In this Appendix, the following terms shall have the meanings set against them below:
1.1 Each party will comply with all applicable requirements of the Data Protection Legislation. This Appendix is in addition to, and does not relieve, remove or replace, a party's obligations or rights under the Data Protection Legislation.
1.2 The parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Controller and the Provider is the Processor. The types of Personal Data and categories of Data Subject will be determined by the Customer (as a result of uploading data onto Gorilla) and processing will be limited to the extent necessary to the provision of our services until the Customer deletes the Personal Data from Gorilla or Gorilla deletes it at the Customer’s request.
1.3 Without prejudice to the generality of clause 1.1, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Provider for the duration and purposes of the Agreement.
1.4 Without prejudice to the generality of clause 1.1, the Provider shall, in relation to any Personal Data processed in connection with the performance by the Provider of its obligations under this agreement:
(a) process that Personal Data only on the documented written instructions of the Customer unless the Provider is required by Applicable Laws to otherwise process that Personal Data. Where the Provider is relying on Applicable Laws as the basis for processing Personal Data, the Provider shall promptly notify the Customer of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Provider from so notifying the Customer;
(b) ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it);
(c) ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential;
(d) not transfer any Personal Data outside the UK/European Economic Area unless the prior written consent of the Customer has been obtained and the following conditions are fulfilled:
(i) the Customer or the Provider has provided appropriate safeguards in relation to the transfer;
(ii) the data subject has enforceable rights and effective legal remedies;
(iii) the Provider complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and
(iv) the Provider complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data;
(e) assist the Customer, at the Customer's cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
(f) notify the Customer without undue delay and in any event within 72 hours on becoming aware of a Personal Data Breach;
(g) at the written direction of the Customer and its cost, delete or return Personal Data and copies thereof to the Customer on termination of the Agreement unless required by Applicable Law to store the Personal Data. The Customer acknowledges and agrees that it is solely responsible for obtaining the consent of all stakeholders in its research to any deletion;
(h) maintain complete and accurate records and information to demonstrate its compliance with this Appendix and allow for audits of them by the Customer or the Customer's designated auditor and immediately inform the Customer if, in the opinion of the Provider, an instruction infringes the Data Protection Legislation;
(i) implement and maintain appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access;
(j) process Personal Data only for as long as necessary for the purposes set out in this Agreement and in accordance with the Customer's instructions;
(k) ensure that all personnel handling Personal Data are trained in their privacy obligations at least annually;
(l) if handling sensitive data, ensure that personnel have been subject to appropriate background checks; and
(m) cooperate with the Customer in the event the Customer initiates a data protection impact assessment related to the services provided under this Agreement.
1.5 The Customer consents to the Provider appointing our List Of Suppliers as third-party processors of Personal Data under this agreement. The Provider shall notify the Customer of any change to its third-party processors and the Customer shall be entitled to object to any such change, provided that the Provider shall not be liable to the Customer for any failure to provide any element of Gorilla as a result of such objection. The Provider confirms that it has entered or (as the case may be) will enter with each third-party processor into a written agreement incorporating terms which are substantially similar to those set out in this Appendix. As between the Customer and the Provider, the Provider shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause 1.5.
1.6 The Provider acknowledges that the Personal Data received from the Customer remains the property of the Customer at all times unless ownership is explicitly shared or transferred by a written agreement.
1.7 The Provider shall not engage in onward transfers of Personal Data to additional countries outside of the EEA without the explicit permission of the Customer, in advance.
1.8 The Provider's Data Protection Officer's contact details are displayed prominently on the Provider's website privacy notice.
1.9 The Provider shall cooperate with relevant Regulators in the event of an enquiry related to the Personal Data processed under this Agreement.