15.1 In this Clause the terms “Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processor” and “Processing” shall have the meanings set out in the GDPR (and “Process” and “Processed” shall be construed accordingly). “Sensitive Personal Data” means Personal Data that reveals such categories of data as are listed in Article 9(1) of the GDPR. For the purposes of this Agreement, Personal Data includes Sensitive Personal Data.
15.2 Each Party shall comply with its applicable obligations under the Data Protection Legislation.
15.3 Subject to Clause 15.4, the Intermediary shall ensure that potential Policyholders are provided with sufficient fair processing notices and that it has obtained all appropriate consents required to:
(a) Allow it to transfer the Personal Data to the Insurer for the purposes of this Agreement; and
(b) Enable the Insurer (and any third Parties acting on its behalf) to Process the Personal Data in connection with this Agreement.
15.4 The Intermediary will ensure that it is not subject to prohibitions or restrictions which would restrict it from complying with the Data Protection Legislation, or which would restrict either Party from Processing the Personal Data under this Agreement.
15.5 The Parties shall implement and maintain appropriate technical and organisational measures sufficient to comply with the Security Requirements.
15.6 Each Party shall cooperate with the other Party and use its best endeavours to assist the other Party in all data reporting obligations in the event of a breach of the Data Protection Legislation in connection with this Agreement and each Party further undertakes to notify the other Party of any breach of the Data Protection Legislation, this Clause (Data Protection) or of any actual, suspected, threatened or ‘near miss’ Personal Data Breach which may have occurred in connection with this Agreement as soon as reasonably practicable (and in any event, within twenty four (24) hours) upon becoming aware of the same, and:
(a) Implement any measures necessary to restore the security of compromised Personal Data; and
(b) Assist the other Party to make any notifications to the Regulatory Body and affected Data Subjects.
15.7 Each Party shall take reasonable steps to ensure the reliability of any of its Staff who shall have access to the Personal Data for the purposes of this Agreement and ensure that each member of Staff shall have: (i) undergone, and shall continue to receive on an annual basis, reasonable levels of training in Data Protection Legislation and in the care and handling of Personal Data; and (ii) entered into appropriate contractually-binding confidentiality undertakings.
15.8 Each Party shall notify the other Party promptly (and in any event within forty-eight (48) hours) following its receipt of any Data Subject Request or Regulatory Correspondence that relates to the Processing of the Personal Data under this Agreement.
15.9 The Parties do not anticipate that either will be acting as a Processor in respect of the Personal Data; however, to the extent that a Party (the “Processing Party”) is Processing the Personal Data on behalf of the other Party (the “Controlling Party”) under this Agreement, the Processing Party agrees and warrants that it shall, in addition to its obligations in Clauses 15.3-8 (inclusive):
(a) Process Personal Data only on behalf of the Controlling Party in compliance with the Controlling Party’s instructions from time to time and this Agreement;
(b) unless prohibited by law, notify the Controlling Party immediately (and in any event within twenty-four (24) hours of becoming aware of the same) if it considers, in its opinion (acting reasonably) that it is required by Applicable EU Law to act other than in accordance with the instructions of the Controlling Party, including where it believes that any of the Controlling Party’s instructions under Clause 15.9(a) infringes any of the Data Protection Legislation;
(c) within thirty (30) calendar days of a request from the Controlling Party, allow its data processing facilities, procedures and documentation to be submitted for scrutiny, inspection or audit by the Controlling Party (and/or its representatives, including its appointed auditors) in order to ascertain compliance with the terms of this Clause (Data Protection), and provide reasonable information, assistance and co-operation to the Controlling Party, including access to relevant Staff and/or, on the request of the Controlling Party, provide the Controlling Party with written evidence of its compliance with the requirements of this Clause (Data Protection);
(d) not disclose Personal Data to a third party (including a sub-contractor) in any circumstances without the Controlling Party’s prior written consent, save in relation to Third Party Requests in which case it shall use reasonable endeavours to advise the Controlling Party in advance of such disclosure, unless the Processing Party is prohibited by law or regulation from notifying the Controlling Party, in which case as soon as practicable thereafter;
(e) Not sub-contract the performance of any of its obligations under this Agreement without the prior written consent of the Controlling Party;
(f) Following such a notification provided in Clause 15.8, it shall:
(i) not disclose any Personal Data in response to any Data Subject Request or Regulatory Correspondence without the Controlling Party’s prior written consent; and
(ii) give reasonable assistance required by the Controlling Party in respect of any such Data Subject Request or Regulatory Correspondence;
(g) except to the extent required by Applicable EU Law, upon the date on which the Personal Data is no longer relevant to, or necessary for, the purpose of performing its obligations under this Agreement, the Processing Party shall cease Processing all Personal Data and return and/or permanently and securely destroy so that it is no longer retrievable (as directed in writing by the Controlling Party) all Personal Data and all copies in its possession or control;
(h) use all reasonable endeavours, in accordance with Good Industry Practice, to assist the Controlling Party to comply with the obligations imposed on the Controlling Party by the Data Protection Legislation; and
(i) Not make a Data Transfer save where authorised or instructed by us in writing to do so and has been provided and the appropriate EU Model Clauses have been completed and signed by the appropriate Parties prior to any such Data Transfer taking place.
15.10 The Processing Party shall indemnify the Controlling Party against all claims and proceedings and all liability, loss, costs and expenses incurred in connection therewith incurred by the Controlling Party as a result of any claim made or brought by any individual or other legal person in respect of any loss, damage or distress caused to that individual or any other legal person as a result of a Personal Data Breach or other unauthorised Processing, unlawful Processing, destruction of, and/or damage to, any Personal Data Processed by the Processing Party, its employees or agents in their performance of this Agreement.