2. In respect of any Processing under this Agreement for which Promoter and RA are joint Controllers:
2.1. Each party will provide the other party any co-operation reasonably requested to enable the other party’s compliance with Data Regulation;
Transparency
2.2. Each party shall take appropriate measures to provide Data Subjects with information about how Personal Data is being processed by or on behalf of that party, which shall include, subject to any applicable exemptions, all the information required by Articles 13, 14 and 26 of the GDPR;
Personnel
2.3. Each party shall take reasonable steps to ensure the reliability of any employee, agent or contractor who may have access to Personal Data, ensuring in each case that access is:
2.3.1. strictly limited to those individuals who need to know and/or access the relevant Personal Data; and
2.3.2. as strictly necessary for the purposes of this Agreement and to comply with Data Regulation in the context of that party's duties.
2.4. Each party shall ensure that all individuals referred to in Clause 2.3 are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
2.5. Each party shall, in relation to Personal Data, implement appropriate technical and organisational measures to ensure an appropriate level of security, including, as appropriate, the measures referred to in Article 32(1) of the GDPR. In doing so, each party shall take into account:
2.5.1. the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing; and
2.5.2. the risk of varying likelihood and severity for the rights and freedoms of natural persons.
2.6. In assessing the appropriate level of security, each party shall in particular take account of the risks that are presented by Processing, including from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise Processed.
Sub-processors
2.7. With respect to a proposed Subprocessor, each party shall:
2.7.1. before the Subprocessor first Processes Personal Data, carry out adequate due diligence to ensure that the Subprocessor is capable of providing the level of protection for Personal Data required by applicable Data Regulation; and
2.7.2. ensure that the arrangement with such a Subprocessor is governed by a written contract including terms which meet the requirements of Article 28(3) of the GDPR.
Data Subject Rights
2.8. Each party shall fulfil their obligations to respond to requests to exercise Data Subject rights under the Data Regulation. Each party will provide the other party any co-operation reasonably requested to enable the other party’s compliance with this clause.
Personal Data Breach
2.9. Each party shall:
2.9.1. notify the other party without undue delay upon becoming aware of a Personal Data Breach;
2.9.2. provide the other party with sufficient information to allow it to meet any obligations to report or inform Data Subjects or Supervisory Authorities of the Personal Data Breach under or in connection with the Data Regulation;
2.9.3. meaningfully consult with the other party in respect of the external communications and public relations strategy related to the Personal Data Breach;
2.9.4. insofar as permitted by the Data Regulation, not notify any data protection regulator of the Personal Data Breach without having obtained prior written consent of the other party (such consent not to be unreasonably conditioned, withheld or delayed); and
2.9.5. in the case of the Promoter, not issue a press release or communicate with any member of the press in respect of the Personal Data Breach, without having obtained prior written approval of RA (such approval not to be unreasonably conditioned, withheld or delayed).
2.10. The notification set out in Clause 2.9.1 above shall, as a minimum:
2.10.1. describe the nature of the Personal Data Breach, the categories and numbers of Data Subjects concerned, and the categories and numbers of Personal Data records concerned;
2.10.2. describe the likely consequences of the Personal Data Breach; and
2.10.3. describe the measures taken or proposed to be taken to address the Personal Data Breach.
2.11. The Promoter shall co-operate with RA and take such reasonable commercial steps as are directed by RA to assist in the investigation, mitigation and remediation of each Personal Data Breach.
Data Transfers
3. The Promoter warrants and undertakes that any Processing under this Agreement, undertaken by RA acting as a Data Processor on behalf of the Promoter acting as a Data Controller, and in accordance with the Agreement, complies with Data Regulation.
4. To the extent that RA is a Data Controller and the Promoter is a Data Processor, (or, as applicable, RA is a Data Processor and the Promoter is a Subprocessor) the Promoter will:
4.1. Process Personal Data only in accordance with RA’s documented instructions, including this Agreement, and including in respect of the deletion or return of Personal Data;
4.2. assist us in all respects necessary to enable or assist us to comply with Data Regulations including by notifying us where the Promoter believes that an instruction of RA’s in connection with Processing Personal Data does not comply with Data Regulation;
4.3. make available to us all requested information in respect of Personal Data, including, on at least 14 days’ prior written notice and during normal business hours, permitting us, or any of RA’s auditors or advisors, to attend the Promoter’s premises in order to inspect the Promoter’s systems and records to the extent determined by us to be necessary to demonstrate the Promoter's compliance with this clause 7, and the Agreement; and
4.4. comply with clauses 2.2, 2.3, 2.4, 2.5, 2.6, 2.7, 2.9, 2.10, 2.11 and 2.12.
5. The Promoter will not do or omit to do any act which may cause us to be in breach of any of RA’s obligations under the Data Regulation.
6. DEFINITIONS
6.1. The terms, “Commission”, “Data Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, and “Processing” shall have the meanings given to them in the GDPR.
6.2. “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;
6.3. “Data Regulation” means UK Data Protection Laws and (for so long as and to the extent that the law of the European Union has legal effect in the UK) the General Data Protection Regulation ((EU) 2016/679) and any other directly applicable European Union regulation relating to privacy;
6.4. “EEA” means the European Economic Area;
6.5. “EU Data Protection Laws” means the EU Directive 95/46/EC and EU Directive 2002/58/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
6.6. “GDPR” means the EU General Data Protection Regulation 2016/679;
6.7. “Promoter” shall take the meaning set out in the Resident Advisor Promoter Terms;
6.8. “RA” shall take the meaning set out in the Resident Advisor Promoter Terms;
6.9. “Subprocessor” means any person (excluding an employee of the relevant party) appointed by or on behalf of either party to Process Personal Data on behalf of such party.