Data Protection, Confidentiality and GDPR Compliance

In the course of providing its consulting services, the Consultant may have access to, collect, process, or otherwise handle confidential information belonging to the Client, including personal data within the meaning of Regulation (EU) 2016/679 of 27 April 2016 (General Data Protection Regulation — GDPR). The Consultant acknowledges the sensitive nature of such data and undertakes to process them with the highest level of care, confidentiality, and security.
The Consultant commits to full compliance with the GDPR and all applicable data protection laws.
Personal data shall be processed lawfully, fairly, and transparently, for specified and legitimate purposes directly related to the execution of the services, and limited to what is strictly necessary for those purposes. The Consultant shall ensure that personal data are accurate, kept up to date where necessary, and retained only for the duration required to fulfill the contractual obligations or as mandated by applicable law.
Depending on the nature of the engagement, the Consultant may act either as a data processor on behalf of the Client or, where applicable, as an independent data controller. When acting as a data processor, the Consultant shall process personal data solely on documented instructions from the Client and shall not use such data for any purpose other than the performance of the services.
The Consultant shall ensure that any person authorized to process personal data is bound by a strict duty of confidentiality and has received appropriate training regarding data protection and information security.
The Consultant has designated a Data Protection Officer (DPO), responsible for overseeing compliance with data protection obligations and acting as a point of contact for the Client and supervisory authorities with regard to GDPR-related matters.
The identity and contact details of the DPO shall be communicated to the Client upon request or specified in the contractual documentation.
The Consultant undertakes to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks associated with the processing of personal data.
Such measures include, where appropriate, access controls, secure authentication mechanisms, data encryption, secure storage, controlled data transmission, and procedures to prevent unauthorized access, loss, alteration, or disclosure of personal data.
In the event of a personal data breach, the Consultant shall notify the Client without undue delay after becoming aware of the breach and shall provide all information reasonably required to enable the Client to comply with its obligations under the GDPR, including breach notification to supervisory authorities and data subjects where applicable.
The Consultant shall not transfer personal data outside the European Union or the European Economic Area without the prior written authorization of the Client and without ensuring that appropriate safeguards are in place in accordance with the GDPR.
Upon termination or completion of the services, the Consultant shall, at the Client's choice, return all personal data to the Client or securely delete them, unless retention is required by law.
This data protection and confidentiality commitment shall remain in force for the entire duration of the contractual relationship and shall survive its termination for as long as the Consultant retains or processes personal data on behalf of the Client.