9.1 Each Party to this Licence shall comply with its respective obligations under the provisions of the Data Protection Act 1998 (Act). The Member shall be regarded as the Data Controller and the Company as the Data Processor.
9.2 Where the Company processes personal data (as defined in the Act) on behalf of the Member, the Company shall:
(a) process such data solely in accordance with the Member’s instructions from time to time (consistent with its duties under the Act);
(b) implement, employ and maintain throughout the Term appropriate technical and operational measures for keeping data, both in terms of the technology used and how it is managed, secure, having regard to the state of technological development and the cost of implementing any measures, the measures must ensure a level of security appropriate to the harm that might result from unauthorised or unlawful processing or accidental loss, destruction or damage. In addition, the Company will provide the Member, at the Member’s reasonable cost, with any assurance in respect of the security of any personal data processed by the Company as may reasonably be required by the Member to comply with its obligations under the Act; and
(c) shall not transfer or process any personal data (as defined in the Act) outside the European Economic Area (EEA) without the parties’ prior written consent.
9.3 The Company shall cooperate with the Member and will on reasonable request by the Member, meet with the Member (or its nominated third party supplier) to discuss the appropriate technical and organisational measures by which personal data may be kept secure and up to date. The Company shall use its best endeavors to enable the Member to ascertain and monitor compliance by the Company with its obligations under this Clause including allowing the Member, the SWW and/or the Member’s auditors to have access to any processes, procedures, documentation, and/or any premises where processing of personal data is carried out.
9.5 The Company shall , on request , provide information regarding back-up of the Confidential Information and any business continuity arrangements and all such commercially prudent options that the Member may be able to take in order to mitigate the risk of any loss of such Confidential Information
9.6 The Company shall:
(a) ensure that only those employees of the Company and its permitted contractors, who are required by the Company to assist it in providing the Products under this Agreement, shall have access to personal data. In addition, the Company shall ensure that all employees used by it to provide the Products have undergone training (and receive on-going training as required) in data protection law and in the care of handling personal data; and
(b) not, without the prior written consent of the Member, divulge any personal data to any person, firm or company, or make use of it, unless disclosure or use is required to comply with a statutory obligation or order of court and only after the Company has (where reasonably practicable) notified the Member of the intended disclosure.
9.7 All data, including personal data, processed by the Company whilst providing the Products to the Member is, and shall remain, under the exclusive ownership of the Member and/or the Client, as appropriate.
9.8 The Company shall immediately notify the Member of any accidental, unauthorised or unlawful access, loss, destruction, theft, use, disclosure or alteration of any data, including personal data or other Confidential Information, or any other non-compliance with this Clause. The Company shall promptly provide the Member with a detailed written report setting out the reasons for the accidental, unauthorised or unlawful access, loss, destruction, theft, use, disclosure or alteration of personal data or other Confidential Information or other non-compliance with this Clause. Under no circumstances will the Company report any such occurrence to the Information Commissioner’s Office or to any other law enforcement body unless instructed to do so by the Member, unless it is required to do so by applicable Legislation.
9.9 The Company shall immediately pass to the Member any requests, notices or other communications from data subjects, the Information Commissioner’s Office or any other law enforcement body it receives, for the Member to respond. The Company shall, at the Member’s reasonable cost, provide the Member with such assistance as the Member may reasonably require, and within the timescales reasonably specified by the Member, to enable the Member to respond.
9.10 The Company shall not transfer or permit any transfer of personal data to any third party unless the Member provides its prior written consent.