34.1 Both Parties will comply with all applicable requirements of the Data Protection Legislation.
34.2 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the data controller and KDDI is the data processor (where “Data Controller” and “Data Processor” have the meanings as defined in the Data Protection Legislation). A Schedule accompanying these General Terms and Conditions (“Terms”) sets out the scope, nature and purpose of processing by KDDI, the duration of the processing and the types of Personal Data and categories of Data Subject (“Data Processing Schedule”).
34.3 Without prejudice to the generality of clause 34.1, the Customer will ensure that it has appropriate consents and notices in place to enable lawful transfer of the Personal Data to KDDI for the purposes of these Terms.
34.4 Without prejudice to the generality of clause 34.1, KDDI shall, in relation to any personal data (as defined in the Data Protection Legislation, “Personal Data”) processed in connection with the performance by KDDI of its obligations under these Terms:
34.4.1 process Personal Data only on the written instructions of the Customer unless KDDI is required by the laws of any member of the European Union or by the laws of the European Union applicable to KDDI to process Personal Data (“Applicable Law”). KDDI shall promptly notify the Customer of this prior to performing the processing required by such Applicable Laws unless those Applicable Laws prohibit KDDI from so notifying the Customer;
34.4.2 ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage, to Personal Data, appropriate to the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (such measures may include, where appropriate, pseudonymizing and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organization measures adopted by it);
34.4.3 ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential and take reasonable steps to ensure the reliability of any of KDDI’s personnel who have access to Personal Data; and
34.4.4 not transfer any Personal Data outside of the European Economic Area without the prior written consent of the Customer and where the Customer consents to transfer, to comply with:
(i) the obligation of the Customer under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and
(ii) any reasonable instructions notified to it by the Customer with respect to the processing of the Personal Data.
34.4.5 assist the Customer, at the Customer’s cost, in responding to any request from a Data Subject and in ensuring compliance of its obligations under the Data Protection Legislation with respect to [security, breach notifications, impact assessments and consultations with supervisory authorities or regulators];
34.4.6 notify the Customer without undue delay on becoming aware of a Personal Data breach;
34.4.7 as soon as reasonably practical delete or return [or render anonymised] Personal Data and copies thereof to the Customer on completion of the Services and any termination of any Contract unless required by any Applicable Law to store the Personal Data; and
34.4.8 maintain complete and accurate records to demonstrate its compliance with this clause 34 and permit the Customer, or its designated auditor, to inspect and have access to any premises (and to the computer equipment located there) at or on which Personal Data are being processed, and have access to any records kept in connection with this Agreement, for the purposes of ensuring that KDDI is complying with the terms of this Agreement (“Regulatory Assistance”), provided that the Customer provides at least five (5) Business Days’ notice to KDDI of such inspections, which shall take place during normal business hours of 9am – 5pm Monday – Friday excluding bank and public holidays in relevant countries. Customer will be entitled to receive, and KDDI will provide, up to five (5) hours of Regulatory Assistance in aggregate without further charge. Such Regulatory Assistance hours unspent in any calendar year may not be carried over to any subsequent year. For hours of Regulatory Assistance in excess of those hours in any calendar year, Customer shall reimburse KDDI for the time spent on the basis of KDDI charges then in force.
34.5 If KDDI wishes to appoint a third party to carry out any of its obligations under these Terms (in whole or in part) so that such third party is processing Personal Data on KDDI's behalf, then KDDI shall seek the Customer’s consent to the appointment of such a third party processor. If the Customer consents to the processing, KDDI shall enter into a written agreement with such third party incorporating terms which are substantially similar to those set out in this clause 34. As between the Customer and KDDI, KDDI shall remain fully liable for all acts or omissions of any third party processor appointed by it pursuant to this clause 34.
34.6 If, during the term of any Contract, the U.K. ceases to be a member of the European Union and/or the European Economic Area (“Brexit”), the terms of this clause 34 shall continue to apply and KDDI shall continue to comply with the Data Protection Legislation and all written instructions of the Customer. KDDI acknowledges that Brexit may adversely affect the obligations imposed on Data Processors under the Data Protection Legislation and that the Customer may seek to amend these Terms to ensure its continued compliance with its obligations as a Data Controller. In such circumstances, KDDI and the Customer shall negotiate in good faith to agree appropriate amendments to this clause 34.