1. In this agreement:
Data Protection Legislation means the Data Protection Act 2018 (DPA), the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) when in force, and any UK statute, regulations or secondary legislation supplementing or replacing the DPA or the GDPR, or otherwise regulating data protection, in each case as amended or updated from time to time; and
any expression defined in the Data Protection Legislation has the same meaning in this agreement.
2. The Supplier:
2.1 warrants and undertakes to the Customer that it has in place, and will at all times during the period of this agreement maintain, appropriate technical and organisational measures to ensure that the processing of Customer Data pursuant to this agreement will meet the requirements of the Data Protection Legislation; and
2.2 undertakes that it will:
- process the Customer Data only on the written instructions of the Customer or its Authorised Users, unless the Supplier is otherwise required to do so by applicable laws, in which case the Supplier will promptly notify the Customer of this requirement before performing the processing required by the applicable laws, unless the applicable laws prohibit the Supplier from so notifying the Customer;
- inform the Customer if, in its opinion, an instruction given by the Customer infringes the Data Protection Legislation;
- ensure that all persons authorised by the Supplier to process Customer Data are subject to an appropriate obligation of confidentiality, and do not process the Customer Data except on instructions from the Customer, unless required to do so by law;
- implement appropriate technical and organisational measures to ensure a level of security for the Customer Data which is appropriate to the risk involved in the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Customer Data;
- assist the Customer by appropriate technical and organisational measures, insofar as this is possible, in ensuring compliance with the Customer’s obligations to respond to requests by data subjects for exercising their rights under the Data Protection Legislation;
- assist the Customer, taking into account the nature of processing and the information available to the Supplier, in ensuring compliance with the Customer’s obligations under the Data Protection Legislation with respect to the security of processing, notification of a personal data breach to the supervisory authority, communication of a personal data breach to the data subject, carrying out data protection impact assessments, and consulting with the supervisory authority prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the Customer to mitigate the risk;
- notify the Customer without undue delay on becoming aware of a data breach with respect to any of the Customer Data;
- at the written direction of the Customer, delete or return the Customer Data and any copies of it to the Customer on termination of this Agreement, unless the Supplier is required by Applicable Laws to store the Customer Data for any period (and then only for that period, upon the termination of which it will delete or return the Customer Data and any copies of it to the Customer); and
- maintain and make available to the Customer on request complete and accurate records (as required by the Data Protection Legislation) of its processing of Customer Data and all information necessary to demonstrate the Supplier’s compliance with this Schedule, and allow for and contribute to audits, including inspections, by the Customer or the Customer’s designated auditor.
3. The Supplier further undertakes that:
3.1 it will only appoint a third party as a processor of Customer Data under this Agreement in accordance with the Data Protection Legislation; and
3.2 it will not transfer any Customer Data outside of the European Economic Area (or, if the United Kingdom is no longer part of the European Economic Area, outside of the United Kingdom, unless the transfer is to a country that is a member of the European Union) unless the transfer is otherwise permitted under the Data Protection Legislation.