15.1 The parties agree that the provisions of this clause 15 shall apply where the parties process any Shared Personal Data and/or either party processes any other personal data in connection with the performance of these Conditions.
Processing by Controller
15.2 Where the parties process:
(a) any Shared Personal Data as data controllers in common; and/or
(b) any other personal data as data controllers; in connection with the performance of these Conditions the provisions of clauses 15.2 to 15.5 (inclusive) shall apply.
15.3 Each party shall comply with all applicable controller obligations under the Data Protection Law and shall provide assistance in respect of the other’s compliance with such obligations, in particular in relation to the Shared Personal Data, where reasonable and permitted by Data Protection Law including notification of and consultation and co-operation with the other party over fair processing notices for, and where necessary consents and compliance with rights requests from, data subjects, as well as responses to any actual or suspected personal data breach and any contact with of from any supervisory authorities or regulators.
15.4 When disclosing any Shared Personal Data to the other party, the disclosing party shall ensure that it has compliant fair processing notices, and where necessary consents, in place to enable the lawful transfer to and processing (including any onward transfer) by the other party and the Permitted Recipients of the Shared Personal Data for the Agreed Purposes.
15.5 Without limitation of the above, when receiving any Shared Personal Data from the other party, the receiving party shall:
(a) process, and procure that Permitted Recipients process, the Shared Personal Data only for the Agreed Purposes;
(b) not disclose or allow access to the Shared Personal Data to anyone other than the Permitted Recipients except as permitted by the Data Protection Law;
(c) ensure that all Permitted Recipients are subject to written contractual obligations concerning the Shared Personal Data (including obligations of confidentiality) which are no less onerous than those imposed by these Conditions;
(d) ensure that it has in place appropriate technical and organisational security measures, in accordance with the Data Protection Law; and
(e) not transfer any Shared Personal Data outside the European Union unless the transfer is to a country approved by the European Commission, or there are appropriate safeguards in place or an applicable derogation for a specific situation, as provided for under the Data Protection Law.
Processing by Processor
15.6 Where either party processes any Shared Personal Data as data processor (the Processor) acting on behalf of the other party as data controller (the Controller), in connection with the performance of these Conditions the provisions of clauses 15.6 to 15.10 (inclusive) shall apply.
15.7 The Controller shall ensure that it has compliant fair processing notices, and where necessary consents, in place to enable the lawful transfer to and processing by the Processor of the Shared Personal Data for the Agreed Purposes.
15.8 The Processor shall in relation to the Shared Personal Data processed by it in connection with the performance of these Conditions:
(a) process the Shared Personal Data only on the written and lawful instructions of the Controller (unless the Processor is required by the Data Protection Law to process the Shared Personal Data in which case it shall promptly notify the Controller before doing so unless prevented by the Data Protection Law);
(b) ensure that all personnel who have access to and/or process the Shared Personal Data are obliged to keep the Shared Personal Data confidential;
(c) ensure that it has in place appropriate technical and organisational security measures as required by the Data Protection Law;
(d) be generally authorised to appoint third party sub-processors on terms which are substantially similar to those set out here including any sub-processors identified in these Conditions;
(e) assist the Controller in responding to any request from a data subject and in ensuring compliance with the Controller’s obligations under the Data Protection Law with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
(f) notify the Controller without undue delay on becoming aware of a personal data breach and assist the Controller with its Data Protection Law obligations in respect thereof taking into account the nature of the processing and information available to it;
(g) at the written direction of the Controller, delete or return the Shared Personal Data and copies thereof to the Controller on termination of these Conditions unless required by the Data Protection Law to store the Shared Personal Data; and
(h) maintain complete and accurate records and information to demonstrate its compliance with the above and allow for audits by the Controller or the Controller’s designated auditor.
15.9 The Processor shall not transfer any Shared Personal Data outside the European Union without the prior approval of the Controller.
15.10 In respect of the Shared Personal Data:
(a) the scope, nature, purpose and duration of processing;
(b) the types of personal data and
(c) the categories of data subject; are as set out in this clause or in, or agreed under, these Conditions.
15.11 For the avoidance of doubt, when the Services involve the provision of newsletters on Your behalf, the Supplier shall not be responsible for ensuring that the recipients of the newsletters consent to such receipt in accordance with the Data Protection Law. You shall be responsible for ensuring there is a legal basis upon which to contact, and specifically send newsletters to, such recipients, and the Supplier accepts no responsibility in this regard.
15.12 In this clause 15:
(a) Agreed Purposes: means the processing necessary for the performance of these Conditions as identified herein;
(b) Controller, data subject, personal data, personal data breach, processor and processing: are as defined in the GDPR (and process and process shall be construed accordingly);
(c) Data Protection Law: means the General Data Protection Regulation (EU) 2016/679 (GDPR), the UK Data Protection Act (as amended or replaced) and any other applicable data protection or electronic privacy laws, regulations and decisions in force from time to time;
(d) Permitted Recipients: means the parties to these Conditions and (as necessary) the employees, personnel and advisers of each party and third parties engaged to perform obligations in connection with these Conditions; and
(e) Shared Personal Data: means the personal data to be shared between the parties as necessary for the performance of these Conditions as identified herein.