Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause is in addition to, and does not relieve, remove or replace, a party’s obligations under the Data Protection Legislation.

The parties acknowledge that for the purposes of the Data Protection Legislation, the CLIENT is the data controller and IQ in IT LTD is the data processor (where Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation). Schedule 34 sets out the scope, nature and purpose of processing by IQ in IT LTD, the duration of the processing and the types of Personal Data and categories of Data Subject (both as defined in the Data Protection Legislation).

The CLIENT will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to IQ in IT LTD for the duration and purposes of this agreement. IQ in IT LTD shall adhere to the CLIENT’s Data Protection policy and the CLIENT shall be solely responsible for providing this policy to IQ in IT LTD. In the absence of a policy being provided by the CLIENT, IQ in IT LTD shall adhere to its own Data Protection policy.

IQ in IT LTD shall, in relation to any Personal Data processed in connection with the performance by IQ in IT LTD of its obligations under this agreement:

(a) process that Personal Data only on the written instructions of the CLIENT unless IQ in IT LTD is required by the laws of any member of the European Union or by the laws of the European Union applicable to IQ in IT LTD to process Personal Data (Applicable Data Processing Laws). Where IQ in IT LTD is relying on laws of a member of the European Union or European Union law as the basis for processing Personal Data, IQ in IT LTD shall promptly notify the CLIENT of this before performing the processing required by the Applicable Data Processing Laws unless those Applicable Data Processing Laws prohibit IQ in IT LTD from so notifying the CLIENT;

(b) ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the CLIENT, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it);

(c) ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential;

(d) not transfer any Personal Data outside of the European Economic Area unless the prior written consent of the CLIENT has been obtained and the following conditions are fulfilled:

(i) the CLIENT or IQ in IT LTD has provided appropriate safeguards in relation to the transfer;

(ii) the data subject has enforceable rights and effective legal remedies;

(iii) IQ in IT LTD complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and

(iv) IQ in IT LTD complies with reasonable instructions notified to it in advance by the CLIENT with respect to the processing of the Personal Data;

(e) assist the CLIENT, at the CLIENT’s cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; and

(f) at the written direction of the CLIENT, delete or return Personal Data and copies thereof to the CLIENT on termination of the agreement unless required by Applicable Data Processing Law to store the Personal Data.