scope:

General

The Personal Data to be processed by the Contractor on behalf of the Authority under the Contract is set out in the completed DEFFORM 532 attached to the Contract. The completed DEFFORM 532 forms part of the Specification for the Contract. In respect of that Personal Data, the Authority is the Data Controller and the Contractor is the Data Processor.

In the performance of the Contract, the Authority shall comply with its obligations as a Data Controller under the Act.

The Contractor shall in relation to the Personal Data transferred or acquired as referenced in Clause 2:

a. process the Personal Data on behalf of the Authority only in accordance with instructions from the Authority as set out in the Contract;

b. process the Personal Data only to the extent, and in a manner, necessary for the performance of the Contract and as the Act requires;

c. process the Personal Data only for the period necessary to meet the Contractor's obligations under the Contract and dispose of the Personal Data in accordance with the Authority's reasonable written instructions. The Authority shall respond to a request from the Contractor for disposal instructions for the Personal Data within twenty working days except where otherwise stated in the Contract;

d. not process Personal Data outside the European Economic Area without the prior written consent of the Authority;

e. take reasonable steps to ensure that any employees and agents of the Contractor who have access to the Personal Data have the necessary probity by undertaking the Government's Baseline Personnel Security Standard or other standard as specified in the Contract;

f. procure that all subcontracts for the Processing of Personal Data under the Contract are subject to terms substantially the same as and no less stringent than the terms contained in this Condition.