14.5 Data Protection
(a) Each Party shall comply with all applicable requirements of the Data Protection Legislation. This clause 14.5 is in addition to, and does not relieve, remove or replace, a Party’s obligations under the Data Protection Legislation.
(b) The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the data controller and the Supplier is the data processor (where Data Controller, Data Processor and Personal Data have the meanings as defined in the Data Protection Legislation).
(c) Without prejudice to the generality of clause 14.5.(a), to the extent that the Services involve the processing of any Personal Data, the Customer shall ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of any Personal Data to the Supplier for the duration and purposes of this Agreement.
(d) Without prejudice to the generality of clause 14.5.(a), the Supplier shall, in relation to any Personal Data processed in connection with the performance by the Supplier of its obligations under this Agreement: .
(i) process that Personal Data only on the written instructions of the Customer unless the Supplier is required by the laws of any member of the European Union or by the laws of the European Union applicable to the Supplier to process Personal Data (Applicable Laws). Where the Supplier is relying on laws of a member of the European Union or European Union law as the basis for processing Personal Data, the Supplier shall promptly notify the Customer of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Supplier from so notifying the Customer;
(ii) ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the Customer, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it);
(iii) ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; and
(iv) not transfer any Personal Data outside of the European Economic Area unless the following conditions are fulfilled:
(iv.i) the Customer or the Supplier has provided appropriate safeguards in relation to the transfer;
(iv.ii) the data subject has enforceable rights and effective legal remedies;
(iv.iii) the Supplier complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and
(iv.iv) the Supplier complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data;
(v) assist the Customer, at the Customer’s cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
(vi) notify the Customer without undue delay on becoming aware of a Personal Data breach;
(vii) at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer on termination of the agreement unless required by Applicable Law to store the Personal Data; and
(viii) maintain complete and accurate records and information to demonstrate its compliance with this clause 14.5.
(e) Either Party may, at any time on not less than 30 days’ notice, revise this clause 14.5 by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when replaced by attachment to this agreement).
(f) From time to time the Supplier may contact the Customer about products and services from the Supplier and its business partners. The Customer may opt-out of receiving mailings by contacting the Supplier at firstname.lastname@example.org
(g) The Supplier may with the prior written approval of Customer
(i) identify the Customer as its Customer,
(ii) use the Customer’s name, logo and other identifying information or image in connection with emails, communications, and proposals to other prospective Customers, and
(iii) disclose the terms of this Agreement as may be required by law.