For the purposes of this Agreement “Data Protection Laws” means all applicable nation and EU data
protection laws, regulations and guidelines, including by not limited to Regulation (EU) 2016/679 on
the protection of natural persons with regard to the processing of personal data and on the free
movement of such data, and repealing Directive 95/46/EC (the “General Data Protection Regulation”),
and any guidelines and codes of practice issued by the Office of the Data Protection Commissioner
or other supervisory authority for data protection in Ireland from time to time.
The Contractor undertakes to comply with all directions of the Organisation regarding the use and
application of all and any Confidential Information or data (including personal data as defined in the
Data Protection Act 1988 Revised, and the EU General Data Protection Regulation (EU Regulation 679/2016)
(the“GDPR”).
The Contractor agrees that this Agreement shall in all aspects be governed by and construed in
accordance with the laws of Ireland and the Contractor hereby further agrees that the courts of
Ireland have exclusive jurisdiction to hear and determine any disputes arising out of or in
connection with this Agreement.
A. In this Agreement, the following terms shall have the meanings respectively ascribed to them:
“Data Controller” has the meaning given under the Data Protection Laws;
“Data Processor” has the meaning given under the Data Protection Laws;
“Data Subject” has the meaning given under the Data Protection Laws;
“Data Subject Access Requested” means a request made by a Data Subject in accordance with
rights granted under the Data Protection Laws to access his or her Personal Data;
“Personal Data” has the meaning given under Data Protection Laws;
“Processing” has the meaning given under Data Protection Laws;
B. The Contractor shall comply with all applicable requirements of the Data Protection Laws.
C. The parties acknowledge that for the purposes of the Data Protection Laws, the Organisation
is the Data Controller and the Contractor is the Data Processor in respect of Confidential
Information which is Personal Data.
D. The Contractor shall, in relation to any Confidential Information which is Personal Data:-
- process that Personal Data only on written instructions of the Organisation;
- ensure that is has in place appropriate technical and organisational measures,
reviewed and approved by the Organisation, to protect against unauthorised or unlawful
processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to
the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction
or damage and the nature of the data to be protected, having regard to the state of technological
development and the cost of implementing any measures (those measures may include, where appropriate,
pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and
resilience of its systems and services, ensuring that availability of and access to Personal Data can be
restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the
technical and organisational measures adopted by it);
- ensure that all personnel who have access to and / or process Personal Data are
obliged to keep the Personal Data confidential;
- not transfer any Personal Data outside of the European Economic Area unless the
prior written consent of the Organisation has been obtained and
E. The Contractor shall promptly notify the Organisation if it receives a Data Subject Access
Request to have access to any Personal Data or any other complaint, correspondence, notice, request
any order of the Court or request of any regulatory or government body relating to the Organisation’s obligations
under the Data Protection Laws and provide full co-operation and assistance to the Organisation in
relation to any such complaint, order or request (including, without limitation, by allowing Data
Subjects to have access to their Data).
F. The Contractor shall without undue delay report in writing to the Organisation any data
compromise involving Personal Data, or any circumstances that could have resulted in unauthorised
access to or disclosure of Personal Data.
G. The Contractor shall assist the Organisation in ensuring compliance with its obligations
under the Data Protection Laws with respect to security, impact assessments and consultations with
supervisory authorities and regulators
H. The Contractor shall at the written direction of the Organisation, amend, delete or return
Personal Data and copies thereof to the Organisation on termination of this Agreement.
I. The Contractor shall fully comply with and implement policies which are communicated or
notified to the Contractor by the Organisation from time to time.
J. The Contractor shall take all reasonable precautions to preserve the integrity of any
Personal Data which it processes and to prevent any corruption or loss of such Personal Data;
M. The Organisation does not consent to the Contractor appointing any third-party processor of
Personal Data under this agreement.