2. ROLES AND RESPONSIBILITIES OF THE PARTIES
2.1 Both parties shall, in connection with the Agreement, only Process Relevant Personal Data in accordance with the requirements of applicable Data Protection Laws.
2.2 The parties hereby acknowledge and agree that either party may, from time to time, as expressly permitted by the Agreement, act as a Controller in respect of Relevant Personal Data it receives from the other party, in which case the party receiving the Relevant Personal Data shall:
- only Process the Relevant Personal Data for limited and specified purposes consistent with the consent provided by the Data Subject or another lawful basis under applicable Data Protection Laws;
- provide the same level of protection for the Relevant Personal Data as the Privacy Shield Principles, not including the requirement to be a Privacy Shield organization or have an independent recourse mechanism, provided it makes available an equivalent mechanism; and
- if it makes a determination that it can no longer provide protection in accordance with Section 2.2(b), notify the other party and cease Processing or take other reasonable and appropriate steps to remediate.
2.3 The parties hereby acknowledge and agree that, in the event that a party Processes Relevant Personal Data on behalf of the other party, the party performing such Processing shall be a Processor (the "Processor Party") on behalf of the other party (the "Controller Party"). The Processor Party shall, in relation to such Processing:
- Process Relevant Personal Data (including any transfers of Relevant Personal Data to recipients located outside the European Economic Area) only for limited and specified purposes on behalf of and in accordance with the Controller Party's prior written instructions, which shall be deemed to include an instruction to Process Relevant Personal Data as necessary to perform the Processor Party's obligations under the Agreement, unless such instruction is amended in writing by the Controller Party;
- if at any point the Processor Party is unable to comply with the Controller Party's instructions regarding the Processing of Relevant Personal Data (whether as a result of a change in applicable Data Protection Laws, or a change in the Controller Party's instructions, or howsoever), the Processor Party shall promptly: (i) notify the Controller Party of such inability, providing a reasonable level of detail as to the instructions with which it cannot comply and the reasons why it cannot comply, to the greatest extent permitted by applicable law; and (ii) cease all Processing of the affected Relevant Personal Data (other than merely storing and maintaining the security of the affected Relevant Personal Data) until such time as the Controller Party issues new instructions with which the Processor Party is able to comply;
- ensure that its employees, officers, representatives, advisers or consultants, and any Sub-processors, have committed themselves to ensuring the confidentiality of all Relevant Personal Data that they Process;
- implement appropriate technical and organizational measures, taking into account in particular the risks presented by Processing, in particular from accidental or unlawful loss, alteration, unauthorized disclosure or access to Relevant Personal Data. Such measures shall ensure a level of security appropriate to the risk;
- in each instance in which the Processor Party engages a Sub-processor: (i) only appoint such Sub-processor in accordance with the prior written authorization of the Controller Party (such authorization not to be unreasonably withheld, conditioned or delayed), including as permitted pursuant to the Agreement; (ii) keep the Controller Party informed of any change to the role or status of any Sub-processor; (iii) enter into a binding written agreement with the Sub-processor that imposes on the Sub-processor the same obligations that apply to the Processor Party under the Agreement, including this DPA, with respect to the Processing of Relevant Personal Data; and (iv) remain primarily liable and responsible for the acts and omissions of each Sub-processor that breach such Sub-processor's data protection obligations as if they were acts and omissions of the Processor Party;
- at the Controller Party's request and expense, promptly provide the Controller Party with all reasonable assistance necessary to respond appropriately to requests from Data Subjects to exercise their rights;
- taking into account the nature of the Processing, assist the Controller Party by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller Party's obligation to respond to requests for exercising a data subject's rights under applicable Data Protection Laws;
- promptly provide the Controller Party with all information necessary to enable the Controller Party to demonstrate compliance with its obligations under applicable Data Protection Laws, to the extent that the Processor Party is able to provide such information;
- (i) permanently and securely delete (or, at the election of the Controller Party, return) all Relevant Personal Data in the possession or control of the Processor Party or any of its Sub-processors, within thirty (30) calendar days after the termination or expiration of the Agreement, unless otherwise required by any applicable law of the EU or a member state of the EU; and (ii) procure that its Sub-processors shall do the same;
- at the Controller Party's request and expense: (i) promptly provide the Controller Party with all information necessary to enable the Controller Party to demonstrate compliance with its obligations under applicable Data Protection Laws, to the extent that the Processor Party is able to provide such information; and (ii) allow for and contribute to audits, conducted by the Controller Party or an independent auditor selected by the Controller Party and bound by a duty of confidentiality, including inspection, of any documentation, responses to questions and other written information reasonably requested by the Controller Party or such auditor;
- upon the Controller Party's reasonable request, promptly provide the Controller Party with all reasonable assistance necessary to enable the Controller Party to: (i) notify relevant breaches of applicable Data Protection Laws to the relevant Supervisory Authorities and/or affected Data Subjects; and (ii) obtain any necessary authorizations from Supervisory Authorities;
- provide at least the same level of privacy protection as is required by the Privacy Shield Principles and, upon reasonable notice, undertake reasonable and appropriate steps to stop and remediate unauthorized Processing;
- notify the Controller Party if the Processor Party makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Privacy Shield Principles;
- Process the Personal Data in a manner consistent with the Controller Party's obligations (if any) under the Privacy Shield Principles; and
- taking into account the nature of the Processing, assist the Controller Party in responding to individuals exercising their rights under the Privacy Shield Principles.