Common use of Application of Standard Contractual Clauses Clause in Contracts

Application of Standard Contractual Clauses. (a) Module Two (Transfer Controller to Processor) of the Standard Contractual Clauses and the additional terms in this clause 9 will apply to Processing of Personal Data that is transferred f rom within the EEA, the United Kingdom (subject to Attachment 4 – UK Addendum to the EU Standard Contractual Clauses), Switzerland (Subject to Attachment 5 – Switzerland Addendum to the EU Standard Contractual Clauses), or any other jurisdiction which accepts the Standard Contractual Clauses (subject to Section 9.2(e) below), either directly or via onward transfer, to any recipient (i) not located in a country recognised by the European Commission or the UK Government as applicable as providing an adequate level of protection for Personal Data or (ii) not covered by a f ramework recognised by the relevant authorities or courts as providing an adequate level of protection for Personal Data, including but not limited to Binding Corporate Rules or the Trans-Atlantic Data Privacy Framework (each such recipient, a “Third Country Recipient”). (b) The Standard Contractual Clauses shallbe deemed executed by virtue of deemed acceptance by conduct of the Principal Agreement by Supplier providing the Services and Customer paying for such Services in accordance with the purchase order to which the Princ ipal Agreement is attached, by: (i) Customer and/or any Affiliate to whom Supplier provides the Services that transfers Personal Data to a Third Country Recipient (the “Data Exporter”); and (ii) Supplier or other relevant Third Country Recipient (the “Data Importer”). . (c) The Standard Contractual Clauses shall constitute a separate agreement between each Data Exporter and Data Importer. If so required by Data Privacy Laws, the parties shall execute or re-execute the Standard Contractual Clauses as separate documents setting out the proposed transfers of Personal Data in such manner as may be required by Data Privacy Laws. (d) The parties agree to amend the Standard Contractual Clauses if required in accordance with a relevant European Commission or UK/Swiss government decision or Data Privacy Laws. Nothing in this DPA or the Agreement shall contradict, directly or indirectly, the Standard Contractual Clauses, or prejudice the fundamental rights or freedoms of Data Subjects. In the event of such a contradiction, the Standard Contractual Clauses shall prevail. (e) Where the Standard Contractual Clauses apply to a transfer of Personal Data from any other jurisdiction which accepts the Standard Contractual Clauses as appropriate safeguards under Data Privacy Laws, Annex 6 (Transfer Requirements for Other Jurisdictions) shall apply, and any amendments required by such jurisdiction’s Regulator shall be deemed to be made to the Standard Contractual Clauses as are necessary to comply with Data Privacy Laws.

Application of Standard Contractual Clauses. (a) Module Two (Transfer Controller to Processor) of the The Standard Contractual Clauses and the additional terms in this clause 9 relating to Personal Data that is transferred outside the EEA will apply to Processing of Personal Data that is transferred f rom within outside the EEA, the United Kingdom (subject to Attachment 4 – UK Addendum to the EU Standard Contractual Clauses), Switzerland (Subject to Attachment 5 – Switzerland Addendum to the EU Standard Contractual Clauses), or any other jurisdiction which accepts the Standard Contractual Clauses (subject to Section 9.2(e) below), either directly or via onward transfer, to any recipient not (i) not located in a country recognised by the European Commission or the UK Government as applicable as providing an adequate level of protection for Personal Data personal data or (ii) not covered by a f ramework framework recognised by the relevant authorities or courts as providing an adequate level of protection for Personal Datapersonal data, including but not limited to Binding Corporate Rules or the Trans-Atlantic Data E.U.-U.S. Privacy Shield Framework (each such recipient, a “Third Country Recipient”). (b) . The Standard Contractual Clauses shallbe deemed shall be executed by virtue of deemed acceptance by conduct of the Principal Agreement by Supplier providing the Services and by: Customer paying for such Services in accordance with the purchase order to which the Princ ipal Agreement is attached, by: (i) Customer [and/or any Affiliate to whom Supplier provides the Services that transfers Personal Data to a Third Country Recipient Recipient] (the “Data Exporter”); and (ii) and Supplier or other relevant Third Country Recipient (the “Data Importer”). . (c) The Standard Contractual Clauses shall constitute a separate agreement between each Data Exporter and Data Importer. If so required by Data Privacy Laws, the parties shall execute or re-execute the Standard Contractual Clauses as separate documents setting out the proposed transfers of Personal Data in such manner as may be required by Data Privacy Laws. (d) The parties agree to amend the Standard Contractual Clauses if required in accordance with a relevant European Commission or UK/Swiss government decision or Data Privacy Protection Laws. Nothing in this DPA or For the Agreement shall contradict, directly or indirectly, purposes of the Standard Contractual Clauses, the instructions to Data Importer shall be any instructions issued in accordance with clause 3.3(a). Clause 6 of this DPA shall apply in respect of any sub-processing by the Data Importer. The parties agree that upon Data Exporter’s request, Data Importer will provide the copies of the Subcontractor agreements that must be sent by the Data Importer to the Data Exporter pursuant to Clause 5(j) of the Standard Contractual Clauses, and that Data Importer may remove or prejudice redact all commercial information or clauses unrelated to the fundamental rights Standard Contractual Clauses or freedoms of their equivalent beforehand. Controls on transfers from non-EEA countries Where the Supplier transfers Personal Data Subjects. In the event originating in a non-EEA country to another country, it shall: put in place reasonable, appropriate and legally compliant safeguards for protection of such Personal Data in accordance with good industry practice; to the extent required by applicable Data Protection Law, enter into (or procure the entry into) such agreement with the Customer or, if applicable, the Customer Affiliate, as requested by the Customer; and comply with, and assist the Customer or, if applicable, the Customer Affiliate to comply with, any other obligations under applicable Data Protection Law relating to the transfer. The Supplier shall also ensure that any onward transfer of Personal Data originally transferred pursuant to this clause 9.3 shall be made in compliance with the requirements of the applicable Data Protection Law and, if applicable, the data transfer mechanism relied upon pursuant to this clause 9.3. Changes in Data Protection Laws Should a contradictionchange in Data Protection Laws occur, or a decision of a competent authority in connection with Data Protection Laws be made, which might affect the validity of an international transfer or adequacy of an international transfer method (including, but not limited to, the Standard Contractual Clauses shall prevail. or the E.U.-U.S. Privacy Shield Framework), then the Supplier agrees to promptly co-operate (eand ensure that any affected Subcontractors promptly co- operate) Where the Standard Contractual Clauses apply with Customer to a transfer of Personal Data from ensure that any variations or other jurisdiction which accepts the Standard Contractual Clauses as appropriate safeguards under Data Privacy Laws, Annex 6 (Transfer Requirements for Other Jurisdictions) shall apply, and any amendments required by agreements necessary to restore such jurisdiction’s Regulator shall be deemed validity or adequacy are promptly agreed to allow such international transfers to be made (or continue to be made) without breach of that change or decision regarding that Data Protection Law. Co-operation with Regulators and Conduct of Claims Supplier shall promptly notify Customer of all enquiries from a Regulator that Supplier receives which relate to the Standard Contractual Clauses Processing of Customer Data, the provision or receipt of the Services or either party's obligations under this Agreement, unless prohibited from doing so at law or by the Regulator. Unless a Customer notifies Supplier that Supplier will be responsible for handling a particular communication or correspondence with a Regulator or a Regulator requests in writing to engage directly with Supplier, Customer will handle all communications and correspondence relating to Customer Data and the provision or receipt of the Services. Customer shall have the right, at its sole discretion, to assume control of the defence and settlement of any third-party claim that relates to the Processing of Personal Data, including claims against Supplier or its Subcontractors, provided that Customer shall not enter into any settlement of such claim or compromise any such claim without Supplier’s prior written consent if such compromise or settlement would assert any liability against Supplier, increase the liability (including under an indemnity) of Supplier, or impose any obligations or restrictions on Supplier, such as are necessary imposing an injunction or other equitable relief upon Supplier. Where required, such consent shall not be unreasonably withheld or delayed. Customer’s exercise of such right under this clause 10.3 shall (a) not be construed to require Customer to bear the costs of such defence and settlement and (b) be without prejudice to its contractual, legal, equitable or other rights to seek recovery of such costs. Where Supplier interacts directly with a Regulator in accordance with clause 10.2, Supplier shall do so in an open and co-operative way at its own expense and in consultation with Customer. With respect to such interaction with a Regulator, Supplier shall (and shall cause its personnel and Subcontractors to): make itself readily available for meetings with the Regulator as reasonably requested; subject to clause 11.4 (c) below, answer the Regulator’s questions truthfully, fully and promptly; and provide the Regulator with such information and co-operation as the Regulator may require; and where permitted by law, notify Customer of any Regulator’s request for information relating to Customer or the Personal Data and before disclosing such requested information, co- operate with Customer’s efforts to prevent the disclosure of, or obtain protective treatment for, such information, and comply with Customer’s reasonable instructions regarding the response to such request. Any confidential information disclosed by the Supplier in accordance with clause 10.4 shall be disclosed subject to the Agreement’s confidentiality provisions. Supplier shall provide Customer with such assistance and information as Customer may reasonably request in order for Customer to comply with Data Privacy Lawsany obligation to carry out a data protection impact assessment or consult with a Regulator pursuant to Articles 35 and 36 of GDPR, as well as other applicable privacy laws respectively.

Application of Standard Contractual Clauses. (aThis Agreement incorporates by reference the Standard Contractual Clauses. • The Standard Contractual Clauses apply to all Personal Data, in particular Personal Data relating to the Client‘s employees, users, customers, vendors or other individuals in connection with the Agreement, that is transferred from or accessed remotely from outside the EEA, Switzerland or any country whose laws require an adequacy means for such international transfer or access and the required adequacy means can be met by entering into the Standard Contractual Clauses, either directly or via onward transfer to any country or recipient, in each case, where such transfer or access would be prohibited by Data Protection Laws in the absence of the Standard Contractual Clauses. • The Standard Contractual Clauses apply to: o the Client affiliates listed in Appendix 4, each as a data exporter; o the Supplier, as a data importer; and o any other person, including Supplier Affiliates and subcontractors of the Supplier that have access to Personal Data in the course of providing any Services under the Agreement, each as Sub-processor. • For the purposes of Clause 5(a) Module Two (Transfer Controller of the Standard Contractual Clauses, the Services provided under the Agreement set out the Processing instructions of each respective data exporter to Processorthe Supplier as data importer for the Processing of Personal Data. The Client, in its sole discretion, may provide additional or alternate instructions for the Processing of Personal Data under its control. • The Parties agree that the copies of the Sub-processor agreements that must be sent by the Supplier to the Client pursuant to Clause 5(j) of the Standard Contractual Clauses and the additional terms in this clause 9 will apply may have all commercially sensitive or confidential information redacted. • In relation to Processing each transfer of Personal Data that is transferred f rom within the EEA, the United Kingdom (subject to Attachment 4 – UK Addendum from a data exporter listed in Appendix 2 to the EU Supplier, as data importer, and for the purposes of Clause 9 (Governing Law) of the Standard Contractual Clauses), Switzerland (Subject to Attachment 5 – Switzerland Addendum any dispute or claim arising out of or in connection with its interpretation shall be governed by the national law of the respective data exporter. • The Supplier shall, upon reasonable request, make available to the EU Client a list of all Sub-processors currently providing Services under the Agreement, and make available for inspection all agreements with such Sub-processors as required under Clause 11(1) of the Standard Contractual Clauses). The Client shall bear its own costs in relation to such audit and inspection, or any other jurisdiction unless a discrepancy is identified, in which accepts case the Standard Contractual Clauses (subject to Section 9.2(e) below), either directly or via onward transfer, to any recipient (i) not located in a country recognised cost of such audit and inspection shall be borne by the European Commission or the UK Government as applicable as providing an adequate level of protection for Personal Data or (ii) not covered by a f ramework recognised by the relevant authorities or courts as providing an adequate level of protection for Personal Data, including but not limited to Binding Corporate Rules or the Trans-Atlantic Data Privacy Framework (each such recipient, a “Third Country Recipient”). (b) The Standard Contractual Clauses shallbe deemed executed by virtue of deemed acceptance by conduct of the Principal Agreement by Supplier providing the Services and Customer paying for such Services in accordance with the purchase order to which the Princ ipal Agreement is attached, by: (i) Customer and/or any Affiliate to whom Supplier provides the Services that transfers Personal Data to a Third Country Recipient (the “Data Exporter”); and (ii) Supplier or other relevant Third Country Recipient (the “Data Importer”)Supplier. . (c) • The Standard Contractual Clauses shall constitute a separate agreement be interpreted in light of the provisions of this Agreement. In the event of any conflict or inconsistency between each Data Exporter this Agreement and Data Importer. If so required by Data Privacy Laws, the parties shall execute or re-execute the Standard Contractual Clauses as separate documents setting out the proposed transfers of Personal Data in such manner as may be required by Data Privacy Laws. (d) The parties agree to amend the Standard Contractual Clauses if required in accordance with a relevant European Commission or UK/Swiss government decision or Data Privacy Laws. Nothing in this DPA or the Agreement shall contradict, directly or indirectly, the Standard Contractual Clauses, or prejudice the fundamental rights or freedoms following order of Data Subjects. In the event of such a contradiction, precedence shall apply: o the Standard Contractual Clauses Clauses; o this Agreement. • Notwithstanding the foregoing, each Party shall prevail. promptly, on request from a national data protection authority, do all things necessary including executing such further documents and/or completing such further formalities (ewhether in the form of authorisation, registration or otherwise) Where the Standard Contractual Clauses apply to a transfer of Personal Data from any other jurisdiction which accepts the Standard Contractual Clauses as appropriate safeguards under Data Privacy Laws, Annex 6 (Transfer Requirements for Other Jurisdictions) shall apply, and any amendments required by such jurisdiction’s Regulator shall may be deemed to be made to the Standard Contractual Clauses as are necessary to give effect to this Agreement and/or comply with Data Privacy Lawsapplicable laws.

Application of Standard Contractual Clauses. (aThis Agreement incorporates by reference the Standard Contractual Clauses. • The Standard Contractual Clauses apply to all Personal Data, in particular Personal Data relating to the Client‘s employees, users, customers, vendors or other individuals in connection with the Agreement, that is transferred from or accessed remotely from outside the EEA, Switzerland or any country whose laws require an adequacy means for such international transfer or access and the required adequacy means can be met by entering into the Standard Contractual Clauses, either directly or via onward transfer to any country or recipient, in each case, where such transfer or access would be prohibited by Data Protection Laws in the absence of the Standard Contractual Clauses. • The Standard Contractual Clauses apply to: o the Client affiliates listed in Appendix 2, each as a data exporter; o the Supplier, as a data importer; and o any other person, including Supplier Affiliates and subcontractors of the Supplier that have access to Personal Data in the course of providing any Services under the Agreement, each as Sub-processor. • For the purposes of Clause 5(a) Module Two (Transfer Controller of the Standard Contractual Clauses, the Services provided under the Agreement set out the Processing instructions of each respective data exporter to Processorthe Supplier as data importer for the Processing of Personal Data. The Client, in its sole discretion, may provide additional or alternate instructions for the Processing of Personal Data under its control. • The Parties agree that the copies of the Sub-processor agreements that must be sent by the Supplier to the Client pursuant to Clause 5(j) of the Standard Contractual Clauses and the additional terms in this clause 9 will apply may have all commercially sensitive or confidential information redacted. • In relation to Processing each transfer of Personal Data that is transferred f rom within the EEA, the United Kingdom (subject to Attachment 4 – UK Addendum from a data exporter listed in Appendix 2 to the EU Supplier, as data importer, and for the purposes of Clause 9 (Governing Law) of the Standard Contractual Clauses), Switzerland (Subject to Attachment 5 – Switzerland Addendum any dispute or claim arising out of or in connection with its interpretation shall be governed by the national law of the respective data exporter. • The Supplier shall, upon reasonable request, make available to the EU Client a list of all Sub-processors currently providing Services under the Agreement, and make available for inspection all agreements with such Sub-processors as required under Clause 11(1) of the Standard Contractual Clauses). The Client shall bear its own costs in relation to such audit and inspection, or any other jurisdiction unless a discrepancy is identified, in which accepts case the Standard Contractual Clauses (subject to Section 9.2(e) below), either directly or via onward transfer, to any recipient (i) not located in a country recognised cost of such audit and inspection shall be borne by the European Commission or the UK Government as applicable as providing an adequate level of protection for Personal Data or (ii) not covered by a f ramework recognised by the relevant authorities or courts as providing an adequate level of protection for Personal Data, including but not limited to Binding Corporate Rules or the Trans-Atlantic Data Privacy Framework (each such recipient, a “Third Country Recipient”). (b) The Standard Contractual Clauses shallbe deemed executed by virtue of deemed acceptance by conduct of the Principal Agreement by Supplier providing the Services and Customer paying for such Services in accordance with the purchase order to which the Princ ipal Agreement is attached, by: (i) Customer and/or any Affiliate to whom Supplier provides the Services that transfers Personal Data to a Third Country Recipient (the “Data Exporter”); and (ii) Supplier or other relevant Third Country Recipient (the “Data Importer”)Supplier. . (c) • The Standard Contractual Clauses shall constitute a separate agreement be interpreted in light of the provisions of this Agreement. In the event of any conflict or inconsistency between each Data Exporter this Agreement and Data Importer. If so required by Data Privacy Laws, the parties shall execute or re-execute the Standard Contractual Clauses as separate documents setting out the proposed transfers of Personal Data in such manner as may be required by Data Privacy Laws. (d) The parties agree to amend the Standard Contractual Clauses if required in accordance with a relevant European Commission or UK/Swiss government decision or Data Privacy Laws. Nothing in this DPA or the Agreement shall contradict, directly or indirectly, the Standard Contractual Clauses, or prejudice the fundamental rights or freedoms following order of Data Subjects. In the event of such a contradiction, precedence shall apply: o the Standard Contractual Clauses Clauses; o this Agreement. • Notwithstanding the foregoing, each Party shall prevail. promptly, on request from a national data protection authority, do all things necessary including executing such further documents and/or completing such further formalities (ewhether in the form of authorisation, registration or otherwise) Where the Standard Contractual Clauses apply to a transfer of Personal Data from any other jurisdiction which accepts the Standard Contractual Clauses as appropriate safeguards under Data Privacy Laws, Annex 6 (Transfer Requirements for Other Jurisdictions) shall apply, and any amendments required by such jurisdiction’s Regulator shall may be deemed to be made to the Standard Contractual Clauses as are necessary to give effect to this Agreement and/or comply with Data Privacy Lawsapplicable laws.