DATA PRIVACY AND PROTECTION Clause Samples

DATA PRIVACY AND PROTECTION. All SDCOE content/data (to include but not limited to: students, teachers, interns, aides, Principals, and other administrative personnel) involved in this agreement shall continue to be the property of and under the control of the SDCOE. All content/data created by the SDCOE or by its students or personnel using the service(s) provided by Contractor pursuant to this Agreement will cease to be retained by the Contractor at the conclusion of this Agreement and will, in fact, be removed from the Contractor’s records. The Contractor will not use any information in a student or personnel record for any purposes other than those required or specifically permitted by this Agreement. Any other use of the SDCOE’s student and personnel information will not be undertaken without the express, written consent of the SDCOE. The Contractor certifies it uses and adheres to the following methods to ensure the privacy and security of all electronically stored information: ● transmission of student and personnel information is always via secure protocols (SFTP, SSL and/or encryption) ● no data transmission occurs via email ● student and personnel data are stored in an encrypted form and programmatic access to that data is done using secure coding standards without visible account or password information ● all server systems including data storage are maintained in a locked, secure, environmentally controlled facility ● all server systems have been hardened with industry standard recommended measures for security protection The Contractor will notify the SDCOE within 24 hours of the Contractor discovering an unauthorized access or disclosure of SDCOE data. The Contractor and the SDCOE will work together to ensure compliance with FERPA regulations as applicable.

DATA PRIVACY AND PROTECTION. 7.1. In performing the Cloud Services, We will comply with the Incident IQ Privacy Policy, which is available at ▇▇▇▇▇://▇▇▇.▇▇▇▇▇▇▇▇▇▇.▇▇▇/privacy-policy and incorporated herein by reference, as well as the additional requirements detailed in paragraph 8, below. The Incident IQ Privacy Policy is subject to change at Our discretion; however, policy changes will not result in a material reduction in the level of protection provided for Your Data during the Services Period described in Your Order Form. 7.2. We will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Your Data. Those safeguards will include, but will not be limited to, measures for preventing access, use, modification or disclosure of Your Data by Our personnel except (a) to provide the purchased Cloud Services and prevent or address service or technical problems, (b) as compelled by law in accordance with Section 6.3 above, or (c) as You expressly permit in writing.

DATA PRIVACY AND PROTECTION. 10.1 The Customer shall own all rights, title and interest in and to all of the Customer Data and shall have sole responsibility of the legality, reliability, integrity, accuracy and quality of the Customer Data. 10.2 In the event of any loss or damage to Customer Data, the Customer’s sole and exclusive remedy shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data if maintained by the Supplier and if relevant considering the nature of the Service. 10.3 The Customer shall ensure that its use of the Service and its treatment of Customer Data complies with all applicable laws, rules, regulations and orders. 10.4 The Customer expressly warrants and undertakes that it shall at all times comply with any contractual terms and conditions or legal requirements applicable to the use of location based services and hereby indemnify and hold the Supplier harmless against any damages, losses, liabilities, settlements and expenses of whatsoever nature howsoever arising whether in delict, contract or statute. 10.5 To the extent that the Supplier’s acts or omissions could impact on the security of the Customer’s card holder data environment, it is recorded that the Supplier has been assessed and found to be in compliance with the relevant PCI DSS standard. The Customer acknowledges and agrees that the Service does not by itself ensure compliance with PCI DSS and that they remain responsible to ensure that they comply therewith.

DATA PRIVACY AND PROTECTION. 13.1 The Service Provider acknowledges that in providing the Services to Sentech, the Service Provider may be exposed to Sentech’s Data, including Data of any of Sentech’s clients and/or other third parties. 13.2 The Parties specifically record that all Data provided by Sentech to the Service Provider, or to which the Service Provider may be exposed, shall constitute Confidential Information and as such, the Service Provider shall comply with all the provisions of clause 10 with regard to such Data. 13.3 The Service Provider hereby warrants in favour of Sentech that it shall at all times strictly comply with all applicable legislation and with all the provisions and requirements of the Sentech's Data protection policies and procedures, as may be updated from time to time, and any further requirements of which Sentech may, from time to time, advise the Service Provider in writing, or which may be required by legislation, regulation or any relevant industry body, whether within the Republic of South Africa or elsewhere in the world. 13.4 The Service Provider hereby warrants and undertakes that it shall not, at any time copy, compile, collect, collate, process, mine, store, transfer, alter, delete, interfere with or in any other manner use Data for any purpose other than with the express prior written consent of Sentech, and to the extent necessary to provide the Services to Sentech. All data and software, including Sentech Data, provided by Sentech or accessed (or accessible) by Service Provider Staff members shall be used by such Staff members only in connection with the provision of the Services and shall not be commercially exploited by the Service Provider in any manner whatsoever. 13.5 The Service Provider further warrants that it shall ensure that all its systems and operations which it uses to provide the Services, including all systems on which Data is copied, compiled, collected, collated, processed, mined, stored, transmitted, altered or deleted or otherwise used as part of providing the Services, shall at all times be of a minimum standard required by law and further be of a standard no less than the standards which are in compliance with the international best practice for the protection, control and use of Data. 13.6 The Service Provider indemnifies and holds harmless Sentech for any loss, whether direct or indirect, arising out of a failure to process any Sentech Data in accordance with the applicable laws.

DATA PRIVACY AND PROTECTION. The Seller shall (i) comply with all applicable data protection laws in respect of the Processing of Personal Data, including the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“GDPR”); (ii) only Process Personal Data to the extent necessary to perform its obligations under this GTCoP and for no other purpose; and (iii) implement and maintain appropriate technical, organizational and security measures to ensure that Personal Data is adequately protected against unauthorized Processing, disclosure, loss or misuse. The Seller shall not transfer any Personal Data to any recipient without the Buyer’s prior written consent. The Seller shall promptly notify the Buyer if it suspects, or is aware of, any data breach involving Personal Data within 24 hours after having become aware of it, in which case, the Buyer shall be entitled to terminate all transactions and business relationship with the Seller. As used in this clause, “Personal Data” and “Process/Processing” have the meanings set out in the GDPR. The Seller shall comply with all directions and/or requirements of the Buyer pertaining to any mandatory breach of Personal Data notification requirements under any applicable law.

DATA PRIVACY AND PROTECTION a. The default WageKey configuration covered by this Agreement does not include features or capabilities which (1) permit remote systems to access the local systems or data; (2) compromise or weaken firewall, network or machine security; or (3) submit or post any union member or contractor data to any off-site system, machine or party, with the exceptions of electronic WD-10 survey submissions and any deliberate data synchronizations and posted backups (both compressed & encrypted with passwords) initiated by WageKey users. Licensee may choose to have special or custom features enabled which are not included within the default WageKey configuration, and these special or custom features may access remote servers and submit processed data, software user entries or requests to specific secure remote servers for the purpose of accessing specific data services required by Licensee. b. If Licensee shall send data files to LaborKey for assistance with data processing, LaborKey shall only process these data files on systems protected with levels of security which prevent unauthorized persons from accessing these data files. LaborKey shall maintain data files for 30 to 60 days, and the data files shall only be used to support Licensee if and when Licensee shall request or require additional assistance with data files. Any files provided by Licensee in the possession of LaborKey shall be and forever remain exclusively the property of Licensee.

DATA PRIVACY AND PROTECTION. 11.1. DMB Data shall- 11.1.1. use its best efforts to keep Personal Information confidential and shall not disclose any Personal Information to any other person except as required by law, save to the extent set out herein. The Customer grants DMB Data the right to disclose Personal Information to its Affiliates for the purposes of providing the Services; 11.1.2. utilize security technologies and techniques in accordance with best industry practice for the purpose of complying with its obligations in terms of clause 11.1.1; 11.1.3. at all times strictly comply with any applicable laws, regulation or code relating to data protection in South Africa, or other requirements enforced by any relevant industry or self-regulatory body within the Republic of South Africa in the provision of the Services; and 11.1.4. not, at any time copy, compile, collect, collate, process, mine, store, transfer, alter, delete, interfere with or in any other manner use Data for any purpose other than providing the Services to the Customer other than with the express prior written consent of the Customer. 11.2. The Parties record that all Data, in whatever form, is the Customer’s Intellectual Property. Accordingly, the Customer retains all right, title and interest in and to the Data. 11.3. The Customer acknowledges that it is primarily responsible for complying with any data protection obligations imposed in terms of any law, including the common law, in relation to any Personal Information and shall obtain any consents necessary for the disclosure of Personal Information to DMB Data for the purposes of this Agreement. 11.4. The Customer shall separate any Personal Information from any other Data provided to DMB Data for the purpose of providing the Service and shall designate the Personal Information as such before disclosing or otherwise making it available to DMB Data.

DATA PRIVACY AND PROTECTION a. The Parties hereby declare that they will comply with the applicable laws in force concerning data privacy and data protection within the scope of their activities under this MoU. Parties also agree to adhere to respective privacy policies of the Parties. Parties agree not to share externally any personal data/sensitive personal data/information relating to an identifiable individual (hereinafter referred to as “Personal Data”) obtained or collected for the purposes of this MoU, without obtaining prior written permission of the Party who owns such data (“Data Subject”). The Parties agree that the Data Subject(s) who may suffer damage arising from non-compliance with the respective obligations set forth in this MoU may be entitled to receive compensation for the damage suffered due to such non- compliance. b. Parties agree that: • Personal Data will be accessed processed solely for the purposes of this MoU only; • Personal Data will be handled with necessary security controls & measures; • Any incident of Personal Data breach shall be reported duly to the other Party and the owner of the data and take necessary steps as per applicable laws and policies; • Personal Data will not be retained for longer than required for the purposes of this MoU; • If Personal Data access is legally required by competent authorities, Parties will promptly notify the data owner. c. Partner Institute shall duly intimate the students/candidates regarding the collection of their Personal Data for the purposes of this MoU and ensure that the applicable privacy policy of the Foundation and/or any third party is adhered to. The Personal Data will be shared with the Foundation or any other third-party on behalf of the Foundation, which will comply with applicable data privacy and data protection laws and maintain same level of data protection security measures. Partner Institute shall duly obtain the express consent from the students/candidates/data owner as per the attached Annexure V – Personal Data d. The Data collected by Foundation under this MoU will be retained during the term of this MoU, entire enrollment period and thirty-six (36) months post completion of the enrolled courses under the Program, whichever is later. Foundation may require Partner Institute/students/candidates/data owners for additional/further information for impact assessments of the Program. e. In the event of a conflict with the remainder of this MoU or the MoU becomes void, this clause will prevail as ...

DATA PRIVACY AND PROTECTION. (a) VI shall, in relation to any processing of personal data by it or VE, maintain a framework and make arrangements to allow the VE Members to comply with EU data protection laws, including the Data Protection Directive 95/46/EC and any legislation in force from time to time which implements the Data Protection Directive 95/46/EC and its successors (the “EU Member State Data Protection Laws”), particularly in connection with the transfer of personal data outside of the European Economic Area (“Trans-Border Dataflow”) and the evolving privacy landscape (including EU privacy norms). (b) The parties agree that the current compliance model (a “Privacy Compliance Model”) maintained by VI and VE (under which VE acts as data controller with responsibility for Trans-Border Dataflow) allows the VE Members to comply with EU Member State Data Protection Laws (as such current Privacy Compliance Model is set out in the VE operating regulations in force immediately prior to the Closing, the VE Constitutional Documents and membership deeds between the VE Members and VE). VI shall ensure that the current Privacy Compliance Model will remain in place following the Closing by entering into a deed poll substantially in the form attached hereto as Exhibit K (the “Deed Poll”), and procuring that VE enters into the Deed Poll, for the benefit of all VE Members, which obliges VE to maintain in place, and comply with, the current Privacy Compliance Model (notwithstanding any termination of the VE Constitutional Documents and membership deeds between the VE Members and VE) until an alternative compliance solution has been implemented pursuant to Section 6.12(c) or (d) below. The Deed Poll shall be governed by English law and VI and VE shall irrevocably submit to the jurisdiction of the courts of England in connection with any proceedings arising out of or in connection with the deed poll and waive any objection to proceedings in any such court on the ground of venue or on the ground that proceedings have been brought in an inconvenient forum. (c) VI may implement an alternative Privacy Compliance Model under which: (i) the VE Members contract directly with VI, and VI offers to enter into direct EU Model Contracts (such EU Model Contracts to be in a form approved by the European Commission) with each VE Member; or (ii) the VE Members enter into new contracts with VE whereby VE acts as data controller with sole responsibility for any Trans-Border Dataflow, such new contracts between...