9.1 The Supplier hereby warrants to the Client that:
9.1.1 all printed matter supplied is fit for purpose, conforms to the specifications agreed by the Client, or supplied by the Client, to quality levels and tolerances agreed with the Client, or in the absence of such agreement, to accepted trade standards;
9.1.2 it will do nothing to bring the name or reputation of the Client into disrepute in any way whatsoever;
9.1.3 it will execute each Order from the Client with reasonable care and skill.
9.2 Unless otherwise specifically agreed by the parties in writing, the Supplier shall not be responsible for checking the property or data received from, or on behalf of, the Client and shall be entitled to assume that such property or data meets the Client’s requirements in all respects.
9.3 The Supplier shall use all reasonable care and skill in the execution of each Order from the Client under this Agreement which involves data processing, but the Supplier is unable to guarantee total accuracy in relation thereto.
9.4 Where the Supplier provides space on its file transfer system (FTP site) for the Client, it is the responsibility of the Client to distribute the access details within the Client’s organisation as required. It is also the responsibility of the Client to ensure that access details to the FTP site are only available to authorised Client personnel. It is the Client’s responsibility to submit a change request to the Supplier to amend access details where the Client suspects any possible security breach.
10.1 The parties confirm that where the services provided comprise the Supplier's processing of Client personal data (as defined in Data Privacy laws (see below)), the Supplier shall be the processor and the Client shall be the controller with respect to such processing.
10.2 If, as a consequence of the Supplier's provision of the services, a party considers that the relationship between them no longer corresponds to the intention of the parties, then it shall notify the other party and the parties shall discuss and agree in good faith such steps that may be required to confirm the parties’ intention.
10.3 Each party shall comply with the obligations imposed on it by the General Data Protection Regulation (2016/679) ("GDPR") and all local laws or regulations implementing or supplementing the GDPR ("Data Privacy Law") with regard to Client personal data processed by it in connection with the performance of the services.
10.4 Each party shall ensure that where the services require the processing of Client personal data, the description of the services includes the subject matter and duration of the processing; the nature and purpose of the processing; a description of the type(s) of Client personal data processed; and a description of the categories of the data subjects comprised within the Client personal data referred to in this clause. The information referred to in this clause will be reviewed annually to ensure the information is up-to-date and relevant.
10.5 The Supplier shall:
10.5.1 only process the Client Personal Data in accordance with the documented instructions of the Client, including transfers of Client Personal Data outside the European Economic Area, unless required to do so by EU Law to which the Supplier is subject, in which event the Supplier shall inform the Client of such legal requirement unless prohibited from doing so by EU Law on important grounds of public interest;
10.5.2 only process the Client Personal Data in accordance with the documented instructions of the Client, including transfers of Client Personal Data outside the European Economic Area, unless required to do so by EU Law to which the Supplier is subject, in which event the Supplier shall inform the Client of such legal requirement unless prohibited from doing so by EU Law on important grounds of public interest;
10.5.3 only process the Client Personal Data in accordance with the documented instructions of the Client, including transfers of Client Personal Data outside the European Economic Area, unless required to do so by EU Law to which the Supplier is subject, in which event the Supplier shall inform the Client of such legal requirement unless prohibited from doing so by EU Law on important grounds of public interest;
10.5.4 implement appropriate technical and organisational measures to ensure that the Client personal data is subject to a level of security appropriate to the risks arising from its processing by the Supplier or its sub-processors; and
10.5.5 notify the Client without undue delay and no later than 72 hours after becoming aware of a personal data breach (as defined in the GDPR).
10.6 Taking into account the nature of the processing the Supplier shall assist the Client by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Client’s obligation to respond to requests for exercising a data subject's rights under the GDPR.
10.7 Taking into account the nature of the processing and the information available to the Supplier, the Supplier shall assist the Client with regard to the Client’s compliance with its obligations set out in Articles 32 - 36 of the GDPR.
10.8 Upon termination of the services that required the processing of Client personal data (in whole or in part) the Supplier shall, at the election of the Client, deliver up or destroy such Client personal data which is in the possession of, or under the control of, the Supplier unless EU law requires the Supplier to store such Client personal data.
10.9 The Supplier shall, at the written request of the Client, provide the Client with all information necessary to demonstrate a party’s compliance with its obligations under this clause and shall allow for and contribute to audits and inspections conducted by or on behalf of the Client.
10.10 Where required to do so by the GDPR, the Supplier shall maintain written records of its processing of the Client personal data in accordance with the requirements set out in Data Privacy Laws and shall make such records available to a supervisory authority on request.
10.11 The Client shall ensure that:
10.11.1 the supply to the Supplier of Client personal data by or on behalf of the Client for the purposes of processing undertaken by the Supplier and its permitted sub-processors where such processing is authorised by the Client shall comply with the Data Privacy Laws; and
10.11.2 the instructions given by the Client to the Supplier by operation of this clause 10.11 shall comply with the Data Privacy Laws.
10.12 Where the Supplier is obliged to provide assistance to the Client, or to third parties at the request of the Client (including submission to an audit or inspection and/or the provision of information), such assistance shall be provided at the sole cost and expense of the Client, save where such assistance directly arises from the Supplier's breach of its obligations under this Contract, in which event the costs of such assistance shall be borne by the Supplier.
10.13 Notwithstanding any other provision of this Contract, the Supplier shall be entitled to sub-contract any part of the services requiring the processing of Client personal data, provided that the Supplier shall notify the Client in writing of its intention to engage such sub-contractor. Such notice shall give details of the identity of such sub-contractor and the services to be supplied by it. The Client shall be deemed to have approved the engagement of the sub-contractor if it has not served a notice in writing on the Supplier objecting (acting reasonably) to such appointment within 7 days of the date that the notice is deemed to be received by the Client.
10.14 The Supplier shall ensure that any sub-contracts it enters into shall be on the same terms as those set out in this Contract and in particular it shall ensure the sub-processor provides sufficient guarantees to implement appropriate technical and organisational measures in order that any processing of Supplier personal data is performed in accordance with the GDPR.
10.15 Where, in accordance with the provisions of Article 82(3) of the GDPR, both parties are responsible for the act, or omission to act, resulting in the payment of Losses by a party or both parties, then a party shall only be liable for that part of such losses which is in proportion to its respective responsibility.
10.16 Both parties agree to indemnify and keep indemnified the other in full against any claim that the indemnified party has infringed the Data Privacy Laws as a result of any act, omission or negligence of the other party or use of information or data supplied by the other party.