“Data Breach”
Means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed;
“Data Protection Laws”
Means any and all laws, statutes, enactments, orders or regulations or other similar instruments of general application and any other rules, instruments or provisions in force from time to time relating to the processing of personal data and privacy applicable to the performance of this Agreement, including where applicable the Data Protection Act 1998, the Data Protection Bill, the Regulation of Investigatory Powers Act 2000, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2426/2003) and the GDPR (Regulation (EU) 2016/679), as amended or superseded;
“Personal Data”
Has the meaning given in the Data Protection Laws.
2.1. Where Client, pursuant to this Agreement, processes Personal Data it receives pursuant to this Agreement, the Parties acknowledge and agree that the Client shall be acting as a Data Controller and Contentive shall also be acting as a Data Controller.
COMPLIANCE WITH DATA PROTECTION LAWS
3.1. The Client warrants that it has complied, and shall continue to comply, with the requirements of the applicable Data Protection Laws and all other data protection legislation in any jurisdiction relevant to the exercise of its rights or the performance of its obligations under this Agreement.
4.1.1. have in place and at all times maintain appropriate technical and organisational measures in such a manner as is designed to ensure the protection of the rights of the data subject and to ensure a level of security appropriate to the risk and shall implement any reasonable security measures as requested by Contentive from time to time;
4.1.2. not engage any sub-processor without the prior specific or general written authorisation of Contentive or the data subject (and in the case of general written authorisation, the Client shall inform Contentive of any intended changes concerning the addition or replacement of other processors and Contentive shall have the right to object to such changes);
4.1.3. ensure that each of the Client’s employees, agents, consultants, subcontractors and sub-processors are made aware of the Client’s obligations under this Schedule and enter into binding obligations with the Client to maintain the levels of security and protection required under this Schedule. The Client shall ensure that the terms of this Schedule are incorporated into each agreement with any sub-processor, subcontractor, agent or consultant to the effect that the sub-processor, subcontractor, agent or consultant shall be obligated to act at all times in accordance with duties and obligations of the Client under this Schedule. The Client shall at all times be and remain liable to Contentive for any failure of any employee, agent, consultant, subcontractor or sub-processor to act in accordance with the duties and obligations of the Client under this Schedule;
4.1.4. (at no additional cost to Contentive) within 7 days following the end of the term of this Agreement, deliver to Contentive (in such format as Contentive may require) a full and complete copy of all Personal Data, and, following confirmation of receipt from Contentive, permanently remove the Personal Data (and copies) from the Client’s systems, and the Client shall certify to Contentive that it has complied with these requirements, and such Personal Data shall remain confidential in perpetuity;
4.1.5. ensure that all persons authorised to access the Personal Data are subject to obligations of confidentiality and receive training to ensure compliance with this Agreement and the Data Protection Laws;
4.1.6. provide assistance to Contentive, within such timescales as Contentive may require from time to time, at no charge to Contentive, in connection with the fulfilment of Contentive’s obligation as Data Controller to respond to requests for the exercise of data subjects’ rights pursuant to Chapter III of the GDPR to the extent applicable;
4.1.7. provide Contentive with assistance in ensuring compliance with articles 32 to 36 (inclusive) of the GDPR (concerning security of processing, data breach notification, communication of a personal data breach to the data subject, data protection impact assessments, and prior consultation with supervisory authorities) to the extent applicable to Contentive, taking into account the nature of the processing and the information available to the Client;
4.1.8. at no additional cost to Contentive, deal promptly and properly with all enquiries or requests from Contentive relating to the Personal Data and the data processing activities, promptly provide to Contentive in such form as Contentive may request, a copy of any Personal Data requested by Contentive;
4.1.9. (at no additional cost to Contentive) assist Contentive (where requested by Contentive) in connection with any regulatory or law enforcement authority audit, investigation or enforcement action in respect of the Personal Data;
4.1.10. immediately notify Contentive in writing about: a) any Data Breach or any accidental loss, disclosure or unauthorised access of which the Client becomes aware in respect of Personal Data that it receives from Contentive; b) any request for disclosure of the Personal Data by a law enforcement authority (unless otherwise prohibited); c) any access request or complaint received directly from a data subject (without responding other than to acknowledge receipt).