Common use of Without prejudice to the generality of Clause Clause in Contracts

Without prejudice to the generality of Clause. 13.1, the Provider shall, in relation to any Personal Data processed in connection with the performance by the Provider of its obligations under this agreement: (a) process that Personal Data only on the written instructions of the Council (as set out in Schedule 7), unless the Provider is required by the laws of any member of the European Union or by the laws of the European Union (Applicable Laws) applicable to the Provider to otherwise process the Personal Data. Where the Provider is so required, it shall promptly notify the Council before processing the Personal Data, unless prohibited by the applicable laws; (b) ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the Council, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it); (c) not transfer any Personal Data outside of the European Economic Area unless the prior written consent of the Council has been obtained and the following conditions are fulfilled: i. the Council or the Provider has provided appropriate safeguards in relation to the transfer; ii. the Data Subject has enforceable rights and effective remedies; iii. the Provider complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and iv. the Provider complies with the reasonable instructions notified to it in advance by the Council with respect to the processing of the Personal Data; (d) notify the Council immediately if it receives: i. a request from a Data Subject to have access to that person's Personal Data; ii. a request to rectify, block or erase any Personal Data; iii. receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation (including any communication from the Information Commissioner); (e) assist the Council in responding to any request from a Data Subject and in ensuring compliance with the Council's obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; (f) notify the Council immediately and in any event within 24 hours on becoming aware of a Personal Data breach including without limitation any event that results, or may result, in unauthorised access, loss, destruction, or alteration of Personal Data in breach of this agreement; (g) at the written direction of the Council, delete or return Personal Data and copies thereof to the Service User on termination or expiry of the agreement unless required by the applicable laws to store the Personal Data; (h) maintain complete and accurate records and information to demonstrate its compliance with this clause 13 and allow for audits by the Council or the Council's designated auditor pursuant to clause 10;

Without prejudice to the generality of Clause. 13.115.1, where the Provider shall, in relation to any Contractor processes Personal Data processed as a Data Processor on behalf of the Authority as Data Controller in connection with the performance by the Provider Contractor of its obligations under this agreementContractor Licence, the Personal Data shall be specified in the Schedule and the Contractor shall: (a) 15.3.1 process that Personal Data only on the documented written instructions of the Council (as set out in Schedule 7), Authority unless the Provider Contractor is required by the laws of any member of the European Union or by the laws of the European Union (Applicable Laws) applicable to the Provider Laws to otherwise process the that Personal Data. Where the Provider Contractor is so requiredrelying on Applicable Laws as the basis for processing Personal Data, it the Contractor shall promptly notify the Council Authority of this before performing the processing the Personal Data, unless prohibited required by the applicable lawsApplicable Laws unless those Applicable Laws prohibit the Contractor from so notifying the Authority; (b) 15.3.2 ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the Council, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it); (c) 15.3.3 ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; and 15.3.4 not transfer any Personal Data outside of the European Economic Area unless the prior written consent of the Council Authority has been obtained and the following conditions are fulfilled: i. the Council or the Provider has provided appropriate safeguards in relation to the transfer; ii. the Data Subject has enforceable rights and effective remedies; iii. the Provider complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and iv. the Provider complies with the reasonable instructions notified to it in advance by the Council with respect to the processing of the Personal Data; (d) notify the Council immediately if it receives: i. a request from a Data Subject to have access to that person's Personal Data; ii. a request to rectify, block or erase any Personal Data; iii. receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation (including any communication from the Information Commissioner); (e) assist the Council in responding to any request from a Data Subject and in ensuring compliance with the Council's obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; (f) notify the Council immediately and in any event within 24 hours on becoming aware of a Personal Data breach including without limitation any event that results, or may result, in unauthorised access, loss, destruction, or alteration of Personal Data in breach of this agreement; (g) at the written direction of the Council, delete or return Personal Data and copies thereof to the Service User on termination or expiry of the agreement unless required by the applicable laws to store the Personal Data; (h) maintain complete and accurate records and information to demonstrate its compliance with this clause 13 and allow for audits by the Council or the Council's designated auditor pursuant to clause 10;

Without prejudice to the generality of Clause. 13.115.1, the Provider AvISO shall, in relation to any Personal Data processed in connection with the performance by the Provider AvISO of its obligations under this agreementAgreement: (a) 15.4.1 process that Personal Data only on the written instructions of the Council (as set out in Schedule 7), Client unless the Provider AvISO is required by the laws of any member of the European Union or by the laws of the European Union applicable to AvISO to process Personal Data (Applicable Laws) applicable to ). Where AvISO is relying on laws of a member of the Provider to otherwise process European Union or European Union law as the basis for processing Personal Data. Where the Provider is so required, it AvISO shall promptly notify the Council Client of this before performing the processing the Personal Data, unless prohibited required by the applicable lawsApplicable Laws unless those Applicable Laws prohibit AvISO from so notifying the Client; (b) 15.4.2 ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the CouncilClient, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it); (c) 15.4.3 ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; and 15.4.4 not transfer any Personal Data outside of the European Economic Area UK unless the prior written consent of the Council Client has been obtained and the following conditions are fulfilled: i. 15.4.4.1 the Council Client or the Provider AvISO has provided appropriate safeguards in relation to the transfer; ii. 15.4.4.2 the Data Subject data subject has enforceable rights and effective legal remedies; iii. the Provider 15.4.4.3 AvISO complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and iv. the Provider 15.4.4.4 AvISO complies with the reasonable instructions notified to it in advance by the Council Client with respect to the processing of the Personal Data; (d) notify the Council immediately if it receives: i. a request from a Data Subject to have access to that person's Personal Data; ii. a request to rectify, block or erase any Personal Data; iii. receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation (including any communication from the Information Commissioner); (e) 15.4.5 assist the Council Client, at the Client's cost, in responding to any request from a Data Subject and in ensuring compliance with the Council's its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; (f) 15.4.6 notify the Council immediately and in any event within 24 hours Client without undue delay on becoming aware of a Personal Data breach including without limitation any event that results, or may result, in unauthorised access, loss, destruction, or alteration of Personal Data in breach of this agreementbreach; (g) 15.4.7 at the written direction of the CouncilClient, delete or return Personal Data and copies thereof to the Service User Client on termination or expiry of the agreement Agreement unless required by the applicable laws Applicable Law to store the Personal Data;; and (h) 15.4.8 maintain complete and accurate records and information to demonstrate its compliance with this clause 13 and allow for audits by the Council or the Council's designated auditor pursuant to clause 10;15.

Without prejudice to the generality of Clause. 13.112.2, the Provider Manager shall, in relation to any Personal Data processed in connection with the performance by the Provider Manager of its obligations under this agreementAgreement: (a) 12.4.1 process that Personal Data only on the written instructions of the Council (as set out in Schedule 7), General Partner unless the Provider Manager is required by the laws of any member of the European Union or by the laws of the European Union (Applicable Laws) applicable to the Provider Manager to otherwise process the Personal DataData (“Applicable Laws”). Where the Provider Manager is so requiredrelying on laws of a member of the European Union or European Union law as the basis for processing Personal Data, it the Manager shall promptly notify the Council General Partner of this before performing the processing the Personal Data, unless prohibited required by the applicable lawsApplicable Laws unless those Applicable Laws prohibit the Manager from so notifying the General Partner; (b) 12.4.2 ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the Council, measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring measures; 12.4.3 ensure that availability of and all personnel who have access to and/or process Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating are obliged to keep the effectiveness of the technical and organisational measures adopted by it)Personal Data confidential; (c) 12.4.4 not transfer any Personal Data outside of the European Economic Area unless the prior written consent of the Council has been obtained and the following conditions are fulfilled: i. (a) the Council or the Provider Manager has provided appropriate safeguards in relation to the transfer; ii. (b) the Data Subject data subject has enforceable rights and effective legal remedies; iii. (c) the Provider Manager complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and iv. (d) the Provider Manager complies with the reasonable instructions notified to it in advance by the Council General Partner with respect to the such processing of the Personal Data; (d) notify the Council immediately if it receives: i. a request from a Data Subject to have access to that person's Personal Data; ii. a request to rectify, block or erase any Personal Data; iii. receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation (including any communication from the Information Commissioner); (e) 12.4.5 assist the Council General Partner, at the Manager's cost, in responding to any request from a Data Subject data subject and in ensuring compliance with the Council's its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; (f) 12.4.6 notify the Council immediately General Partner without undue delay (and in any event within 24 hours on becoming hours) in the event that it suspects or becomes aware of a any Personal Data breach including without limitation any event that results, or may result, in unauthorised access, loss, destruction, or alteration of Personal Data in breach of this agreementany Data Protection Legislation by the Manager in connection with the Agreement, and shall, at the Manager’s cost: (i) investigate the incident and provide the General Partner, on an ongoing basis, with detailed information about the breach; and (ii) take all reasonable steps to mitigate the effects of the breach and to minimise any damage resulting from the breach; and (iii) co-operate with General Partner to provide information in connection with the breach or any notice required to be sent out to any third party in connection with the breach; (g) 12.4.7 at the written direction of the CouncilGeneral Partner, delete or return Personal Data and copies thereof to the Service User General Partner (or its nominee) on expiry or termination or expiry of the agreement Agreement unless required by the applicable laws Applicable Law to store the Personal Data;; and (h) 12.4.8 maintain complete and accurate records and information to demonstrate its compliance with this clause 13 Clause 12 and allow for audits by the Council General Partner or the Council's its designated auditor pursuant to clause 10;auditor.

Without prejudice to the generality of Clause. 13.120.1, the Provider Supplier shall, in relation to any Personal Data processed in connection with the performance by the Provider Supplier of its obligations under this agreement: (a) process that Personal Data only on the written instructions of the Council (as set out in Schedule 7), Customer unless the Provider Supplier is required by the laws of any member of the European Union or by the laws of the European Union applicable to the Supplier to process Personal Data (Applicable Laws) applicable to the Provider to otherwise process the Personal Data). Where the Provider Supplier is so requiredrelying on laws of a member of the European Union or European Union law as the basis for processing Personal Data, it the Supplier shall promptly notify the Council Customer of this before performing the processing the Personal Data, unless prohibited required by the applicable lawsApplicable Laws unless those Applicable Laws prohibit the Supplier from so notifying the Customer; (b) ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the Council, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it); (c) ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; (d) excluding any access to or use of the Supplier Software by any of the Licensed Users from a country outside of the European Economic Area (EEA) or routing of emails outside of the Supplier’s control, not transfer any Personal Data outside of the European Economic Area EEA unless the prior written consent of the Council has been obtained and the following conditions are fulfilled: i. (i) the Council Customer or the Provider Supplier has provided appropriate safeguards in relation to the transfer; (ii. ) the Data Subject data subject has enforceable rights and effective legal remedies; (iii. ) the Provider Supplier complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and (iv. ) the Provider Supplier complies with the reasonable instructions notified to it in advance by the Council Customer with respect to the processing of the Personal Data; (d) notify the Council immediately if it receives: i. a request from a Data Subject to have access to that person's Personal Data; ii. a request to rectify, block or erase any Personal Data; iii. receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation (including any communication from the Information Commissioner); (e) assist the Council Customer, at the Customer's cost, in responding to any request from a Data Subject and in ensuring compliance with the Council's its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; (f) notify the Council immediately and in any event within 24 hours Customer without undue delay on becoming aware of a Personal Data breach including without limitation any event that results, or may result, in unauthorised access, loss, destruction, or alteration of Personal Data in breach of this agreementbreach; (g) at the written direction of the CouncilCustomer, delete or return Personal Data and copies thereof to the Service User Customer on termination or expiry of the agreement unless required by the applicable laws Applicable Law to store the Personal Data;; and (h) maintain complete and accurate records and information to demonstrate its compliance with this clause 13 and allow for audits by the Council or the Council's designated auditor pursuant to clause 10;20.

Without prejudice to the generality of Clause. 13.123.1, the Provider Supplier shall, in relation to any Personal Data processed in connection with the performance by the Provider Supplier of its obligations under this agreement: (a) process that Personal Data only on the written instructions of the Council (as set out in Schedule 7)Authority, unless the Provider Supplier is required to do otherwise by the laws of any member of the European Union or by the laws of the European Union (Applicable Laws) applicable to the Provider to otherwise process the Personal DataLaw. Where the Provider If it is so required, it the Supplier shall promptly notify the Council Authority before processing the Personal Data, unless prohibited by the applicable lawsLaws; (b) ensure that it has in place appropriate technical and organisational measures, measures which have been reviewed and approved by the CouncilAuthority, to protect against unauthorised or unlawful processing a Data Loss Event having taken account of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the the: (i) nature of the data to be protected, having regard to ; (ii) harm that might result from a Data Loss Event; (iii) the state of technological development and development; and (iv) the cost of implementing any measures measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to c) the Supplier’s Personnel do not process Personal Data can be restored except in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it)accordance with this Agreement; (cd) it takes all reasonable steps to ensure the reliability and integrity of any Supplier’s Personnel who have access to the Personal Data and ensure that they: (i) are aware of and comply with the Supplier’s duties under this clause; (ii) are subject to appropriate confidentiality undertakings with the Supplier or any Sub-Processor (iii) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority or as otherwise permitted by this Agreement; and (iv) have undergone adequate training in the use, care, protection and handling of Personal Data; and (e) not transfer any Personal Data outside of the European Economic Area EU unless the prior written consent of the Council Authority has been obtained and the following conditions are fulfilled: i. (i) the Council Authority or the Provider Supplier has provided appropriate safeguards in relation to the transfer; (ii. ) the Data Subject has enforceable rights and effective remedies; (iii. ) the Provider Supplier complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and (iv. ) the Provider Supplier complies with the reasonable instructions notified to it in advance by the Council Authority with respect to the processing of the Personal Data; (d) notify the Council immediately if it receives: i. a request from a Data Subject to have access to that person's Personal Data; ii. a request to rectify, block or erase any Personal Data; iii. receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation (including any communication from the Information Commissioner); (e) assist the Council in responding to any request from a Data Subject and in ensuring compliance with the Council's obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; (f) notify the Council immediately and in any event within 24 hours on becoming aware of a Personal Data breach including without limitation any event that results, or may result, in unauthorised access, loss, destruction, or alteration of Personal Data in breach of this agreement; (g) at the written direction of the CouncilAuthority, delete or return Personal Data (and any copies thereof of it) to the Service User Authority on termination or expiry of the agreement Agreement unless the Supplier is required by the applicable laws Law to store retain the Personal Data; (h) maintain complete and accurate records and information to demonstrate its compliance with this clause 13 and allow for audits by the Council or the Council's designated auditor pursuant to clause 10;.

Without prejudice to the generality of Clause. 13.111.1, the Provider Supplier shall, in relation to any Personal Data processed in connection with the performance by the Provider Supplier of its obligations under this agreementAgreement: (a) process that Personal Data only on the written instructions of the Council (as set out in Schedule 7), Client unless the Provider Supplier is required by the laws of any member of the European Union or by the laws of the European Union (Applicable Laws) applicable to the Provider Supplier to otherwise process the Personal DataData (“Applicable Laws”). Where the Provider Supplier is so requiredrelying on Applicable Law as the basis for processing Personal Data, it the Supplier shall promptly notify the Council Client of this before performing the processing the Personal Data, unless prohibited required by the applicable lawsApplicable Laws unless those Applicable Laws prohibit the Supplier from so notifying the Client; (b) ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the Council, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it); (c) not transfer any Personal Data outside of the European Economic Area EEA unless the prior written consent of the Council has been obtained and the following conditions are fulfilled: i. (i) the Council Client or the Provider Supplier has provided appropriate safeguards in relation to the transfer. If cross border transfer of Personal Data occurs, the Client authorises the Supplier to enter into SCC with the third-party processors in the Client’s name and on its behalf, when these are necessary. Standard Contractual Clauses (SCC) means the European Commission's Standard Contractual Clauses for the transfer of Personal Data from the European Union to processors established in third countries (controller-to-processor transfers), as set out in the Annex to Commission Decision 2010/87/EU as adapted for the UK; (ii. ) the Data Subject has enforceable rights and effective legal remedies; (iii. ) the Provider Supplier complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and (iv. ) the Provider Supplier complies with the reasonable instructions notified to it in advance by the Council Client with respect to the processing of the Personal Data; (d) notify the Council immediately if it receives: i. a request from a Data Subject to have access to that person's Personal Data; ii. a request to rectify, block or erase any Personal Data; iii. receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation (including any communication from the Information Commissioner); (e) assist the Council Client, at the Client's cost, in responding to any request from a Data Subject and in ensuring compliance with the Council's its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; (fe) notify the Council immediately and in any event within 24 hours Client without undue delay on becoming aware of a Personal Data breach including without limitation any event that results, or may result, in unauthorised access, loss, destruction, or alteration of Personal Data in breach of this agreementbreach; (gf) at the written direction of the CouncilClient, delete or return Personal Data and copies thereof to the Service User Client on termination or expiry of the agreement Agreement unless required by the applicable laws Applicable Law to store the Personal Data;; and (hg) maintain complete and accurate records and information to demonstrate its compliance with this clause 13 and allow for audits by the Council or the Council's designated auditor pursuant to clause 10;Clause 11.