1.0 DATA PROTECTION "Data Protection Laws” mean all applicable laws from time to time relating to the processing of personal data and /or privacy, including, when, and to the extent in force, (a) the Data Protection Act 1998, (b) the General Data Protection Regulation (Regulation (EU) 2016/679) (the "GDPR") and,(c) the Privacy paragraphs of this Condition 14.5 is not within and Electronic Communications Regulations 2003;
"controller", "processor”, "data subject", "personal data" and "processing" shall have the meanings ascribed to them in the Data Protection Laws;
"Data" means all personal data provided by You, or on Your behalf, to Us for the purposes of performance of the Services, other than personal data relating to You or Your employees, staff or agents (in respect of which We are a data controller);
1.2 You shall comply at all times with the Data Protection Laws. You confirm that You have provided all notices and obtained all consents and- rights- necessary for-Us to process Data pursuant to this Agreement and the Data Protection Laws.
1.3 The table below in Condition 1.5 sets out the type of Data and categories of data subjects which it is intended shall be processed by Us under this Agreement for You, as well as the permitted nature, purpose and duration of that processing.
1.4 We, to the extent that We are a data processor for You in relation to any Data, shall:
1.4.1 only process Data for the purpose of providing the Services and shall comply with our obligations set out in, and in accordance with, the provisions of this Agreement, and in accordance with the table below in Condition 1.5 (which We acknowledge are Your documented instructions), unless We are required to process otherwise by applicable law to which We are subject;
1.4.2 except if appropriate safeguards are in place, not transfer any Data to a country outside of the European Economic Area ("EEA") or to a person based outside the EEA (unless required to do so by applicable EU or member state law to which We are subject and in such circumstances We shall inform you of such requirement (unless prohibited by applicable EU or member state law on 1.4.8 keep, and make available to You on important grounds of public interest). You agree that if We or a sub processor of ours enters into EU Standard Contractual Clauses (or their equivalent in the UK) with a third party outside the EEA to whom Data is being transferred that will be deemed "appropriate safeguards" for the purposes of this Condition 1.4.2 and that we may enter into such Standard Contractual Clauses on our own behalf or on your behalf and as your agent;
1.4.3 implement appropriate technical and organisational measures in relation to the Data to ensure a level of security appropriate to the level of risk;
1.4.4 not authorise any third party to process any Data without your written consent, which consent shall not be unreasonably withheld already consented to those third parties listed in the table below in Condition 1.5), and subject to written terms being put in place with each such third party which are equivalent to those in this Agreement;
1.4.5 ensure that any persons authorised by Us to process Data are bound by appropriate written or statutory confidentiality obligations in relation thereto;
1.4.6 taking into account the nature of the processing and the information available to Us, and at Your cost, assist You in (i) ensuring compliance with your obligations relating to data security, data breach and data protection impact assessments under Article 32 to 36 of the GDPR, and (ii) by appropriate technical and organisational measures and in so far as possible, in responding to requests from data subjects in relation to the exercise of those data subjects' rights with respect to their personal data under the Data Protection Laws;
1.4.7 at Your choice, delete or return all the Data in Our possession or control to You after the end of the provision of the Services, unless applicable law requires storage of the Data;
1.4.8 keep, and make available to You on Your request all such documentation and information as is reasonably necessary to demonstrate our compliance with Our obligations under Article 28 of the GDPR in relation to the Data;
1.4.9 allow for and contribute to audits (including inspections) conducted by You or another independent auditor mandated by You to verify our compliance with Our obligations under Article 28 of the GDPR in relation to the Data, provided that
(i) such audits shall only take place on reasonable prior notice during normal business hours and shall not take place more than once per annum and/or
(ii) such mandated auditor shall enter into a confidentiality agreement with Us prior to each such audit taking place and the costs incurred by Us in facilitating and enabling such audits shall be met by You; and
1.4.10 inform You if We become aware of a personal data breach under the Data Protection Laws relating to the Data, and/or if in Our opinion an instruction from You infringes the Data Protection Laws.