NBI Data Processing Agreement

1.1 The Parties acknowledge that the subject-matter, duration and nature and purpose of processing are related only to the provision of the Services pursuant to the NBI Purchase Order Terms and Conditions. Data subjects and categories of personal data will mean any relevant information about a person, staff member, contractor or otherwise that is required for the fulfilment of the Services subject to the NBI Purchase Order Terms and Conditions.

1.2 If and to the extent that the Supplier processes personal data pursuant to the NBI Purchase Order Terms and Conditions, the Parties acknowledge and agree that the Supplier shall act as a processor (as such term is defined in the Data Protection Legislation) on behalf of NBI. In such circumstances, the Supplier shall, and shall procure that the Supplier Personnel shall, at all times:

(a) process personal data at all times in accordance with the Data Protection Legislation, for the provision of the Service and on the documented instructions of NBI (including with regard to transfers of personal data to a third country or an international organisation) unless otherwise required to do so by law (in which case the service provider shall inform NBI of that requirement prior to processing, unless prohibited by law from doing so);

(b) take all security measures, both technical and organizational, as appropriate and required pursuant to Article 32 of the GDPR to protect personal data;

(c) notify NBI without undue delay after becoming aware of a personal data breach and provide NBI with all relevant information and assistance in relation to the data breach to allow NBI to fulfil its contractual or regulatory legal obligations. Supplier shall further make all efforts to remedy the breach, restore the personal data and reimburse NBI for any expenses incurred because of the breach;

(d) ensure that Supplier Personnel authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

(e) assist NBI by:

1. adopting appropriate technical and organisational measures to respond to data subject rights exercised pursuant to the Data Protection Legislation; and

2. providing assistance with NBI pursuing compliance with its obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to the Supplier;

(f) make available to NBI all information necessary to demonstrate the Supplier’s compliance with its obligations in this Data Processing Agreement;

(g) allow for and contribute to audits, including access to and inspections of any business premises, personnel or systems relevant to the provision of the Services, conducted by NBI or another auditor mandated by NBI;

(h) Supplier shall notify NBI as soon as reasonably practicable of:

i. any instruction from NBI that infringes Data Protection Legislation;

ii. any legally binding request for disclosure of Personal Data by a law enforcement or other competent authority unless prohibited by law from doing so;

iii. any request received directly from a Data Subject, without responding to that request, unless required by law to respond or where Supplier has been otherwise authorised by NBI to respond;

iv. any correspondence, notice or other communication whether orally or in writing received from the relevant data protection regulator or any other regulator or person, relating to the Personal Data; or

v. any breach of the NBI Purchase Order Terms and Conditions of which it is aware.

(i) cease processing the personal data immediately upon the termination or expiry of the Services subject to NBI Purchase Order Terms and Conditions, and as soon as possible thereafter, at NBI’s option, either (i) return to NBI in an easily accessible format, or (ii) delete from its systems, or destroy and make permanently unusable all personal data and the Supplier shall confirm in writing that this Clause (h) has been complied with in full;

(j) NBI hereby extends general authorisation to the Supplier to employ third parties (“Sub-processor(s)”) to process the personal data being processed for or on behalf of NBI provided that:

i. The Supplier provides notification to NBI prior to giving any Sub-processor access to personal data.

ii. NBI may reasonably object to the appointment by the Supplier of any Sub-processor prior to appointment of that Sub-processor.

iii. The Sub-processor’s contract is on terms which are substantially similar to those set out in this Schedule (Data Protection); and

iv. Supplier shall be fully liable to NBI for the performance, acts and omissions of that Sub-processor. Nothing in this NBI Purchase Order Terms and Conditions shall relieve Sub-Processor of any liability for the acts or omissions of its Personnel in relation to personal data;

(k) not transfer or process any personal data outside the European Economic Area, including any transfer via electronic media, without the express prior written consent of NBI (and subject then in any event to the execution of an appropriate data transfer mechanism as required by law and subject to a risk assessment undertaken by Sub Contractor and relevant mitigations reasonably required by NBI);