General Terms and Conditions of Business for Open Enrolment Training and Development Solutions

 

1. Interpretation and Application of Terms

1.1. The provision by Control Risks of its training courses and workshops (the “Services”) to a person or company (the “Client”) is subject to these terms and conditions (the “Terms and Conditions”).

1.2. “Control Risks” shall refer to the contracting party in the Control Risks Group. “Control Risks Group” shall be defined as Control Risks International Limited, its subsidiaries and their respective branches. “Client Group” shall where applicable refer to the Client, its holding company or companies, and their respective subsidiaries and branches.

1.3. These Terms and Conditions set out the entire agreement (the “Agreement”) and understanding of the parties and supersede all prior oral and written agreements, negotiations, understandings or arrangements between the parties relating to the training courses and workshops.

1.4. The Agreement shall be deemed to be effective as of the date of confirmation by Control Risks of registration onto a training course or workshop.

1.5. Unless instructed otherwise, Control Risks shall assume that all of the Client’s employees, directors and officers who give instructions to Control Risks are authorised to do so, and that Control Risks may act on oral instructions.Our 3-day security guard force training package includes presentations, interactive group discussions and practical exercises focusing on the key operational roles and responsibilities of the security guard force and how they should report, manage and monitor security related incidents and events whilst on duty.

 

2. Services

2.1. The Services may be varied only by written agreement between the parties. The Services shall be provided at times, on dates and at the place(s) as confirmed by Control Risks

2.2. Control Risks shall provide the Services using reasonable care and skill.

2.3. Control Risks reserves the right to make changes to the Services which are necessary to comply with statutory requirements or which do not materially affect the nature or quality of the Services and to reject a booking on any of its courses or workshops.

2.4. The Client acknowledges that Control Risks may from time to time engage the services of subcontractors to assist in carrying out particular aspects of the Services. Control Risks undertakes that any subcontractor shall be bound by the same confidentiality obligations as Control Risks and that Control Risks shall remain liable for the acts or omissions of its subcontractors.

2.5. Reports (where they form part of the Services) will be delivered in PDF format by email, unless otherwise specified by the Client, in which case the Client shall cover any additional costs that may be incurred. The Client accepts that the use of email may be less secure than delivery of a hard copy of reports and shall notify Control Risks in writing if any particular privacy markings or security arrangements are required with regard to correspondence relating to the provision of the Services. Each party shall be responsible for protecting its own IT systems and neither party shall be responsible to the other for any loss, damage or omission in any way arising from the use of electronic data (including email) as a form of communication.

2.6. Unless otherwise expressly agreed in writing, the Services are provided solely for the benefit of the Client. Control Risks accepts no responsibility to any other party.

2.7. The Client acknowledges that Control Risks’ Services do not guarantee any particular outcome in relation to any dispute or investigation and shall not in any way constitute recommendations or advice regarding the Client’s ultimate commercial decision, which shall, in all respects, remain the Client’s own.

2.8. Control Risks aims to ensure that our courses are accessible to all. If there is a specific need such as dietary or access requirements for courses on our premises, please advise to EMEA.Training@controlrisks.com at the earliest possible time and we will contact you to discuss requirements. Control Risks accepts no liability for losses, damages or injuries resulting from a Clients own negligence or undeclared medical condition.

2.9. The Services provided by Control Risks will be made available in English unless otherwise stated. It is the responsibility of the Client to ensure that delegates have a good standard of English language (or other delivery languages) so they can benefit from the training course or workshop. Any translation thereof, the English version shall be the definitive one.

2.10. Control Risks accepts that wear and tear may occur to equipment, however, if damage is deliberately wilful or a result of gross negligence by the delegate or Client, there may be a charge to reimburse Control Risks for some or all of the replacement costs.

 

3. Obligations of the Client

3.1. Throughout the duration of the Agreement and in order for Control Risks to carry out the Services in a prompt, effective and professional manner, the Client shall provide full assistance to Control Risks including, without limitation, the provision of information, documentation and other materials relevant to the provision of the Services in a timely manner. The Client shall keep Control Risks fully apprised of any developments and/or information which may come to its attention and which may be of relevance to the provision of the Services.

3.2. The Client acknowledges that Control Risks shall be entitled to rely on any information, documentation or other materials that may be provided by the Client to Control Risks, and that relate to the Client’s own business, as being accurate and complete in all material respects. Control Risks shall not be liable for any loss, damage, costs, expenses or other claims for compensation arising from the inaccuracy or incompleteness of any such materials.

3.3. Subject to clause 11, neither party shall be liable for any accidental loss or damage howsoever caused to any property, data, systems, documents or materials provided to it by the other party or to which the other party gives it access.

3.4. Where relevant, the Client shall afford Control Risks such access to the Client’s premises at which Control Risks is to provide the Services (the “Premises”) as Control Risks may reasonably require. Furthermore, the Client shall:

(a) advise Control Risks of the rules and regulations which are then in force for the conduct of personnel at the Premises, and Control Risks shall ensure that its personnel comply with any such rules and regulations;

(b) make available such working space and facilities at the Premises as Control Risks may reasonably require;

(c) make available appropriate personnel to liaise with Control Risks; and

(d) secure and otherwise keep safe all and any property of Control Risks which Control Risks may reasonably require at the Premises for the provision of the Services.

 

4. Fees

4.1. Control Risks reserves the right to amend or cancel any Course, Course times, dates or published prices. Changes to course prices, times and dates will be advised before the Course start date and any Course already paid for in full will not be subject to an increase in price . As a Course may be cancelled at any time up to four weeks prior to the start date, we recommend that delegates do not make travel or accommodation arrangements before this time. Any travel, accommodation or subsistence costs incurred (including incidental costs such as car parking) are entirely the responsibility of the delegate or the delegate’s organisation. Control Risks does not accept liability for reimbursement of any costs incurred whatsoever in relation to its training Courses or events. Where a Couse has been cancelled, delegates will be offered an alternative date or a refund. Places on Control Risks training courses are not confirmed until full payment is received.

4.2. The Client shall pay to Control Risks the fees, together with any applicable expenses as referenced in clause 4.4 below, without any deduction (whether by way of set-off, counterclaim, discount or otherwise) The Client must ensure payment is received in advance of the course start date. Notwithstanding the foregoing, Control Risks shall be entitled to request a payment on account prior to commencing, or extending the period of, work, whether in the form of a retainer or to cover the incurrence of immediate upfront expenses. Any applicable value added tax, sales tax, withholding tax or other local equivalent shall be added to the fees and expenses and invoiced accordingly. If the Client is required to deduct or withhold from the amount due to Control Risks any sum on account of taxes or charges, Control Risks reserves the right to require the Client to pay it such additional sum as will ensure that Control Risks receives payment in full of its invoice.

4.3. The Client acknowledges and agrees that the timely payment of invoices within the immediate payment term is a critical condition to the Services being provided. Control Risks reserves the right to charge daily interest on the total sum outstanding beyond the relevant due date at the rate of the higher of: (i) eight percent (8%) per annum; and (ii) two percent (2%) per annum above the annual base rate published by Barclays Bank PLC at the time, subject in both cases to any statutory limitation which may apply.

4.4. Fees will be payable in the currency quoted by Control Risks. Where the Client requests a different currency for payment, Control Risks reserves the right to charge the Client for any losses which Control Risks may incur on foreign currency fees, disbursements and expenses as a result of fluctuations in exchange rates between the date of this Agreement and the date of actual payment of the invoice where such variation is greater than ten percent (10%).

4.5. In the event the Client terminates the provision of Services at any point in time (whether or not such termination is concurrent with a formal termination of the Agreement), Control Risks shall invoice the Client for any fees and/or expenses incurred to date and the Client shall settle the invoice in accordance with this clause 4. Control Risks reserves the right to make reasonable charges for costs associated with, or fees that are foregone as a result of, any cancellation and/or postponement of the Services at the request of, or imposed by, the Client as detailed under Clause 10. If any amount owed by the Client to Control Risks remains outstanding for more than thirty (30) days after the date of the relevant invoice, then until all amounts have been paid, Control Risks reserves the right to cease providing the Services with immediate effect and to retain data and documents belonging to the Client until such time as any outstanding amounts have been paid in full.

 

5. Intellectual Property

5.1. In this Agreement:

(a) “Client IP” means all intellectual property rights of whatsoever nature that are the property of, or are licensed to, the Client and includes any derivatives, improvements, enhancements or extensions thereto developed during the course of the provision of the Services; and

(b) “Control Risks IP” means all intellectual property rights of whatsoever nature (including, for the avoidance of doubt, the copyright in its reports, training materials and proprietary software) that are the property of, or are licensed to, Control Risks and includes any derivatives, improvements, enhancements or extensions thereto developed during the course of the provision of the Services.

5.2. The Client IP shall belong to and remain the property of the Client but Control Risks shall be entitled, during the term of this Agreement, to use the Client IP to the extent necessary for, and in connection with, the performance of the Services.

5.3. The Control Risks IP shall belong to and remain the property of Control Risks, but the Client shall be entitled to use the Control Risks IP that was created or provided in connection with the Services for legitimate business purposes by way of a non-exclusive worldwide non-transferable licence, subject to payment in full of all sums payable under this Agreement

5.4. Each party warrants that it, or any person making disclosure of information on its behalf, has the right to supply all the information being supplied to the other party and that the supply of such information, and its receipt and use by such other party, will not infringe any rights, including any intellectual property rights, held by any third party or result in a breach by the disclosing party (or any person making disclosure on its behalf) of any law, regulatory obligation or fiduciary duty owed to any third party. Each party agrees to indemnify the other party against any loss it may suffer as a result of the breach of this warranty by the disclosing party (or any person making disclosure on its behalf).

6. Data Protection

6.1. In this clause 6 and in the Appendix (Data Processing Agreement):
“Data Protection Laws” means the EU Data Protection Laws and the laws of other states and territories that create and regulate substantially similar concepts and legal principles as are contained in the EU Data Protection Laws in relation to the processing of personal data and sensitive personal data;
“EU Data Protection Laws” means, up to and including 24 May 2018, any legislation in force from time to time which implements the EU Directive 95/46/EC and, with effect on and from 25 May 2018, means the EU General Data Protection Regulation 2016/679 (“GDPR”) and any legislation in force in EU member states from time to time which implements GDPR;
“data subject”, “personal data”, “sensitive personal data”, “consent”, “controller”, “processor” and “processing” mean those concepts, roles and activities as defined in EU Data Protection Laws (and on and from 25 May 2018 “sensitive personal data” means those classes of personal data that are described in article 9 of GDPR) or, where relevant, equivalent concepts, roles and activities as described in other Data Protection Laws.

6.2. Each party warrants that any personal data and sensitive personal data that is provided to the other party, or which it requests the other party to process, for the purposes of the provision of the Services has been collected and is being disclosed in accordance with the provisions of any applicable Data Protection Laws and that, where required by applicable Data Protection Laws, consent to the processing by and / or transfer of such personal data to the other party, and by such other party to reputable third parties, has been obtained.

6.3. Each party warrants and undertakes that:

(a) (i) in respect of personal data it has collected from or in relation to a data subject before the date of this agreement it has provided to that data subject at the time of collection, and (ii) in respect of personal data it collects from or in relation to a data subject after the date of this Agreement it will provide to that data subject at the time of collection, in each case where required, a fair processing notice which satisfies the requirements of any applicable Data Protection Laws (and in particular Articles 13 and 14 of GDPR); and

(b) any fair processing notice provided or to be provided in accordance with clause 6.3(a) did or shall contain sufficient information that, in accordance with Article 14(5)(a) of GDPR or any similar provision in applicable Data Protection Laws, the other party shall be under no obligation to provide additional information to the data subject.

6.4. Each party undertakes that any personal data or sensitive personal data provided to it by the other party shall be processed in a manner consistent with such receiving party’s obligations under applicable Data Protection Laws and that the receiving party shall treat such personal data and / or sensitive personal data in a manner consistent with the principles set out in such applicable Data Protection Laws.

6.5. Where it acts as a controller, Control Risks undertakes that it will not transfer personal data or sensitive personal data to any member of the Control Risks Group established in a country outside the EEA unless such member has signed an agreement with Control Risks containing provisions that are in conformity with EU guidelines relating to such transfers.

6.6. The Client acknowledges that Control Risks will retain reports and other documents related to the Services in accordance with the provisions of its data retention policy, as may be amended from time to time.

6.7. On and from 25 May 2018, to the extent that the Services comprise the processing of personal data or sensitive personal data where Control Risks is the processor and the Client is the controller and the processing of personal data or sensitive personal data is subject to GDPR, the provisions of the Appendix (Data Processing Agreement) to these Terms and Conditions shall apply.

 

7. Anti-Bribery and Anti-Corruption

7.1. Control Risks hereby warrants and agrees that:

(a) it shall not (and shall ensure that its directors and employees shall not) engage in any activity, practice or conduct which would constitute an offence under the U.S. Foreign Corrupt Practices Act of 1977, the U.K. Bribery Act 2010, legislation implementing the 1997 OECD Convention on Combating Bribery of Foreign Public Officials in International Business Transactions or the United Nations Convention Against Corruption and/or the anti-corruption or anti-money laundering laws of any country in which it conducts business; and

(b) it has and shall maintain in place throughout the term of the Agreement, appropriate policies, procedures and training including, but not limited to, adequate procedures under the U.K. Bribery Act 2010 designed to prevent acts of bribery by its directors and employees.

 

8. Limitation of Liability

8.1. Nothing in this Agreement shall limit or exclude the liability of either party for:

(a) death or personal injury resulting from its negligence;

(b) fraud or fraudulent misrepresentation; or

(c) any liability which cannot be excluded or limited by law.

8.2. Subject to clause 8.1, Control Risks’ entire liability for all amounts payable under this Agreement including all losses suffered by the Client arising out of or in connection with the provision of Services and/or the Agreement (including any liability for the acts or omissions of its employees, agents and subcontractors), shall be limited as follows:

(a) Control Risks shall not be liable for any of the following losses suffered by the Client: loss of profit; loss of revenue; loss of anticipated savings; loss of business opportunity; loss of goodwill; loss of and/or corruption of data; and/or any indirect or consequential losses; and

(b) Control Risks’ maximum aggregate liability for any other loss suffered by the Client shall be limited to 125% of the amount of Control Risks’ fees received for the provision of the Services.

8.3. Control Risks shall have no liability to the Client for any matter which falls outside the scope of the instructions provided by the Client in relation to the Services.

 

9. Term and Termination

9.1. The Agreement is effective as of the date indicated in clause 1.4 and shall continue until the Services have been completed and paid for in full, unless terminated by either party in accordance with clauses 9 and 10.

9.2. Either party may terminate the Agreement at any time upon thirty (30) days’ written notice to the other party.

9.3. Either party may terminate the Agreement with immediate effect upon written notice to the other party:

(a) if the other party commits any continuing or material breach of any of the provisions of the Agreement and, in the case of such a breach that is capable of remedy, fails to remedy the same within fifteen (15) days after receipt of a written notice by the terminating party giving full particulars of the breach and requiring it to be remedied;

(b) if the other party becomes insolvent or is unable to pay its debts as they fall due or goes into liquidation either voluntarily or as required by law; and/or

(c) under the circumstances described in clause 13.1.
9.4. Control Risks supports the UN Guiding Principles on Business and Human Rights and is a signatory to the UN Global Compact and the International Code of Conduct for Private Security Service Providers under which Control Risks has undertaken to ensure that it operates in a manner which respects human rights. Accordingly, either party may terminate the Agreement with immediate effect upon written notice to the other party if, in its sole discretion, a continuation of the Agreement will or may cause it to be complicit in any abuse of human rights.

9.5. On termination of this Agreement for any reason:

(a) the Client shall immediately pay to Control Risks all of Control Risks’ outstanding unpaid invoices and any interest thereon and, in respect of Services supplied and costs incurred but for which no invoice has been submitted, Control Risks shall be entitled to submit an invoice, which shall be payable immediately on receipt; and

(b) the accrued rights and liabilities of the parties as at termination shall not be affected, and any provision of this Agreement relating to or necessary to enable the enforcement of such rights and discharge of such liabilities shall survive termination, as shall the provisions of clause 8 (Limitation of Liability), clause 11 (Confidentiality) and clause 12 (Non-solicitation) as well as any other provisions necessary to give effect to the Agreement or the intentions of the parties thereunder.

 

10. Cancellation, transfer, substitutions and refunds

10.1. The Client may cancel the course by notifying Control Risks in writing by email to EMEATrainingOps@controlrisks.com. Cancellation notification shall take place from the next working day (defined as 9am-5pm in the United Kingdom and excludes public holidays) as acknowledged by Control Risks.

10.2. Control Risks will endeavour to accommodate requests by the Client to substitute one delegate for another providing any pre-requisites to attend the course are met or move delegates to other course dates where available.

10.3. In the event of a cancellation by the Client of a confirmed course booking, the Client shall be liable to pay a cancellation fee as follows:

• 50% of total course cost - cancellation is within 2 weeks of the start of the course
• 75% of total course cost - cancellation is within 1 week of the start of the course
• 100% of total course cost - cancellation is within 48 hours or less of the start of the course

10.4. Control Risks will refund fees paid according to the cancellation fee table at 10.3. Refunds will be made back to the same card or company who paid for the course. We are not able to pay another company or refund to a different card.

 

11. Confidentiality

11.1. As used herein, “Confidential Information” shall mean, with respect to either party, any proprietary or confidential information or data concerning the business, technology, products or affairs of such party furnished or made available by it (the “Disclosing Party”) to the other party (the “Receiving Party”) in connection with this Agreement but does not include reports, and their subject matter, prepared by Control Risks (“Reports”).

11.2. Each party will prevent unauthorised use or disclosure of Reports. Reports are for the benefit of the Client only (including its directors, officers and employees) and may not be disclosed to any third parties without the prior written consent of Control Risks (such consent not to be unreasonably withheld). Disclosure to third parties shall at all times be subject to the reasonable instructions of Control Risks and shall require such third parties to sign a non-disclosure agreement with Control Risks. It is a condition of the Agreement that the Client shall not use any Report other than for legitimate business purposes and agrees to indemnify Control Risks and each member of the Control Risks Group against any third party claims that may arise from, or losses or liabilities that Control Risks or any member of the Control Risks Group may sustain as a result of, the Client’s misuse of, or disclosure of, such Reports (including reasonable legal and preparation costs).

11.3. A Receiving Party shall not disclose the Disclosing Party’s Confidential Information to any third party without the prior written consent of the Disclosing Party, except in connection with its performance under this Agreement or pursuant to clause 10.5, and shall protect the Disclosing Party’s Confidential Information against unauthorised use or disclosure using at least those measures that it takes to protect its own Confidential Information of a similar nature, but no less than reasonable care. Notwithstanding the foregoing, disclosure of Confidential Information is permitted on a need to know basis to the directors, officers, employees, subcontractors, professional advisers and insurers of the Client Group or, as the case may be, the Control Risks Group, provided that each such person is made aware of the confidential and proprietary nature thereof and agrees to abide by confidentiality obligations no less onerous than those contained herein.

11.4. The parties agree that “Confidential Information” does not include information which:

(a) was available to the Receiving Party on a non-confidential basis at the time of or prior to the receipt of the information by it;

(b) is or becomes publicly available on a non-confidential basis through no fault of the Receiving Party;

(c) is received in good faith by the Receiving Party from a third party, provided that such third party is not bound by a confidentiality agreement with the Disclosing Party or otherwise legally prohibited from transmitting the information; and/or

(d) is, or can reasonably be proved to have been, developed independently by the Receiving Party.
11.5. In the event the Receiving Party receives an order to disclose any Confidential Information by a court of competent jurisdiction, a recognised stock exchange, governmental department or agency or other regulatory body to which it is subject, it shall promptly notify the Disclosing Party in writing and use reasonable good faith efforts to: (a) disclose only the specific Confidential Information legally required to be disclosed; and (b) assist the Disclosing Party (at the Disclosing Party’s request) in obtaining a protective order or other appropriate assurances that the confidential nature of the Confidential Information shall be protected and preserved. Any costs incurred by Control Risks in resisting or complying with the disclosure efforts described in this clause 10.5 (including reasonable legal costs) shall be borne by the Client.

 

12. Non-solicitation
Neither party shall (during the term of this Agreement or for a period of twelve (12) months after its termination, whether due to the completion of Services or otherwise) directly or indirectly solicit, encourage for employment, employ or otherwise engage the services of any employee, consultant or subcontractor of the other party that was introduced to such party in connection with the Services provided hereunder, except with the prior written consent of the introducing party. In the event of any such employment or engagement, the hiring party agrees to reimburse the other party, promptly on demand, a recruitment fee equal to thirty percent (30%) (exclusive of value added tax, if applicable) of the first year’s gross salary and the value of benefits-in-kind of such hired person. This clause 12 shall not prohibit employment solicitation methods aimed at the general public and not specifically targeted at personnel of the other party.

 

13. General

13.1. Force majeure
Neither party shall be liable to the other for any loss or any failure or delay to perform any obligation under the Agreement which is due to causes beyond its reasonable control (including, without limitation, acts of God, industrial disputes, protests, fire, flood, storm, epidemic, explosion, breakdown of plant or machinery, failure of any Internet service provider or the lack of availability of the Internet, act of terrorism, war, national emergency, military operations, compliance with any law or governmental order, regulation or rule, or acts of government and situations where the rendering of Services is prohibited or delayed by local laws, regulators, government bodies or agencies). Should such circumstances continue for more than ninety (90) days, either party may terminate the Agreement in accordance with clause 9 above. An event of force majeure does not affect the obligation to pay fees (or make any other payment) in accordance with the terms of this Agreement.

13.2. Amendment
No amendment to this Agreement shall be effective unless expressly agreed in writing and signed by a duly authorised representative of each party.

13.3. Waiver
All waivers shall be in writing. Any failure by either party to exercise (or any delay in exercising) a right or remedy provided by this Agreement or by law does not constitute a waiver of the right or remedy or a waiver of any other rights or remedies available to such party.

13.4. Assignment
This Agreement may not be assigned in whole or in part by either party without the prior written consent of the other party, except that Control Risks may assign the Agreement to any member of the Control Risks Group and the Client may assign the Agreement to any member of the Client Group.

13.5. Counterparts
This Agreement may be executed in counterpart, each of which shall constitute an original, but which taken together shall constitute one and the same agreement.

13.6. Third party rights
Other than as may be expressly provided in this Agreement, the parties do not intend that any person who is not a party to the Agreement shall have any rights under the Contracts (Rights of Third Parties) Act 1999 or otherwise to enforce any term hereof.

13.7. No partnership or agency
Nothing in this Agreement is intended to or shall operate to create a partnership or joint venture of any kind between Control Risks and the Client or to authorise either Control Risks or the Client to act as agent for the other, and neither Control Risks nor the Client shall have authority to act in the name or on behalf of or otherwise to bind the other in any way (including, but not limited to, the making of any representation or warranty, the assumption of any obligation or liability and the exercise of any right or power).

13.8. Severance

(a) If any provision of this Agreement shall be found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, such invalidity or unenforceability shall not affect the other provisions of this Agreement which shall remain in full force and effect.

(b) If any provision of this Agreement is so found to be invalid or unenforceable but would be valid or enforceable if some part of the provision were deleted, the provision in question shall apply with such modification(s) as may be necessary to make it valid.

13.9. Notices
Any notice (including a consent or waiver) given under the Agreement shall be in writing and signed by or on behalf of the party giving it and may be served by delivering it personally or sending it by recorded delivery, registered mail, a commercial courier company or fax to the address of the relevant party notified by that party to the other or it shall be sent by email to the email addresses previously exchanged by the parties. Any such notice shall be deemed to have been received:

(a) if delivered personally, at the time of delivery;

(b) in the case of recorded delivery or registered mail within the same country, on the second business day after posting;

(c) in the case of a commercial courier, on the date and at the time that the courier’s delivery receipt is signed;

(d) in the case of fax, at the time of successful transmission (to be evidenced by confirmation of facsimile transmission); and

(e) in the case of email, when receipt of such notice is acknowledged by the recipient in any manner described in this clause 13.9 or upon electronic confirmation of delivery, if the relevant IT system is capable of such facility.

13.10. Governing law and jurisdiction
This Agreement shall be governed by and construed in accordance with the laws of England and Wales and any dispute or claim, including in relation to non-contractual matters, arising under or in connection with this Agreement shall be submitted to the non-exclusive jurisdiction of the English courts.

 

Appendix (Data Processing Agreement)

The provisions of this Appendix (the “Data Processing Agreement”) form part of the Agreement to the extent that clause 6.8 of the Agreement applies.
Control Risks shall:

(a) process the personal data only on documented instructions from the controller for the purposes of providing the training course of workshop, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by European Union or the national law of an EU member state to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;

(b) ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

(c) implement appropriate organisational and technical measures as required pursuant to Article 32 (security of processing) of GDPR;

(d) respect the conditions for engaging another processor referred to in paragraphs 2 and 4 of Article 28 (processor) of GDPR;

(e) taking into account the nature of the processing, assist the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of GDPR;

(f) assist the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of GDPR taking into account the nature of the processing and the information available to the processor;

(g) at the choice of the controller, delete or return all the personal data to the controller after the end of the provision of services relating to processing, and delete existing copies unless European Union law or the national law of an EU member state to which the processor is subject requires storage of the personal data; and

(h) make available to the controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 (processor) of GDPR and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller (in each case at the controllers cost).

Control Risks acknowledges that nothing in the Data Processing Agreement relieves it of its own direct responsibilities and liabilities under GDPR.