15. Confidentiality
15.1 Each Party shall maintain the confidentiality of the other Party’s Confidential Information and shall not, without the prior written consent of the other, use, disclose, copy or modify the other Party’s Confidential Information (or permit others to do so) other than as necessary for the performance of its rights and obligations under a Service Contract.
15.2 Each Party undertakes to disclose the other Party’s Confidential Information only to those of its officers, employees, agents, contractors and professional advisers or to other members of the Group of companies to which it belongs and their officers, employees, agents, contractors and professional advisers to whom, and to the extent to which, such disclosure is necessary for the purposes contemplated under a Service Contract and to procure that such persons are made aware of and are bound by obligations of confidentiality.
15.3 Each Party shall give notice to the other of any unauthorised misuse, disclosure, theft or other loss of the other Party’s Confidential Information immediately upon becoming aware of the same.
15.4 The provisions of this clause 15 shall not apply to Confidential Information which:
15.4.1 is or comes into the public domain through no fault of the recipient, its officers, employees, agents or contractors;
15.4.2 is lawfully received from a third party free of any obligation of confidence at the time of its disclosure;
15.4.3 is demonstrably independently developed by the recipient, its officers, employees, agents or contractors;
15.4.4 is required by law, by court or governmental order to be disclosed provided that, to the extent permitted by law, prior to any disclosure, as far as is reasonably and lawfully practicable the recipient notifies the disclosing Party and, at the disclosing Party’s request and cost, assists the disclosing Party in opposing any such disclosure.
16. Use of data
16.1 Any Member Data will be considered non-confidential and non-proprietary and the Member consents to GS1 UK making available to third parties, data relating to the Member, including Member Data and GS1 UK Numbers/GLNs (but excluding Member Product Data unless the Member elects to do so as part of the Member Online Services or otherwise), subject always to the provisions of Data Protection Legislation.
16.2 GS1 UK has the right to disclose the Member’s, Admin User or User’s identity to any third party who is claiming that any material posted or uploaded by the Member, Admin User or User constitutes a violation of their intellectual property rights or of their right to privacy.
17 Personal data
17.1 GS1 UK and the Member may each be a Data Controller and/or a Data Processor of personal data, in relation to a Service Contract.
17.2 Without limiting this clause 17, both Parties will comply with all applicable Data Protection Legislation and otherwise protect personal data and will not use, disclose, or transfer across borders personal data (unless the Framework Agreement or the Service Terms and Conditions states otherwise) throughout the duration of the Framework Term.
17.3 Each Party shall ensure that personal data it holds is kept secure and in an encrypted form, and shall use all reasonable security practices and systems applicable to the use of personal data to prevent, and take prompt and proper remedial action against, unauthorised access, copying modification, storage, reproduction, display or distribution of personal data. Each Party shall take reasonable precautions to preserve the integrity of any personal data processed by it and to prevent any corruption or loss of such personal data.
17.4 Where a Party is a Data Controller and it is providing information to the other Party for the purpose of processing in accordance with the terms of this Framework Agreement and/or a Service Contract, it shall warrant that:
17.4.1 It has the right to license the processing of personal data;
17.4.2 as far as it is aware, the processing of personal data will not infringe the Intellectual Property Rights of any third party;
17.4.3 it is entitled to process (or have processed by a Data Processor on its behalf as Data Controller) personal data and such use will comply with all Data Protection Legislation;
17.4.4 all data subjects relating to personal data have given their valid written consent and, where required under Data Protection Legislation, their explicit consent to the transfer of their personal data;
17.4.5 all personal data is necessary, accurate and up-to-date; and
17.4.6 it has valid registrations as required under Data Protection Legislation and shall maintain these for the duration of this Framework Agreement.
17.5 Where GS1 UK are processing personal data they shall do so in accordance with their Privacy Policy https://www.gs1uk.org/privacy-policy .Where a Party is a Data Processor, it shall:
17.5.1 be entitled to share such personal data with those of its agents, contractors, or companies within its Group which need to access or process the information to enable the other Party to discharge its obligations under a Service Contract, and in the case of GS1 UK, to enable it to deliver the Services; 17.5.2 process the personal data only on behalf of the Data Controller, only for the purposes of performing this its obligations under Framework Agreement or a Service Contract and only in accordance with instructions contained in the Service Contract or received from the Data Controller from time to time;
17.5.3 not otherwise modify, amend or alter the contents of the personal data or disclose or permit the disclosure of any of the personal data to any third party unless specifically authorised in writing by the Data Controller;
17.5.4 having regard to the state of technological development and the cost of implementing any measures, take appropriate technical and organisational measures against the unauthorised or unlawful processing of personal data to ensure a level of security appropriate to:
17.5.4.1 the harm that might result from such unauthorised or unlawful Processing or accidental loss, destruction or damage;
17.5.4.2 the nature of the personal data to be protected;
17.5.4.3 take reasonable steps to ensure compliance with those measures; and
17.5.4.4 discharge its obligations under a Service Contract with all due skill, care and diligence;
17.5.5 take reasonable steps to ensure the reliability of any of the processing Party’s personnel who have access to the personal data;
17.5.6 ensure that only those of the processing Party’s personnel (or those of any member of the Group of companies to which the Processing Party belongs) who need to have access to the personal data are granted access to such data and only for the purposes of the performance of the Service Contract and all of the Processing Party’s Personnel required to access the personal data are informed of the confidential nature of the personal data and comply with the obligations set out in this clause 17;
17.5.7 not transfer personal data outside the European Economic Area without the prior written consent of the Data Controller;
17.5.8 notify the Data Controller (as soon as reasonably possible but in any event within 2 Business Days) if it receives or becomes aware of:
17.5.8.1 a request from a Data Subject to have access to that person’s personal data; or
17.5.8.2 a complaint or request relating to the data controller obligations under the Data Protection Legislation; or
17.5.8.3 a security breach; or
17.5.8.4 any other communication relating directly or indirectly to the processing of any personal data in connection with a Service Contract;
17.5.9 provide the Data Controller with full co-operation and assistance in relation to any complaint, security breach or request made in respect of any personal data, including by:
17.5.9.1 providing the Data Controller with full details of the complaint, security breach or request;
17.5.9.2 complying with a data access request within the relevant timescales set out in the Data Protection Legislation but strictly in accordance with the Data Controller’s instructions;
17.5.9.3 providing the Data Controller with any personal data it holds in relation to a Data Subject making a complaint or request within the timescales required by GS1 UK; and
17.5.9.4 providing the Data Controller with any information requested by the Data Controller.
17.6 The Parties shall, and the processing Party shall procure that each of its sub-contractors shall, comply at all times with the Data Protection Legislation and shall not perform their obligations under the Service Contract in such a way as to cause either Party to breach any of its obligations under the Data Protection Legislation. The processing Party shall as soon as reasonably possible notify the Data Controller in the event that it becomes aware of any breach of the Data Protection Legislation by the processing Party or any of its sub-contractors in connection with the Service Contract.