Common use of Data Processor Obligations Clause in Contracts

Data Processor Obligations. 4.1 GNI acknowledges that in carrying out services in connection with the GNI Data Processing Purposes, it will process Personal Data on behalf of the Shipper. In such circumstances GNI agrees: (a) that it will process such personal data solely in accordance with the instructions of the Shipper; (b) that it will implement such Technical and Organisational Security Measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data and that, having regard to the state of technological development and the costs of implementing any measures, will ensure a level of security appropriate to the harm that might result from such authorised or unlawful processing or accidental loss, destruction or damage and the nature of the personal data to be protected including as a minimum the security measures set out in Appendix 1 to this Agreement; (c) to provide access to the Shipper (or its authorised representative(s)) at reasonable times and on reasonable notice, to audit the Technical and Organisational Security Measures adopted by GNI to ensure that such measures comply with the data security obligations in the DPA; (d) to notify the Shipper as soon as reasonably practicable on becoming aware of any data security breach actual or suspected and to provide the Shipper with such reasonable co-operation and assistance as may be required to mitigate against the effects of any such breach; (e) to inform the Shipper immediately in the event of receiving a data subject access request and to provide all such co-operation and assistance as may be reasonably required to enable the Shipper to deal with any subject access request in accordance with the provisions of the DPA; (f) to provide the Shipper with full visibility of where personal data is being processed by GNI or its employees or subcontractors on behalf of the Shipper and to ensure that no personal data shall be transferred outside of the European Economic Area by GNI or any of its employees or subcontractors without the prior written consent of the Shipper which consent may be subject to terms and conditions including, without limitation, that GNI and any of its sub contractors enters into model clauses in the form approved by the European Commission and, where relevant, complies with the provisions regarding sub-processors contained in such model contracts in respect of its subcontractors; (g) subject to the provisions of clause 4.1(f), where any subcontractors of GNI will be processing personal data on behalf of the Shipper, GNI shall ensure that a written contract exists between GNI and the relevant subcontractor containing clauses equivalent to those imposed on GNI in this clause and GNI shall enter such contract on behalf of itself and as agent for the Shipper; (h) to promptly inform the Shipper if:- (a) any Personal Data processed on behalf of the Shipper is lost or destroyed, damaged or unusable and restore, where possible to do so, such Personal Data at its own cost; or (b) it becomes aware of any actual or suspected unauthorised or unlawful processing of the Personal Data processed on behalf of the Shipper. (i) GNI will indemnify the Shipper fully against all losses, damages, claims, demands and expenses suffered by the Shipper which arise in any way from any negligence, wilful default or breach of contract in relation with GNI, its directors or its employees’ obligations under this clause 4.1. 4.2 GNI further agree that it shall not, without the prior consent of the Shipper, process Shipper Personal Data for any purpose other than the GNI Data Processing Purposes. 4.2 A) The parties acknowledge and agree that any amendment to this Agreement shall be in accordance with section 1, Part I of the Code (Modifications). 4.3 The Shipper acknowledges that in carrying out services in connection with the Shipper Data Processing Purposes, it will process Personal Data on behalf of GNI. In such circumstances the Shipper agrees: (a) that it will process such personal data solely in accordance with the instructions of GNI; (b) that it will implement such Technical and Organisational Security Measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data and that, having regard to the state of technological development and the costs of implementing any measures, will ensure a level of security appropriate to the harm that might result from such authorised or unlawful processing or accidental loss, destruction or damage and the nature of the personal data to be protected including as a minimum the security measures set out in Appendix 1 to this Agreement; (c) to provide access to GNI (or its authorised representative(s)) at reasonable times and on reasonable notice, to audit the Technical and Organisational Security Measures adopted by the Shipper to ensure that such measures comply with the data security obligations in the DPA; (d) to notify GNI as soon as reasonably practicable on becoming aware of any data security breach, actual or suspected, and to provide GNI with such reasonable co-operation and assistance as may be required to mitigate against the effects of any such breach; (e) to inform GNI immediately in the event of receiving a data subject access request and to provide all such co-operation and assistance as may be reasonably required to enable GNI to deal with any subject access request in accordance with the provisions of the DPA; (f) to provide GNI with full visibility of where personal data is being processed by the Shippers or its employees or subcontractors on behalf of GNI and to ensure that no personal data shall be transferred outside of the European Economic Area by the Shipper or any of its employees or subcontractors without the prior written consent of GNI which consent may be subject to terms and conditions including, without limitation, that the Shipper and any of its subcontractors enters into model clauses in the form approved by the European Commission and, where relevant, complies with the provisions regarding sub-processors contained in such model contracts in respect of its subcontractors; (g) subject to the provisions of clause 4.3(f), where any subcontractors of the Shipper will be processing personal data on behalf of GNI, the Shipper shall ensure that a written contract exists between the Shipper and the relevant subcontractor containing clauses equivalent to those imposed on the Shipper in this clause and the Shipper shall enter such contract on behalf of itself and as agent for GNI; (h) to promptly inform GNI if:- (a) any Personal Data is lost or destroyed, damaged or unusable and restore such Personal Data at its own cost; or (b) it becomes aware of any actual or suspected unauthorised or unlawful processing of the Personal Data. (i) Notwithstanding clause 2.11.3, Part I of the Code, the Shipper will indemnify GNI fully against all losses, damages, claims, demands and expenses suffered by GNI which arise in any way from any negligence, wilful default or breach of contract in relation with the Shipper, its directors or its employees’ obligations under this clause 4.3 on the part of the Shipper or its directors or employees. 4.4 The Shipper further agree that it shall not, without the prior consent of GNI, process GNI Personal Data for any purpose other than the Shipper Data Processing Purposes.

Data Processor Obligations. 4.1 GNI acknowledges 2.4.1 To the extent that in carrying out services in connection with the GNI Data Processing Purposes, it will process either Party Processes any Personal Data as a Processor for and on behalf of the Shipper. In such circumstances GNI agreesother Party (as the Controller) it shall: (a) only Process the Personal Data for and on behalf of the Controller for the purposes of performing its obligations under this Agreement, and only in accordance with the terms of this Agreement and any documented instructions from the Controller; (b) keep a record of any Processing of the Personal Data it carries out on behalf of the Controller; (c) unless prohibited by law, notify the other party immediately (and in any event within twenty-four (24) hours of becoming aware of the same) if it considers, in its opinion (acting reasonably) that it will process such personal data solely is required by Applicable EU Law to act other than in accordance with the instructions of the Shipper;Controller, including where it believes that any of the Controller's (ba) that it will implement such Technical and Organisational Security Measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data and that, having regard to the state of technological development and the costs of implementing infringe any measures, will ensure a level of security appropriate to the harm that might result from such authorised or unlawful processing or accidental loss, destruction or damage and the nature of the personal data to be protected including as a minimum the security measures set out in Appendix 1 to this Agreement; (c) to provide access to the Shipper (or its authorised representative(s)) at reasonable times and on reasonable notice, to audit the Technical and Organisational Security Measures adopted by GNI to ensure that such measures comply with the data security obligations in the DPAData Protection Laws; (d) take, implement and maintain appropriate technical and organisational security measures and where requested provide to notify the Shipper Controller evidence of its compliance with such requirements; (e) within thirty (30) calendar days of a request from the Controller, allow its data processing facilities, procedures and documentation to be submitted for scrutiny, inspection or audit by the Controller (and/ or its representatives, including its appointed auditors) in order to ascertain compliance with the terms of this Schedule, and provide reasonable information, assistance and co-operation, including access to relevant Personnel and/ or, on the request of the Controller, provide the Controller with written evidence of its compliance with the requirements of this; (f) not disclose Personal Data to a third party (including a sub-contractor) in any circumstances without the Controller's prior written consent, save in relation to Third Party Requests where the Processor is prohibited by law or regulation from notifying the Controller, in which case it shall use reasonable endeavours to advise the Controller in advance of such disclosure and in any event as soon as reasonably practicable on becoming aware thereafter; (g) promptly comply with any request from the Controller to amend, transfer or delete any Personal Data; (h) notify the Controller promptly (and in any event within forty-eight (48) hours) following its receipt of any data security breach actual Data Subject Request or suspected ICO Correspondence and shall: (i) not disclose any Personal Data in response to any Data Subject Request or ICO Correspondence without first consulting with and obtaining the Controller's prior written consent; and (ii) provide the Shipper controller with such all reasonable co-operation and assistance as may be required in relation to mitigate against the effects of any such breachData Subject Request or ICO Correspondence; (ei) notify the Controller promptly (and in any event within twenty-four (24) hours) upon becoming aware of any actual or suspected, threatened or 'near miss' Personal Data Breach in relation to inform the Shipper immediately Personal Data (and follow-up in writing) and shall: (i) conduct or support the event Controller in conducting such investigations and analysis that it reasonably requires in respect of receiving such Personal Data Breach; (ii) implement any actions or remedial measures necessary to restore the security of compromised Personal Data; and (iii) assist the Controller to make any notifications to the ICO and affected Data Subjects; (j) comply with the obligations imposed upon a data subject access request and to provide Processor under the Data Protection Laws; (k) use all such co-operation and assistance as may be reasonably required to enable the Shipper to deal with any subject access request reasonable endeavours, in accordance with Good Industry Practice, to assist the provisions of Controller to comply with the DPAobligations imposed on the Controller by the Data Protection Laws, including: (i) compliance with the Security Requirements; (fii) obligations relating to provide notifications required by the Shipper with full visibility of where personal data is being processed by GNI or its employees or subcontractors on behalf of Data Protection Laws to the Shipper and to ensure that no personal data shall be transferred outside of the European Economic Area by GNI ICO and/ or any relevant Data Subjects; (iii) undertaking any Data Protection Impact Assessments; and (iv) without undue delay and where feasible not later than 72 hours after having become aware of it notify Personal Data Breaches to the ICO unless the Personal Data Breach is unlikely to result in a risk to the rights and freedoms of natural persons. (l) upon the earlier of: (i) termination of this Agreement; and (ii) the date on which Personal Data is no longer relevant to, or necessary for, any obligations relating to the AO Programme; the Processor shall cease Processing all Personal Data and return and/ or permanently and securely destroy so that it is no longer retrievable (as directed in writing by the Controller) all Personal Data and all copies in its employees possession or subcontractors without control and, where requested by the Controller, certify that such destruction has taken place except to the extent required by Applicable EU Law to retain the Personal Data; (m) not make (nor instruct or permit a third party to make) a transfer of any Personal Data to a Restricted Country except with the prior written consent of the Shipper which consent may be subject to terms Data Controller and conditions including, without limitation, that GNI and any of its sub contractors enters into model clauses in the form approved by the European Commission and, where relevant, complies with the provisions regarding sub-processors contained in such model contracts in respect of its subcontractors; (g) subject to the provisions of clause 4.1(f), where any subcontractors of GNI will be processing personal data on behalf of the Shipper, GNI shall ensure that a written contract exists between GNI and the relevant subcontractor containing clauses equivalent to those imposed on GNI in this clause and GNI shall enter such contract on behalf of itself and as agent for the Shipper; (h) to promptly inform the Shipper if:- (a) any Personal Data processed on behalf of the Shipper is lost or destroyed, damaged or unusable and restore, where possible to do so, such Personal Data at its own cost; or (b) it becomes aware of any actual or suspected unauthorised or unlawful processing of the Personal Data processed on behalf of the Shipper. (i) GNI will indemnify the Shipper fully against all losses, damages, claims, demands and expenses suffered by the Shipper which arise in any way from any negligence, wilful default or breach of contract in relation with GNI, its directors or its employees’ obligations under this clause 4.1. 4.2 GNI further agree that it shall not, without the prior consent of the Shipper, process Shipper Personal Data for any purpose other than the GNI Data Processing Purposes. 4.2 A) The parties acknowledge and agree that any amendment to this Agreement shall be in accordance with section 1, Part I any terms the Data Controller may impose on such transfer as the Data Controller deems necessary to satisfy the requirements to ensure that transfers of Personal Data outside of the Code (Modifications). 4.3 The Shipper acknowledges that EEA have adequate protections in carrying out services in connection with the Shipper Data Processing Purposes, it will process Personal Data on behalf of GNI. In such circumstances the Shipper agrees: (a) that it will process such personal data solely in accordance with the instructions of GNI; (b) that it will implement such Technical and Organisational Security Measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data and that, having regard to the state of technological development and the costs of implementing any measures, will ensure a level of security appropriate to the harm that might result from such authorised or unlawful processing or accidental loss, destruction or damage and the nature of the personal data to be protected including place as a minimum the security measures set out in Appendix 1 to this Agreement; (c) to provide access to GNI (or its authorised representative(s)) at reasonable times and on reasonable notice, to audit the Technical and Organisational Security Measures adopted by the Shipper to ensure that such measures comply with the data security obligations in the DPA; (d) to notify GNI as soon as reasonably practicable on becoming aware of any data security breach, actual or suspected, and to provide GNI with such reasonable co-operation and assistance as may be required to mitigate against the effects of any such breach; (e) to inform GNI immediately in the event of receiving a data subject access request and to provide all such co-operation and assistance as may be reasonably required to enable GNI to deal with any subject access request in accordance with the provisions of the DPA; (f) to provide GNI with full visibility of where personal data is being processed by the Shippers or its employees or subcontractors on behalf of GNI and to ensure that no personal data shall be transferred outside of the European Economic Area by the Shipper or any of its employees or subcontractors without the prior written consent of GNI which consent may be subject to terms and conditions including, without limitation, that the Shipper and any of its subcontractors enters into model clauses in the form approved by the European Commission and, where relevant, complies with the provisions regarding sub-processors contained in such model contracts in respect of its subcontractors; (g) subject to the provisions of clause 4.3(f), where any subcontractors of the Shipper will be processing personal data on behalf of GNI, the Shipper shall ensure that a written contract exists between the Shipper and the relevant subcontractor containing clauses equivalent to those imposed on the Shipper in this clause and the Shipper shall enter such contract on behalf of itself and as agent for GNI; (h) to promptly inform GNI if:- (a) any Personal Data is lost or destroyed, damaged or unusable and restore such Personal Data at its own cost; or (b) it becomes aware of any actual or suspected unauthorised or unlawful processing of the Personal DataProtection Laws. (i) Notwithstanding clause 2.11.3, Part I of the Code, the Shipper will indemnify GNI fully against all losses, damages, claims, demands and expenses suffered by GNI which arise in any way from any negligence, wilful default or breach of contract in relation with the Shipper, its directors or its employees’ obligations under this clause 4.3 on the part of the Shipper or its directors or employees. 4.4 The Shipper further agree that it shall not, without the prior consent of GNI, process GNI Personal Data for any purpose other than the Shipper Data Processing Purposes.

Data Processor Obligations. 4.1 GNI acknowledges 2.3.1. In relation to any University Data that in carrying out services in connection with the GNI Data Processing Purposes, it will process Personal Data University provides or makes available to the Supplier or that the Supplier Processes for and on behalf of the Shipper. In University (the University acting as the Controller) the Supplier shall: a) only Process the University Data for and on behalf of the University for the purposes of performing its obligations under this Agreement, and only in accordance with the terms of this Agreement, any Data Transfer Agreement (where applicable) and any documented instructions from the University (unless required to do otherwise by Applicable Law, in which case it shall (unless prohibited from doing so by such circumstances GNI agrees:Applicable Law) inform the University of such legal requirement before Processing); b) keep a record of any Processing of the Personal Data it carries out on behalf of the University. c) unless prohibited by Applicable Law, notify the University immediately (and in any event (a) that it will process such personal data solely in accordance with the instructions infringe any of the ShipperData Protection Laws; (bd) that it will take, implement such Technical and Organisational Security Measures against unauthorised or unlawful processing of personal data maintain appropriate technical and against accidental loss or destruction of, or damage to, personal data and that, having regard to the state of technological development and the costs of implementing any measures, will ensure a level of security appropriate to the harm that might result from such authorised or unlawful processing or accidental loss, destruction or damage and the nature of the personal data to be protected including as a minimum the organisational security measures which are sufficient to comply with: (i) at least the obligations imposed on the University by the Security Requirements; and (ii) the obligations set out in Appendix 1 2 (Information Security); and at any time where requested provide to this Agreementthe University evidence of its compliance with such requirements promptly, and in any event within forty- eight (48) hours of the request; (ce) hold the University Data in such a manner that it is capable of being distinguished from other data or information processed by the Supplier; f) only disclose University Data to provide its Personnel who are required to assist it in meeting its obligations under this Agreement and ensure that no other Personnel shall have access to such University Data; g) take all reasonable steps to ensure the reliability and integrity of any of its Personnel who shall have access to the Shipper University Data, and ensure that each member of its Personnel shall have entered into appropriate contractually-binding confidentiality undertakings and that they receive periodic data security and privacy training. Such persons include those who Process the University Data or whose roles relate to procuring, developing and/or maintaining technical infrastructure or tools used to Process the University Data; h) within thirty (30) calendar days of a request from the University, allow its data processing facilities, procedures and documentation to be submitted for scrutiny, inspection or audit by the University (and/ or its authorised representative(srepresentatives, including its appointed auditors) in order to ascertain compliance with the terms of this Schedule 1 (Data Protection), and provide reasonable information, assistance and co-operation to the University, including access to relevant Personnel and/ or, on the request of the University, provide the University with written evidence of its compliance with the requirements of this Schedule 1 (Data Protection); i) at reasonable times and on reasonable noticesubject to Paragraph 2.3.1(k) not disclose University Data to a third party (including a Sub- Processor or any Group company or affiliate, or any Data Importer) in any circumstances without the University’s prior written consent, save in relation to: (i) transfers made pursuant to audit Paragraph 2.4 (Appointing Sub- Processors) and/or Paragraph 2.5 (International Transfers) of this Agreement; and/or (ii) Third Party Requests in which case it shall comply as applicable with the Technical and Organisational Security Measures adopted by GNI to ensure that such measures terms of Paragraph 2.6; j) promptly comply with any request from the data security obligations in the DPAUniversity to amend, transfer or delete any University Data; (dk) to notify the Shipper as soon as reasonably practicable on becoming aware University promptly (and in any event within forty-eight (48) hours) following its receipt of any data security breach actual Data Subject Request or suspected Regulator Correspondence and shall: (i) not respond to or disclose any University Data in response to any Data Subject Request or Regulator Correspondence without first obtaining the University’s prior written consent; and (ii) provide the Shipper University with such all reasonable co-operation and assistance as may be required by the University in relation to mitigate against the effects of any such breachData Subject Request or Regulator Correspondence; l) notify the University promptly (eand in any event within twenty-four (24) to inform the Shipper immediately in the event of receiving a data subject access request and to provide all such co-operation and assistance as may be reasonably required to enable the Shipper to deal with any subject access request in accordance with the provisions of the DPA; (fhours) to provide the Shipper with full visibility of where personal data is being processed by GNI or its employees or subcontractors on behalf of the Shipper and to ensure that no personal data shall be transferred outside of the European Economic Area by GNI or any of its employees or subcontractors without the prior written consent of the Shipper which consent may be subject to terms and conditions including, without limitation, that GNI and any of its sub contractors enters into model clauses in the form approved by the European Commission and, where relevant, complies with the provisions regarding sub-processors contained in such model contracts in respect of its subcontractors; (g) subject to the provisions of clause 4.1(f), where any subcontractors of GNI will be processing personal data on behalf of the Shipper, GNI shall ensure that a written contract exists between GNI and the relevant subcontractor containing clauses equivalent to those imposed on GNI in this clause and GNI shall enter such contract on behalf of itself and as agent for the Shipper; (h) to promptly inform the Shipper if:- (a) any Personal Data processed on behalf of the Shipper is lost or destroyed, damaged or unusable and restore, where possible to do so, such Personal Data at its own cost; or (b) it becomes upon becoming aware of any actual or suspected unauthorised or unlawful processing of the threatened Personal Data processed on behalf of Breach in relation to the Shipper.University Data ("Data Loss Event") (and follow-up in writing) and shall, within such timescale specified by the University (acting reasonably and in good faith): (i) GNI will indemnify seek to recover the Shipper fully against all losses, damages, claims, demands compromised data as soon as practicable and expenses suffered by implement any measures necessary to restore the Shipper which arise in any way from any negligence, wilful default or breach of contract in relation with GNI, its directors or its employees’ obligations under this clause 4.1. 4.2 GNI further agree that it shall not, without the prior consent security of the Shipper, process Shipper compromised Personal Data for any purpose other than the GNI Data Processing Purposes. 4.2 A) The parties acknowledge and agree that any amendment to this Agreement shall be in accordance with section 1, Part I of the Code (Modifications). 4.3 The Shipper acknowledges that in carrying out services in connection with the Shipper Data Processing Purposes, it will process Personal Data on behalf of GNI. In such circumstances the Shipper agrees: (a) that it will process such personal data solely in accordance with the instructions of GNIData; (bii) that it will implement such Technical and Organisational Security Measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data and that, having regard to promptly provide the state of technological development and the costs of implementing any measures, will ensure University with a level of security appropriate to the harm that might result from such authorised or unlawful processing or accidental loss, destruction or damage and report containing details about the nature of the personal data to be protected including Data Loss Event and provide the University further information as a minimum the security measures set out in Appendix 1 to this Agreementdetails become available; (ciii) to provide access to GNI (or investigate the incident and its authorised representative(s)) at reasonable times and on reasonable notice, to audit the Technical and Organisational Security Measures adopted by the Shipper to ensure that such measures comply with the data security obligations in the DPAcause; (div) assist the University to notify GNI as soon as reasonably practicable on becoming aware of make any data security breach, actual or suspected, notifications to the Regulator and to provide GNI with such reasonable co-operation and assistance as may be required to mitigate against the effects of any such breach;affected Data Subjects; and (ev) not make any public statements relating to inform GNI immediately in the event of receiving a data subject access request and to provide all such co-operation and assistance as may be reasonably required to enable GNI to deal with any subject access request in accordance with the provisions of the DPA; (f) to provide GNI with full visibility of where personal data is being processed by the Shippers or its employees or subcontractors on behalf of GNI and to ensure that no personal data shall be transferred outside of the European Economic Area by the Shipper or any of its employees or subcontractors incident without the prior written consent approval of GNI which consent may be subject the University; m) provide the University with reasonable assistance to terms and conditions including, without limitation, that the Shipper and any of its subcontractors enters into model clauses in the form approved by the European Commission and, where relevant, complies comply with the provisions regarding sub-processors contained in such model contracts in respect of its subcontractors; (g) subject to the provisions of clause 4.3(f), where any subcontractors of the Shipper will be processing personal data on behalf of GNI, the Shipper shall ensure that a written contract exists between the Shipper and the relevant subcontractor containing clauses equivalent to those obligations imposed on the Shipper in this clause and University by the Shipper shall enter such contract on behalf of itself and as agent for GNI; (h) to promptly inform GNI if:- (a) any Personal Data is lost or destroyedProtection Laws, damaged or unusable and restore such Personal Data at its own cost; or (b) it becomes aware of any actual or suspected unauthorised or unlawful processing of the Personal Data.including: (i) Notwithstanding clause 2.11.3, Part I of the Code, the Shipper will indemnify GNI fully against all losses, damages, claims, demands and expenses suffered by GNI which arise in any way from any negligence, wilful default or breach of contract in relation compliance with the ShipperSecurity Requirements; (ii) obligations relating to notifications required by the Data Protection Laws to the Regulator and/ or any relevant Data Subjects; (iii) undertaking any Data Protection Impact Assessments (and, where required by the Data Protection Laws, consulting with the Regulator and/or any other relevant regulatory body in respect of any such Data Protection Impact Assessments); and (iv) without undue delay and where feasible not later than seventy-two (72) hours after having become aware of it notify Personal Data Breaches to the Regulator and/or any other relevant regulatory body unless the Personal Data Breach is unlikely to result in a risk to the rights and freedoms of natural persons; n) not, whether by act or omission, cause the University to breach any of its directors or its employees’ obligations under this clause 4.3 on the part of the Shipper or its directors or employees. 4.4 The Shipper further agree that it shall not, without the prior consent of GNI, process GNI Personal Data for any purpose other than the Shipper Data Processing Purposes.Protection Laws;

Data Processor Obligations. 4.1 GNI acknowledges 2.3.1 To the extent that in carrying out services in connection with the GNI Data Processing Purposes, it will process Centre for Assessment Ltd Processes any Personal Data as a Processor on behalf of the Shipper. In such circumstances GNI agreesFirm/Organisation for the purpose of performing the Services under this Agreement, Centre for Assessment Ltd undertakes to the Firm/Organisation that Centre for Assessment Ltd shall: (a) that it will process such personal data solely only Process Personal Data for and on behalf of the Firm/Organisation for the purposes of performing its obligations under this Agreement and only in accordance with the Firm/Organisation's instructions of the Shipperfrom time to time, unless otherwise required by law; (b) that inform the Firm/Organisation immediately if it will considers any of the Firm/Organisation's instructions infringes Data Protection Laws; (c) implement such Technical and Organisational Security Measures maintain appropriate technical and organisational security measures to safeguard against any unauthorised or unlawful processing Processing of personal data Personal Data and against accidental loss or destruction of, or damage to, personal data Personal Data and that, having regard where requested provide to the state Firm/Organisation evidence of technological development and the costs of implementing any measures, will ensure a level of security appropriate to the harm that might result from its compliance with such authorised or unlawful processing or accidental loss, destruction or damage and the nature of the personal data to be protected including as a minimum the security measures set out in Appendix 1 to this Agreement; (c) to provide access to the Shipper (or its authorised representative(s)) at reasonable times and on reasonable notice, to audit the Technical and Organisational Security Measures adopted by GNI to ensure that such measures comply with the data security obligations in the DPArequirement; (d) take all reasonable steps to notify ensure the Shipper as soon as reasonably practicable on becoming aware reliability and integrity of any data security breach actual or suspected of its staff and independent contractors who have access to provide the Shipper with such reasonable co-operation Personal Data and assistance as may be ensure that only staff and contractors who are required to mitigate against assist in performing the effects of any Services have access to such breachPersonal Data; (e) ensure that any of its staff and/or contractors who have access to inform the Shipper immediately in the event of receiving a data subject access request and to provide all such co-operation and assistance as may be reasonably required to enable the Shipper to deal with any subject access request in accordance with the provisions of the DPAPersonal Data have entered into appropriate contractually binding confidentiality obligations; (f) not disclose Personal Data to provide a third party (including a sub-contractor or sub- processor) unless the Shipper with full visibility of where personal data is being processed by GNI or its employees or subcontractors on behalf of the Shipper and to ensure that no personal data shall be transferred outside of the European Economic Area by GNI or any of its employees or subcontractors without the prior written consent of the Shipper which consent may be subject third party agrees to terms and conditions including, without limitation, that GNI and any of its sub contractors enters into model clauses which are substantially the same as the terms set out in this Agreement or in response to Third Party Requests where Centre for Assessment Ltd is prohibited by law or regulation from notifying the form approved by the European Commission and, where relevant, complies with the provisions regarding sub-processors contained in such model contracts in respect of its subcontractorsFirm/Organisation; (g) subject at the Firm/Organisation’s reasonable request: (i) make available to the provisions other party evidence to demonstrate Centre for Assessment Ltd’s compliance with the requirements of clause 4.1(f), where any subcontractors this Paragraph 2.3.1; and/or (ii) allow for and contribute to audits of GNI will be processing personal data Centre for Assessment Ltd’s Processing activities pursuant to this Agreement conducted by or on behalf of the Shipper, GNI shall ensure that a written contract exists between GNI and the relevant subcontractor containing clauses equivalent to those imposed Firm/Organisation on GNI in this clause and GNI shall enter such contract on behalf of itself and as agent for the Shipperreasonable notice; (h) to promptly inform at the Shipper if:- Firm/Organisation’s direction, arrange for the prompt and safe return and/or secure permanent destruction of all Personal Data, together with all copies in its possession or control (aif any) any Personal Data processed on behalf within forty (40) days of the Shipper is lost or destroyed, damaged or unusable and restoresuch direction and, where possible requested by the Firm/Organisation, certify that such destruction has taken place, except where Centre for Assessment Ltd is required by Applicable Law or any regulatory body to do so, retain any of such Personal Data at its own cost; or (b) it becomes aware of any actual or suspected unauthorised or unlawful processing of the Personal Data processed on behalf of the Shipper.Data; (i) GNI will indemnify the Shipper fully against all losses, damages, claims, demands not transfer or otherwise process (and expenses suffered by the Shipper which arise in any way from any negligence, wilful default not instruct or breach of contract in relation with GNI, its directors permit a third party to transfer or its employees’ obligations under this clause 4.1. 4.2 GNI further agree that it shall not, without the prior consent otherwise process) Personal Data to a country outside of the Shipper, process Shipper Personal Data for any purpose other than the GNI Data Processing Purposes. 4.2 A) The parties acknowledge and agree that any amendment to this Agreement shall be UK unless such transfer is made in accordance with section 1, Part I of the Code (Modifications). 4.3 The Shipper acknowledges that in carrying out services in connection compliance with the Shipper Data Processing Purposes, it will process Personal Data on behalf of GNI. In such circumstances the Shipper agrees: (a) that it will process such personal data solely in accordance with the instructions of GNIProtection Laws; (b) that it will implement such Technical and Organisational Security Measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data and that, having regard to the state of technological development and the costs of implementing any measures, will ensure a level of security appropriate to the harm that might result from such authorised or unlawful processing or accidental loss, destruction or damage and the nature of the personal data to be protected including as a minimum the security measures set out in Appendix 1 to this Agreement; (c) to provide access to GNI (or its authorised representative(s)j) at the Firm/Organisation’s request use all reasonable times and on reasonable notice, endeavours to audit assist the Technical and Organisational Security Measures adopted by the Shipper Firm/Organisation to ensure that such measures comply with the data security obligations in the DPA; (d) to notify GNI as soon as reasonably practicable on becoming aware of any data security breach, actual or suspected, and to provide GNI with such reasonable co-operation and assistance as may be required to mitigate against the effects of any such breach; (e) to inform GNI immediately in the event of receiving a data subject access request and to provide all such co-operation and assistance as may be reasonably required to enable GNI to deal with any subject access request in accordance with the provisions of the DPA; (f) to provide GNI with full visibility of where personal data is being processed by the Shippers or its employees or subcontractors on behalf of GNI and to ensure that no personal data shall be transferred outside of the European Economic Area by the Shipper or any of its employees or subcontractors without the prior written consent of GNI which consent may be subject to terms and conditions including, without limitation, that the Shipper and any of its subcontractors enters into model clauses in the form approved by the European Commission and, where relevant, complies with the provisions regarding sub-processors contained in such model contracts in respect of its subcontractors; (g) subject to the provisions of clause 4.3(f), where any subcontractors of the Shipper will be processing personal data on behalf of GNI, the Shipper shall ensure that a written contract exists between the Shipper and the relevant subcontractor containing clauses equivalent to those imposed on the Shipper Firm/Organisation by or in this clause and the Shipper shall enter such contract on behalf of itself and as agent for GNI; (h) to promptly inform GNI if:- (a) any Personal Data is lost or destroyed, damaged or unusable and restore such Personal Data at its own cost; or (b) it becomes aware of any actual or suspected unauthorised or unlawful processing of the Personal Data.relation to: (i) Notwithstanding clause 2.11.3, Part I the rights of Data Subjects; (ii) assistance to the Code, ICO; and/or (iii) Data Protection Impact Assessments provided that any such assistance shall be provided to the Shipper will indemnify GNI fully against all losses, damages, claims, demands and expenses suffered by GNI which arise in any way from any negligence, wilful default or breach of contract in relation with Firm/Organisation subject to a fee payable to Centre for Assessment Ltd to be agreed between the Shipper, its directors or its employees’ obligations under this clause 4.3 on the part of the Shipper or its directors or employeesParties. 4.4 The Shipper further agree that it shall not, without the prior consent of GNI, process GNI Personal Data for any purpose other than the Shipper Data Processing Purposes.

Data Processor Obligations. 4.1 GNI acknowledges that 4.12.1 This Service Condition 4.11 only applies in carrying out services relation to any personal data in connection with the GNI Data Processing PurposesInput and Processing Output and, it will process Personal Data on behalf for the purposes of this Service Schedule only, shall take precedence over clause 8 of the Shipper. In such circumstances GNI agrees: (a) that it will process such personal data solely in accordance with the instructions of the Shipper; (b) that it will implement such Technical and Organisational Security Measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data and that, having regard to the state of technological development and the costs of implementing any measures, will ensure a level of security appropriate to the harm that might result from such authorised or unlawful processing or accidental loss, destruction or damage and the nature of the personal data to be protected including as a minimum the security measures set out in Appendix 1 to this Agreement; (c) to provide access to the Shipper (or its authorised representative(s)) at reasonable times and on reasonable notice, to audit the Technical and Organisational Security Measures adopted by GNI to ensure that such measures comply with the data security obligations in the DPA; (d) to notify the Shipper as soon as reasonably practicable on becoming aware of any data security breach actual or suspected and to provide the Shipper with such reasonable co-operation and assistance as may be required to mitigate against the effects of any such breach; (e) to inform the Shipper immediately General Terms in the event of receiving any inconsistency. 4.12.2 The parties acknowledge and agree that their respective statuses as controller or processor for the purposes of this Agreement are as set out in paragraph 4.10.1 and 4.10.2. 4.12.3 To the extent that TransUnion is acting as a data subject access request and to provide all such co-operation and assistance as may be reasonably required to enable the Shipper to deal with any subject access request in accordance with the provisions processor of the DPA; (f) to provide the Shipper with full visibility of where personal data is being processed by GNI or its employees or subcontractors on behalf of the Shipper and to ensure that no personal data shall be transferred outside of the European Economic Area by GNI or any of its employees or subcontractors without the prior written consent of the Shipper which consent may be subject to terms and conditions including, without limitation, that GNI and any of its sub contractors enters into model clauses in the form approved by the European Commission and, where relevant, complies with the provisions regarding sub-processors contained in such model contracts in respect of its subcontractors; (g) subject to the provisions of clause 4.1(f), where any subcontractors of GNI will be processing personal data on behalf of the ShipperClient in respect of this Service Schedule, GNI shall it shall: implement appropriate technical and organisational measures in such a manner that its processing of the personal data will meet the requirements of the Data Protection Legislation and ensure that a written contract exists between GNI and the protection of the rights of the relevant subcontractor containing clauses equivalent to those imposed data subjects; not engage another processor of the personal data without prior specific or general written authorisation of the controller and, where it relies on GNI in this clause and GNI shall enter such contract on behalf of itself and as agent for the Shipper; (h) to promptly a general authorisation, inform the Shipper if:- (a) controller of any Personal Data processed intended changes concerning the addition or replacement of other processors; where it engages another processor for carrying out processing activities on behalf of the Shipper is lost Client, impose obligations on that other processor that are substantially equivalent to the terms set out in this paragraph 4.11.3; process the personal data only on documented instructions from the Client or destroyed, damaged as otherwise required by Applicable Law; not transfer the personal data to an international organisation or unusable to a place outside [both the United Kingdom and restore, where possible to do so, such Personal Data at its own cost; or (b) it becomes aware of any actual or suspected unauthorised or unlawful processing the European Economic Area] [the United Kingdom] other than on the documented instructions of the Personal Data processed Client; where processing personal data otherwise than on behalf the basis of documented instructions from the Client, first inform the Client of the Shipper. (i) GNI will indemnify requirement to process it on grounds of Applicable Law, unless prohibited from doing so by Applicable Law; ensure that persons authorised to process the Shipper fully against all losses, damages, claims, demands and expenses suffered by the Shipper which arise in any way from any negligence, wilful default or breach of contract in relation with GNI, its directors or its employees’ obligations under this clause 4.1. 4.2 GNI further agree that it shall not, without the prior consent of the Shipper, process Shipper Personal Data for any purpose other than the GNI Data Processing Purposes. 4.2 A) The parties acknowledge and agree that any amendment to this Agreement shall be in accordance with section 1, Part I of the Code (Modifications). 4.3 The Shipper acknowledges that in carrying out services in connection with the Shipper Data Processing Purposes, it will process Personal Data on behalf of GNI. In such circumstances the Shipper agrees: (a) that it will process such personal data solely in accordance with the instructions have committed themselves to confidentiality or are under an appropriate statutory obligation of GNI; (b) that it will implement such Technical and Organisational Security Measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data and that, having regard to the state of technological development and the costs of implementing any measures, will ensure a level of security appropriate to the harm that might result from such authorised or unlawful processing or accidental loss, destruction or damage and confidentiality; taking into account the nature of the processing, assist the Client by appropriate technical and organisational measures, ins ofar as this is possible, for the fulfilment of the Client's obligation to respond to requests under the Data Protection Legislation in relation to the data subjects’ rights of access to personal data, rectification of personal data, erasure of personal data, restriction of personal data, data portabi lity, objection to processing of personal data, and in relation to automated individual decision-making. Any such assistance shall be requested by the Client as a Processor Request in accordance with clause 4.11.6; notify the Client without undue delay after becoming aware of a personal data breach affecting the data being processed; taking into account the nature of the processing and the information available to the processor, assist the Client in ensuring compliance with its obligations under the Data Protection Legislation in relation to security of processing, notification of personal data breaches to regulatory authorities and to data subjects, and carrying out and consulting with regulatory authorities in relation to data protection impact assessments. Any such assistance shall be requested by the Client as a Processor Request in accordance with clause 4.11.6; at the choice of the Client, delete or return the personal data to be protected the Client after the end of the provision of the Services, and delete existing copies unless required to store it by Applicable Law; make available to the Client all information necessary to demonstrate compliance with the obligations under the Data Protecti on Legislation in relation to the appointment and use of processors; allow for and contribute to audits, including as a minimum the security measures set out in Appendix 1 to this Agreement; (c) to provide access to GNI (or its authorised representative(s)) at reasonable times and on reasonable noticeinspections, to audit the Technical and Organisational Security Measures adopted conducted by the Shipper to ensure that such measures comply with Client or another auditor mandated by the data security obligations in the DPA; (d) to notify GNI as soon as reasonably practicable on becoming aware of any data security breachClient, actual or suspected, and to provide GNI with such reasonable co-operation and assistance as may be required to mitigate against the effects of any such breach; (e) to inform GNI immediately in the event of receiving a data subject access request and to provide all such co-operation and assistance as may be reasonably required to enable GNI to deal with any subject access request in accordance with the provisions clause 13 (Audit) of the DPA; (f) to provide GNI with full visibility of where personal data is being processed General Terms; and immediately inform the Client if, in its opinion, an instruction given by the Shippers Client infringes the Data Protection Legislation or its employees any other Applicable Law relating to data protection. 4.12.4 For the purposes of paragraph Error! Reference source not found.: the Client hereby gives TransUnion a general authorisation to appoint any other processor to process the Input and the Output in accordance with this Agreement; if the Client objects to the appointment of a processor, the parties shall enter into good faith negotiations, during which time TransUnion may suspend the supply of the Services, with a view to agreeing an alternative processor acceptable to the Client an d a variation to the Fees reflecting any consequential increase in TransUnion’s costs; and if the parties fail to reach an agreement under 4.11.4.2 within a period of 14 days, TransUnion may by written notice immediately terminate this Service Schedule (including all licences granted under it). 4.12.5 For the purposes of paragraphs 4.11.3.4, and 4.11.3.5, the terms of this Agreement (including the contents of the Data Processing Annex) are deemed to be documented instructions of the Client. 4.12.6 Where the Client wishes to make a change to the Services (including the documented instructions) or subcontractors on behalf request assistance under paragraph 4.11.3.8 or 4.11.3.10, the Client shall notify TransUnion in writing (a “Processor Request”). 4.12.7 As soon as practicable after receipt of GNI the Processor Request, TransUnion shall specify whether it is able to effect the change/provide the requested assistance and to ensure that no personal data if so what additional charge (if any) shall be transferred outside of levied on the European Economic Area Client. 4.12.8 Any Processor Request (and the appropriate charge to be levied) shall be agreed in writing between the parties and signed by the Shipper or any appropriately authorised representatives. 4.12.9 Nothing in this Agreement shall relieve TransUnion of its employees or subcontractors without own direct responsibilities and liabilities as a processor under the prior written consent of GNI which consent may be subject to terms and conditions including, without limitation, that the Shipper and any of its subcontractors enters into model clauses in the form approved by the European Commission and, where relevant, complies with the provisions regarding sub-processors contained in such model contracts in respect of its subcontractors; (g) subject to the provisions of clause 4.3(f), where any subcontractors of the Shipper will be processing personal data on behalf of GNI, the Shipper shall ensure that a written contract exists between the Shipper and the relevant subcontractor containing clauses equivalent to those imposed on the Shipper in this clause and the Shipper shall enter such contract on behalf of itself and as agent for GNI; (h) to promptly inform GNI if:- (a) any Personal Data is lost or destroyed, damaged or unusable and restore such Personal Data at its own cost; or (b) it becomes aware of any actual or suspected unauthorised or unlawful processing of the Personal DataProtection Legislation. (i) Notwithstanding clause 2.11.3, Part I of the Code, the Shipper will indemnify GNI fully against all losses, damages, claims, demands and expenses suffered by GNI which arise in any way from any negligence, wilful default or breach of contract in relation with the Shipper, its directors or its employees’ obligations under this clause 4.3 on the part of the Shipper or its directors or employees. 4.4 The Shipper further agree that it shall not, without the prior consent of GNI, process GNI Personal Data for any purpose other than the Shipper Data Processing Purposes.

Data Processor Obligations. 4.1 GNI acknowledges 2.3.1 In relation to the Services, to the extent that in carrying out services in connection with the GNI Data Processing Purposes, it will process BSI Processes any Personal Data as a Processor on behalf of Client for the Shipperpurpose of performing the Services under this Data Processing Addendum, BSI undertakes to the Client that BSI shall, per GDPR Art. In such circumstances GNI agrees28: (a) that it will process such personal data solely only Process Personal Data for and on behalf of Client for the purposes of performing its obligations under this Data Processing Agreement and only in accordance with the Client's instructions of the Shipperfrom time to time, unless otherwise required by law; (b) that inform the Client immediately if it will implement such Technical and Organisational Security Measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data and that, having regard to the state of technological development and the costs of implementing considers any measures, will ensure a level of security appropriate to the harm that might result from such authorised or unlawful processing or accidental loss, destruction or damage and the nature of the personal data to be protected including as a minimum the security measures set out in Appendix 1 to this AgreementClient's instructions infringes Data Protection Laws; (c) implement and maintain appropriate technical and organisational security measures to provide access to the Shipper (safeguard against any unauthorised or its authorised representative(s)) at reasonable times and on reasonable notice, to audit the Technical and Organisational Security Measures adopted by GNI to ensure that such measures comply with the data security obligations in the DPAunlawful Processing of Personal Data; (d) take all reasonable steps to notify ensure the Shipper as soon as reasonably practicable on becoming aware reliability and integrity of any data security breach actual or suspected of its Personnel who have access to Personal Data and to provide the Shipper with such reasonable co-operation and assistance as may be ensure that only Personnel who are required to mitigate against assist in performing the effects of any Services have access to such breachPersonal Data; (e) ensure that any of its staff and/or contractors who have access to inform the Shipper immediately in the event of receiving a data subject access request and to provide all such co-operation and assistance as may be reasonably required to enable the Shipper to deal with any subject access request in accordance with the provisions of the DPAPersonal Data have entered into appropriate contractually binding confidentiality undertakings; (f) not disclose Personal Data to provide a third party unless the Shipper with full visibility of where personal data is being processed by GNI or its employees or subcontractors on behalf of the Shipper and to ensure that no personal data shall be transferred outside of the European Economic Area by GNI or any of its employees or subcontractors without the prior written consent of the Shipper which consent may be subject third party agrees to terms and conditions including, without limitation, that GNI and any of its sub contractors enters into model clauses which are substantially the same as the terms set out in the form approved this Data Processing Addendum or in response to Third Party Requests where BSI is prohibited by the European Commission and, where relevant, complies with the provisions regarding sub-processors contained in such model contracts in respect of its subcontractorslaw or regulation from notifying Client; (g) subject to the provisions of clause 4.1(f)at Client’s direction, where any subcontractors of GNI will be processing personal data on behalf of the Shipper, GNI shall ensure that a written contract exists between GNI and the relevant subcontractor containing clauses equivalent to those imposed on GNI in this clause and GNI shall enter such contract on behalf of itself and as agent arrange for the Shipperprompt and safe return and/or secure permanent destruction of all Personal Data, together with all copies in its possession or control (if any) within twenty eight (28) days of such direction, except where BSI is required by applicable law to retain any of such Personal Data; (h) to promptly inform the Shipper if:- (a) not transfer any Personal Data processed on behalf of to a Restricted Country unless such transfer is made in compliance with the Shipper is lost or destroyed, damaged or unusable and restore, where possible to do so, such Personal Data at its own cost; or (b) it becomes aware of any actual or suspected unauthorised or unlawful processing of the Personal Data processed on behalf of the Shipper.Protection Laws; (i) GNI will indemnify at Client’s request use reasonable endeavours to assist Client to comply with the Shipper fully against all losses, damages, claims, demands and expenses suffered obligations imposed on Client by the Shipper which arise in any way from any negligence, wilful default or breach of contract in relation with GNI, its directors or its employees’ obligations under this clause 4.1. 4.2 GNI further agree that it shall not, without the prior consent of the Shipper, process Shipper Personal Data for any purpose other than the GNI Data Processing Purposes. 4.2 A) The parties acknowledge and agree that any amendment to this Agreement shall be in accordance with section 1, Part I of the Code (Modifications). 4.3 The Shipper acknowledges that in carrying out services in connection with the Shipper Data Processing Purposes, it will process Personal Data on behalf of GNI. In such circumstances the Shipper agreesto: (ai) that it will process such personal data solely in accordance with the instructions rights of GNIData Subjects; (bii) that it will implement such Technical and Organisational Security Measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data and that, having regard assistance to the state of technological development and the costs of implementing relevant Supervisory Authority; and/or (iii) data protection impact assessments provided that any measures, will ensure such assistance shall be provided to Client subject to a level of security appropriate fee payable to the harm that might result from such authorised or unlawful processing or accidental loss, destruction or damage and the nature of the personal data BSI to be protected including as a minimum agreed between the security measures set out in Appendix 1 to this Agreement;Parties; and (cj) to provide access to GNI (or its authorised representative(s)) at reasonable times and on reasonable notice, to audit the Technical and Organisational Security Measures adopted by the Shipper to ensure that such measures comply with the data security obligations in the DPA; (d) to notify GNI as soon as reasonably practicable on Client promptly upon becoming aware of any data security breach, actual or suspected, and to provide GNI with such reasonable co-operation and assistance as may be required to mitigate against the effects of any such breach; (e) to inform GNI immediately in the event of receiving a data subject access request and to provide all such co-operation and assistance as may be reasonably required to enable GNI to deal with any subject access request in accordance with the provisions of the DPA; (f) to provide GNI with full visibility of where personal data is being processed by the Shippers or its employees or subcontractors on behalf of GNI and to ensure that no personal data shall be transferred outside of the European Economic Area by the Shipper or any of its employees or subcontractors without the prior written consent of GNI which consent may be subject to terms and conditions including, without limitation, that the Shipper and any of its subcontractors enters into model clauses in the form approved by the European Commission and, where relevant, complies with the provisions regarding sub-processors contained in such model contracts in respect of its subcontractors; (g) subject to the provisions of clause 4.3(f), where any subcontractors of the Shipper will be processing personal data on behalf of GNI, the Shipper shall ensure that a written contract exists between the Shipper and the relevant subcontractor containing clauses equivalent to those imposed on the Shipper in this clause and the Shipper shall enter such contract on behalf of itself and as agent for GNI; (h) to promptly inform GNI if:- (a) any Personal Data is lost or destroyedBreach, damaged or unusable and restore such Personal Data at its own cost; or (b) it becomes aware of any actual or suspected unauthorised or unlawful processing of the Personal Data.and: (i) Notwithstanding clause 2.11.3, Part I implement any measures necessary to restore the security of compromised Personal Data; and (ii) assist Client to make any notifications to the Code, the Shipper will indemnify GNI fully against all losses, damages, claims, demands relevant Supervisory Authority and expenses suffered by GNI which arise in any way from any negligence, wilful default or breach of contract in relation with the Shipper, its directors or its employees’ obligations under this clause 4.3 on the part of the Shipper or its directors or employeesaffected Data Subjects. 4.4 The Shipper further agree that it shall not, without the prior consent of GNI, process GNI Personal Data for any purpose other than the Shipper 2.3.2 This Data Processing PurposesAddendum shall not affect any services (or the obligations owed in respect of them) under the Agreement that are not related to the Processing of Personal Data.

Data Processor Obligations. 4.1 GNI acknowledges 2.3.1. In relation to any University Data that in carrying out services in connection with the GNI Data Processing Purposes, it will process Personal Data University provides or makes available to the Supplier or that the Supplier Processes for and on behalf of the Shipper. In University (the University acting as the Controller) the Supplier shall: a) only Process the University Data for and on behalf of the University for the purposes of performing its obligations under this Agreement, and only in accordance with the terms of this Agreement, any Data Transfer Agreement (where applicable) and any documented instructions from the University (unless required to do otherwise by Applicable Law, in which case it shall (unless prohibited from doing so by such circumstances GNI agrees:Applicable Law) inform the University of such legal requirement before Processing); b) keep a record of any Processing of the Personal Data it carries out on behalf of the University. c) unless prohibited by Applicable Law, notify the University immediately (and in any event within twenty-four (24) hours of becoming aware of the same) if it considers, in its opinion (acting reasonably) that any of the University’s instructions under Paragraph 2.3.1 (a) that it will process such personal data solely in accordance with the instructions infringe any of the ShipperData Protection Laws; (bd) that it will take, implement such Technical and Organisational Security Measures against unauthorised or unlawful processing of personal data maintain appropriate technical and against accidental loss or destruction of, or damage to, personal data and that, having regard to the state of technological development and the costs of implementing any measures, will ensure a level of security appropriate to the harm that might result from such authorised or unlawful processing or accidental loss, destruction or damage and the nature of the personal data to be protected including as a minimum the organisational security measures which are sufficient to comply with: (i) at least the obligations imposed on the University by the Security Requirements; and (ii) the obligations set out in Appendix 1 2 (Information Security); and at any time where requested provide to this Agreementthe University evidence of its compliance with such requirements promptly, and in any event within forty-eight (48) hours of the request; (ce) hold the University Data in such a manner that it is capable of being distinguished from other data or information processed by the Supplier; f) only disclose University Data to provide its Personnel who are required to assist it in meeting its obligations under this Agreement and ensure that no other Personnel shall have access to such University Data; g) take all reasonable steps to ensure the reliability and integrity of any of its Personnel who shall have access to the Shipper University Data, and ensure that each member of its Personnel shall have entered into appropriate contractually-binding confidentiality undertakings and that they receive periodic data security and privacy training. Such persons include those who Process the University Data or whose roles relate to procuring, developing and/or maintaining technical infrastructure or tools used to Process the University Data; h) within thirty (30) calendar days of a request from the University, allow its data processing facilities, procedures and documentation to be submitted for scrutiny, inspection or audit by the University (and/ or its authorised representative(srepresentatives, including its appointed auditors) in order to ascertain compliance with the terms of this Schedule 1 (Data Protection), and provide reasonable information, assistance and co-operation to the University, including access to relevant Personnel and/ or, on the request of the University, provide the University with written evidence of its compliance with the requirements of this Schedule 1 (Data Protection); i) at reasonable times and on reasonable noticesubject to Paragraph 2.3.1(k) not disclose University Data to a third party (including a Sub-Processor or any Group company or affiliate, or any Data Importer) in any circumstances without the University’s prior written consent, save in relation to: (i) transfers made pursuant to audit Paragraph 2.4 (Appointing Sub- Processors) and/or Paragraph 2.5 (International Transfers) of this Agreement; and/or (ii) Third Party Requests in which case it shall comply as applicable with the Technical and Organisational Security Measures adopted by GNI to ensure that such measures terms of Paragraph 2.6; j) promptly comply with any request from the data security obligations in the DPAUniversity to amend, transfer or delete any University Data; (dk) to notify the Shipper as soon as reasonably practicable on becoming aware University promptly (and in any event within forty-eight (48) hours) following its receipt of any data security breach actual Data Subject Request or suspected Regulator Correspondence and shall: (i) not respond to or disclose any University Data in response to any Data Subject Request or Regulator Correspondence without first obtaining the University’s prior written consent; and (ii) provide the Shipper University with such all reasonable co-operation and assistance as may be required by the University in relation to mitigate against the effects of any such breachData Subject Request or Regulator Correspondence; l) notify the University promptly (eand in any event within twenty-four (24) to inform the Shipper immediately in the event of receiving a data subject access request and to provide all such co-operation and assistance as may be reasonably required to enable the Shipper to deal with any subject access request in accordance with the provisions of the DPA; (fhours) to provide the Shipper with full visibility of where personal data is being processed by GNI or its employees or subcontractors on behalf of the Shipper and to ensure that no personal data shall be transferred outside of the European Economic Area by GNI or any of its employees or subcontractors without the prior written consent of the Shipper which consent may be subject to terms and conditions including, without limitation, that GNI and any of its sub contractors enters into model clauses in the form approved by the European Commission and, where relevant, complies with the provisions regarding sub-processors contained in such model contracts in respect of its subcontractors; (g) subject to the provisions of clause 4.1(f), where any subcontractors of GNI will be processing personal data on behalf of the Shipper, GNI shall ensure that a written contract exists between GNI and the relevant subcontractor containing clauses equivalent to those imposed on GNI in this clause and GNI shall enter such contract on behalf of itself and as agent for the Shipper; (h) to promptly inform the Shipper if:- (a) any Personal Data processed on behalf of the Shipper is lost or destroyed, damaged or unusable and restore, where possible to do so, such Personal Data at its own cost; or (b) it becomes upon becoming aware of any actual or suspected unauthorised or unlawful processing of the threatened Personal Data processed on behalf of Breach in relation to the Shipper.University Data ("Data Loss Event") (and follow-up in writing) and shall, within such timescale specified by the University (acting reasonably and in good faith): (i) GNI will indemnify seek to recover the Shipper fully against all losses, damages, claims, demands compromised data as soon as practicable and expenses suffered by implement any measures necessary to restore the Shipper which arise in any way from any negligence, wilful default or breach of contract in relation with GNI, its directors or its employees’ obligations under this clause 4.1. 4.2 GNI further agree that it shall not, without the prior consent security of the Shipper, process Shipper compromised Personal Data for any purpose other than the GNI Data Processing Purposes. 4.2 A) The parties acknowledge and agree that any amendment to this Agreement shall be in accordance with section 1, Part I of the Code (Modifications). 4.3 The Shipper acknowledges that in carrying out services in connection with the Shipper Data Processing Purposes, it will process Personal Data on behalf of GNI. In such circumstances the Shipper agrees: (a) that it will process such personal data solely in accordance with the instructions of GNIData; (bii) that it will implement such Technical and Organisational Security Measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data and that, having regard to promptly provide the state of technological development and the costs of implementing any measures, will ensure University with a level of security appropriate to the harm that might result from such authorised or unlawful processing or accidental loss, destruction or damage and report containing details about the nature of the personal data to be protected including Data Loss Event and provide the University further information as a minimum the security measures set out in Appendix 1 to this Agreementdetails become available; (ciii) to provide access to GNI (or investigate the incident and its authorised representative(s)) at reasonable times and on reasonable notice, to audit the Technical and Organisational Security Measures adopted by the Shipper to ensure that such measures comply with the data security obligations in the DPAcause; (div) assist the University to notify GNI as soon as reasonably practicable on becoming aware of make any data security breach, actual or suspected, notifications to the Regulator and to provide GNI with such reasonable co-operation and assistance as may be required to mitigate against the effects of any such breach;affected Data Subjects; and (ev) not make any public statements relating to inform GNI immediately in the event of receiving a data subject access request and to provide all such co-operation and assistance as may be reasonably required to enable GNI to deal with any subject access request in accordance with the provisions of the DPA; (f) to provide GNI with full visibility of where personal data is being processed by the Shippers or its employees or subcontractors on behalf of GNI and to ensure that no personal data shall be transferred outside of the European Economic Area by the Shipper or any of its employees or subcontractors incident without the prior written consent of GNI which consent may be subject to terms and conditions including, without limitation, that the Shipper and any of its subcontractors enters into model clauses in the form approved by the European Commission and, where relevant, complies with the provisions regarding sub-processors contained in such model contracts in respect of its subcontractors; (g) subject to the provisions of clause 4.3(f), where any subcontractors approval of the Shipper will be processing personal data on behalf of GNI, the Shipper shall ensure that a written contract exists between the Shipper and the relevant subcontractor containing clauses equivalent to those imposed on the Shipper in this clause and the Shipper shall enter such contract on behalf of itself and as agent for GNIUniversity; (h) to promptly inform GNI if:- (a) any Personal Data is lost or destroyed, damaged or unusable and restore such Personal Data at its own cost; or (b) it becomes aware of any actual or suspected unauthorised or unlawful processing of the Personal Data. (i) Notwithstanding clause 2.11.3compliance with the Security Requirements; (ii) obligations relating to notifications required by the Data Protection Laws to the Regulator and/ or any relevant Data Subjects; (iii) undertaking any Data Protection Impact Assessments (and, Part I where required by the Data Protection Laws, consulting with the Regulator and/or any other relevant regulatory body in respect of any such Data Protection Impact Assessments); and (iv) without undue delay and where feasible not later than seventy-two (72) hours after having become aware of it notify Personal Data Breaches to the Regulator and/or any other relevant regulatory body unless the Personal Data Breach is unlikely to result in a risk to the rights and freedoms of natural persons; n) not, whether by act or omission, cause the University to breach any of its obligations under the Data Protection Laws; o) comply with the obligations imposed upon a Processor under the Data Protection Laws and to the extent that the Processor is subject to Applicable Law which requires a higher level of protection for Personal Data than the Data Protection Laws, also comply with such Applicable Law; and p) upon the earlier of: (i) termination or expiry of this Agreement or the relevant Data Transfer Agreement (as applicable); and (ii) the date on which the University Data is no longer relevant to, or necessary for, the provision of the CodeServices, cease Processing all University Data and return and/or permanently and securely destroy the Shipper will indemnify GNI fully against University Data and all lossescopies in its possession or control (such that the University Data is no longer retrievable), damagesas directed in writing by the University and, claimswhere requested by the University, demands certify that such destruction has taken place (promptly, and expenses suffered by GNI which arise in any way from any negligence, wilful default or breach of contract in relation with the Shipper, its directors or its employees’ obligations under this clause 4.3 on the part event within forty-eight (48) hours of the Shipper request) except to the extent required by Applicable Law to retain the University Data; 2.3.2. Except as otherwise provided, this Agreement does not transfer ownership of, or its directors create any licences (implied or employeesotherwise), in any intellectual property rights in any Personal Data. 4.4 The Shipper further agree that it shall not, without the prior consent of GNI, process GNI Personal Data for any purpose other than the Shipper Data Processing Purposes.

Data Processor Obligations. 4.1 GNI acknowledges 2.3.1. In relation to any University Data that in carrying out services in connection with the GNI Data Processing Purposes, it will process Personal Data University provides or makes available to the Supplier or that the Supplier Processes for and on behalf of the Shipper. In University (the University acting as the Controller) the Supplier shall: a) only Process the University Data for and on behalf of the University for the purposes of performing its obligations under this Agreement, and only in accordance with the terms of this Agreement, any Data Transfer Agreement (where applicable) and any documented instructions from the University (unless required to do otherwise by Applicable Law, in which case it shall (unless prohibited from doing so by such circumstances GNI agrees:Applicable Law) inform the University of such legal requirement before Processing); b) keep a record of any Processing of the Personal Data it carries out on behalf of the University. c) unless prohibited by Applicable Law, notify the University immediately (and in any event within twenty-four (24) hours of becoming aware of the same) if it considers, in its opinion (a) that it will process such personal data solely in accordance with the instructions infringe any of the ShipperData Protection Laws; (bd) that it will take, implement such Technical and Organisational Security Measures against unauthorised or unlawful processing of personal data maintain appropriate technical and against accidental loss or destruction of, or damage to, personal data and that, having regard to the state of technological development and the costs of implementing any measures, will ensure a level of security appropriate to the harm that might result from such authorised or unlawful processing or accidental loss, destruction or damage and the nature of the personal data to be protected including as a minimum the organisational security measures which are sufficient to comply with: (i) at least the obligations imposed on the University by the Security Requirements; and (ii) the obligations set out in Appendix 1 2 (Information Security); and at any time where requested provide to this Agreementthe University evidence of its compliance with such requirements promptly, and in any event within forty- eight (48) hours of the request; (ce) hold the University Data in such a manner that it is capable of being distinguished from other data or information processed by the Supplier; f) only disclose University Data to provide its Personnel who are required to assist it in meeting its obligations under this Agreement and ensure that no other Personnel shall have access to such University Data; g) take all reasonable steps to ensure the reliability and integrity of any of its Personnel who shall have access to the Shipper University Data, and ensure that each member of its Personnel shall have entered into appropriate contractually-binding confidentiality undertakings and that they receive periodic data security and privacy training. Such persons include those who Process the University Data or whose roles relate to procuring, developing and/or maintaining technical infrastructure or tools used to Process the University Data; h) within thirty (30) calendar days of a request from the University, allow its data processing facilities, procedures and documentation to be submitted for scrutiny, inspection or audit by the University (and/ or its authorised representative(srepresentatives, including its appointed auditors) in order to ascertain compliance with the terms of this Schedule 1 (Data Protection), and provide reasonable information, assistance and co-operation to the University, including access to relevant Personnel and/ or, on the request of the University, provide the University with written evidence of its compliance with the requirements of this Schedule 1 (Data Protection); i) at reasonable times and on reasonable noticesubject to Paragraph 2.3.1(k) not disclose University Data to a third party (including a Sub- Processor or any Group company or affiliate, or any Data Importer) in any circumstances without the University’s prior written consent, save in relation to: (i) transfers made pursuant to audit Paragraph 2.4 (Appointing Sub- Processors) and/or Paragraph 2.5 (International Transfers) of this Agreement; and/or (ii) Third Party Requests in which case it shall comply as applicable with the Technical and Organisational Security Measures adopted by GNI to ensure that such measures terms of Paragraph 2.6; j) promptly comply with any request from the data security obligations in the DPAUniversity to amend, transfer or delete any University Data; (dk) to notify the Shipper as soon as reasonably practicable on becoming aware University promptly (and in any event within forty-eight (48) hours) following its receipt of any data security breach actual Data Subject Request or suspected Regulator Correspondence and shall: (i) not respond to or disclose any University Data in response to any Data Subject Request or Regulator Correspondence without first obtaining the University’s prior written consent; and (ii) provide the Shipper University with such all reasonable co-operation and assistance as may be required by the University in relation to mitigate against the effects of any such breachData Subject Request or Regulator Correspondence; l) notify the University promptly (eand in any event within twenty-four (24) to inform the Shipper immediately in the event of receiving a data subject access request and to provide all such co-operation and assistance as may be reasonably required to enable the Shipper to deal with any subject access request in accordance with the provisions of the DPA; (fhours) to provide the Shipper with full visibility of where personal data is being processed by GNI or its employees or subcontractors on behalf of the Shipper and to ensure that no personal data shall be transferred outside of the European Economic Area by GNI or any of its employees or subcontractors without the prior written consent of the Shipper which consent may be subject to terms and conditions including, without limitation, that GNI and any of its sub contractors enters into model clauses in the form approved by the European Commission and, where relevant, complies with the provisions regarding sub-processors contained in such model contracts in respect of its subcontractors; (g) subject to the provisions of clause 4.1(f), where any subcontractors of GNI will be processing personal data on behalf of the Shipper, GNI shall ensure that a written contract exists between GNI and the relevant subcontractor containing clauses equivalent to those imposed on GNI in this clause and GNI shall enter such contract on behalf of itself and as agent for the Shipper; (h) to promptly inform the Shipper if:- (a) any Personal Data processed on behalf of the Shipper is lost or destroyed, damaged or unusable and restore, where possible to do so, such Personal Data at its own cost; or (b) it becomes upon becoming aware of any actual or suspected unauthorised or unlawful processing of the threatened Personal Data processed on behalf of Breach in relation to the Shipper.University Data ("Data Loss Event") (and follow-up in writing) and shall, within such timescale specified by the University (acting reasonably and in good faith): (i) GNI will indemnify seek to recover the Shipper fully against all losses, damages, claims, demands compromised data as soon as practicable and expenses suffered by implement any measures necessary to restore the Shipper which arise in any way from any negligence, wilful default or breach of contract in relation with GNI, its directors or its employees’ obligations under this clause 4.1. 4.2 GNI further agree that it shall not, without the prior consent security of the Shipper, process Shipper compromised Personal Data for any purpose other than the GNI Data Processing Purposes. 4.2 A) The parties acknowledge and agree that any amendment to this Agreement shall be in accordance with section 1, Part I of the Code (Modifications). 4.3 The Shipper acknowledges that in carrying out services in connection with the Shipper Data Processing Purposes, it will process Personal Data on behalf of GNI. In such circumstances the Shipper agrees: (a) that it will process such personal data solely in accordance with the instructions of GNIData; (bii) that it will implement such Technical and Organisational Security Measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data and that, having regard to promptly provide the state of technological development and the costs of implementing any measures, will ensure University with a level of security appropriate to the harm that might result from such authorised or unlawful processing or accidental loss, destruction or damage and report containing details about the nature of the personal data to be protected including Data Loss Event and provide the University further information as a minimum the security measures set out in Appendix 1 to this Agreementdetails become available; (ciii) to provide access to GNI (or investigate the incident and its authorised representative(s)) at reasonable times and on reasonable notice, to audit the Technical and Organisational Security Measures adopted by the Shipper to ensure that such measures comply with the data security obligations in the DPAcause; (div) assist the University to notify GNI as soon as reasonably practicable on becoming aware of make any data security breach, actual or suspected, notifications to the Regulator and to provide GNI with such reasonable co-operation and assistance as may be required to mitigate against the effects of any such breach;affected Data Subjects; and (ev) not make any public statements relating to inform GNI immediately in the event of receiving a data subject access request and to provide all such co-operation and assistance as may be reasonably required to enable GNI to deal with any subject access request in accordance with the provisions of the DPA; (f) to provide GNI with full visibility of where personal data is being processed by the Shippers or its employees or subcontractors on behalf of GNI and to ensure that no personal data shall be transferred outside of the European Economic Area by the Shipper or any of its employees or subcontractors incident without the prior written consent approval of GNI which consent may be subject the University; m) provide the University with reasonable assistance to terms and conditions including, without limitation, that the Shipper and any of its subcontractors enters into model clauses in the form approved by the European Commission and, where relevant, complies comply with the provisions regarding sub-processors contained in such model contracts in respect of its subcontractors; (g) subject to the provisions of clause 4.3(f), where any subcontractors of the Shipper will be processing personal data on behalf of GNI, the Shipper shall ensure that a written contract exists between the Shipper and the relevant subcontractor containing clauses equivalent to those obligations imposed on the Shipper in this clause and University by the Shipper shall enter such contract on behalf of itself and as agent for GNI; (h) to promptly inform GNI if:- (a) any Personal Data is lost or destroyedProtection Laws, damaged or unusable and restore such Personal Data at its own cost; or (b) it becomes aware of any actual or suspected unauthorised or unlawful processing of the Personal Data.including: (i) Notwithstanding clause 2.11.3, Part I of the Code, the Shipper will indemnify GNI fully against all losses, damages, claims, demands and expenses suffered by GNI which arise in any way from any negligence, wilful default or breach of contract in relation compliance with the ShipperSecurity Requirements; (ii) obligations relating to notifications required by the Data Protection Laws to the Regulator and/ or any relevant Data Subjects; (iii) undertaking any Data Protection Impact Assessments (and, where required by the Data Protection Laws, consulting with the Regulator and/or any other relevant regulatory body in respect of any such Data Protection Impact Assessments); and (iv) without undue delay and where feasible not later than seventy-two (72) hours after having become aware of it notify Personal Data Breaches to the Regulator and/or any other relevant regulatory body unless the Personal Data Breach is unlikely to result in a risk to the rights and freedoms of natural persons; n) not, whether by act or omission, cause the University to breach any of its directors or its employees’ obligations under this clause 4.3 on the part of the Shipper or its directors or employees. 4.4 The Shipper further agree that it shall not, without the prior consent of GNI, process GNI Personal Data for any purpose other than the Shipper Data Processing Purposes.Protection Laws;

Data Processor Obligations. 4.1 GNI acknowledges 2.3.1. In relation to any University Data that in carrying out services in connection with the GNI Data Processing Purposes, it will process Personal Data University provides or makes available to the Supplier or that the Supplier Processes for and on behalf of the Shipper. In University (the University acting as the Controller) the Supplier shall: a) only Process the University Data for and on behalf of the University for the purposes of performing its obligations under this Agreement, and only in accordance with the terms of this Agreement, any Data Transfer Agreement (where applicable) and any documented instructions from the University (unless required to do otherwise by Applicable Law, in which case it shall (unless prohibited from doing so by such circumstances GNI agrees:Applicable Law) inform the University of such legal requirement before Processing); b) keep a record of any Processing of the Personal Data it carries out on behalf of the University. c) unless prohibited by Applicable Law, notify the University immediately (and in any event within twenty-four (24) hours of becoming aware of the same) if it considers, in its opinion (acting reasonably) that any of the University’s instructions under Paragraph 2.3.1 (a) that it will process such personal data solely in accordance with the instructions infringe any of the ShipperData Protection Laws; (bd) that it will take, implement such Technical and Organisational Security Measures against unauthorised or unlawful processing of personal data maintain appropriate technical and against accidental loss or destruction of, or damage to, personal data and that, having regard to the state of technological development and the costs of implementing any measures, will ensure a level of security appropriate to the harm that might result from such authorised or unlawful processing or accidental loss, destruction or damage and the nature of the personal data to be protected including as a minimum the organisational security measures which are sufficient to comply with: (i) at least the obligations imposed on the University by the Security Requirements; and (ii) the obligations set out in Appendix 1 2 (Information Security); and at any time where requested provide to this Agreementthe University evidence of its compliance with such requirements promptly, and in any event within forty-eight (48) hours of the request; (ce) hold the University Data in such a manner that it is capable of being distinguished from other data or information processed by the Supplier; f) only disclose University Data to provide its Personnel who are required to assist it in meeting its obligations under this Agreement and ensure that no other Personnel shall have access to such University Data; g) take all reasonable steps to ensure the reliability and integrity of any of its Personnel who shall have access to the Shipper University Data, and ensure that each member of its Personnel shall have entered into appropriate contractually-binding confidentiality undertakings and that they receive periodic data security and privacy training. Such persons include those who Process the University Data or whose roles relate to procuring, developing and/or maintaining technical infrastructure or tools used to Process the University Data; h) within thirty (30) calendar days of a request from the University, allow its data processing facilities, procedures and documentation to be submitted for scrutiny, inspection or audit by the University (and/ or its authorised representative(srepresentatives, including its appointed auditors) in order to ascertain compliance with the terms of this Schedule 1 (Data Protection), and provide reasonable information, assistance and co-operation to the University, including access to relevant Personnel and/ or, on the request of the University, provide the University with written evidence of its compliance with the requirements of this Schedule 1 (Data Protection); i) at reasonable times and on reasonable noticesubject to Paragraph 2.3.1(k) not disclose University Data to a third party (including a Sub-Processor or any Group company or affiliate, or any Data Importer) in any circumstances without the University’s prior written consent, save in relation to: (i) transfers made pursuant to audit Paragraph 2.4 (Appointing Sub- Processors) and/or Paragraph 2.5 (International Transfers) of this Agreement; and/or (ii) Third Party Requests in which case it shall comply as applicable with the Technical and Organisational Security Measures adopted by GNI to ensure that such measures terms of Paragraph 2.6; j) promptly comply with any request from the data security obligations in the DPAUniversity to amend, transfer or delete any University Data; (dk) to notify the Shipper as soon as reasonably practicable on becoming aware University promptly (and in any event within forty-eight (48) hours) following its receipt of any data security breach actual Data Subject Request or suspected Regulator Correspondence and shall: (i) not respond to or disclose any University Data in response to any Data Subject Request or Regulator Correspondence without first obtaining the University’s prior written consent; and (ii) provide the Shipper University with such all reasonable co-operation and assistance as may be required by the University in relation to mitigate against the effects of any such breachData Subject Request or Regulator Correspondence; l) notify the University promptly (eand in any event within twenty-four (24) to inform the Shipper immediately in the event of receiving a data subject access request and to provide all such co-operation and assistance as may be reasonably required to enable the Shipper to deal with any subject access request in accordance with the provisions of the DPA; (fhours) to provide the Shipper with full visibility of where personal data is being processed by GNI or its employees or subcontractors on behalf of the Shipper and to ensure that no personal data shall be transferred outside of the European Economic Area by GNI or any of its employees or subcontractors without the prior written consent of the Shipper which consent may be subject to terms and conditions including, without limitation, that GNI and any of its sub contractors enters into model clauses in the form approved by the European Commission and, where relevant, complies with the provisions regarding sub-processors contained in such model contracts in respect of its subcontractors; (g) subject to the provisions of clause 4.1(f), where any subcontractors of GNI will be processing personal data on behalf of the Shipper, GNI shall ensure that a written contract exists between GNI and the relevant subcontractor containing clauses equivalent to those imposed on GNI in this clause and GNI shall enter such contract on behalf of itself and as agent for the Shipper; (h) to promptly inform the Shipper if:- (a) any Personal Data processed on behalf of the Shipper is lost or destroyed, damaged or unusable and restore, where possible to do so, such Personal Data at its own cost; or (b) it becomes upon becoming aware of any actual or suspected unauthorised or unlawful processing of the threatened Personal Data processed on behalf of Breach in relation to the Shipper.University Data ("Data Loss Event") (and follow-up in writing) and shall, within such timescale specified by the University (acting reasonably and in good faith): (i) GNI will indemnify seek to recover the Shipper fully against all losses, damages, claims, demands compromised data as soon as practicable and expenses suffered by implement any measures necessary to restore the Shipper which arise in any way from any negligence, wilful default or breach of contract in relation with GNI, its directors or its employees’ obligations under this clause 4.1. 4.2 GNI further agree that it shall not, without the prior consent security of the Shipper, process Shipper compromised Personal Data for any purpose other than the GNI Data Processing Purposes. 4.2 A) The parties acknowledge and agree that any amendment to this Agreement shall be in accordance with section 1, Part I of the Code (Modifications). 4.3 The Shipper acknowledges that in carrying out services in connection with the Shipper Data Processing Purposes, it will process Personal Data on behalf of GNI. In such circumstances the Shipper agrees: (a) that it will process such personal data solely in accordance with the instructions of GNIData; (bii) that it will implement such Technical and Organisational Security Measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data and that, having regard to promptly provide the state of technological development and the costs of implementing any measures, will ensure University with a level of security appropriate to the harm that might result from such authorised or unlawful processing or accidental loss, destruction or damage and report containing details about the nature of the personal data to be protected including Data Loss Event and provide the University further information as a minimum the security measures set out in Appendix 1 to this Agreementdetails become available; (ciii) to provide access to GNI (or investigate the incident and its authorised representative(s)) at reasonable times and on reasonable notice, to audit the Technical and Organisational Security Measures adopted by the Shipper to ensure that such measures comply with the data security obligations in the DPAcause; (div) assist the University to notify GNI as soon as reasonably practicable on becoming aware of make any data security breach, actual or suspected, notifications to the Regulator and to provide GNI with such reasonable co-operation and assistance as may be required to mitigate against the effects of any such breach;affected Data Subjects; and (ev) not make any public statements relating to inform GNI immediately in the event of receiving a data subject access request and to provide all such co-operation and assistance as may be reasonably required to enable GNI to deal with any subject access request in accordance with the provisions of the DPA; (f) to provide GNI with full visibility of where personal data is being processed by the Shippers or its employees or subcontractors on behalf of GNI and to ensure that no personal data shall be transferred outside of the European Economic Area by the Shipper or any of its employees or subcontractors incident without the prior written consent approval of GNI which consent may be subject the University; m) provide the University with reasonable assistance to terms and conditions including, without limitation, that the Shipper and any of its subcontractors enters into model clauses in the form approved by the European Commission and, where relevant, complies comply with the provisions regarding sub-processors contained in such model contracts in respect of its subcontractors; (g) subject to the provisions of clause 4.3(f), where any subcontractors of the Shipper will be processing personal data on behalf of GNI, the Shipper shall ensure that a written contract exists between the Shipper and the relevant subcontractor containing clauses equivalent to those obligations imposed on the Shipper in this clause and University by the Shipper shall enter such contract on behalf of itself and as agent for GNI; (h) to promptly inform GNI if:- (a) any Personal Data is lost or destroyedProtection Laws, damaged or unusable and restore such Personal Data at its own cost; or (b) it becomes aware of any actual or suspected unauthorised or unlawful processing of the Personal Data.including: (i) Notwithstanding clause 2.11.3compliance with the Security Requirements; (ii) obligations relating to notifications required by the Data Protection Laws to the Regulator and/ or any relevant Data Subjects; (iii) undertaking any Data Protection Impact Assessments (and, Part I where required by the Data Protection Laws, consulting with the Regulator and/or any other relevant regulatory body in respect of any such Data Protection Impact Assessments); and (iv) without undue delay and where feasible not later than seventy-two (72) hours after having become aware of it notify Personal Data Breaches to the Regulator and/or any other relevant regulatory body unless the Personal Data Breach is unlikely to result in a risk to the rights and freedoms of natural persons; n) not, whether by act or omission, cause the University to breach any of its obligations under the Data Protection Laws; o) comply with the obligations imposed upon a Processor under the Data Protection Laws and to the extent that the Processor is subject to Applicable Law which requires a higher level of protection for Personal Data than the Data Protection Laws, also comply with such Applicable Law; and p) upon the earlier of: (i) termination or expiry of this Agreement or the relevant Data Transfer Agreement (as applicable); and (ii) the date on which the University Data is no longer relevant to, or necessary for, the provision of the CodeServices, cease Processing all University Data and return and/or permanently and securely destroy the Shipper will indemnify GNI fully against University Data and all lossescopies in its possession or control (such that the University Data is no longer retrievable), damagesas directed in writing by the University and, claimswhere requested by the University, demands certify that such destruction has taken place (promptly, and expenses suffered by GNI which arise in any way from any negligence, wilful default or breach of contract in relation with the Shipper, its directors or its employees’ obligations under this clause 4.3 on the part event within forty-eight (48) hours of the Shipper request) except to the extent required by Applicable Law to retain the University Data; 2.3.2. Except as otherwise provided, this Agreement does not transfer ownership of, or its directors create any licences (implied or employeesotherwise), in any intellectual property rights in any Personal Data. 4.4 The Shipper further agree that it shall not, without the prior consent of GNI, process GNI Personal Data for any purpose other than the Shipper Data Processing Purposes.

Data Processor Obligations. 4.1 GNI acknowledges 2.2.1 To the extent that in carrying out services in connection with the GNI Data Processing Purposes, it will process Service Provider Processes any Personal Data as a Processor for and on behalf of The University (as the Shipper. In such circumstances GNI agreesController) it shall: (a) only Process the Personal Data for and on behalf of The University for the purposes of performing its obligations under this Agreement, and only in accordance with the terms of this Agreement and any documented instructions from The University; (b) unless prohibited by law, notify The University immediately (and in any event within twenty-four (24) hours of becoming aware of the same) if it considers, in its opinion (acting reasonably) that it will process such personal data solely is required by Applicable EU Law to act other than in accordance with the instructions of The University, including where it (a) infringe any of the ShipperData Protection Laws; (bc) that it will take, implement such Technical and Organisational Security Measures against unauthorised or unlawful processing of personal data maintain appropriate technical and against accidental loss or destruction of, or damage to, personal data and that, having regard to the state of technological development and the costs of implementing any measures, will ensure a level of security appropriate to the harm that might result from such authorised or unlawful processing or accidental loss, destruction or damage and the nature of the personal data to be protected including as a minimum the organisational security measures which are sufficient to comply with: (i) at least the obligations imposed on The University by the Security Requirements; and (ii) the obligations set out in Appendix 1 B (Information Security); and where requested provide to The University evidence of its compliance with such requirements; (d) within thirty (30) calendar days of a request from The University, allow its data processing facilities, procedures and documentation to be submitted for scrutiny, inspection or audit by The University (and/ or its representatives, including its appointed auditors) in order to ascertain compliance with the terms of this Agreement and provide reasonable information, assistance and co- operation to The University, including access to relevant Personnel and/ or, on the request of The University, provide The University with written evidence of its compliance with the requirements of this Agreement; (ce) not disclose Personal Data to provide access a third party (including a sub-contractor) in any circumstances without The University's prior written consent, save in relation to Third Party Requests where the Shipper (Service Provider is prohibited by law or its authorised representative(s)) at regulation from notifying The University, in which case it shall use reasonable times endeavours to advise The University in advance of such disclosure and on reasonable notice, to audit the Technical and Organisational Security Measures adopted by GNI to ensure that such measures comply with the data security obligations in the DPAany event as soon as practicable thereafter; (df) promptly comply with any request from The University to amend, transfer or delete any Personal Data; (g) notify the Shipper as soon as reasonably practicable on becoming aware The University promptly (and in any event within forty-eight (48) hours) following its receipt of any data security breach actual Data Subject Request or suspected ICO Correspondence and shall: (i) not disclose any Personal Data in response to any Data Subject Request or ICO Correspondence without first consulting with and obtaining The University's prior written consent; and (ii) provide the Shipper The University with such all reasonable co-operation and assistance as may be required by The University in relation to mitigate against the effects of any such breach; (e) to inform the Shipper immediately in the event of receiving a data subject access request and to provide all such co-operation and assistance as may be reasonably required to enable the Shipper to deal with any subject access request in accordance with the provisions of the DPA; (f) to provide the Shipper with full visibility of where personal data is being processed by GNI Data Subject Request or its employees or subcontractors on behalf of the Shipper and to ensure that no personal data shall be transferred outside of the European Economic Area by GNI or any of its employees or subcontractors without the prior written consent of the Shipper which consent may be subject to terms and conditions including, without limitation, that GNI and any of its sub contractors enters into model clauses in the form approved by the European Commission and, where relevant, complies with the provisions regarding sub-processors contained in such model contracts in respect of its subcontractors; (g) subject to the provisions of clause 4.1(f), where any subcontractors of GNI will be processing personal data on behalf of the Shipper, GNI shall ensure that a written contract exists between GNI and the relevant subcontractor containing clauses equivalent to those imposed on GNI in this clause and GNI shall enter such contract on behalf of itself and as agent for the ShipperICO Correspondence; (h) to notify The University promptly inform the Shipper if:- (aand in any event within twenty-four (24) any Personal Data processed on behalf of the Shipper is lost or destroyed, damaged or unusable and restore, where possible to do so, such Personal Data at its own cost; or (bhours) it becomes upon becoming aware of any actual or suspected unauthorised or unlawful processing of threatened Personal Data Breach in relation to the Personal Data processed on behalf of the Shipper.(and follow-up in writing) and shall: (i) GNI will indemnify the Shipper fully against all losses, damages, claims, demands conduct or support The University in conducting such investigations and expenses suffered by the Shipper which arise analysis that The University reasonably requires in any way from any negligence, wilful default or breach respect of contract in relation with GNI, its directors or its employees’ obligations under this clause 4.1. 4.2 GNI further agree that it shall not, without the prior consent of the Shipper, process Shipper such Personal Data for any purpose other than the GNI Data Processing Purposes. 4.2 A) The parties acknowledge and agree that any amendment to this Agreement shall be in accordance with section 1, Part I of the Code (Modifications). 4.3 The Shipper acknowledges that in carrying out services in connection with the Shipper Data Processing Purposes, it will process Personal Data on behalf of GNI. In such circumstances the Shipper agrees: (a) that it will process such personal data solely in accordance with the instructions of GNIBreach; (bii) that it will implement such Technical and Organisational Security Measures against unauthorised any actions or unlawful processing remedial measures necessary to restore the security of personal data and against accidental loss or destruction of, or damage to, personal data and that, having regard compromised Personal Data; and (iii) assist The University to make any notifications to the state of technological development ICO and the costs of implementing any measures, will ensure a level of security appropriate to the harm that might result from such authorised or unlawful processing or accidental loss, destruction or damage and the nature of the personal data to be protected including as a minimum the security measures set out in Appendix 1 to this Agreementaffected Data Subjects; (c) to provide access to GNI (or its authorised representative(s)) at reasonable times and on reasonable notice, to audit the Technical and Organisational Security Measures adopted by the Shipper to ensure that such measures comply with the data security obligations in the DPA; (d) to notify GNI as soon as reasonably practicable on becoming aware of any data security breach, actual or suspected, and to provide GNI with such reasonable co-operation and assistance as may be required to mitigate against the effects of any such breach; (e) to inform GNI immediately in the event of receiving a data subject access request and to provide all such co-operation and assistance as may be reasonably required to enable GNI to deal with any subject access request in accordance with the provisions of the DPA; (f) to provide GNI with full visibility of where personal data is being processed by the Shippers or its employees or subcontractors on behalf of GNI and to ensure that no personal data shall be transferred outside of the European Economic Area by the Shipper or any of its employees or subcontractors without the prior written consent of GNI which consent may be subject to terms and conditions including, without limitation, that the Shipper and any of its subcontractors enters into model clauses in the form approved by the European Commission and, where relevant, complies with the provisions regarding sub-processors contained in such model contracts in respect of its subcontractors; (g) subject to the provisions of clause 4.3(f), where any subcontractors of the Shipper will be processing personal data on behalf of GNI, the Shipper shall ensure that a written contract exists between the Shipper and the relevant subcontractor containing clauses equivalent to those imposed on the Shipper in this clause and the Shipper shall enter such contract on behalf of itself and as agent for GNI; (h) to promptly inform GNI if:- (a) any Personal Data is lost or destroyed, damaged or unusable and restore such Personal Data at its own cost; or (b) it becomes aware of any actual or suspected unauthorised or unlawful processing of the Personal Data. (i) Notwithstanding clause 2.11.3comply with the obligations imposed upon a Processor under the Data Protection Laws; (j) use all reasonable endeavours, Part I in accordance with Good Industry Practice, to assist The University to comply with the obligations imposed on The University by the Data Protection Laws, including: (i) compliance with the Security Requirements; (ii) obligations relating to notifications required by the Data Protection Laws to the ICO and/ or any relevant Data Subjects; (iii) undertaking any Data Protection Impact Assessments (and, where required by the Data Protection Laws, consulting with the ICO in respect of any such Data Protection Impact Assessments); and (iv) without undue delay and where feasible not later than 72 hours after having become aware of it notify Personal Data Breaches to the CodeICO unless the Personal Data Breach is unlikely to result in a risk to the rights and freedoms of natural persons; (k) Upon the earlier of: (i) termination or expiry of this Agreement (as applicable); and (ii) the date on which Personal Data is no longer relevant to, or necessary for, the Shipper will indemnify GNI fully against Permitted Purpose the Service Provider shall cease Processing all losses, damages, claims, demands Personal Data and expenses suffered by GNI which arise in any way from any negligence, wilful default return and/ or breach of contract in relation with the Shipper, its directors or its employees’ obligations under this clause 4.3 on the part of the Shipper or its directors or employees. 4.4 The Shipper further agree permanently and securely destroy so that it shall not, without the prior consent of GNI, process GNI is no longer retrievable (as directed in writing by The University) all Personal Data for and all copies in its possession or control and, where requested by The University, certify that such destruction has taken place except to the extent required by Applicable EU Law to retain the Personal Data; (l) not make (nor instruct or permit a third party to make) a transfer of any purpose other than the Shipper Personal Data Processing Purposesto a Restricted Country.