41. PROTECTION OF PERSONAL DATA
41.1 With respect to the parties' rights and obligations under this Agreement, the parties agree that the Authority is the Data Controller and that the Contractor is the Data Processor.
41.2 The Contractor shall:
41.2.1 Process the Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in this Agreement or as otherwise notified by the Authority to the Contractor during the Term);
41.2.2 Process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Services or as is required by Law or any Regulatory Body;
41.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected;
41.2.4 take reasonable steps to ensure the reliability of any Contractor Personnel who have access to the Personal Data;
41.2.5 obtain prior written consent from the Authority in order to transfer the Personal Data to any Sub-contractors or Affiliates for the provision of the Services;
41.2.6 ensure that all Contractor Personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 41;
41.2.7 ensure that none of the Contractor Personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority;
41.2.8 notify the Authority (within [five] Working Days) if it receives:
41.2.8.1 a request from a Data Subject to have access to that person's Personal Data; or
41.2.8.2 a complaint or request relating to the Authority's obligations under the Data Protection Legislation;
41.2.9 provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by:
41.2.9.1 providing the Authority with full details of the complaint or request;
41.2.9.2 complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions;
41.2.9.3 providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority); and
41.2.9.4 providing the Authority with any information requested by the Authority;
41.2.10 permit the Authority or the Authority Representative (subject to reasonable and appropriate confidentiality undertakings) to inspect and audit, in accordance with Clause 24 (Audits), the Contractor's data Processing activities (and/or those of its agents, subsidiaries and Sub-contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Contractor is in full compliance with its obligations under this Agreement;
41.2.11 provide a written description of the technical and organisational methods employed by the Contractor for processing Personal Data (within the timescales required by the Authority); and
41.2.12 [not Process or otherwise transfer any Personal Data outside of [the European Economic Area]. If, after the Effective Date, the Contractor (or any Sub-contractor) wishes to Process and/or transfer any Personal Data outside the [European Economic Area], the following provisions shall apply:
41.2.12.1 the Contractor shall submit a [Change Request] to the Authority which shall be dealt with in accordance with the Change Control Procedure and Clauses 41.2.12.2 to 41.2.12.4 below;
41.2.12.2 the Contractor shall set out in its [Change Request] details of the following:
(a) the Personal Data which will be Processed and/or transferred outside the [European Economic Area];
(b) the country or countries in which the Personal Data will be Processed and/or to which the Personal Data will be transferred outside the [European Economic Area];
(c) any Sub-contractors or other third parties who will be Processing and/or transferring Personal Data outside the [European Economic Area]; and
(d) how the Contractor will ensure an adequate level of protection and adequate safeguards (in accordance with the Data Protection Legislation and in particular so as to ensure the Authority's compliance with the Data Protection Legislation) in respect of the Personal Data that will be Processed and/or transferred outside the European Economic Area;
41.2.12.3 in providing and evaluating the [Change Request] the parties shall ensure that they have regard to and comply with the then-current Authority, [Information Commissioner Office] policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing and/or transfers of Personal Data outside the [European Economic Area] and/or overseas generally; and
41.2.12.4 the Contractor shall comply with such other instructions and shall carry out such other actions as the Authority may notify in writing, including:
(a) incorporating standard and/or model Clauses (which are approved by the [European Commission] as offering adequate safeguards under the Data Protection Legislation) in this Agreement or a separate data processing agreement between the parties; and
(b) procuring that any Sub-contractor or other third party who will be Processing and/or transferring the Personal Data outside the [European Economic Area] enters into a direct data processing agreement with the Authority on such terms as may be required by the Authority, which the Contractor acknowledges may include the incorporation of standard and/or model Clauses (which are approved by the [European Commission] as offering adequate safeguards under the Data Protection Legislation).]
41.3 The Contractor shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation.