Data Processor shall take the appropriate technical and organizational measures to adequately protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.3.2. Confidentiality
Data Processor shall ensure that any personnel whom the Data Processor authorizes to process Personal Data on Data Processor’s behalf is subject to confidentiality obligations with respect to that Personal Data. The undertaking of confidentiality shall continue after the termination of the above-entitled activities. Data Processor ensures that its personnel who access Personal Data are subject to confidentiality obligations that restrict their ability to disclose Data Controller Personal Data.3.3. Personal Data Breaches
Data Processor is obliged to notify the Data Controller about a Personal Data Breach not later than 72 hours after having become aware of it unless Data Processor can prove that the breach is not likely to result in a risk to the rights and freedoms of natural persons.3.4. Data Subject Requests
Data Processor shall respond to any request from Data Subjects seeking to exercise their rights under the Data Protection Law with respect to Personal Data (including access, rectification, restriction, deletion, or portability of Personal Data), to the extent permitted by the law.3.5. Sub-processors
Data Processor may hire other companies to provide limited services on its behalf. Any such sub-processors will be permitted to process Personal Data only to deliver the services Data Processor has retained them to provide, and they shall be prohibited from using Personal Data for any other purpose. Data Processor remains responsible for its sub-processors compliance with the obligations of this DPA. Any subcontractors to whom Data Processor transfers Personal Data will have entered into written agreements with Data Processor requiring that they abide by terms substantially similar to this DPA. If Data Controller requires prior notification of any updates to the list of sub-processors, Data Controller may request such notification in writing by emailing at [email protected]
Data Processor will update the list within seventy-two (72) hours of any such notification if Data Controller does not legitimately object within that time frame. Legitimate objections must contain reasonable and documented grounds relating to a subcontractor’s non-compliance with applicable Data Protection Legislation. If in Data Processor’s reasonable opinion, such objections are not legitimate, the Data Controller may, by providing written notice to Data Processor, terminate the Agreement.3.6. Data Transfers
Upon termination or expiration of the Agreement or upon the request, the Data Processor will delete or return to Data Controller all individual- and account-related Personal Data that is in its possession or control (including any Data subcontracted to a third party for processing). This requirement will not apply to the extent that Data Processor is required by any EU (or any EU Member State) law to retain some or all of the Data, in which event Data Processor will isolate and protect the Data from any further processing except to the extent required by such law.