When providing the Goods to the Buyer, the seller may gain access to and/or acquire the ability to transfer, store or process personal data of employees of the Buyer.
The parties agree that where such processing of personal data takes place, the Buyer shall be ‘data controller’ and the Seller shall be the ‘data processor’ as defined in the General Data Protection Regulation (GDPR) as may be amended, extended and/or re-enacted from time to time.
For the avoidance of doubt, ‘Personal Data’, ‘Processing’, ‘Data Controller’, ‘Data Processor’ and ‘Data Subject’ shall have the same meaning as the GDPR.
The Seller shall only process Personal Data to the extent reasonably required to enable it to provide the Goods as mentioned in these terms and conditions or as requested by and agreed with the Buyer, shall not retain any Personal Data longer than necessary for the processing and refrain from Processing any Personal Data for its own or for any third party’s purposes.
The Seller shall not disclose Personal Data to any third parties other than employees, directors, agents, subcontractors or advisors on a strict “need-to-know” basis and only under the same (or more extensive) conditions as set out in the terms and conditions.
The Seller shall implement and maintain technical and organisational security measures as are required to protect Personal Data Processed by the Seller on behalf of the Buyer. Further information about the Seller’s approach to data protection are specified in its Data Protection Policy, which can be found on request at firstname.lastname@example.org