GDPR Terms

Data Protection and Monitoring

2.16 In this Clause, the following terms shall have the meanings given in Regulation 2016/679 (the General Data Protection Regulation (GDPR, together with any relevant national implementing or supplement legislation, "Applicable Data Protection Law"): "controller", "processor", "personal data", "data subject" and "processing" (and "process").

• If the Client (the controller) appoints the Licensor as a processor to process the personal data under this Licence Agreement (the "Personal Data"), the Licensor shall only process the Personal Data solely as necessary to perform its obligations under this Licence Agreement and strictly in accordance with the Client’s instructions (the "Permitted Purpose").
• The Licensor shall, if it transfers the Personal Data outside any country, ensure the transfer is in compliance with Applicable Data Protection Law.
• The Licensor shall ensure that any person that it authorises to process the Personal Data (including its staff, agents and subcontractors) shall be subject to a strict duty of confidentiality and that they shall only process the Personal Data for the Permitted Purpose.
• The Licensor shall implement appropriate technical and organisational measures to protect the Personal Data (i) from accidental or unlawful destruction, and (ii) loss, alteration, unauthorised disclosure of, or access to the Personal Data (a "Security Incident"). If it becomes aware of a Security Incident, Licensor shall inform the Client without undue delay and shall provide all such timely information and cooperation as the Client may require in order for the Client to fulfil its data breach reporting obligations under Applicable Data Protection Law.  The Licensor shall further take all such measures and actions as are necessary to remedy or mitigate the effects of the Security Incident and shall keep the Client of all developments in connection with the Security Incident.
• The Licensor shall provide all reasonable and timely assistance to the Client to enable the Client to respond to: (i) any request from a data subject to exercise any of its rights under Applicable Data Protection Law; and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Personal Data.
• Upon termination or expiry of this Licence Agreement, the Licensor shall (at the Client's option) destroy or return to the Client all the Personal Data in its or a sub-contractor's possession or control.