Data Controller shall be responsible for determining the purpose of processing under this agreement. If Data Controller is itself a processor, Data Controller represents that the controller of the data has determined the purpose of processing and that the processing under this agreement is permitted based on the controller’s instructions.
With respect to this agreement, Data Controller’s processing instructions are to process data according to the Master Services Agreement between Controller and Processor. The Data Processor will process the Personal Data only as set forth in Data Controller’s written instructions and no Personal Data will be processed unless explicitly instructed by the Controller.
Should the Data Processor reasonably believe that a specific processing activity beyond the scope of the Data Controller’s instructions is required to comply with a legal obligation to which the Data Processor is subject, the Data Processor shall inform the Data Controller of that legal obligation and seek explicit authorization from the Data Controller before
undertaking such processing. The Data Processor shall never process the Personal Data in a manner inconsistent with the Data Controller’s documented instructions. The Data Processor shall immediately notify the Data Controller if, in its 3 opinion, any instruction infringes this Regulation or other Union or Member State data protection provisions. Such notification will not constitute a general obligation on the part of the Data Processor to monitor or interpret the laws applicable to the Data Controller, and such notification will not constitute legal advice to the Data Controller.
The Data Controller warrants that it has all necessary rights to provide the Personal Data to the Data Processor for the Processing to be performed in relation to the Services, and that one or more lawful bases set forth in EU Data Protection Law support the lawfulness of the Processing. To the extent required by EU Data Protection Law, the Data Controller is responsible for ensuring that all necessary privacy notices are provided to data subjects, and unless another legal basis set forth in EU Data Protection Law supports the lawfulness of the processing, that any necessary data subject consents to the Processing are obtained, and for ensuring that a record of such consents is maintained. Should such a consent be revoked by a data subject, the Data Controller is responsible for communicating the fact of such revocation to the Data Processor, and the Data Processor remains responsible for implementing Data Controller’s instruction with respect to the processing of that Personal Data.