7. Data Breach
Processor will without undue delay notify Client if it becomes aware of any Personal Data Breach.
Where Processor becomes aware of a Personal Data Breach, it shall, without undue delay, also provide Client upon request with the following information:
- (a) description of the nature of (a) and/or (b), including the categories and approximate number of both Data Subjects and Personal Data records concerned;
- (b) the likely consequences; and
- (c) description of the measures taken, or proposed to be taken to address (a) and/or (b), including measures to mitigate its possible adverse effects.
Immediately following any unauthorized or unlawful Personal Data processing or Personal Data Breach, the parties will co-ordinate with each other to investigate the matter. Processor will reasonably co-operate with Client in Client's handling of the matter, including:
- (a) assisting with any investigation;
- (b) providing Client with physical access to any facilities and operations affected;
- (c) facilitating interviews with Processor's employees, former employees and others involved in the matter;
- (d) making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by Client; and
- (e) taking reasonable and prompt steps to mitigate the effects and to minimize any damage resulting from the Personal Data Breach or unlawful Personal Data processing.
Processor will not inform any third party of any Personal Data Breach without first obtaining Client's prior written consent, except when required to do so by Data Protection Laws.
Processor agrees that Client has the sole right, subject to Data Protection Laws, to determine:
- (a) whether to provide notice of the Personal Data Breach to any Data Subjects, supervisory authorities, regulators, law enforcement agencies or others, as required by law or regulation or in Client's discretion, including the contents and delivery method of the notice; and
- (b) whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.
Processor will cover all reasonable expenses associated with the performance of the obligations under this section 7 unless the matter arose from Client's specific instructions, negligence, willful default or breach of this Agreement, in which case Client will cover all reasonable expenses.
Processor will also reimburse Client for actual reasonable expenses that Client incurs when responding to a Personal Data Breach to the extent that Processor caused such a Personal Data Breach, including all costs of notice and any remedy.