41. When supplying the Services to the Customer, the Service Provider may gain access to and/or acquire the ability to transfer, store or process personal data of employees of the Customer.
42. The parties agree that where such processing of personal data takes place, the Customer shall be the 'data controller' and the Service Provider shall be the 'data processor' as defined in the General Data Protection Regulation (GDPR) as may be amended, extended and/or re-enacted from time to time.
43. For the avoidance of doubt, 'Personal Data', 'Processing', 'Data Controller', 'Data Processor' and 'Data Subject' shall have the same meaning as in the GDPR.
44. The Service Provider shall only Process Personal Data to the extent reasonably required to enable it to supply the Services as mentioned in these terms and conditions or as requested by and agreed with the Customer, shall not retain any Personal Data longer than necessary for the Processing and refrain from Processing any Personal Data for its own or for any third party's purposes.
45. The Service Provider shall not disclose Personal Data to any third parties other than employees, directors, agents, sub-contractors or advisors on a strict 'need-to-know' basis and only under the same (or more extensive) conditions as set out in these terms and conditions or to the extent required by applicable legislation and/or regulations.
46. The Service Provider shall implement and maintain technical and organisational security measures as are required to protect Personal Data Processed by the Service Provider on behalf of the Customer.
47. Further information about the Service Provider's approach to data protection are specified in its Data Protection Policy, which can be found on our website. For any enquiries or complaints regarding data privacy, you can email: firstname.lastname@example.org