Assistance to the Data Controller.
1. Taking into account the nature of the processing, the data processor shall assist the data controller by appropriate technical and organizational measures, insofar as this is possible, in the fulfilment of the data controller’s obligations to respond to requests for exercising the data subject’s rights laid down in Chapter III GDPR. This entails that the data processor shall, insofar as this is possible, assist the data controller in the data controller’s compliance with:
a. the right to be informed when collecting personal data from the data subject
b. the right to be informed when personal data have not been obtained from the data subject
c. the right of access by the data subject
d. the right to rectification
e. the right to erasure (‘the right to be forgotten’)
f. the right to restriction of processing
g. notification obligation regarding rectification or erasure of personal data or restriction of processing
h. the right to data portability
i. the right to object
j. the right not to be subject to a decision based solely on automated processing, including profiling
2. In addition to the data processor’s obligation to assist the data controller pursuant to Clause 6.3., the data processor shall furthermore, taking into account the nature of the processing and the information available to the data processor, assist the data controller in ensuring compliance with:
a. The data controller’s obligation to without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority, the Danish Data Protection Agency, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons;
b. the data controller’s obligation to without undue delay communicate the personal data breach to the data subject, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons;
c. the data controller’s obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (a data protection impact assessment);
d. the data controller’s obligation to consult the competent supervisory authority, the Danish Data Protection Agency, prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the data controller to mitigate the risk.
3. The parties shall define in Appendix C the appropriate technical and organizational measures by which the data processor is required to assist the data controller as well as the scope and the extent of the assistance required. This applies to the obligations foreseen in Clause 9.1. and 9.2.
Appears in 6 contracts
Sources: Data Processing Agreement, Data Processing Agreement, Data Processing Agreement
Assistance to the Data Controller. 1. Taking into account the nature of the processing, the Data Processor assists the Data Controller by appropriate technical and organisational measures, insofar as this is possible, in the fulfilment of the Data Controller’s obligations to respond to requests for exercising the Data Subject’s rights laid down in Chapter III GDPR.
2. This entails that the Data Processor should, insofar as this is possible, assist the Data Controller in the Data Controller’s compliance with:
a. the right to be informed when collecting personal data from the Data Subject
b. the right to be informed when personal data have not been obtained from the Data Subject
c. the right of access by the Data Subject
d. the right to rectification
e. the right to erasure (‘the right to be forgotten’)
f. the right to restriction of processing
g. notification obligation regarding rectification or erasure of personal data or restriction of processing
h. the right to data portability
i. the right to object
j. the right not to be subject to a decision based solely on automated processing, including profiling
3. In addition to the Data Processor’s obligation to assist the Data Controller pursuant to Term 6.4, the Data Processor should furthermore, taking into account the nature of the processing and the information available to the Data Processor, assist the Data Controller in ensuring compliance with:
a. the Data Controller’s obligation to without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority (‘The Danish Data Protection Agency’), unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons;
b. the Data Controller’s obligation to without undue delay communicate the personal data breach to the Data Subject, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons;
c. the Data Controller’s obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (a data protection impact assessment);
d. the Data Controller’s obligation to consult the competent supervisory authority, the Danish Data Protection Agency, prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the Data Controller to mitigate the risk.
4. The appropriate technical and organisational measures by which the Data Processor is required to assist the Data Controller as well as the scope and the extent of the assistance required is defined in Appendix C. This applies to the obligations foreseen under Term 9.1. and 9.2.
Appears in 5 contracts
Sources: Data Processing Agreement, Data Processing Agreement, Data Processing Agreement
Assistance to the Data Controller. 1. Taking The Data Processor, taking into account the nature of the processing, the data processor shall shall, as far as possi- ble, assist the data controller by Data Controller with appropriate technical and organizational organisational measures, insofar as this is possible, in the fulfilment of the data controllerData Controller’s obligations to respond to requests for exercising the exercise of the data subject’s subjects’ rights laid down in pursuant to Chapter III GDPR3 of the General Data Protection Regula- tion. This entails that the data processor shall, insofar Data Processor should as this is possible, far as possible assist the data con- troller Data Controller in the data controllerData Controller’s compliance with:
a. the right to be informed notification obligation when collecting personal data from the data subject
b. the right to be informed when notification obligation if personal data have not been obtained from the data subjectsub- ject
c. the right of access by the data subject
d. the right to rectification
rectification e. the right to erasure (‘the right to be forgotten’)
f. the right to restriction of restrict processing
g. notification obligation regarding rectification or erasure of personal data or restriction of processing
h. the right to data portability
portability i. the right to object j. the right not to be subject object to a decision based solely on the result of automated processingindividual decision-making, including profiling
2. In addition to the data processor’s obligation to The Data Processor shall assist the data controller Data Controller in ensuring compliance with the Data Controller’s obligations pursuant to Clause 6.3., Articles 32-36 of the data processor shall furthermore, General Data Protection Regu- lation taking into account the nature of the processing and the information data made available to the data processorData Processor, assist the data controller in ensuring compliance with:cf. Article 28, sub-section 3, para f.
a. The data controller’s the obligation to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk associated with the processing
b. the obligation to report personal data breaches to the supervisory authority (▇▇▇- ish Data Protection Agency) without undue delay and, where feasibleif possible, not later than within 72 hours after having become aware of it, notify the personal data Data Controller discovering such breach to the competent supervisory authority, the Danish Data Protection Agency, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons;
b. c. the data controller’s obligation to – without undue delay - to communicate the personal data breach to the data subject, subject when the personal data such breach is likely to result in a high risk to the rights and freedoms of natural persons;
c. d. the data controller’s obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (a data pro- tection impact assessment);
d. the data controller’s obligation to consult the competent supervisory authority, the Danish Data Protection Agency, prior to processing where a data protection im- pact impact assessment indicates that the processing would if a type of pro- cessing is likely to result in a high risk to the rights and freedoms of natural persons e. the obligation to consult with the supervisory authority (Danish Data Protection Agency) prior to processing if a data protection impact assessment shows that the processing will lead to high risk in the absence lack of measures taken by the data controller Data Controller to mitigate the limit risk.
3. The parties shall define in Appendix C Parties’ possible regulation/agreement on remuneration etc. for the appropriate technical and organizational measures by which the data processor is required to assist the data controller as well as the scope and the extent of the Data Processor’s assistance required. This applies to the obligations fore- seen Data Controller shall be specified in Clause 9.1. and 9.2the Parties’ ‘Master Agreement’ Betingelser for brug ▇▇ ▇▇▇▇▇▇.
Appears in 2 contracts
Sources: Data Processing Agreement, Data Processing Agreement
Assistance to the Data Controller.
1. Taking into account the nature of the processing, the data processor shall assist the data controller by appropriate technical and organizational measures, insofar as this is possible, in the fulfilment of the data controller’s obligations to respond to requests for exercising the data subject’s rights laid down in Chapter III GDPR. This entails that the data processor shall, insofar as this is possible, assist the data controller in the data controller’s compliance with:
a. the right to be informed when collecting personal data from the data subject
b. the right to be informed when personal data have not been obtained from the data subjects
c. the right of access by the data subjects
d. the right to rectification
e. the right to erasure (‘the right to be forgotten’)
f. the right to restriction of processing
g. notification obligation regarding rectification or erasure of personal data or restriction of processing
h. the right to data portability
i. the right to object
j. the right not to be subject to a decision based solely on automated processing, including profiling
2. In addition to the data processor’s obligation to assist the data controller pursuant to Clause 6.3., the data processor shall furthermore, taking into account the nature of the processing and the information available to the data processor, assist the data controller in ensuring compliance with:
a. The data controller’s obligation to without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority, namely the supervisory authority in the country in which the data controller is established, for example Datatilsynet (Danish Data Protection Agency) in Denmark, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons;
b. the data controller’s obligation to without undue delay communicate the personal data breach to the data subject, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons;
c. the data controller’s obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (a data protection impact assessment);
d. the data controller’s obligation to consult the competent supervisory authority, namely the supervisory authority in the country in which the data controller is established, prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the data controller to mitigate the risk.
3. The parties shall define in Appendix C the appropriate technical and organizational measures by which the data processor is required to assist the data controller as well as the scope and the extent of the assistance required. This applies to the obligations foreseen in Clause 9.1. and 9.2.
Appears in 1 contract
Sources: Data Processing Agreement
Assistance to the Data Controller. 111.1 The Data Processor shall promptly notify the Data Controller of any request it has received from a data subject to exercise any of their rights under the Data Protection Law. Taking into account The Data Processor must not respond to the nature of request itself, unless authorised to do so by the processing, the data processor Data Controller.
11.2 The Data Processor shall assist the data controller by appropriate technical and organizational measures, insofar as this is possible, Data Controller in the fulfilment of the data controller’s fulfilling its obligations to respond to data subjects’ requests for exercising the data subject’s to exercise their rights laid down in Chapter III GDPR. This entails that the data processor shall, insofar as this is possible, assist the data con- troller in the data controller’s compliance with:
a. the right to be informed when collecting personal data from the data subject
b. the right to be informed when personal data have not been obtained from the data subject
c. the right of access by the data subject
d. the right to rectification
e. the right to erasure (‘the right to be forgotten’)
f. the right to restriction of processing
g. notification obligation regarding rectification or erasure of personal data or restriction of processing
h. the right to data portability
i. the right to object j. the right not to be subject to a decision based solely on automated processing, including profiling
2. In addition to the data processor’s obligation to assist the data controller pursuant to Clause 6.3., the data processor shall furthermoreunder Data Protection Law, taking into account the nature of the processing. In fulfilling its obligations in accordance with this Section 11 the Data Processor shall comply with the Data Controller instructions.
11.3 The Data Processor shall assist the Data Controller in responding to, or cooperating with, the UK Information Commissioner’s Office in relation to any matter concerned with this Agreement.
11.4 In addition to the Data Processor’s obligation to assist the Data Controller pursuant to this Section 11, the Data Processor shall assist the Data Controller in ensuring compliance with the following obligations, taking into account the nature of the data processing and the information available to the data processor, assist the data controller in ensuring compliance withData Processor:
a. The data controller’s obligation to without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify (a) the personal data breach to the competent supervisory authority, the Danish Data Protection Agency, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons;
b. the data controller’s obligation to without undue delay communicate the personal data breach to the data subject, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons;
c. the data controller’s obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (a ‘data pro- tection protection impact assessment)’) where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons;
d. (b) the data controller’s obligation to consult the competent supervisory authority, /ies (in the Danish Data Protection Agency, UK this is the Information Commissioners Office) prior to processing where a data protection im- pact impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the data controller Data Controller to mitigate the risk; and
(c) the obligation to ensure that personal data is accurate and up to date, by informing the Data Controller without delay if the Data Processor becomes aware that the Personal Data it is processing is inaccurate or has become outdated.
3. The parties shall define (d) any other obligations as specified in Appendix C the appropriate technical and organizational measures by which the data processor is required to assist the data controller as well as the scope and the extent of the assistance required. This applies to the obligations fore- seen in Clause 9.1. and 9.2Data Protection Law.
Appears in 1 contract
Sources: Data Processing Agreement
Assistance to the Data Controller. 1. Taking into account the nature of the processing, the Data Processor shall assist the Data Controller by appropriate technical and organisational measures, insofar as this is possible, in the fulfilment of the Data Controller’s obligations to respond to requests for exercising the data subject’s rights laid down in Chapter III GDPR. This entails that the Data Processor shall, insofar as this is possible, assist the Data Controller in the Data Controller’s compliance with:
a. the right to be informed when collecting personal data from the data subject
b. the right to be informed when personal data have not been obtained from the data subject
c. the right of access by the data subject
d. the right to rectification
e. the right to erasure (‘the right to be forgotten’)
f. the right to restriction of processing
g. notification obligation regarding rectification or erasure of personal data or restriction of processing
h. the right to data portability
i. the right to object
j. the right not to be subject to a decision based solely on automated processing, including profiling
2. In addition to the Data Processor’s obligation to assist the Data Controller pursuant to Clause 6.3., the Data Processor shall furthermore, taking into account the nature of the processing and the information available to the Data Processor, assist the Data Controller in ensuring compliance with:
a. The Data Controller’s obligation to without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority, the Danish Data Protection Agency, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons;
b. The Data Controller’s obligation to - without undue delay - communicate the personal data breach to the data subject, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons;
c. The Data Controller’s obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (a data protection impact assessment);
d. The Data Controller’s obligation to consult the competent supervisory authority, the Danish Data Protection Agency, prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the Data Controller to mitigate the risk.
3. The Parties shall define in Appendix C the appropriate technical and organisational measures by which the Data Processor is required to assist the Data Controller as well as the scope and the extent of the assistance required. This applies to the obligations foreseen in Clause 9.1. and 9.2.
Appears in 1 contract
Sources: Data Processing Agreement
Assistance to the Data Controller. 1. Taking into account the nature of the processing, the data processor shall assist the data controller by appropriate technical and organisational measures, insofar as this is possible, in the fulfilment of the data controller’s obligations to respond to requests for exercising the data subject’s rights laid down in Chapter III GDPR and UK GDPR. This entails that the data processor shall, insofar as this is possible, assist the data controller in the data controller’s compliance with:
a. the right to be informed when collecting personal data from the data subject
b. the right to be informed when personal data have not been obtained from the data subject
c. the right of access by the data subject
d. the right to rectification
e. the right to erasure (‘the right to be forgotten’)
f. the right to restriction of processing
g. notification obligation regarding rectification or erasure of personal data or restriction of processing
h. the right to data portability
i. the right to object
j. the right not to be subject to a decision based solely on automated processing, including profiling
2. In addition to the data processor’s obligation to assist the data controller pursuant to Clause 6.3., the data processor shall furthermore, taking into account the nature of the processing and the information available to the data processor, assist the data controller in ensuring compliance with:
a. The data controller’s obligation to without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority of the data controller as set out in the first page, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons;
b. the data controller’s obligation to without undue delay communicate the personal data breach to the data subject, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons;
c. the data controller’s obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (a data protection impact assessment);
d. the data controller’s obligation to consult the competent supervisory authority, of the data controller as set out in the first page, prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the data controller to mitigate the risk.
3. The parties shall define in Appendix C the appropriate technical and organisational measures by which the data processor is required to assist the data controller as well as the scope and the extent of the assistance required. This applies to the obligations foreseen in Clause 9.1. and 9.2.
Appears in 1 contract
Sources: Data Processing Agreement
Assistance to the Data Controller. 8.1. Taking into account the nature of the processing, the data processor shall assist the data controller by appropriate technical and organisational measures, insofar as this is possible, in the fulfilment of the data controller’s obligations to respond to requests for exercising the data subject’s rights laid down in Chapter III GDPR. This entails that the data processor shall, insofar as this is possible, assist the data controller in the data controller’s compliance with:
(a) the right to be informed when collecting personal data from the data subject
(b) the right to be informed when personal data have not been obtained from the data subject
(c) the right of access by the data subject
(d) the right to rectification
(e) the right to erasure (‘the right to be forgotten’)
(f) the right to restriction of processing
(g) notification obligation regarding rectification or erasure of personal data or restriction of processing
(h) the right to data portability
(i) the right to object
(j) the right not to be subject to a decision based solely on automated processing, including profiling
8.2. In addition to the data processor’s obligation to assist the data controller pursuant to Clause 6.3., the data processor shall furthermore, taking into account the nature of the processing and the information available to the data processor, assist the data controller in ensuring compliance with:
(a) The data controller’s obligation to without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority, Datatilsynet / The Danish Data Protection Agency – ▇▇▇.▇▇▇▇▇▇▇▇▇▇▇▇.▇▇ unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons;
(b) the data controller’s obligation to without undue delay communicate the personal data breach to the data subject, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons;
(c) the data controller’s obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (a data protection impact assessment);
(d) the data controller’s obligation to consult the competent supervisory authority, Datatilsynet / The Danish Data Protection Agency – ▇▇▇.▇▇▇▇▇▇▇▇▇▇▇▇.▇▇, prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the data controller to mitigate the risk.
8.3. The parties shall define in Appendix C the appropriate technical and organisational measures by which the data processor is required to assist the data controller as well as the scope and the extent of the assistance required. This applies to the obligations foreseen in Clause 9.1. and 9.2.
Appears in 1 contract
Sources: Standard Contractual Clauses
Assistance to the Data Controller. 1. Taking into account Considering the nature of the processingprocessing and to the extent possible, the data processor shall assist the data controller Data Processor shall, by means of appropriate technical and organizational measures, insofar as this is possible, assist the Data Controller in the fulfilment of the data controller’s obligations fulfilling its obligation to respond to requests for exercising made by the data subject’s subject in order to exercise its rights laid down set out in Chapter III of the GDPR. This entails means that the data processor Data Processor shall, insofar as this is to the extent possible, assist the data con- troller Data Controller in the data controller’s its compliance with:
a. the right to be informed when collecting personal data is collected from the data subject;
b. the right to be informed when personal data have is not been obtained collected from the data subject;
c. the data subject's right of access by the data subjectaccess;
d. the right to rectification;
e. the right to erasure (‘'the right to be forgotten’');
f. the right to restriction of restrict processing;
g. notification the obligation regarding to notify in the event of rectification or erasure of personal data or re- striction restriction of processing;
h. the right to data portability;
i. the right to object object;
j. the right not to be subject to a decision based solely on automated processing, including profiling.
2. In addition to the data processor’s Data Processor's obligation to assist the data controller pursuant to Clause Data Controller in accordance with point 6.3., the data processor Data Processor shall furthermorefurther, taking into account the nature of the processing and the information available to the data processorData Processor, assist the data controller Data Controller in ensuring compliance with:
a. The data controller’s the Data Controller's obligation to notify the supervisory authority of a personal data breach without undue delay and, where feasibleif possible, not no later than 72 hours after having become becoming aware of it, notify the personal data breach to the competent supervisory authority, the Danish Data Protection Agency, unless the personal data breach is unlikely to result in pose a risk to the rights and freedoms of natural persons;
b. the data controller’s Data Controller's obligation to without undue delay communicate inform the data subject of the personal data breach to the data subjectwithout undue delay, when where the personal data breach is likely to result in pose a high risk to the rights and freedoms of natural persons;
c. the data controller’s Data Controller's obligation to carry out an a data protection impact assessment (DPIA) of the impact of the envisaged planned processing operations on the protection of personal data (a data pro- tection impact assessment)operations;
d. the data controller’s Data Controller's obligation to consult with the competent supervisory authorityauthority before processing, the Danish Data Protection Agency, prior to processing where if a data protection im- pact assessment DPIA indicates that the processing would result in involve a high risk in if the absence of Data Controller does not take measures taken by the data controller to mitigate reduce the risk.
3. The parties shall define in Appendix C the appropriate technical and organizational measures by which the data processor is required to assist the data controller as well as the scope and the extent of the assistance required. This applies to the obligations foreseen in Clause 9.1. and 9.2.
Appears in 1 contract
Sources: Data Processing Agreement
Assistance to the Data Controller. 9.1 Taking into account the nature of the processing, the data processor shall assist the data controller by appropriate technical and organisational measures, insofar as this is possible, in the fulfilment of the data controller's obligations to respond to requests for exercising the data subject's rights laid down in Chapter III GDPR. This entails that the data processor shall, insofar as this is possible, assist the data controller in the data controller's compliance with:
a) the right to be informed when collecting personal data from the data subject
b) the right to be informed when personal data have not been obtained from the data subject
c) the right of access by the data subject
d) the right to rectification
e) the right to erasure ('the right to be forgotten')
f) the right to restriction of processing
g) notification obligation regarding rectification or erasure of personal data or restriction of processing
h) the right to data portability
i) the right to object
j) the right not to be subject to a decision based solely on automated processing, including profiling
9.2 In addition to the data processor's obligation to assist the data controller pursuant to Clause 6.3., the data processor shall furthermore, taking into account the nature of the processing and the information available to the data processor, assist the data controller in ensuring compliance with:
a) the data controller's obligation to without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority, The Danish Data Protection Agency (Datatilsynet), unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons;
b) the data controller's obligation to without undue delay communicate the personal data breach to the data subject, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons;
c) the data controller's obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (a data protection impact assessment);
d) the data controller's obligation to consult the competent supervisory authority, The Danish Data Protection Agency (Datatilsynet), prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the data controller to mitigate the risk.
9.3 The parties shall define in Appendix C the appropriate technical and organisational measures by which the data processor is required to assist the data controller as well as the scope and the extent of the assistance required. This applies to the obligations foreseen in Clause 9.1. and 9.2.
Appears in 1 contract
Sources: Standard Contractual Clauses
Assistance to the Data Controller. 1. Considering the nature of the processing and to the extent possible, the Data Processor shall, by means of appropriate technical and organisational measures, assist the Data Controller in fulfilling its obligation to respond to requests made by the data subject in order to exercise its rights set out in Chapter III of the GDPR. This means that the Data Processor shall, to the extent possible, assist the Data Controller in its compliance with:
a. the right to be informed when personal data is collected from the data subject;
b. the right to be informed when personal data is not collected from the data subject;
c. the data subject's right of access;
d. the right to rectification;
e. the right to erasure ('the right to be forgotten');
f. the right to restrict processing;
g. the obligation to notify in the event of rectification or erasure of personal data or restriction of processing;
h. the right to data portability;
i. the right to object;
j. the right not to be subject to a decision based solely on automated processing, including profiling.
2. In addition to the Data Processor's obligation to assist the Data Controller in accordance with point 6.3., the Data Processor shall further, taking into account the nature of the processing and the information available to the Data Processor, assist the Data Controller in ensuring compliance with:
a. the Data Controller's obligation to notify the supervisory authority of a personal data breach without undue delay and, if possible, no later than 72 hours after becoming aware of it, unless the personal data breach is unlikely to pose a risk to the rights and freedoms of natural persons;
b. the Data Controller's obligation to inform the data subject of the personal data breach without undue delay, where the personal data breach is likely to pose a high risk to the rights and freedoms of natural persons;
c. the Data Controller's obligation to carry out a data protection impact assessment (DPIA) of the planned processing operations;
d. the Data Controller's obligation to consult with the competent supervisory authority before processing, if a DPIA indicates that the processing would involve a high risk if the Data Controller does not take measures to reduce the risk.
3. The parties shall define in Appendix C the appropriate technical and organizational measures by which the data processor is required to assist the data controller as well as the scope and the extent of the assistance required. This applies to the obligations foreseen in Clause 9.1. and 9.2.
Appears in 1 contract
Sources: Data Processing Agreement (Dpa)
Assistance to the Data Controller. 1. The Data Processor, taking into account the nature of the processing, shall, as far as possible, assist the Data Controller with appropriate technical and organisational measures, in the fulfilment of the Data Controller’s obligations to respond to requests for the exercise of the data subjects’ rights pursuant to Chapter 3 of the General Data Protection Regulation. This entails that the Data Processor should as far as possible assist the Data Controller in the Data Controller’s compliance with:
1. Notification obligation when collecting personal data from the data subject
2. Notification obligation if personal data have not been obtained from the data subject
3. The right of access by the data subject
4. The right to rectification
5. The right to erasure (‘the right to be forgotten’)
6. The right to restrict processing
7. Notification obligation regarding rectification or erasure of personal data or restriction of processing
8. The right to data portability
9. The right to object
10. The right to object to the result of automated individual decision making, including profiling
2. The Data Processor shall assist the Data Controller in ensuring compliance with the Data Controller’s obligations pursuant to Articles 32-36 of the General Data Protection Regulation taking into account the nature of the processing and the data made available to the Data Processor, cf. Article 28, subsection 3, para f. This entails that the Data Processor should, considering the nature of the processing, as far as possible assist the Data Controller in ensuring the Data Controller’s compliance with:
The obligation to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk associated with the processing.
The obligation to report personal data breaches to the supervisory authority (Danish Data Protection Agency) without undue delay and, if possible, within 72 hours after the Data Controller discovering such breach unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
The obligation to – without undue delay - to communicate the personal data breach to the data subject when such breach is likely to result in a high risk to the rights and freedoms of natural persons.
The obligation to carry out a data protection impact assessment if a type of processing is likely to result in a high risk to the rights and freedoms of natural persons.
The obligation to consult with the supervisory authority (Danish Data Protection Agency) prior to processing if a data protection impact assessment shows that the processing will lead to high risk in the lack of measures taken by the Data Controller to limit risk.
3. The Parties’ possible regulation/agreement on remuneration etc. for the Data Processor’s assistance to the Data Controller shall be specified in the Parties’ ‘Product Agreement’ or in Appendix D to this Data Processing Agreement.
Appears in 1 contract
Sources: Data Processing Agreement
Assistance to the Data Controller. 8.1. Taking into account the nature of the processing, the data processor shall assist the data controller by appropriate technical and organisational measures, insofar as this is possible, in the fulfilment of the data controller’s obligations to respond to requests for exercising the data subject’s rights laid down in Chapter III GDPR. This entails that the data processor shall, insofar as this is possible, assist the data controller in the data controller’s compliance with:
(a) the right to be informed when collecting personal data from the data subject
(b) the right to be informed when personal data have not been obtained from the data subject
(c) the right of access by the data subject
(d) the right to rectification
(e) the right to erasure (‘the right to be forgotten’)
(f) the right to restriction of processing
(g) notification obligation regarding rectification or erasure of personal data or restriction of processing
(h) the right to data portability
(i) the right to object
(j) the right not to be subject to a decision based solely on automated processing, including profiling
8.2. In addition to the data processor’s obligation to assist the data controller pursuant to Clause 6.3., the data processor shall furthermore, taking into account the nature of the processing and the information available to the data processor, assist the data controller in ensuring compliance with:
(a) The data controller’s obligation to without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority, the Datatilsynet / The Danish Data Protection Agency – ▇▇▇.▇▇▇▇▇▇▇▇▇▇▇▇.▇▇ unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons;
(b) the data controller’s obligation to without undue delay communicate the personal data breach to the data subject, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons;
(c) the data controller’s obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (a data protection impact assessment);
(d) the data controller’s obligation to consult the competent supervisory authority, the Datatilsynet / The Danish Data Protection Agency – ▇▇▇.▇▇▇▇▇▇▇▇▇▇▇▇.▇▇, prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the data controller to mitigate the risk.
8.3. The parties shall define in Appendix C the appropriate technical and organisational measures by which the data processor is required to assist the data controller as well as the scope and the extent of the assistance required. This applies to the obligations foreseen in Clause 9.1. and 9.2.
Appears in 1 contract
Sources: Standard Contractual Clauses
Assistance to the Data Controller. 1. Taking into account the nature of the processing, the data processor shall assist the data controller as far as possible by appropriate technical and organisational measures in compliance with the data controller's obligation to respond to requests for the exercise of data subjects' rights as set out in Chapter III of the General Data Protection Regulation. This means that, to the extent possible, the data processor must assist the data controller in complying with:
a. the duty to inform the data subject when personal data is collected from the data subject;
b. the duty to inform the data subject if personal data has not been obtained from the data subject;
c. the right of access;
d. the right of rectification;
e. the right of erasure ("the right to be forgotten");
f. the right to restriction of processing;
g. the duty to inform in connection with the correction or deletion of personal data or restriction of processing;
h. the right to data portability;
i. the right to object;
j. the right not to be the subject of a decision based solely on automatic processing, including profiling
2. Taking into account the nature of the processing and the information available to the data processor, the data processor shall also assist the data controller in ensuring compliance with the following:
a. the obligation of the data controller to report the breach of personal data security to the competent supervisory authority, X, without undue delay and, if possible, no later than 72 hours after the breach, unless it is unlikely that the breach of personal data security poses a risk to natural persons' rights or freedoms
b. the obligation of the data controller to notify the data subject of a breach of personal data security without undue delay when the personal data breach is likely to entail a high risk to the rights and freedoms of natural persons;
c. the obligation of the data controller to carry out an analysis of the consequences of the intended processing activities for the protection of personal data prior to processing (a data protection impact assessment);
d. the data controller's obligation to consult the competent supervisory authority, X, before processing if an impact analysis regarding data protection shows that the processing will lead to a high risk in the absence of measures taken by the data controller to limit said risk.
3. The Parties shall set out in Annex C the necessary technical and organisational measures with which the data processor is required to assist the data controller, as well as the scope and the extent of these. This applies to the obligations that follow from Provisions 8.1. and 8.2.
Appears in 1 contract
Sources: Data Processing Agreement
Assistance to the Data Controller. 8.1. Taking into account the nature of the processing, the data processor shall assist the data controller by appropriate technical and organisational measures, insofar as this is possible, in the fulfilment of the data controller’s obligations to respond to requests for exercising the data subject’s rights laid down in Chapter III GDPR. This entails that the data processor shall, insofar as this is possible, assist the data controller in the data controller’s compliance with:
(a) the right to be informed when collecting personal data from the data subject
(b) the right to be informed when personal data have not been obtained from the data subject
(c) the right of access by the data subject
(d) the right to rectification
(e) the right to erasure (‘the right to be forgotten’)
(f) the right to restriction of processing
(g) notification obligation regarding rectification or erasure of personal data or restriction of processing
(h) the right to data portability
(i) the right to object
(j) the right not to be subject to a decision based solely on automated processing, including profiling
8.2. In addition to the data processor’s obligation to assist the data controller pursuant to Clause 6.3., the data processor shall furthermore, taking into account the nature of the processing and the information available to the data processor, assist the data controller in ensuring compliance with:
(a) The data controller’s obligation to without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority, the Datatilsynet / The Danish Data Protection Agency – ▇▇▇.▇▇▇▇▇▇▇▇▇▇▇▇.▇▇ unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons;
(b) the data controller’s obligation to without undue delay communicate the personal data breach to the data subject, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons;
(c) the data controller’s obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (a data protection impact assessment);
(d) the data controller’s obligation to consult the competent supervisory authority, the Datatilsynet / The Danish Data Protection Agency – ▇▇▇.▇▇▇▇▇▇▇▇▇▇▇▇.▇▇, prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the data controller to mitigate the risk.
8.3. The parties shall define in Appendix C the appropriate technical and organisational measures by which the data processor is required to assist the data controller as well as the scope and the extent of the assistance required. This applies to the obligations foreseen in Clause 9.1. and 9.2.
Appears in 1 contract
Sources: Standard Contractual Clauses
Assistance to the Data Controller. 1. The Data Processor, taking into account the nature of the processing, shall, as far as possible, assist the Data Controller with appropriate technical and organisational measures, in the fulfilment of the Data Controller’s obligations to respond to requests for the exercise of the data subjects’ rights pursuant to Chapter 3 of the General Data Protection Regulation. This entails that the Data Processor should as far as possible assist the Data Controller in the Data Controller’s compliance with:
a. notification obligation when collecting personal data from the data subject
b. notification obligation if personal data have not been obtained from the data subject
c. the right of access by the data subject
d. the right to rectification
e. the right to erasure (‘the right to be forgotten’)
f. the right to restrict processing
g. notification obligation regarding rectification or erasure of personal data or restriction of processing
h. the right to data portability
i. the right to object
j. the right to object to the result of automated individual decision‐making, including profiling
2. The Data Processor shall assist the Data Controller in ensuring compliance with the Data Controller’s obligations pursuant to Articles 32‐36 of the General Data Protection Regulation taking into account the nature of the processing and the data made available to the Data Processor, cf. Article 28, sub‐section 3, para f. This entails that the Data Processor should, taking into account the nature of the processing, as far as possible assist the Data Controller in ensuring the Data Controller’s compliance with:
a. the obligation to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk associated with the processing
b. the obligation to report personal data breaches to the supervisory authority (▇▇▇‐ ish Data Protection Agency) without undue delay and, if possible, within 72 hours after the Data Controller discovering such breach unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons
c. the obligation to – without undue delay ‐ to communicate the personal data breach to the data subject when such breach is likely to result in a high risk to the rights and freedoms of natural persons
d. the obligation to carry out a data protection impact assessment if a type of processing is likely to result in a high risk to the rights and freedoms of natural persons
e. the obligation to consult with the supervisory authority (Danish Data Protection Agency) prior to processing if a data protection impact assessment shows that the processing will lead to high risk in the lack of measures taken by the Data Controller to limit risk
1. On discovery of personal data breach at the Data Processor’s facilities or a sub‐processor’s facilities, the Data Processor shall without undue delay notify the Data Controller. The Data Processor’s notification to the Data Controller shall, if possible, take place within 24 hours after the Data Processor has discovered the breach to enable the Data Controller to comply with his obligation, if applicable, to report the breach to the supervisory authority within 72 hours.
2. According to Clause 9.2., para b, of this Data Processing Agreement, the Data Processor shall – taking into account the nature of the processing and the data available – assist the Data Controller in the reporting of the breach to the supervisory authority. This may mean that the Data Processor is required to assist in obtaining the information listed below which, pursuant to Article 33, sub‐section 3, of the General Data Protection Regulation, shall be stated in the Data Controller’s report to the supervisory authority:
a. The nature of the personal data breach, including, if possible, the categories and the approximate number of affected data subjects and the categories and the approximate number of affected personal data records
b. Probable consequences of a personal data breach
c. Measures which have been taken or are proposed to manage the personal data breach, including, if applicable, measures to limit its possible damage
1. On termination of the processing services, the Data Processor shall be under obligation, at the Data Controller’s discretion, to erase or return all the personal data to the Data Controller and to erase existing copies unless EU law or Member State law requires storage of the personal data.
Appears in 1 contract
Sources: Data Processing Agreement
Assistance to the Data Controller. 1. The Data Processor, taking into account the nature of the processing, shall, as far as possible, assist the Data Controller by appropriate technical and organizational measures, with the obligation of the Data Controller to respond to requests for the exercise of the data subjects´ rights as laid down in Chapter 3 of the Data Protection Regulation. This implies that, as far as possible, the Data Processor shall assist the Data Controller in connection with the Data Controller being responsible for ensuring compliance with:
a. The disclosure obligation for collecting personal data from the data subject
b. The disclosure obligation whose personal data have not been collected by the data subject.
c. The data subject´s right of insight
d. The right to rectification
e. The right to delete “the right to be forgotten”
f. The right to limitation of treatment
g. Notification obligation in connection with the correction or deletion of personal data or limitation of treatment
h. The right to data portability
i. The right of objection
j. The right to object to the result of automatic individual decisions, including profiling
2. The Data Processor assists the Data Controller in ensuring compliance with the Data Controller´s obligations pursuant to Article 32-36 of the Data Protection Regulation, taking into account the nature of the processing and the information available to the Data Processor, cf. Article 28 3 (f). This implies that, in consideration of the nature of the processing, the Data Processor must assist the Data Controller in ensuring that the Data Controller is responsible for ensuring compliance with:
k. The obligation to implement appropriate technical and organizational measures to ensure a level of safety that fits the risks associated with treatment
l. The obligation to report personal data breach to the Supervisory Authority (Data Inspectorate) without undue delay and, if possible, within 72 hours after the Data Controller has been notified of the breach, unless it is unlikely that the breach of personal data security implies a risk to natural person’s rights or freedoms.
Document issued by: Project/Client reference: Document revision: Document issue date: Confidentiality level ▇▇▇▇▇ ▇▇▇▇▇▇▇▇ 2018.03.02 2018-05-25 Commercial-in-confidence
m. The obligation to – without undue delay – notify the registered data breach of personal data security when such a breach is likely to entail a high risk of the rights and freedoms of natural persons;
n. The obligation to conduct an impact assessment on data protection if one type of treatment is likely to entail a high risk to natural persons´ rights and freedoms
o. The obligation to consult the competent supervisory authority (Data Inspectorate) before processing if an impact assessment on data protection shows, that the treatment will lead to high risk in the absence of measures taken by the Data Controller to limit the risk
3. Any adjustment / settlement of the parties to the agreement or the like in connection with the Data Processor´s assistance to the Data Controller will appear from the parties´ “Main Agreement” or from Appendix D of this agreement.
Appears in 1 contract
Sources: Data Processor Agreement
Assistance to the Data Controller.
1. Considering the nature of the data processing, the data processor shall assist the data controller by appropriate technical and organizational measures, insofar as this is possible. And in the fulfillment of the data controller’s obligations to respond to requests for exercising the data subject’s rights laid down in Chapter III GDPR. This entails that the data processor shall, insofar as this is possible, assist the data controller in the data controller’s compliance with:
a. the right to be informed when collecting personal data from the data subject.
b. the right to be informed when personal data have not been obtained from the data subject.
c. the right of access by the data subject
d. the right to rectification
e. the right to erasure (‘the right to be forgotten’)
f. the right to restriction of processing
g. notification obligation regarding rectification or erasure of personal data or restriction of processing
h. the right to data portability
i. the right to object
j. the right not to be subject to a decision based solely on automated processing, including profiling.
2. In addition to the data processor’s obligation to assist the data controller pursuant to Clause 6.3., the data processor shall furthermore consider the nature of the data processing and the information available to the data processor, and assist the data controller in ensuring compliance with:
a. The data controller’s obligation to without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority, The Danish Data Protection Agency, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons;
b. the data controller’s obligation to without undue delay communicate the personal data breach to the data subject when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons;
c. the data controller’s obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (a data protection impact assessment);
d. the data controller’s obligation to consult the competent supervisory authority, the Danish Data Protection Agency, prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the data controller to mitigate the risk.
3. The parties shall define in Appendix C the appropriate technical and organizational measures by which the data processor is required to assist the data controller as well as the scope and the extent of the assistance required. This applies to the obligations foreseen in Clause 9.1. and 9.2.
Appears in 1 contract
Sources: Data Processing Agreement
Assistance to the Data Controller.
1. Taking into account the nature of the processing, the data processor shall assist the data controller by appropriate technical and organisational measures, insofar as this is possible, in the fulfilment of the data controller’s obligations to respond to requests for exercising the data subject’s rights laid down in Chapter III GDPR. This entails that the data processor shall, insofar as this is possible, assist the data controller in the data controller’s compliance with:
a. the right to be informed when collecting personal data from the data subject
b. the right to be informed when personal data have not been obtained from the data subject
c. the right of access by the data subject
d. the right to rectification
e. the right to erasure (‘the right to be forgotten’)
f. the right to restriction of processing
g. notification obligation regarding rectification or erasure of personal data or restriction of processing
h. the right to data portability
i. the right to object
j. the right not to be subject to a decision based solely on automated processing, including profiling
2. In addition to the data processor’s obligation to assist the data controller pursuant to Clause 6.3., the data processor shall furthermore, considering the nature of the processing and the information available to the data processor, assist the data controller in ensuring compliance with:
a. The data controller’s obligation to without undue delay and, where feasible, not later than seventy-two (72) hours after having become aware of it, notify the personal data breach to the competent supervisory authority, the Danish Data Protection Agency, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons;
b. the data controller’s obligation to without undue delay communicate the personal data breach to the data subject when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons;
c. the data controller’s obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (a data protection impact assessment);
d. the data controller’s obligation to consult the competent supervisory authority, the Danish Data Protection Agency, prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the data controller to mitigate the risk.
3. The parties shall define in Appendix C the appropriate technical and organisational measures by which the data processor is required to assist the data controller as well as the scope and the extent of the assistance required. This applies to the obligations foreseen in Clause 9.1. and 9.2.
Appears in 1 contract
Sources: Data Processing Agreement
Assistance to the Data Controller.
1. Taking into account the nature of the processing, the data processor shall assist the data controller by appropriate technical and organisational measures, insofar as this is possible, in the fulfilment of the data controller’s obligations to respond to requests for exercising the data subject’s rights laid down in Chapter III GDPR and UK GDPR. This entails that the data processor shall, insofar as this is possible, assist the data controller in the data controller’s compliance with:
a. the right to be informed when collecting personal data from the data subject
b. the right to be informed when personal data have not been obtained from the data subject
c. the right of access by the data subject
d. the right to rectification
e. the right to erasure (‘the right to be forgotten’)
f. the right to restriction of processing
g. notification obligation regarding rectification or erasure of personal data or restriction of processing
h. the right to data portability
i. the right to object
j. the right not to be subject to a decision based solely on automated processing, including profiling
2. In addition to the data processor’s obligation to assist the data controller pursuant to Clause 6.3., the data processor shall furthermore, taking into account the nature of the processing and the information available to the data processor, assist the data controller in ensuring compliance with:
a. The data controller’s obligation to without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority of the data controller as set out in the first page, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons;
b. the data controller’s obligation to without undue delay communicate the personal data breach to the data subject, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons;
c. the data controller’s obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (a data protection impact assessment);
d. the data controller’s obligation to consult the competent supervisory authority of the data controller as set out in the first page, prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the data controller to mitigate the risk.
3. The parties shall define in Appendix C the appropriate technical and organisational measures by which the data processor is required to assist the data controller as well as the scope and the extent of the assistance required. This applies to the obligations foreseen in Clause 9.1. and 9.2.
Appears in 1 contract
Sources: Data Processing Agreement