- RSG shall implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the Data Protection Laws and ensure the protection of the rights of the data subject and the standard of protection will be at least comparable to the protection required under the relevant data protection laws.
- RSG shall not engage another processor without prior specific or general written authorisation of Customer. In the case of general written authorisation, RSG shall inform Customer of any intended changes concerning the addition or replacement of other processors, thereby giving Customer the opportunity to object to such changes in the manner more specifically set forth herein.
- Processing by RSG shall be governed by this DPA, in particular, RSG will:
- process the personal data only on documented instructions from Customer, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by the Union, UK or Member State law to which RSG is subject; in such a case, RSG shall inform Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
- ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- take all measures required pursuant to Article 32 of the GDPR;
- respect the conditions referred to in paragraphs 2 and 5 in this section C for engaging another processor;
- considering the nature of the processing, assist Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to requests for exercising the data subject's rights as required under the relevant data protection laws.
- assist Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR considering the nature of processing and the information available to RSG;
- at the choice of Customer, delete or return all the personal data to Customer after the end of the provision of services relating to processing and delete existing copies unless Union, UK or Member State law requires storage of the personal data;
- make available to Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR, and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer. RSG shall immediately inform Customer if, in its opinion, an instruction from Customer to RSG infringes the GDPR or other Union, UK or Member State data protection provisions.
- Where RSG engages another processor for carrying out specific processing activities on behalf of Customer, the same data protection obligations as set out in this DPA shall be imposed on that other processor by way of a contract or other legal act under Union, UK or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR.Where that other processor fails to fulfil those data protection obligations, RSG shall (subject to the terms of the Agreement) remain fully liable to Customer for the performance of that other processor's obligations.
- The subject matter of the processing is the personal data provided in respect of the Services under this Agreement. The duration of the processing is the duration of the provision of the Services under the Agreement. The nature and purpose of the processing is in connection with the provision of the Services under the Agreement. RSG is prohibited from retaining, using or disclosing the personal data for any purpose other than for the specific purpose of performing the Services under the Agreement, or as otherwise permitted by the Data protection laws, including retaining, using or disclosing the personal data for a commercial purpose other than providing the Services. The types of personal data processed under the Agreement may include contact information, professional information, unique identifiers, and other types of personal data submitted by or at the direction of Customer as part of the Services. The categories of data subjects are Customer representatives, users of the Services, and/or clients, prospects, suppliers, business partners and others whose personal data may be submitted by or at the direction of Customer as part of the Services.
- The Agreement including this DPA, along with Customer use and configuration in the Services, are the complete and final documented instructions to RSG for the processing of the personal data. Additional or alternate instructions must be agreed upon separately by the parties. RSG will ensure that its personnel engaged in the processing of the personal data will process such data only on documented instructions provided by Customer, unless required to do so by Union, UK, Member State or other applicable law.
- Upon the expiration or termination of Customer’s use of the products and services, unless applicable law requires storage of the personal data, Customer will instruct RSG to delete or return the personal data in accordance with the terms and timelines, if any, for the products and services set forth in the Agreement. Where the Agreement provides Customer the choice to delete or return the personal data and Customer does not make that choice within 30 days following the termination of the Agreement, Customer will instruct RSG to delete the personal data, unless applicable law requires storage of the personal data.