a) Unless explicitly stated otherwise, any and all references made to any section or schedule shall be deemed to be references to a section or schedule of this Agreement;
b) The headings in this Agreement are used for convenience only and do not affect its interpretation;
c) A reference to a Party includes a reference to that Party’s successors and permitted assigns; references to a person shall include both legal entities and natural persons;
2.1 Under this Agreement, the Processor shall carry out the Processing on behalf of the Controller.
2.2 The Parties hereby undertake to comply with all applicable requirements of the Data Protection Legislation. This Article 2.2 is in addition to, and does not relieve, remove or replace, a Party’s obligations under the Data Protection Legislation.
2.3 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Controller is the controller and the Processor is the processor as defined in the Data Protection Legislation.
2.4 Without prejudice to the generality of Article 2.2, the Controller shall ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Customer Personal Data to the Processor for the duration and purposes of this Agreement.
2.6 Without prejudice to the generality of Article 2.2, the Processor shall, in relation to any Personal Data processed in connection with the performance by the Processor of its obligations under this Agreement:
2.6.1 process the Customer Personal Data only on documented instructions of the Controller unless the Processor is required by the Data Protection Legislation. Where the Processor is relying on the Data Protection Legislation as the basis for processing the Customer Personal Data, the Processor shall promptly notify the Controller of this before performing the Processing required by the Data Protection Legislation unless the Data Protection Legislation prohibits the Processor from so notifying the Controller on important grounds of public interest;
2.6.2 ensure that it has in place appropriate technical and organizational measures, reviewed and approved by the Controller, to protect against unauthorized or unlawful processing of the Customer Personal Data and against accidental loss or destruction of, or damage to, the Customer Personal Data, appropriate to the harm that might result from the unauthorized or unlawful Processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymizing and encrypting the Customer Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to the Customer Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organizational measures adopted by it);
2.6.3 ensure that all personnel of the Processor who have access to and/or process the Customer Personal Data are obliged to keep the Customer Personal Data confidential;
2.6.4 assist the Controller in responding to any request from a data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
2.6.5 notify the Controller without any undue delay on becoming aware of a Customer Personal Data breach;
2.6.6 at the written direction of the Controller, delete or return the Customer Personal Data and copies thereof to the Controller on termination of the Agreement unless required by the Data Protection Legislation to store the Customer Personal Data; and
2.6.7 maintain complete and accurate records and information to demonstrate its compliance with this clause 2.6 and to allow for audits by the Controller or the Controller’s designated auditor.
4.1 The Controller authorizes the Processor to engage third-party processors in fulfilling the Processor’s obligation hereunder, including processing of the Customer Personal Data. The Controller specifically authorizes the Processor to engage any of the third-party processors listed in Schedule 2 hereto (List of Sub-processors).
4.2 The Processor shall inform the Controller of any intended changes concerning the addition or replacement of any of the third-party processors, thereby giving the Controller the opportunity to object to such changes.
5.1 This Agreement is governed by the laws of the country or territory stipulated for this purpose in the Terms of Service.
5.2 Schedules to this Agreement: