country and shall in good faith take the steps required where necessary under Data Protection Laws to ensure the transfer complies with Data Protection Laws.
Where Personal Data is Processed by SysAid its agents, sub-contractors or employees under or in connection with the Agreement, SysAid shall, and shall procure that its agents, sub-contractors and employees shall:
1.2.1 not Process, transfer, modify, amend or alter the Personal Data or disclose or permit the disclosure of the Personal Data to any Third Party other than:
1.2.1.1 in accordance with Your instructions (that result directly from the provisions of the Agreement or that are reasonably required for proper performance by SysAid of its obligations); or
1.2.1.2 where required by EU or Member State law to which SysAid is subject, in which case SysAid shall inform You of that legal requirement before Processing that Personal Data, unless that law prohibits such information being provided on important grounds of public interest;
1.2.2 take reasonable steps to ensure that all of its employees, agents and sub-contractors who may have access to the Personal Data:
1.2.2.1 are informed of the confidential nature of the Personal Data; and
1.2.2.2 are subject to confidentiality undertakings or professional or statutory obligations of confidentiality that apply with respect to the Processing of such Personal Data;
1.2.3 from and including 25 May 2018, except where statutory guidance indicates that a Personal Data Breach is not required to be notified by a Processor to a Controller, notify You without undue delay upon becoming aware of a Personal Data Breach, and otherwise assist You, taking into account the nature of Processing and the information available to SysAid, in meeting its obligations regarding the notification, investigation, mitigation and remediation of a Personal Data Breach under the Data Protection Legislation, without prejudice to SysAid's right to charge You any reasonable costs for such assistance;
1.2.4 co-operate as reasonably requested by You to the extent necessary to enable You to comply with any exercise of rights by a Data Subject under the Data Protection Legislation in respect of Personal Data Processed by SysAid under the Agreement or comply with any assessment, enquiry, notice or investigation under the Data Protection Legislation, including by any regulator, subject to reasonable advance notice and without prejudice to SysAid’s right to charge You any reasonable costs for such assistance;
1.2.5 only authorize sub-contractors to Process the Personal Data ("Sub- Processor") where not objected to by You, subject to:
1.2.5.1 informing You of the identity ...
Where Personal Data relating to a Data Subject are collected from the Data Subject, or, someone other than the Data Subject, by either of the Controllers, the Controller obtaining the Personal Data shall, at the time when Personal Data is obtained, be it from the other Controller, Data Subject or any other party provide the Data Subject with all of the following information:-
(a) the identity and the contact details of the Controller and, where applicable, of the Controller’s representative;
(b) the contact details of the Data Protection Officer, where applicable;
(c) the purposes of the processing for which the Personal Data are intended as well as the legal basis for the processing;
(d) the legitimate interests pursued by the Controller or by a third party;
(e) the recipients or categories of recipients of the Personal Data, if any;
(f) the categories of Personal Data concerned (this relates to Personal Data obtained from someone other than the Data Subject only);
(g) where applicable, the fact that the Controller intends to transfer Personal Data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or where a transfer requires safeguards under Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available; and
(h) the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the Data Subject (this only relates when the Personal Data has not been obtained from the Data Subject).
Where Personal Data relating to an EU Data Subject is transferred outside of the EEA it shall be processed only by entities which:
Where Personal Data is Processed pursuant to this Agreement, the type of Personal Data and the subject matter, duration, nature and purpose of the Processing, and the categories of Data Subjects, are as described in the relevant Order Form.
Where Personal Data is Processed by the Operator under or in connection with this agreement, the Operator, as Data Processor, shall:
18.2.1 not Process, transfer, modify, amend or alter the Personal Data or disclose or permit the disclosure of the Personal Data to any third party other than:
18.2.1.1 as required to meet Pub Owner (as Data Controller) lawful, documented and reasonable instructions (which shall unless otherwise agreed be to process Personal Data as necessary to enable the Services to be provided pursuant to the terms of this agreement), provide that no Personal Data will be transferred outside the EEA by the Operator without the prior written consent of the Pub Owner; or
18.2.1.2 as required to comply with an EU or Member State law to which the Data Processor is subject, in which case the Data Processor shall (to the extent permitted by law) inform the Data Controller of that legal requirement before Processing that Personal Data;
18.2.2 upon becoming aware of a Personal Data Breach:
18.2.2.1 notify the Data Controller without undue delay; and
18.2.2.2 co-operate with the Data Controller and take such reasonable commercial steps as are directed by the Data Controller to assist in the investigation, mitigation and remediation of that Personal Data Breach;
18.2.3 upon receiving any request, complaint or communication relating to the Data Controller's obligations under the Data Protection Laws:
18.2.3.1 notify the Data Controller as soon as reasonably practicable;
Where Personal Data relating to the Customer and its employees, directors and other officers and those of Local Affiliates, End Users and third parties is received by the Supplier from the Customer under or in connection with this Agreement, the Customer warrants and undertakes that such Personal Data has been collected, processed and transferred in accordance with applicable data privacy laws and that the Customer has provided all notices and obtained all consents required by applicable law to enable:
i. the legal transfer of such Personal Data to and Processing by the Supplier and its subcontractors for the purposes of enabling the Supplier to perform its obligations under this Agreement (including but not limited to the transfer of such Personal Data outside the European Economic Area); and
ii. the legal transfer to and further Processing by the Supplier of such Personal Data as a Data Controller for the purposes of research, statistical analysis and sales and marketing of the Supplier’s own products and services; and
iii. the Customer will fully indemnify the Supplier in respect of any loss or damages to the Supplier and its subcontractors arising from any breach of this Clause by the Customer.
Where Personal Data is transferred outside the UK due to a request by the Client for LTT to book arrangements for the Client in a location outside the UK, where LTT is not able to put into place any of the safeguards stipulated at 5.2(a)-(f), or they are otherwise inappropriate in the circumstances, LTT shall rely on the derogation under Article 49 of the UK GDPR to legalise the transfer of data outside the UK, on the basis the transfer relates to the performance of a contract for the benefit of the Data Subject.
Where Personal Data is to be exported outside the EEA as part of any processing by or on behalf of the Providers, the Providers must obtain prior written consent from the Owner. Any such consent given by the Owner will be subject to additional requirements in relation to the processing of Personal Data set out in the EU Standard Contract Clauses published by the European Commission.