Common use of Data Protection Clause in Contracts

Data Protection. The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Controller and the Supplier is the Processor unless otherwise specified in Contract Schedule 7. The only processing that the Processor is authorised to do is listed in Contract Schedule 7 by the Controller and may not be determined by the Processor.

The Processor shall notify the Controller immediately if it considers that any of the Controller's instructions infringe the Data Protection Legislation.

The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Controller, include:
  a systematic description of the envisaged processing operations and the purpose of the processing;
  an assessment of the necessity and proportionality of the processing operations in relation to the Services;
  an assessment of the risks to the rights and freedoms of Data Subjects; and
  the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.

The Processor shall, in relation to any Personal Data processed in connection with its obligations under this Agreement:
  process that Personal Data only in accordance with Contract Schedule 7, unless the Processor is required to do otherwise by Law. If it is so required the Processor shall promptly notify the Controller before processing the Personal Data unless prohibited by Law;
  ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), having taken account of the:
    nature of the data to be protected;
    harm that might result from a Data Loss Event;
    state of technological development; and
    cost of implementing any measures;
  ensure that:
    the Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 7);
    it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they:

Appears in 12 contracts

Sources: Call Off Contract Terms for Apprenticeships Training Dynamic Marketplace, Call Off Contract Terms for Apprenticeships Training Dynamic Marketplace, Call Off Contract Terms for Apprenticeships Training Dynamic Marketplace (Rm6102)

Data Protection. 11.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer Buyer is the Controller and the Supplier is the Processor unless otherwise specified in Contract Schedule 7Processor. The only processing that the Processor Supplier is authorised to do is listed in Contract Schedule 7 2 (Data Processing) by the Controller Buyer and may not be determined by the ProcessorSupplier. The Processor term “processing” and any associated terms are to be read in accordance with Article 4 of the UKGDPR. 11.2 The Supplier shall notify the Controller Buyer immediately if it considers that any of the Controller's Buyer’s instructions infringe the Data Protection Legislation. . 11.3 The Processor shall Supplier shall, at its own cost, provide all reasonable assistance to the Controller Buyer in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the ControllerBuyer, include: : (a) a systematic description of the envisaged processing operations and the purpose of the processing; ; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; ; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. . 11.4 The Processor Supplier shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: Contract: (a) process that Personal Data only in accordance with Contract Schedule 7, 2 unless the Processor Supplier is required to do otherwise by Lawlaw. 
If it is so required required, the Processor Supplier shall promptly notify the Controller Buyer before processing the Personal Data unless prohibited by Law; law; (b) ensure that it has in place Protective Measures, Measures which are appropriate to protect against a Data Loss Event, which the Controller Buyer may reasonably reject (but failure reject. In the event of the Buyer reasonably rejecting Protective Measures put in place by the Supplier, the Supplier must propose alternative Protective Measures to the satisfaction of the Buyer. Failure to reject shall not amount to approval by the Controller Buyer of the adequacy of the Protective Measures), having taken . Protective Measures must take account of the: : i. nature of the data to be protected; ; ii. harm that might result from a Data Loss Event; ; iii. state of technological development; and and iv. cost of implementing any measures; ; (c) ensure that : that: i. the Processor Personnel Staff do not process Personal Data except in accordance with this Agreement the Contract (and in particular Schedule 72); ; ii. it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel Staff who have access to the Personal Data and ensure that they: a. are aware of and comply with the Supplier’s duties under this clause 11; b. are subject to appropriate confidentiality undertakings with the Supplier or any Sub-processor; c. are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Buyer or as otherwise allowed under this Contract; d. have undergone adequate training in the use, care, protection and handling of the Personal Data; and (d) not transfer Personal Data outside of the UK unless the prior written consent of the Buyer has been obtained and the following conditions are fulfilled: i. 
the destination country has been recognised as adequate by the UK government in accordance with Article 45 UK GDPR or section 74 of the DPA 2018; ii. the Buyer or the Supplier has provided appropriate safeguards in relation to the transfer (whether in accordance with UKGDPR Article 46 or s.75 of the DPA 2018) as determined by the Buyer; iii. the Data Subject has enforceable rights and effective legal remedies; iv. the Supplier complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Buyer in meeting its obligations); and v. the Supplier complies with any reasonable instructions notified to it in advance by the Buyer with respect to the processing of the Personal Data; and (e) at the written direction of the Buyer, delete or return Personal Data (and any copies of it) to the Buyer on termination of the Contract unless the Supplier is required by law to retain the Personal Data; 11.5 subject to clause 11.6, the Supplier shall notify the Buyer immediately if it: (a) receives a Data Subject Request (or purported Data Subject Request); (b) receives a request to rectify, block or erase any Personal Data; (c) receives any other request, complaint or communication relating to either Party’s obligations under the Data Protection Legislation; (d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under the Contract; (e) receives a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by law; or (f) becomes aware of a Data Loss Event. 11.6 The Supplier’s obligation to notify under clause 11.5 includes the provision of further information to the Buyer in phases as details become available. 
11.7 Taking into account the nature of the processing, the Supplier shall provide the Buyer with full assistance in relation to either Party’s obligations under the Data Protection Legislation and any complaint, communication or request made under clause 11.5 (and insofar as possible within the timescales reasonably required by the Buyer) including by promptly providing: (a) the Buyer with full details and copies of the complaint, communication or request; (b) such assistance as is reasonably requested by the Buyer to enable the Buyer to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation; (c) the Buyer, at its request, with any Personal Data it holds in relation to a Data Subject; (d) assistance as requested by the Buyer following any Data Loss Event; and (e) assistance as requested by the Buyer with respect to any request from the Information Commissioner’s Office or any consultation by the Buyer with the Information Commissioner’s Office. 11.8 The Supplier shall maintain complete and accurate records and information to demonstrate its compliance with this clause 11. This requirement does not apply if the Supplier employs fewer than 250 people unless the Buyer determines that the processing: (a) is not occasional; (b) includes special categories of data as referred to in Article 9(1) of the UKGDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the UKGDPR; or (c) is likely to result in a risk to the rights and freedoms of Data Subjects. 11.9 The Supplier shall allow for audits of its Data Processing activity by the Buyer or the Buyer’s designated auditor.

Appears in 3 contracts

Sources: Contract for Employability Services, Contract for Abuse Survivors Support Services, Contract for Cas3 Intensive Support Services

Data Protection. The Parties acknowledge parties agree that for the purposes of the Data Protection Legislationin respect of: USTAN Personal Data, the Customer is USTAN shall be the Controller and the Supplier is Contractor shall be the Processor unless otherwise specified in Contract Schedule 7. The only processing that the Processor is authorised to do is listed in Contract Schedule 7 by Processor; and Contractor Personal Data, Contractor shall be the Controller and may not the USTAN shall be determined the Processor. Each party shall comply with DP Laws and its relevant obligations as Processor and Controller under this Agreement. The Processor shall procure that any Sub-Processor that has access to Protected Data shall comply with the Processor’s obligations under this Agreement. The processing to be carried out by the Processor under this Agreement is for the purpose of enabling the Contractor to carry out the Project for the Term. The Personal Data includes: (i) USTAN’s employee names and email addresses; (ii) Contractor’s employees names, email addresses and copies of their CV’s; and (iii) any other Personal Data which may be included on project reports provided by the Contractor to USTAN. Where the Processor processes Protected Data on behalf of Controller, the Processor shall (and shall procure that any person acting under its authority who has access to Protected Data): process the Protected Data only on and in accordance with Controller’s documented instructions as set out in this clause 14 (“Processing Instructions”); and immediately inform Controller of any legal requirement under applicable law that would require the Processor to process the Protected Data otherwise than only on the Processing Instructions, or if any Controller instruction infringes DP Laws. 
The Processor shall implement and maintain, at its cost and expense, appropriate technical and organisational measures in relation to the processing of Protected Data by the Processor: such that the processing will meet the requirements of DP Laws and ensure the protection of the rights of Data Subjects; and so as to ensure a level of security in respect of Protected Data processed by it is appropriate to the risks that are presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Protected Data transmitted, stored or otherwise processed. Without prejudice to clause 14.5.2, the Processor shall, in respect of all Protected Data processed by it under this Agreement comply with the requirements regarding security of processing set out in DP Laws, all relevant Controller policies and in this Agreement. The Processor shall not engage another Processor to perform specific processing activities in respect of the Protected Data without Controller’s prior written consent and, if the Controller gives its consent, the Processor shall appoint the Sub-Processor under a binding written contract (“Processor Contract”) which imposes the same data protection obligations as are contained in this Agreement on the Sub-Processor, in particular under clause 14.5 and the conditions in this clause 14.7 for engaging another Processor. The Processor shall notify the Controller immediately if it considers that any of the Controller's instructions infringe the Data Protection Legislation. The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. 
Such assistance may, at the discretion of the Controller, include: a systematic description of the envisaged processing operations and the purpose of the processing; an assessment of the necessity and proportionality of the processing operations in relation to the Services; an assessment of the risks to the rights and freedoms of Data Subjects; and the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. The Processor shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: process that Personal Data only in accordance with Contract Schedule 7, unless the Processor is required to do otherwise by Law. If it is so required the Processor shall promptly notify the Controller before processing the Personal Data unless prohibited by Law; ensure that it has in place Protective MeasuresProcessor personnel processing Protected Data are under an obligation to keep Protected Data confidential, which are appropriate to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), having taken account of the: nature of the data to be protected; harm that might result from a Data Loss Event; state of technological development; and cost of implementing any measures; ensure that : the Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 7); it takes take all reasonable steps to ensure that the reliability Processor personnel processing Protected Data receive adequate training on compliance with this clause 14 and integrity of any Processor Personnel who have access the DP Laws applicable to the Personal processing. 
The Processor shall implement and maintain, at its cost and expense, appropriate technical and organisational measures to assist the Controller in the fulfilment of Controller’ obligations to respond to Data and Subject Requests relating to Protected Data, including to ensure that they:all Data Subject Requests it receives are recorded and then referred to the Controller within three (3) days of receipt of the request.

Appears in 2 contracts

Sources: Funding Agreement, Funding Agreement

Data Protection. 20.1 The Parties parties acknowledge that for the purposes of the Data Protection Legislation, the Customer nature of the activity carried out by each of them in relation to their respective obligations under this DPS Agreement will determine the status of each party under the Data Protection Legislation. A party may act as: 20.1.1 Controller (where the other party acts as the Processor); 20.1.2 Processor (where the other party acts as the Controller); 20.1.3 Joint Controller (where both parties are considered to jointly control the same Personal Data); and 20.1.4 Independent Controller of the Personal Data where the other party is also Controller of the Controller same Personal Data in its own right (but there is no element of joint control); and the Supplier parties shall set out in Schedule 12 (Processing Personal Data) which scenario or scenarios are intended to apply under this DPS Agreement. 20.2 Where a party is a Processor, the Processor unless otherwise specified in Contract Schedule 7. The only processing that the Processor it is authorised to do is listed in Contract Schedule 7 12 (Processing Personal Data) by the Controller and may not be determined by the Processor. Controller. 20.3 The Processor shall notify the Controller immediately if it considers that any of the Controller's ’s instructions infringe the Data Protection Legislation. . 20.4 The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. 
Such assistance may, at the discretion of the Controller, include: : 20.4.1 a systematic description of the envisaged processing operations and the purpose of the processing; ; 20.4.2 an assessment of the necessity and proportionality of the processing operations in relation to the Services; requirements of the Administering Authority hereunder; 20.4.3 an assessment of the risks to the rights and freedoms of Data Subjects; and and 20.4.4 the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. . 20.5 The Processor shall, in relation to any Personal Data processed in connection with its obligations under this DPS Agreement: : 20.5.1 process that Personal Data only in accordance with Contract Schedule 712 (Processing Personal Data), unless the Processor is required to do otherwise by Law. If it is so required the Processor shall promptly notify the Controller Contracting Authority before processing the Personal Data unless prohibited by Law; ; 20.5.2 ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, Measures which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), ) having taken account of the: : (a) nature of the data to be protected; ; (b) harm that might result from a Data Loss Event; ; (c) state of technological development; and and (d) cost of implementing any measures; ; 20.5.3 ensure that : that: (i) the Processor Personnel do not process Personal Data except in accordance with this DPS Agreement (and in particular Schedule 712 (Processing Personal Data); ); (ii) it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Processor’s duties under this Clause and Clauses 17 
(Confidentiality) and 19 (Freedom of Information); (B) are subject to appropriate confidentiality undertakings with the Processor or any Sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Controller or as otherwise permitted by this DPS Agreement; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; 20.5.4 not transfer Personal Data outside of the UK unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled: (a) the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or DPA 2018 Section

Appears in 2 contracts

Sources: Dynamic Purchasing System Agreement, Dynamic Purchasing System Agreement

Data Protection. The Parties acknowledge that for i. With respect to the purposes of the Data Protection Legislationrights and obligations under this written arrangement, the Customer is and Developer (the Controller Parties) acknowledge that they jointly process Personal Data as set out in Schedule 1 to perform their obligations governed by this Agreement in respect of their respective roles, and the Supplier relationship between the Customer and Developer is the Processor unless otherwise specified in Contract Schedule 7one of joint controllers. ii. The only processing that Parties shall comply at all times with and assist each other in complying with their respective responsibilities for compliance with the Processor is authorised to do is listed in Contract Schedule 7 by the Controller and may not be determined by the Processor. The Processor shall notify the Controller immediately if it considers that any obligations of the Controller's instructions infringe the all Data Protection LegislationLaws in connection with the processing of Personal Data only as set out in Schedule 1 as updated in writing between the Parties from time to time, unless required to process the Personal Data for any other purpose by applicable Law in which case, where legally permitted, the Customer or Developer must inform the other of this legal requirement before processing. iii. The Processor shall provide all reasonable assistance Each Party agrees to the Controller their respective responsibilities and duties regarding processing as set out in the preparation of any Schedule 1 including to: a. comply with data protection by design and data protection by default obligations under Data Protection Impact Assessment prior to commencing any processing. 
Such assistance mayLaw, at the discretion of the Controllerincluding, include: a systematic description of the envisaged processing operations where required, legitimate interest assessments and the purpose of the processing; an assessment of the necessity data protection impact assessments and proportionality of associated consultation with data subjects, other Parties involved with the processing operations in relation and any applicable supervisory authority, to the Services; an assessment of the risks ensure appropriate technical and organisational measures, including appropriate data protection governance and audit compliance, are implemented to safeguard the rights and freedoms of data subjects; b. observe the principles of Data Subjects; and the measures envisaged to address the risksProtection Law, including safeguards, security measures and mechanisms to ensure the protection not retaining any of Personal Data. The Processor shall, in relation Data for longer than is necessary to any Personal Data processed in connection with perform its obligations under this Agreement: process that Agreement and upon the other Party’s reasonable request, securely destroy (unless applicable Laws require continued storage of Personal Data) or return such Personal Data; c. only transfer any Personal Data only outside of the European Economic Area (the “EEA”) relying on Adequacy Decisions by the EU Commission or on appropriate standard contractual clauses ("Standard Contractual Clauses") between the Parties. In the event that the Adequacy Decision granted in accordance respect of the Standard Contractual Clauses is invalidated or suspended, or any supervisory authority requires transfers of personal information pursuant to such Standard Contractual Clauses to be suspended, then the Parties may require to: i. cease data transfers forthwith, and implement an alternative adequacy mechanism (as agreed in writing by the Parties); or ii. 
return all Personal Data previously transferred and ensure that a senior officer or director of the Customer or Developer certifies to the other that this has been done. d. monitor for, investigate and manage any actual or suspected personal data breach regarding processing activities undertaken by them, to inform the other Party of such personal data breaches without undue delay, and the other Party’s sole and exclusive remedy shall be for the first Party to use reasonable commercial endeavours to resolve the personal data breach; e. comply with Contract Schedule 7and provide information notices to data subjects regarding processing activities undertaken by them, unless including personal data breaches – such notices being available to the Processor is Customer from time to time, as such document may be amended from time to time by the Developer in its sole discretion; f. notify any applicable law enforcement authority (including any applicable supervisory authority) regarding personal data breaches where required relating to processing activities undertaken by them; g. fulfil any data subject rights request pertaining to their Personal Data or assist the other Party in doing so – such requests to be passed to the other Party within two working days in order to fulfil that request; h. notify the other Party without undue delay in writing if it receives from any applicable law enforcement authorities (including any applicable regulators) where permitted to do otherwise so: i. any communication seeking to exercise rights conferred on the data subject by Data Protection Law; ii. If it any complaint or any claim for compensation arising from or relating to the processing of Personal Data as set out in Schedule 1; or iii. any communication from any applicable law enforcement authorities (including any applicable regulators); i. 
provide such information and such assistance to the other Party as they may reasonably require, and within the timescales reasonably specified by the Parties, to allow the other Party to comply with their data protection by design and data protection by default obligations under Data Protection Law, including, where required, consultation regarding legitimate interest assessments and data protection impact assessments, to ensure appropriate technical and organisational measures, including appropriate data protection governance and audit compliance, are implemented to safeguard the rights and freedoms of data subjects, including such full and prompt information and assistance to the other Party and any applicable law enforcement authorities (including any applicable regulators) in relation to a personal data breach. iv. Each Party shall designate a contact point for data subjects. v. The Parties agree that they shall at no additional cost, keep or cause to be kept such information as is necessary to demonstrate compliance with their respective obligations under this clause (Data Protection} regarding the joint processing of Personal Data as set out in [Annex / Schedule / Appendix X] carried out by the Parties in writing and in electronic form, and shall, upon reasonable notice, make available to the other Party or grant to the other Party and its auditors and agents, and any applicable law enforcement authority (including any applicable supervisory authority), a right of access to, and to take copies of, any information or records kept by the other Party pursuant to this clause (Data Protection) – this information to contain no less than: a. their name and contact details, including those of its Companies, and, where applicable, of their representative, and their data protection officer; b. the details regarding their respective processing set out in Schedule 1; c. 
a general description of the appropriate technical and organisational measures to protect Personal Data against accidental or unlawful processing, loss, destruction, damage, alteration, or unauthorised disclosure or access, including so required as to allow the Processor shall promptly notify Parties to comply with their obligations under Data Protection Law – in particular: to safeguard against the Controller before processing specific offences: i. for a person knowingly or recklessly to re-identify Personal Data that is de-identified Personal Data without the consent of the controller responsible for de-identifying the personal data. ii. to alter, deface, block, erase, destroy or conceal Personal Data with the intention of preventing disclosure of all or part of the Personal Data unless prohibited by Law; that the person making the request would have been entitled to receive. iii. where transferring Personal Data to a third country or an international organisation, the identification of that third country or international organisation and, in the case of ex- EEA transfers without adequacy, binding corporate rules, code of conduct, data protection seals, or standard contractual clauses, the documentation of appropriate safeguards such as: 1. explicit consent from affected data subjects, or 2. evidence that the transfer is required for the performance or conclusion of the performance of a contract with said data subjects. iv. 
ensure that it has in place Protective Measures, which are appropriate any staff or personnel (including contractors) authorised to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), having taken account of the: nature of the data to be protected; harm that might result from a Data Loss Event; state of technological development; and cost of implementing any measures; ensure that : the Processor Personnel do not process Personal Data except shall be subject to a binding duty of confidentiality in accordance with respect of such data. vi. The Parties agree to notify each other immediately if, in the opinion of the other Party, the written arrangement for the processing of Personal Data given by the Customer or Developer violates any provision of Data Protection Law. vii. Neither Party must not perform their obligations under this Agreement (and in particular Schedule 7); it takes all reasonable steps such a way as to ensure cause the reliability and integrity other Party to violate any of any Processor Personnel who have access to the Personal their obligations under Data and ensure that they:Protection Law.

Appears in 2 contracts

Sources: Customer Agreement, Customer Agreement

Data Protection. 1.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer Council is the Controller and the Supplier Contractor is the Processor unless otherwise specified in Contract Schedule 7Processor. The only processing that the Processor Contractor is authorised to do is listed in Contract Schedule 7 schedule 1A below by the Controller Council and may not be determined by the Processor. Contractor. 1.2 The Processor Contractor shall notify the Controller Council immediately if it considers that any of the Controller's Council’s instructions infringe the Data Protection Legislation. . 1.3 The Processor Contractor shall provide all reasonable assistance to the Controller Council in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance mayassistance, at the discretion of the ControllerCouncil, include: a : (a) systematic description of the envisaged envisage processing operations and the purpose of the processing; ; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; ; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and and (d) the measures envisaged to address the risks, including safeguards, security measures measures, and mechanisms to ensure the protection of Personal Data. . 1.4 The Processor Contractor shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: : (a) process that Personal Data only in accordance with Contract Schedule 7, schedule 1A below unless the Processor Contractor is required to do otherwise by Law. 
If it is so required the Contractor shall promptly notify the Council before processing the Personal Data unless prohibited by Law; (b) ensure that it has in place Protective Measures, which have been reviewed and approved by the Council as appropriate to protect against a Data Loss Event having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; (c) ensure that: (i) the Contractor Personnel do not process Personal Data except in accordance with this Contract (and in particular schedule 1A); (ii) it takes all reasonable steps to ensure the reliability and integrity of any Contractor Personnel who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Contractor’s duties under this clause; (B) are subject to appropriate confidentiality undertakings with the Contractor or any Sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Council or as otherwise permitted by this Contract; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; and (d) not transfer Personal Data outside of the EU unless the prior written consent of the Council has been obtained and the following conditions are fulfilled: (i) the Council or the Contractor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 47) as determined by the Council; (ii) the Data Subject has enforceable rights and 
effective legal remedies; (iii) the Contractor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Council in meeting its obligations); and (iv) the Contractor complies with any reasonable instructions notified to it in advance by the Council with respect to the processing of the Personal Data; (e) at the written direction of the Council, delete or return Personal Data and any copies of it to the Council on termination of the Contract unless the Contractor is required by Law to retain the Personal Data. 1.5 Subject to clause 1.6, the Contractor shall notify the Council immediately if it: (a) receives a Data Subject Access Request (or purported Data Subject Access Request); (b) receives a request to rectify, block or erase any Personal Data; (c) receives any other request, complaint or communication relating to either Party’s obligations under the Data Protection Legislation; (d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; (e) receives a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or (f) becomes aware of a Data Loss Event. 1.6 The Contractor’s obligation to notify under clause 1.5 shall include the provision of further information to the Council in phases as details become available. 
1.7 Taking into account the nature of the processing, the Contractor shall provide the Council with full assistance in relation to either Party’s obligations under the Data Protection Legislation and any complaint, communication or request made under clause 1.5 (and insofar as possible within the timescales reasonably required by the Council) including by promptly providing: (a) the Council with full details and copies of the complaint, communication or request; (b) such assistance as is reasonably requested by the Council to enable the Council to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; (c) the Council, at its request, with any Personal Data it holds in relation to a Data Subject; (d) assistance as requested by the Council following any Data Loss Event; (e) assistance as requested by the Council with respect to any request from the Information Commissioner’s Office, or any consultation by the Council with the Information Commissioner’s Office. 1.8 The Contractor shall maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Contractor employs fewer than 250 staff, unless: (a) the Council determines that the processing is not occasional; (b) the Council determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; and (c) the Council determines that the processing is likely to result in a risk to the rights and freedoms of the Data Subjects. 1.9 The Contractor shall allow for audits of its Data Processing activity by the Council or the Council’s designated auditor. 1.10 The Contractor shall designate a data protection officer if required by Data Protection Legislation. 
1.11 Before allowing any Sub-processor to process any Personal Data related to this Contract, the Contractor must: (a) notify the Council in writing of the intended Sub-processor and processing; (b) obtain the written consent of the Council; (c) enter into a written agreement with the Sub-processor which gives effect to the terms set out in this clause such that they apply to the Sub-processor; and (d) provide the Council with such information regarding the Sub-processor as the Council may reasonably require. 1.12 The Contractor shall remain fully liable for all such acts or omissions of any Sub-processor. 1.13 The Council may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Contract). 1.14 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Council may on not less than 30 Working Days’ notice to the Contractor amend this Contract to ensure it complies with any guidance issued by the Information Commissioner’s Office. 1.15 The provisions of this Appendix I shall apply during the term of the Contract and indefinitely after its expiry.

Appears in 2 contracts

Sources: Contract for Services, Services Agreements

Data Protection. i. The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Controller and the Contractor is the Processor. The only processing that the Contractor is authorised to do is listed in Contract Schedule 1 by the Customer and may not be determined by the Contractor. ii. The Contractor shall notify the Customer immediately if it considers that any of the Customer's instructions infringe the Data Protection Legislation. iii. The Contractor shall provide all reasonable assistance to the Customer in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Customer, include: a) a systematic description of the envisaged processing operations and the purpose of the processing; b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; c) an assessment of the risks to the rights and freedoms of Data Subjects; and d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. iv. The Contractor shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: a) process that Personal Data only in accordance with Contract Schedule 1, unless the Contractor is required to do otherwise by Law. 
If it is so required the Contractor shall promptly notify the Customer before processing the Personal Data unless prohibited by Law; b) ensure that it has in place Protective Measures, which have been reviewed and approved by the Customer as appropriate to protect against a Data Loss Event having taken account of the: i) nature of the data to be protected; ii) harm that might result from a Data Loss Event; iii) state of technological development; and iv) cost of implementing any measures; c) ensure that: i) the Contractor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 1); ii) it takes all reasonable steps to ensure the reliability and integrity of any Contractor Personnel who have access to the Personal Data and ensure that they: A) are aware of and comply with the Contractor’s duties under this clause; B) are subject to appropriate confidentiality undertakings with the Contractor or any Sub-processor; C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Customer or as otherwise permitted by this Agreement; and D) have undergone adequate training in the use, care, protection and handling of Personal Data; and d) not transfer Personal Data outside of the EU unless the prior written consent of the Customer has been obtained and the following conditions are fulfilled: i) the Customer or the Contractor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Customer; ii) the Data Subject has enforceable rights and effective legal remedies; iii) the 
Contractor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Customer in meeting its obligations); and iv) the Contractor complies with any reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; e) at the written direction of the Customer, delete or return Personal Data (and any copies of it) to the Customer on termination of the Agreement unless the Contractor is required by Law to retain the Personal Data. v. Subject to clause 3.5, the Contractor shall notify the Customer immediately if it: a) receives a Data Subject Access Request (or purported Data Subject Access Request); b) receives a request to rectify, block or erase any Personal Data; c) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; e) receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or f) becomes aware of a Data Loss Event. vi. The Contractor’s obligation to notify under clause 3.4 shall include the provision of further information to the Customer in phases, as details become available. vii. 
Taking into account the nature of the processing, the Contractor shall provide the Customer with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause 3.4 (and insofar as possible within the timescales reasonably required by the Customer) including by promptly providing: a) the Customer with full details and copies of the complaint, communication or request; b) such assistance as is reasonably requested by the Customer to enable the Customer to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; c) the Customer, at its request, with any Personal Data it holds in relation to a Data Subject; d) assistance as requested by the Customer following any Data Loss Event; e) assistance as requested by the Customer with respect to any request from the Information Commissioner’s Office, or any consultation by the Customer with the Information Commissioner's Office. viii. The Contractor shall maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement applies because: a) the Customer determines that the processing is not occasional; b) the Customer determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR. ix. The Contractor shall allow for audits of its Data Processing activity by the Customer or the Customer’s designated auditor. x. The Contractor shall designate a data protection officer if required by the Data Protection Legislation. xi. 
Before allowing any Sub-processor to process any Personal Data related to this Agreement, the Contractor must: a) notify the Customer in writing of the intended Sub-processor and processing; b) obtain the written consent of the Customer; c) enter into a written agreement with the Sub-processor which gives effect to the terms set out in this clause such that they apply to the Sub-processor; and d) provide the Customer with such information regarding the Sub-processor as the Customer may reasonably require. xii. The Contractor shall remain fully liable for all acts or omissions of any Sub-processor. xiii. The Contractor may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Agreement). xiv. The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Customer may on not less than 30 Working Days’ notice to the Contractor amend this agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office.

Appears in 2 contracts

Sources: Data Processing Agreement, Data Processing Agreement

Data Protection. 13.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Controller and the Contractor is the Processor unless otherwise specified in Contract Schedule 1. The only processing that the Processor is authorised to do is listed in Contract Schedule 1 by the Controller and may not be determined by the Processor. 13.2 The Processor shall notify the Controller immediately if it considers that any of the Controller's instructions infringe the Data Protection Legislation. 13.3 The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Controller, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 13.4 The Processor shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: (a) process that Personal Data only in accordance with Contract Schedule 1, unless the Processor is required to do otherwise by Law. 
If it is so required the Processor shall promptly notify the Controller before processing the Personal Data unless prohibited by Law; (b) ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; (c) ensure that: (i) the Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 1); (ii) it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Processor’s duties under this clause; (B) are subject to appropriate confidentiality undertakings with the Processor or any Sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Controller or as otherwise permitted by this Agreement; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; and (d) not transfer Personal Data outside of the EU unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled: (i) the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Controller; (ii) the Data Subject has enforceable rights and effective legal remedies; (iii) the Processor complies with its obligations under the Data Protection Legislation by 
providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and (iv) the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data; (e) at the written direction of the Controller, delete or return Personal Data (and any copies of it) to the Controller on termination of the Agreement unless the Processor is required by Law to retain the Personal Data. (a) receives a Data Subject Request (or purported Data Subject Request); (b) receives a request to rectify, block or erase any Personal Data; (c) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; (d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; (e) receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or (f) becomes aware of a Data Loss Event. 13.6 The Processor’s obligation to notify under clause 13.5 shall include the provision of further information to the Controller in phases, as details become available. 
13.7 Taking into account the nature of the processing, the Processor shall provide the Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause 1.5 (and insofar as possible within the timescales reasonably required by the Controller) including by promptly providing: (a) the Controller with full details and copies of the complaint, communication or request; (b) such assistance as is reasonably requested by the Controller to enable the Controller to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation; (c) the Controller, at its request, with any Personal Data it holds in relation to a Data Subject; (d) assistance as requested by the Controller following any Data Loss Event; (e) assistance as requested by the Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Controller with the Information Commissioner's Office. 13.8 The Processor shall maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Processor employs fewer than 250 staff, unless: (a) the Controller determines that the processing is not occasional; (b) the Controller determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; or

Appears in 2 contracts

Sources: Agreement for Dit Support, Agreement for Dit Support

Data Protection. 1.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Controller and the Supplier is the Processor unless otherwise specified in Contract Schedule 7. The only processing that Blueteq Ltd is authorised to do is listed in Contract Schedule 1. 1.2 Blueteq Ltd shall notify the Customer immediately if it considers that any of the Customer's instructions infringe the Data Protection Legislation. 1.3 Blueteq Ltd shall provide all reasonable assistance to the Customer in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Customer, include: i. a systematic description of the envisaged processing operations and the purpose of the processing; ii. an assessment of the necessity and proportionality of the processing operations in relation to the Services; iii. an assessment of the risks to the rights and freedoms of Data Subjects; and iv. the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 1.4 Blueteq Ltd shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: i. process that Personal Data only in accordance with Contract Schedule 1, unless Blueteq Ltd is required to do otherwise by Law. If it is so required Blueteq Ltd shall promptly notify the Customer before processing the Personal Data unless prohibited by Law. ii. 
ensure that it has in place Protective Measures, which have been reviewed and approved by the Customer as appropriate to protect against a Data Loss Event having taken account of the: a. nature of the data to be protected; b. harm that might result from a Data Loss Event; c. state of technological development; and d. cost of implementing any measures. iii. ensure that: a. Blueteq Ltd personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 1). b. it takes all reasonable steps to ensure the reliability and integrity of any Blueteq Ltd Personnel who have access to the Personal Data and ensure that they: i. are aware of and comply with Blueteq Ltd’s duties under this clause; ii. are subject to appropriate confidentiality undertakings with Blueteq Ltd or any Sub-processor; iii. are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Customer or as otherwise permitted by this Agreement; and iv. have undergone adequate training in the use, care, protection and handling of Personal Data; and v. not transfer Personal Data outside of the UK unless the prior written consent of the Customer has been obtained and the following conditions are fulfilled: a. the Customer or Blueteq Ltd has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Customer; b. the Data Subject has enforceable rights and effective legal remedies; c. 
Blueteq Ltd complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Customer in meeting its obligations); and d. Blueteq Ltd complies with any reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; e. at the written direction of the Customer, delete or return Personal Data (and any copies of it) to the Customer on termination of the Agreement unless Blueteq Ltd is required by Law to retain the Personal Data. 1.5 Subject to clause 1.6, Blueteq Ltd shall notify the Customer immediately if it: i. receives a Data Subject Access Request (or purported Data Subject Access Request); ii. receives a request to rectify, block or erase any Personal Data; iii. receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; iv. receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; v. becomes aware of a Data Loss Event. 1.6 Blueteq Ltd’s obligation to notify under clause 1.5 shall include the provision of further information to the Customer in phases, as details become available. 1.7 Taking into account the nature of the processing, Blueteq Ltd shall provide the Customer with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause 1.5 (and insofar as possible within the timescales reasonably required by the Customer) including by promptly providing: i. 
the Customer with full details and copies of the complaint, communication or request; ii. such assistance as is reasonably requested by the Customer to enable the Customer to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; iii. the Customer, at its request, with any Personal Data it holds in relation to a Data Subject; iv. assistance as requested by the Customer following any Data Loss Event; v. assistance as requested by the Customer with respect to any request from the Information Commissioner’s Office, or any consultation by the Customer with the Information Commissioner's Office. vi. Blueteq Ltd shall maintain complete and accurate records and information to demonstrate its compliance with this clause. 1.8 Blueteq Ltd shall allow for audits of its Data Processing activity by the Customer or the Customer’s designated auditor. 1.9 Blueteq Ltd shall have a designated Data Protection Officer/Information Governance Lead. 1.10 Before allowing any Sub-processor to process any Personal Data related to this Agreement, Blueteq Ltd must: i. notify the Customer in writing of the intended Sub-processor and processing; ii. obtain the written consent of the Customer; iii. enter into a written agreement with the Sub-processor which gives effect to the terms set out in this clause such that they apply to the Sub-processor; and iv. provide the Customer with such information regarding the Sub-processor as the Customer may reasonably require. 1.11 Blueteq Ltd shall remain fully liable for all acts or omissions of any Sub-processor. 1.12 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. This agreement may be amended to ensure that it complies with any guidance issued by the Information Commissioner’s Office by following the process laid down in the Section “Changing the Terms of this Agreement” of the License Agreement.

Appears in 2 contracts

Sources: Licence Agreement, Licence Agreement

Data Protection. 9.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Controller and Hornbill is the Processor. The only Processing that Hornbill is authorised to do is listed in Contract Schedule 1 by the Customer and may not be determined by Hornbill. 9.2 Hornbill shall notify the Customer immediately if it considers that any of the Customer's instructions infringe the Data Protection Legislation. 9.3 Hornbill shall, in relation to any Personal Data processed in connection with its obligations under this agreement: (a) unless Hornbill is required to do otherwise by Law, process that Personal Data only in accordance with Contract Schedule 1 as updated from time to time by written agreement of the parties. 
If it is so required Hornbill shall promptly notify the Customer before processing the Personal Data unless prohibited by Law; and (b) implement and maintain at its cost and expense Protective Measures as set out in Schedule 2, which are appropriate to safeguard the security of the Personal Data in accordance with Data Protection Laws and protect against a Data Loss Event having taken account of the: (i) nature of the data to be protected; and (ii) harm that might result from a Data Loss Event; and (iii) state of technological development. The Parties acknowledge that the adequacy of the Protective Measures mentioned in this clause 9.3 and Schedule 2 may change over time, and that an effective set of Protective Measures demands frequent evaluation and improvement of the Protective Measures. Therefore Hornbill will frequently evaluate and tighten, increase or improve such Protective Measures to ensure compliance with Data Protection Legislation and the Protective Measures set out in Schedule 2 may as a result be changed from time to time by Hornbill where such changes are required by best practice, changing technological requirements, to protect against security weaknesses or other such situations that in the reasonable opinion of Hornbill are required to ensure the Protective Measures remain effective and compliant with Data Protection Legislation. 
The Customer will be notified in writing when a change is made to the Protective Measures; and cost of implementing any measures; and (c) ensure that : the Processor that: (i) Hornbill Personnel do not process Personal Data except in accordance with this Agreement agreement (and in particular Schedule 71); ; (ii) it takes all reasonable steps to ensure the reliability and integrity of any Processor Hornbill Personnel who have access to the Personal Data and ensure that they: (A) have received adequate training on and comply with Hornbill’s duties under this agreement; and (B) are in relation to Personal Data subject to a legally binding confidentiality undertaking with Hornbill or any Sub-processor; and (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Customer or as otherwise permitted by this Agreement; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data. (d) not transfer Personal Data outside of the EEA or such third countries as the European Commission may from time to time designate unless the prior written consent of the Customer has been obtained and the following conditions are fulfilled: (i) the Customer or Hornbill has provided appropriate safeguards in relation to the transfer (in accordance with GDPR Article 46) as determined by the Customer; and (ii) the Data Subject has enforceable rights and effective legal remedies; and (iii) Hornbill complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Customer in meeting its obligations); and (iv) Hornbill complies with any reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data. 
(e) at the written direction of the Customer, securely delete and / or securely return Personal Data (and any copies of it) to the Customer promptly on termination of this agreement unless Hornbill is required by Law to retain the Personal Data. 9.4 Subject to clause 9.6, Hornbill shall notify the Customer immediately if it: (a) receives a Data Subject Access Request (or purported Data Subject Access Request); or (b) receives a request to rectify, block or erase any Personal Data; or (c) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; or (d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; or (e) receives a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or (f) becomes aware of a Data Loss Event.

Appears in 2 contracts

Sources: Terms of Service, Terms of Service

Data Protection. 7.1. The Parties acknowledge that for the purposes of the Data Protection Legislation, in respect of the Personal Data processed under this Agreement the Customer is the Controller and Dashboard Technology Limited is the Processor. The only processing that Dashboard Technology Limited is authorised to do is listed in Appendix A by the Customer and may not be determined by Dashboard Technology Limited. The Customer warrants and undertakes that it shall comply with all of its obligations as a Data Controller under the Data Protection Legislation. 7.2. Dashboard Technology Limited shall provide, at the Customer's cost and expense reasonable assistance to the Customer in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Customer, include: 7.2.1. a systematic description of the envisaged processing operations and the purpose of the processing; 7.2.2. an assessment of the necessity and proportionality of the processing operations in relation to the Services; 7.2.3. an assessment of the risks to the rights and freedoms of Data Subjects; and 7.2.4. the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 7.3. Dashboard Technology Limited shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: 7.3.1. process that Personal Data only in accordance with Appendix A, unless Dashboard Technology Limited is required to do otherwise by Law.
If it is so required Dashboard Technology Limited shall promptly notify the Customer before processing the Personal Data unless prohibited by Law; 7.3.2. ensure that it has in place Protective Measures, which have been reviewed and approved by the Customer as appropriate to protect against a Data Loss Event having taken account of the: a) nature of the data to be protected; b) harm that might result from a Data Loss Event; c) state of technological development; and d) cost of implementing any measures; 7.3.3. ensure that: a) Dashboard Technology Limited personnel do not process Personal Data except in accordance with this Agreement (and in particular Appendix A); b) it takes all reasonable steps to ensure the reliability and integrity of any Dashboard Technology Limited personnel who have access to the Personal Data and ensure that they: i are aware of and comply with Dashboard Technology Limited's duties under this clause; ii are subject to appropriate confidentiality undertakings with Dashboard Technology Limited or any Sub-processor; iii are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Customer or as otherwise permitted by this Agreement; and iv have undergone adequate training in the use, care, protection and handling of Personal Data; and 7.3.4.
not transfer Personal Data outside of the EU unless the prior written consent of the Customer has been obtained and the following conditions are fulfilled: a) the Customer or Dashboard Technology Limited has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Customer; b) the Data Subject has enforceable rights and effective legal remedies; c) Dashboard Technology Limited complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Customer in meeting its obligations); and 7.3.5. Dashboard Technology Limited complies with any reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; 7.3.6. at the written direction of the Customer, delete or return Personal Data (and any copies of it) to the Customer on termination of the Agreement unless Dashboard Technology Limited is required by Law to retain the Personal Data. 7.4. Subject to clause 7.5, Dashboard Technology Limited shall notify the Customer promptly if it: 7.4.1. receives a Data Subject Access Request (or purported Data Subject Access Request); 7.4.2. receives a request to rectify, block or erase any Personal Data; 7.4.3. receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; 7.4.4. receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; 7.4.5. receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or 7.4.6. becomes aware of a Data Loss Event.

Appears in 2 contracts

Sources: Standard Terms and Conditions, Standard Terms and Conditions

Data Protection. The Parties acknowledge that for the purposes of the Data Protection Legislation, the Buyer Controller is the Controller and the Supplier (Abavus and iTouch Vision) is the Processor unless otherwise specified. The only processing that the Processor is authorised to do is listed in relation to the delivery of the Service. 6.5.1 The Processor shall notify the Controller immediately if it considers that any of the Buyer’s instructions infringe the Data Protection Legislation. 6.5.2 The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Controller, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 6.5.3 The Processor shall, in relation to any Personal Data processed in connection with its obligations under this contract: (a) process that Personal Data only in accordance with delivery of the Service, unless the Processor is required to do otherwise by Law.
If it is so required the Processor shall promptly notify the Controller before processing the Personal Data unless prohibited by Law; (b) ensure that it has in place Protective Measures which have been reviewed and approved by the Controller as appropriate to protect against a Data Loss Event having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; (c) ensure that: (i) the Processor Personnel do not process Personal Data except in accordance with this contract (and in particular delivery of the Service); (ii) it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Processor’s duties under this ▇▇▇▇▇▇; (B) are subject to appropriate confidentiality undertakings with the Processor or any Sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Controller or as otherwise permitted by this Call Off Contract; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; (d) not transfer Personal Data outside of the EU unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled: (i) the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Controller; (ii) the Data Subject has enforceable rights and effective legal 
remedies; (iii) the Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavors to assist the Controller in meeting its obligations); and (iv) the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data; (e) at the written direction of the Controller, delete or return Personal Data (and any copies of it) to the Controller on termination of the contract unless the Processor is required by Law to retain the Personal Data. 6.5.4 Subject to Clause 6.5.6, the Processor shall notify the Controller immediately if it: (a) receives a Data Subject Access Request (or purported Data Subject Access Request); (b) receives a request to rectify, block or erase any Personal Data; (c) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; (d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under contract; (e) receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or (f) becomes aware of a Data Loss Event. 6.5.5 The Processor’s obligation to notify under Clause 6.5.4 shall include the provision of further information to the Controller in phases, as details become available. 
6.5.6 Taking into account the nature of the processing, the Processor shall provide the Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under Clause 6.5.4 (and insofar as possible within the timescales reasonably required by the Controller) including by promptly providing: (a) the Controller with full details and copies of the complaint, communication or request; (b) such assistance as is reasonably requested by the Controller to enable the Controller to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; (c) the Controller, at its request, with any Personal Data it holds in relation to a Data Subject; (d) assistance as requested by the Controller following any Data Loss Event; (e) assistance as requested by the Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Controller with the Information Commissioner's Office.

Appears in 2 contracts

Sources: Hosted Services Agreement, Hosted Services Agreement

Data Protection. The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Controller and the Supplier is the Processor. The only processing that the Supplier is authorised to do is listed in Annex A by the Customer and may not be determined by the Supplier. The Supplier shall notify the Customer immediately if it considers that any of the Customer's instructions infringe the Data Protection Legislation. The Supplier shall provide all reasonable assistance to the Customer in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Customer, include: a systematic description of the envisaged processing operations and the purpose of the processing; an assessment of the necessity and proportionality of the processing operations in relation to the Services; an assessment of the risks to the rights and freedoms of Data Subjects; and the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. The Supplier shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: process that Personal Data only in accordance with Annex A, unless the Supplier is required to do otherwise by Law.
If it is so required the Supplier shall promptly notify the Customer before processing the Personal Data unless prohibited by Law; ensure that it has in place Protective Measures, which have been reviewed and approved by the Customer as appropriate to protect against a Data Loss Event having taken account of the: nature of the data to be protected; harm that might result from a Data Loss Event; state of technological development; and cost of implementing any measures; ensure that: the Supplier Personnel do not process Personal Data except in accordance with this Agreement (and in particular Annex A); it takes all reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that they: are aware of and comply with the Supplier’s duties under this clause; are subject to appropriate confidentiality undertakings with the Supplier or any Sub-processor; are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Customer or as otherwise permitted by this Agreement; and have undergone adequate training in the use, care, protection and handling of Personal Data; and not transfer Personal Data outside of the EU unless the prior written consent of the Customer has been obtained and the following conditions are fulfilled: the Customer or the Supplier has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Customer; the Data Subject has enforceable rights and effective legal remedies; the Supplier complies with its obligations under the Data Protection Legislation by 
providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Customer in meeting its obligations); and the Supplier complies with any reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; at the written direction of the Customer, delete or return Personal Data (and any copies of it) to the Customer on termination of the Agreement unless the Supplier is required by Law to retain the Personal Data. Subject to clause 1.6, the Supplier shall notify the Customer immediately if it: receives a Data Subject Access Request (or purported Data Subject Access Request); receives a request to rectify, block or erase any Personal Data; receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or becomes aware of a Data Loss Event. The Supplier’s obligation to notify under clause 1.5 shall include the provision of further information to the Customer in phases, as details become available. 
Taking into account the nature of the processing, the Supplier shall provide the Customer with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause 1.5 (and insofar as possible within the timescales reasonably required by the Customer) including by promptly providing: the Customer with full details and copies of the complaint, communication or request; such assistance as is reasonably requested by the Customer to enable the Customer to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; the Customer, at its request, with any Personal Data it holds in relation to a Data Subject; assistance as requested by the Customer following any Data Loss Event; assistance as requested by the Customer with respect to any request from the Information Commissioner’s Office, or any consultation by the Customer with the Information Commissioner's Office. The Supplier shall maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Supplier employs fewer than 250 staff, unless: the Customer determines that the processing is not occasional; the Customer determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; and the Customer determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. The Supplier shall allow for audits of its Data Processing activity by the Customer or the Customer’s designated auditor. The Supplier shall designate a Data Protection Officer if required by the Data Protection Legislation. 
Before allowing any Sub-processor to process any Personal Data related to this Agreement, the Supplier must: notify the Customer in writing of the intended Sub-processor and processing; obtain the written consent of the Customer; enter into a written agreement with the Sub-processor where the contract is on terms no less onerous than the terms set out within this contract; and provide the Customer with such information regarding the Sub-processor as the Customer may reasonably require. The Supplier shall remain fully liable for all acts or omissions of any Sub-processor. The Customer may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Agreement). The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Customer may on not less than 30 Working Days’ notice to the Supplier amend this agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office.

Appears in 2 contracts

Sources: Supply of Services Agreement, Supply of Services Agreement

Data Protection. The Supplier shall comply at all times with all data protection legislation applicable in the UK from time to time. General Data Protection Regulations (GDPR) The Supplier warrants that it shall under this Contract: Process only on documented instructions (Annex A) by the Contracting Authority, including regarding international transfers (unless, subject to certain restrictions, legally required to transfer to a third country or international organisation); provide all reasonable assistance to the Contracting Authority in the preparation of any Data Protection Impact Assessment (see ▇▇▇▇://▇▇▇- ▇▇▇.▇▇▇▇▇▇.▇▇/▇▇▇▇▇-▇▇▇▇▇▇▇/▇▇/▇▇▇/▇▇▇/?▇▇▇=▇▇▇▇▇:▇▇▇▇▇▇▇▇▇▇&▇▇▇▇=▇▇ of the GDPR). prior to commencing any processing. Such assistance may, at the discretion of the Contracting Authority, include; (a) systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
V1.0 • ensure those processing personal data are under a confidentiality obligation (contractual or statutory); • appoint a suitably qualified data protection representative to manage the data; • keep records of their data processing activities performed under this Contract in order to be able to provide information included in those records to the Data Protection Authorities, upon request. Records should include: (1) details of the data controller and data processor and their representatives; (2) the categories of processing activities that are performed; (3) information regarding cross-border data transfers; and (4) a general description of the security measures that are implemented; • take all measures required under the security provisions which includes pseudonymisation and encrypting personal data as appropriate; • only use a sub-processor with the Contracting Authority's formal written consent (specific or general, although where general consent is obtained processors must notify all and any changes to Contracting Authority, giving them an opportunity to object); • flow down the same contractual obligations to sub-processors; • notify the Contracting Authority without undue delay of data breaches; • assist the Contracting Authority in responding to requests from individuals (data subjects) 
exercising their rights; • assist the Contracting Authority in complying with the obligations relating to a security breach notification, Data Protection Impact Assessment and consulting with supervisory authorities; • securely destroy (providing evidence that this has occurred e.g. a secure waste disposal certificate from a third party) or return as instructed by the Contracting Authority all personal data at the end of the Contract (unless storage is required by EU/member state law); • make available to the Contracting Authority all information necessary to demonstrate compliance; allow/contribute to audits (including inspections by the Contracting Authority or a third party); and inform the Contracting Authority if its instructions infringe data protection law or other EU or member state data protection provisions. The Contracting Authority may require further assurances during the Contract through a series of questions as to the Supplier's GDPR compliance. Notwithstanding any other remedies available to the Contracting Authority, the Supplier shall fully indemnify the Contracting Authority as a result of any such breach of the General Data Protection Regulations (GDPR), by the Supplier or any other party used by the Supplier in its performance of the Contract, that results in the Contracting Authority suffering fines, loss or damages.
For the avoidance of doubt this clause shall require the Supplier to ensure that this Contract from its Commencement shall be performed in such a way so as to be compliant with any existing Data Protection Act and will meet the requirements of the GDPR.

Annex A Template: Subject matter of the processing; Duration of the processing; Nature and purposes of the processing; Type of Personal Data; Categories of Data Subject; Plan for return and destruction of the data once the processing is complete UNLESS requirement under union or member state law to preserve that type of data.

C6 Freedom of Information

Appears in 2 contracts

Sources: Dynamic Purchasing System Contract, Dynamic Purchasing System Contract

Data Protection. 1.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, if Table A of this Protocol has been completed then HEE is the Controller and the Provider is the Processor in relation to the Processing described at Table A. Where the Provider acts as a Processor they are only authorised to carry out the Processing listed in Table A. 1.2 The Provider shall notify ▇▇▇ immediately if it considers that any of ▇▇▇'s instructions infringe the Data Protection Legislation. 1.3 The Provider shall provide all reasonable assistance to HEE in the preparation of any Data Protection Impact Assessment prior to commencing any Processing. Such assistance may, at the discretion of HEE, include: 1.3.1 a systematic description of the envisaged Processing operations and the purpose of the Processing; 1.3.2 an assessment of the necessity and proportionality of the Processing operations in relation to the Services; 1.3.3 an assessment of the risks to the rights and freedoms of Data Subjects; and 1.3.4 the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 1.4 The Provider shall, in relation to any Personal Data Processed in connection with its obligations as a Processor under this contract: 1.4.1 process that Personal Data only in accordance with Table A of this Protocol, unless the Provider is required to do otherwise by Law.
Where the Provider is required by Law to Process the Personal Data it shall promptly notify HEE before Processing the Personal Data or at the first available opportunity where prior notification is not possible unless notification to HEE is prohibited by Law; 1.4.2 ensure that it has in place Protective Measures as appropriate to protect against a Data Loss Event having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; 1.4.3 ensure that: (i) the Provider Personnel do not Process Personal Data except in accordance with this contract (and in particular Table A of this Protocol); (ii) it takes all reasonable steps to ensure the reliability and integrity of any Provider Personnel who have access to the Personal Data and ensure that they:

Appears in 2 contracts

Sources: NHS Education and Training Contract, NHS Education and Training Contract

Data Protection. 37.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Purchaser is the Controller and the Supplier is the Processor unless otherwise specified. 37.2 The only processing that the Processor is authorised to do is listed in Contract Schedule 7 by the Controller and may not be determined by the Processor. 37.3 The Processor shall notify the Controller immediately if it considers that any of the Controller's instructions infringe the Data Protection Legislation. 37.4 The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Controller, include: 37.5 a systematic description of the envisaged processing operations and the purpose of the processing; 37.6 an assessment of the necessity and proportionality of the processing operations in relation to Providing the Goods and Services; 37.7 an assessment of the risks to the rights and freedoms of Data Subjects; and 37.8 the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 37.9 The Processor shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: 37.10 process that Personal Data only in accordance with Contract Schedule 7 only, unless the Processor is required to do otherwise by Law. 
If it is so required the Processor shall promptly notify the Controller before processing the Personal Data unless prohibited by Law; 37.11 ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; 37.12 ensure that: the Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 7); it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they:

Appears in 1 contract

Sources: Contract for the Supply of Personal Protective Equipment

Data Protection. 1.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Authority is the Controller and the Supplier is the Processor. The only Processing that the Supplier is authorised to do is listed in Table A of this Protocol by the Authority and may not be determined by the Supplier. 1.2 The Supplier shall notify the Authority immediately if it considers that any of the Authority's instructions infringe the Data Protection Legislation. 1.3 The Supplier shall provide all reasonable assistance to the Authority in the preparation of any Data Protection Impact Assessment prior to commencing any Processing. Such assistance may, at the discretion of the Authority, include: 1.3.1 a systematic description of the envisaged Processing operations and the purpose of the Processing; 1.3.2 an assessment of the necessity and proportionality of the Processing operations in relation to the Services; 1.3.3 an assessment of the risks to the rights and freedoms of Data Subjects; and 1.3.4 the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 1.4 The Supplier shall, in relation to any Personal Data Processed in connection with its obligations under this Contract: 1.4.1 process that Personal Data only in accordance with Table A of this Protocol, unless the Supplier is required to do otherwise by Law. 
If it is so required the Supplier shall promptly notify the Authority before Processing the Personal Data unless prohibited by Law; 1.4.2 ensure that it has in place Protective Measures, which have been reviewed and approved by the Authority as appropriate to protect against a Data Loss Event having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; 1.4.3 ensure that: (i) the Supplier Personnel do not Process Personal Data except in accordance with this Contract (and in particular Table A of this Protocol); (ii) it takes all reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Supplier’s duties under this Protocol; (B) are subject to appropriate confidentiality undertakings with the Supplier or any Sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority or as otherwise permitted by this Contract; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; 1.4.4 not transfer Personal Data outside of the EU unless the prior written consent of the Authority has been obtained and the following conditions are fulfilled: (i) the Authority or the Supplier has provided appropriate safeguards in relation to the transfer (whether in accordance with Article 46 of the GDPR or Article 37 of the Law Enforcement Directive (Directive (EU) 2016/680)) 
as determined by the Authority; (ii) the Data Subject has enforceable rights and effective legal remedies; (iii) the Supplier complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Authority in meeting its obligations); and (iv) the Supplier complies with any reasonable instructions notified to it in advance by the Authority with respect to the Processing of the Personal Data; 1.4.5 at the written direction of the Authority, delete or return Personal Data (and any copies of it) to the Authority on termination or expiry of the Contract unless the Supplier is required by Law to retain the Personal Data. 1.5 Subject to Clause 1.6 of this Protocol, the Supplier shall notify the Authority immediately if it: 1.5.1 receives a Data Subject Access Request (or purported Data Subject Access Request); 1.5.2 receives a request to rectify, block or erase any Personal Data; 1.5.3 receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; 1.5.4 receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data Processed under this Contract; 1.5.5 receives a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or

Appears in 1 contract

Sources: NHS Terms and Conditions for the Provision of Services

Data Protection. 18.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Council is the Controller and the Provider is the Processor unless otherwise specified in Appendix 1 to Schedule 5. The only processing that the Processor is authorised to do is listed in Appendix 1 to Schedule 5 by the Controller and may not be determined by the Processor. The term “processing” and any associated terms are to be read in accordance with Article 4 of the UK GDPR. 18.2 The Processor shall notify the Controller immediately if it considers that any of the Controller's instructions infringe the Data Protection Legislation. 18.3 The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Controller, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 18.4 The Processor shall, in relation to any Personal Data processed in connection with its obligations under the Contract (a) process that Personal Data only in accordance with Appendix 1 to Schedule 5, unless the Processor is required to do otherwise by Law. If it is so required the Processor shall promptly notify the Controller before processing the Personal Data unless prohibited by Law; (b) ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Controller may reasonably reject. 
In the event of the Controller reasonably rejecting Protective Measures put in place by the Processor, the Processor must propose alternative Protective Measures to the satisfaction of the Controller. Failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures. Protective Measures must take account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; (c) ensure that: (i) Staff do not process Personal Data except in accordance with this Agreement (and in particular Appendix 1 to Schedule 5); (ii) It takes all reasonable steps to ensure the reliability and integrity of any Staff who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Processor’s duties under this clause: (B) are subject to appropriate confidentiality undertakings with the Processor or any Sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Controller or as otherwise permitted by this Agreement; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; and (d) not transfer Personal Data outside of the UK unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled: (i) the destination country has been recognised as adequate by the UK government in accordance with Article 45 UK GDPR or section 74 of the DPA 2018; (ii) the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with UK GDPR Article 46 or Section 75 DPA 2018) as determined by the Controller; (iii) the Data Subject has enforceable rights 
and effective legal remedies; (iv) the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data; and (v) the Processor complies with its obligations under Data Protection Legislation by providing an appropriate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); (e) at the written direction of the Controller, delete or return Personal Data (and any copies of it) to the Controller on termination of the Agreement unless the Processor is required by Law to retain the Personal Data. 18.5 Subject to clause 18.6, the Processor shall notify the Controller immediately it: (a) receives a Data Subject Request (or purported Data Subject Request); (b) receives a request to rectify, block or erase any Personal Data; (c) receives any other request, complaint or communication relating to either Party's obligations under Data Protection Legislation; (d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; (e) receives a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or (f) becomes aware of a Data Loss Event. 18.6 The Processor’s obligation to notify under clause 18.5 shall include the provision of further information to the Controller, as details become available. 
18.7 Taking into account the nature of the processing, the Processor shall provide the Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause 18.5 (and insofar as possible within the timescales reasonably required by the Controller) including but not limited to promptly providing: (a) the Controller with full details and copies of the complaint, communication or request; (b) such assistance as is reasonably requested by the Controller to enable the Controller to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation; (c) the Controller, at its request, with any Personal Data it holds in relation to a Data Subject; (d) assistance as requested by the Controller following any Data Loss Event; (e) assistance as requested by the Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Controller with the Information Commissioner's Office. 18.8 The Processor shall maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Processor employs fewer than 250 staff, unless: (a) the Controller determines that the processing is not occasional; (b) the Controller determines the processing includes special categories of data as referred to in Article 9(1) of the UK GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the UK GDPR; and (c) the Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. 18.9 The Processor shall allow for audits of its Data Processing activity by the Controller or the Controller’s designated auditor. 18.10 Each Party shall designate a data protection officer if required by Data Protection Legislation. 
18.11 Before allowing any Sub-processor to process any Personal Data, the Processor must: (a) notify the Controller in writing of the intended Sub-processor and processing; (b) obtain the written consent of the Controller; (c) enter into a written agreement with the Sub-processor which give effect to the terms set out in this clause 18 such that they apply to the Sub-processor; and (d) provide the Controller with such information regarding the Sub-processor as the Controller may reasonably require. 18.12 The Processor shall remain fully liable for all acts or omissions of any Sub-processors. 18.13 The Controller may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Agreement). 18.14 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Council may upon not less than 30 Working Days’ notice to the Provider amend this agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office. 18.15 Where the Parties include two or more Joint Controllers as identified in Appendix 1 to Schedule 5 in accordance with GDPR Article 26, the Parties shall enter into a Joint Controller Agreement on the terms provided by the Council in replacement of Clauses E1.1-E1.14 for the Personal Data under Joint Control.

Appears in 1 contract

Sources: Dynamic Purchasing System Agreement

Data Protection. 8.1 The parties acknowledge that for the purposes of the Data Protection Legislation, the Council is the Controller and the Consultant is the Processor. The only processing that the Consultant is authorised to do is listed in Schedule 5 by the Council and may not be determined by the Consultant. 8.2 The Consultant shall notify the Council immediately if it considers that any of the Council's instructions infringe the Data Protection Legislation. 8.3 The Consultant shall provide all reasonable assistance to the Council in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Council, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 8.4 The Consultant shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: (a) process that Personal Data only in accordance with Schedule 5, unless the Consultant is required to do otherwise by Law. 
If it is so required the Consultant shall promptly notify the Council before processing the Personal Data unless prohibited by Law; (b) ensure that it has in place Protective Measures, which are as appropriate to protect against a Data Loss Event having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; (c) ensure that: (i) the Consultant Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 5); (ii) it takes all reasonable steps to ensure the reliability and integrity of any Contractor Personnel who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Consultant’s duties under this clause; (B) are subject to appropriate confidentiality undertakings with the Consultant or any Sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Council or as otherwise permitted by this Agreement; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; and (d) not transfer Personal Data outside of the EU unless the prior written consent of the Council has been obtained and the following conditions are fulfilled: (i) the Council or the Consultant has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Council; (ii) the Data Subject has enforceable rights and effective legal remedies; (iii) the Consultant complies with its obligations under 
the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Council in meeting its obligations); and (iv) the Consultant complies with any reasonable instructions notified to it in advance by the Council with respect to the processing of the Personal Data; (e) at the written direction of the Council, delete or return Personal Data (and any copies of it) to the Council on termination of the Agreement unless the Consultant is required by Law to retain the Personal Data. 8.5 Subject to clause 8.6, the Consultant shall notify the Council immediately if it: (a) receives a Data Subject Access Request (or purported Data Subject Access Request); (b) receives a request to rectify, block or erase any Personal Data; (c) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; (d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; (e) receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or (f) becomes aware of a Data Loss Event. 8.6 The Consultant’s obligation to notify under clause 8.5 shall include the provision of further information to the Council in phases, as details become available. 
8.7 Taking into account the nature of the processing, the Consultant shall provide the Council with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under Clause 8.5 (and insofar as possible within the timescales reasonably required by the Council) including by promptly providing: (a) the Council with full details and copies of the complaint, communication or request; (b) such assistance as is reasonably requested by the Council to enable the Council to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; (c) the Council, at its request, with any Personal Data it holds in relation to a Data Subject; (d) assistance as requested by the Council following any Data Loss Event; (e) assistance as requested by the Council with respect to any request from the Information Commissioner’s Office, or any consultation by the Council with the Information Commissioner's Office. 8.8 The Consultant shall maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Consultant employs fewer than 250 staff, unless: (a) the Council determines that the processing is not occasional; (b) the Council determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; and (c) the Council determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. 
8.9 The Consultant shall allow for audits of its Data Processing activity by the Council or the Council’s designated auditor. The Council is entitled, on giving at least three days' notice to the Consultant, to inspect or appoint representatives to inspect all facilities, equipment, documents and electronic data relating to the processing of Personal Data under this Agreement by the Consultant. The requirement to give notification in advance will not apply if the Council believes that the Consultant is in breach of any of its obligations under this Agreement. The Consultant shall designate a data protection officer if required by the Data Protection Legislation. 8.10 The Consultant shall designate a data protection officer if required by the data protection legislation. 8.11 Before allowing any Sub-processor to process any Personal Data related to this Agreement, the Consultant must: (a) notify the Council in writing of the intended Sub-processor and processing; (b) obtain the written consent of the Council; (c) enter into a written agreement with the Sub-processor which give effect to the terms set out in this clause 8 such that they apply to the Sub-processor; and (d) provide the Council with such information regarding the Sub-processor as the Council may reasonably require. 8.12 The Consultant shall remain fully liable for all acts or omissions of any Sub-processor. 8.13 The Council may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Agreement). 8.14 The parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Council may on not less than 30 Working Days’ notice to the Consultant amend this agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Officer. 
8.15 The Consultant shall undertake all of the above processing activities at its own expense and at no extra cost to the Council. 8.16 The Council retention and disposal schedule as provided in Schedule 5 will be followed by the Consultant where appropriate and relevant; no decisions on retention or disposal are to be made by the Consultant unless it is part of detailed Processing under this Agreement. 8.17 The Consultant shall without undue delay inform the Council if any Personal Data is lost or destroyed or becomes damaged, corrupted, or unusable. The Consultant will make regular backups of the Personal Data and will restore such Personal Data at its own expense.

Appears in 1 contract

Sources: Draft Terms and Conditions

Data Protection. 13.1 This clause 13 (Data Protection) applies in case ▇▇▇▇▇▇▇’▇ performance of the services incorporates processing of Personal Data by Trimble on behalf of the Customer. Both parties will comply with all applicable requirements of the Data Protection Legislation. This Agreement is an addition to, and does not relieve, remove or replace, a party’s obligations under the Data Protection Legislation. 13.2 The parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the controller and the Trimble is the processor (where Controller and Processor have the meanings as defined in the Data Protection Legislation). The Agreement and Schedule sets out the scope, nature and purpose of processing by Trimble, the duration of the processing and the types of personal data (as defined in the Data Protection Legislation, “Personal Data”) and categories of data subject. 13.3 Without prejudice to the generality of clause 13.1, the Customer will ensure that it fulfills all necessary requirements to enable lawful transfer of the Personal Data to Trimble for the duration and purposes of this agreement. 
13.4 Without prejudice to the generality of clause 13.1, Trimble shall, in relation to any Personal Data processed in connection with the performance by Trimble of its obligations under this Agreement: (a) process that Personal Data only on the written instructions of the Customer subject to Art. 28 (3) GDPR. Instructions may be handled as a change request at the cost of Customer. Provider shall immediately inform the Customer if, in its opinion, an instruction infringes Data Protection Legislation; (b) ensure that it has in place appropriate technical and organizational measures, which are reviewed and approved by the Customer (for ▇▇▇▇▇▇▇’▇ list of measures see the Schedule). 
Such measures shall ensure a level of security appropriate to the risks presented by processing and are subject to change depending on Provider’s recurring risk assessments; (c) ensure that personnel or any other person acting on behalf of Trimble who have access to and/or process Personal Data are obliged to keep the Personal Data confidential and ensure any natural person acting under the authority of Trimble who has access to personal data does not process them except on instructions from the Customer; (d) may transfer Personal Data outside of the European Economic Area. 
In case of transfer outside the European Economic Area, Trimble ensures that the transfer is only to (a) countries for which the European Commission has decided that they have an adequate level of data protection or (b) use European Commission standard contractual clauses 2010/87/EU; (e) assist the Customer, at the Customer’s cost, in responding to any request from a data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; (f) assist the Customer by providing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Customer’s obligation to respond to requests for exercising the data subject’s rights pursuant to Data Protection Regulation; (g) notify the Customer without undue delay on becoming aware of a Personal Data breach; (h) at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer on termination of the agreement unless required by Applicable Law to store the Personal Data; and (i) maintain complete and accurate records and information to demonstrate its compliance with this clause and the Data Protection Regulation and allow for audits by the Customer or the Customer’s designated auditor. (j) be entitled to collect, use, process anonymous and aggregate data of the use of the services pursuant to the Agreement, that is not personally identifiable with the Customer nor data subjects and use such data for any ▇▇▇▇▇▇▇’▇ internal business purpose, and for the improvement and/or the development of other products or service capabilities. 13.5 Trimble shall not engage a third-party processor without prior specific or general written authorization of the Customer. 
The Customer consents to Trimble appointing the parties named in the Schedule as third-party processors of Personal Data under this Agreement. Trimble confirms that it has entered or (as the case may be) will enter with the third-party processor into a written agreement in which it imposes on that other processor the obligations as set out in this clause. Trimble informs the Customer of any intended changes concerning the addition or replacement of other processors. The Customer has the right to object to such changes. As between the Customer and Trimble, Trimble shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause. 13.6 Either party may, at any time on not less than 30 days’ notice, revise this clause by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when replaced by attachment to this agreement). 13.7 Each party’s and its affiliates’ liability arising out of or related to this clause and processing of Customer’s Personal Data, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and its affiliates under the Agreement. For the avoidance of doubt, Provider's and its affiliates’ total liability for all claims from the Customer and its affiliates arising out of or related to the Agreement and this clause shall apply in the aggregate for all claims under the Agreement.

Appears in 1 contract

Sources: End User License Agreement

Data Protection. The Parties acknowledge that for the purposes of the Data Protection Legislation, CCS is the Controller and the Supplier is the Processor. The only Processing that the Supplier is authorised to do is listed in Framework Schedule 20 by CCS and may not be determined by the Supplier. The Supplier shall notify CCS immediately if it considers that any of CCS's instructions infringe the Data Protection Legislation. The Supplier shall provide all reasonable assistance to CCS in the preparation of any Data Protection Impact Assessment prior to commencing any Processing. Such assistance may, at the discretion of CCS, include: a systematic description of the envisaged Processing operations and the purpose of the Processing; an assessment of the necessity and proportionality of the Processing operations; an assessment of the risks to the rights and freedoms of Data Subjects; and the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. The Supplier shall, in relation to any Personal Data Processed in connection with its obligations under this Framework Agreement: process that Personal Data only in accordance with Framework Schedule 20 unless the Supplier is required to do otherwise by Law. 
If it is so required the Supplier shall promptly notify CCS before Processing the Personal Data unless prohibited by Law; ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which CCS may reasonably reject (but failure to reject shall not amount to approval by CCS of the adequacy of the Protective Measures), having taken account of the: nature of the data to be protected; harm that might result from a Data Loss Event; state of technological development; and cost of implementing any measures; ensure that: the Supplier Personnel do not Process Personal Data except in accordance with this Framework Agreement (and in particular Framework Schedule 20); it takes all reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that they: are aware of and comply with the Supplier’s duties under this ▇▇▇▇▇▇; are subject to appropriate confidentiality undertakings with the Supplier or any Sub-processor; are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by CCS or as otherwise permitted by this Framework Agreement; and have undergone adequate training in the use, care, protection and handling of Personal Data; and not transfer Personal Data outside of the EU unless the prior written consent of CCS has been obtained and the following conditions are fulfilled: CCS or the Supplier has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by CCS; the Data Subject has enforceable rights and effective legal remedies; the Supplier complies with its obligations under the Data Protection Legislation by providing an adequate 
level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist CCS in meeting its obligations); the Supplier complies with any reasonable instructions notified to it in advance by CCS with respect to the Processing of the Personal Data; and in respect of any Processing in, or transfer of Personal Data to, any Restricted Country permitted in accordance with this Clause 25.5.3, the Supplier shall, when requested by CCS, promptly enter into an agreement with CCS including or on such provisions as the Standard Contractual Clauses and/or such variation as a regulator or CCS might require which terms shall, in the event of any conflict, take precedence over those in this Clause 25.5.3, and the Supplier shall comply with any reasonable instructions notified to it in advance by CCS with respect to the transfer of the Personal Data; and at the written direction of CCS, delete or return Personal Data (and any copies of it) to CCS on termination of the Framework Agreement unless the Supplier is required by Law to retain the Personal Data. Subject to Clause 25.5.6, the Supplier shall notify CCS immediately if it: receives a Data Subject Access Request (or purported Data Subject Access Request); receives a request to rectify, block or erase any Personal Data; receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; receives a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; becomes aware of a Data Loss Event; or receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data Processed under this Framework Agreement. The Supplier’s obligation to notify under Clause 25.5.4 shall include the provision of further information to CCS in phases, as details become available. 
Taking into account the nature of the Processing, the Supplier shall provide CCS with full assistance in relation to either party's obligations under Data Protection Legislation and any complaint, communication or request made under Clause 25.5.5 (and insofar as possible within the timescales reasonably required by CCS) including by promptly providing: CCS with full details and copies of the complaint, communication or request; such assistance as is reasonably requested by CCS to enable CCS to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; CCS, at its request, with any Personal Data it holds in relation to a Data Subject; assistance as requested by CCS following any Data Loss Event; assistance as requested by CCS with respect to any request from the Information Commissioner’s Office, or any consultation by CCS with the Information Commissioner's Office. The Supplier shall maintain complete and accurate records and information to demonstrate its compliance with this Clause 25.5 (Data Protection). This requirement does not apply where the Supplier employs fewer than 250 staff, unless CCS determines: that the processing is not occasional; the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; and that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. The Supplier shall allow for audits of its Data Processing activity by CCS or CCS’s designated auditor. The Parties shall designate a Data Protection Officer if required by the Data Protection Legislation. 
Before allowing any Sub-processor to Process any Personal Data related to this Framework Agreement, the Supplier must: notify CCS in writing of the intended Sub-processor and Processing; obtain the written consent of CCS; enter into a written agreement with the Sub-processor which gives effect to the terms set out in this Clause 25.5 (Data Protection) such that they apply to the Sub-processor; and provide CCS with such information regarding the Sub-processor as CCS may reasonably require. The Supplier shall remain fully liable for all acts or omissions of any Sub-processor. CCS may, at any time on not less than 30 Working Days’ notice, revise this Clause 25.5 (Data Protection) by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Framework Agreement). The Parties agree to take account of any non-mandatory guidance issued by the Information Commissioner’s Office. CCS may on not less than 30 Working Days’ notice to the Supplier amend this Framework Agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office.

Appears in 1 contract

Sources: Technology Services Framework Agreement

Data Protection. The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Controller and the Supplier is the Processor. The only processing that the Supplier is authorised to do is listed in Call Off Schedule 5 by the Customer and may not be determined by the Supplier. The Supplier shall notify the Customer immediately if it considers that any of the Customer's instructions infringe the Data Protection Legislation. The Supplier shall provide all reasonable assistance to the Customer in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Customer, include: a systematic description of the envisaged processing operations and the purpose of the processing; an assessment of the necessity and proportionality of the processing operations in relation to the provision of the Goods and Services; an assessment of the risks to the rights and freedoms of Data Subjects; and the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. The Supplier shall, in relation to any Personal Data processed in connection with its obligations under this Call-Off Contract: process that Personal Data only in accordance with Call Off Schedule 5 unless the Supplier is required to do otherwise by Law. 
If it is so required the Supplier shall promptly notify the Customer before processing the Personal Data unless prohibited by Law; ensure that it has in place Protective Measures, which have been reviewed and approved by the Customer as appropriate to protect against a Data Loss Event having taken account of the: nature of the data to be protected; harm that might result from a Data Loss Event; state of technological development; and cost of implementing any measures; ensure that: the Supplier Personnel do not process Personal Data except in accordance with this Call-Off Contract (and in particular Call Off Schedule 5); it takes all reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that they: are aware of and comply with the Supplier’s duties under this clause; are subject to appropriate confidentiality undertakings with the Supplier or any Sub-processor; are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer or as otherwise permitted by this Call-Off Contract; and have undergone adequate training in the use, care, protection and handling of Personal Data; and not transfer Personal Data outside of the European Economic Area unless the prior written consent of the Customer has been obtained and the following conditions are fulfilled: the Customer or the Supplier has provided appropriate safeguards in relation to the transfer; the Data Subject has enforceable rights and effective legal remedies; the Supplier complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any 
Personal Data that is transferred; and the Supplier complies with any reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; at the written direction of the Customer, delete or return Personal Data (and any copies of it) to the Customer on termination of the Call-Off Contract unless the Supplier is required by Law to retain the Personal Data. Subject to clause 15.7.6, the Supplier shall notify the Customer immediately if it: receives a Data Subject Access Request (or purported Data Subject Access Request); receives a request to rectify, block or erase any Personal Data; receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; receives any communication from the Information Commissioner or any other regulatory Customer in connection with Personal Data processed under this Call-Off Contract; receives a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or becomes aware of a Data Loss Event. 
The Supplier’s obligation to notify under clause 15.7.5 shall include the provision of further information to the Customer in phases, as details become available. Taking into account the nature of the processing, the Supplier shall provide the Customer with full assistance in relation to either party's obligations under Data Protection Legislation and any complaint, communication or request made under Clause 15.7.5 (and insofar as possible within the timescales reasonably required by the Customer) including by promptly providing: the Customer with full details and copies of the complaint, communication or request; such assistance as is reasonably requested by the Customer to enable the Customer to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; the Customer, at its request, with any Personal Data it holds in relation to a Data Subject; assistance as requested by the Customer following any Data Loss Event; assistance as requested by the Customer with respect to any request from the Information Commissioner’s Office, or any consultation by the Customer with the Information Commissioner's Office. The Supplier shall maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Supplier employs fewer than 250 staff, unless: the Customer determines that the processing is not occasional; the Customer determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; and the Customer determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. The Supplier shall allow for audits of its Data Processing activity by the Customer or the Customer’s designated auditor. 
The Supplier shall designate a Data Protection Officer if required by the Data Protection Legislation. Before allowing any Sub-processor to process any Personal Data related to this Call-Off Contract, the Supplier must: notify the Customer in writing of the intended Sub-processor and processing; obtain the written consent of the Customer; enter into a written agreement with the Sub-processor which gives effect to the terms set out in this clause 15.7 such that they apply to the Sub-processor; and provide the Customer with such information regarding the Sub-processor as the Customer may reasonably require. The Supplier shall remain fully liable for all acts or omissions of any Sub-processor. The Customer may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Call-Off Contract). The Parties agree to take account of any non-mandatory guidance issued by the Information Commissioner’s Office. The Customer may on not less than 30 Working Days’ notice to the Supplier amend this Call-Off Contract to ensure that it complies with any guidance issued by the Information Commissioner’s Office.

Appears in 1 contract

Sources: Order Form

Data Protection. 13.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Authority is the Controller and the Contractor is the Processor unless otherwise specified in Contract Schedule 7. The only processing that the Contractor is authorised to do is listed in Contract Schedule 7 by the Authority and may not be determined by the Contractor. 13.2 The Contractor shall notify the Authority immediately if it considers that any of the Authority’s instructions infringe the Data Protection Legislation. 13.3 The Contractor shall provide all reasonable assistance to the Authority in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Authority, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 13.4 The Contractor shall, in relation to any Personal Data processed in connection with its obligations under this Contract: (a) process that Personal Data only in accordance with Contract Schedule 7 unless the Contractor is required to do otherwise by Law. 
If it is so required the Contractor shall promptly notify the Authority before processing the Personal Data unless prohibited by Law; (b) ensure that it has in place Protective Measures which are appropriate to protect against a Data Loss Event, which the Authority may reasonably reject (but failure to reject shall not amount to approval by the Authority of the adequacy of the Protective Measures), having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; (c) ensure that: (i) the Staff do not process Personal Data except in accordance with this Contract (and in particular Schedule 7); (ii) it takes all reasonable steps to ensure the reliability and integrity of any Staff who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Contractor’s duties under this clause; (B) are subject to appropriate confidentiality undertakings with the Contractor or any Sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority or as otherwise permitted by this Contract; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; and (d) not transfer Personal Data outside of the European Union unless the prior written consent of the Authority has been obtained and the following conditions are fulfilled: (i) the Authority or the Contractor has provided appropriate safeguards in relation to the transfer (whether in accordance with the GDPR Article 46 or LED Article 37) as determined by the Authority; (ii) the Data Subject has enforceable rights and effective legal remedies; (iii) the 
Contractor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Authority in meeting its obligations); and (iv) the Contractor complies with any reasonable instructions notified to it in advance by the Authority with respect to the processing of the Personal Data; (e) at the written direction of the Authority, delete or return Personal Data (and any copies of it) to the Authority on termination of the Contract unless the Contractor is required by Law to retain the Personal Data. 13.5 Subject to clause 25.6 the Contractor shall notify the Authority immediately if, in relation to any Personal Data processed in connection with its obligations under this Contract, it: (a) receives a Data Subject Request (or purported Data Subject Request); (b) receives a request to rectify, block or erase any Personal Data; (c) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; (d) receives any communication from the Information Commissioner or any other regulatory authority; (e) receives a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or (f) becomes aware of a Data Loss Event. 13.6 The Contractor’s obligation to notify under clause E25.5 shall include the provision of further information to the Authority in phases, as details become available. 
13.7 Taking into account the nature of the processing, the Contractor shall provide the Authority with full assistance in relation to either Party's obligations under Data Protection Legislation in relation to any Personal Data processed in connection with its obligations under this Contract and any complaint, communication or request made under Clause E25.5 (and insofar as possible within the timescales reasonably required by the Authority) including by promptly providing: (a) the Authority with full details and copies of the complaint, communication or request; (b) such assistance as is reasonably requested by the Authority to enable the Authority to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation; (c) the Authority, at its request, with any Personal Data it holds in relation to a Data Subject; (d) assistance as requested by the Authority following any Data Loss Event; (e) assistance as requested by the Authority with respect to any request from the Information Commissioner’s Office, or any consultation by the Authority with the Information Commissioner's Office. 13.8 The Contractor shall maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Contractor employs fewer than 250 staff, unless: (a) the Authority determines that the processing is not occasional; (b) the Authority determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; or (c) the Authority determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. 13.9 The Contractor shall allow for audits of its Personal Data processing activity by the Authority or the Authority’s designated auditor. 
13.10 Each Party shall designate its own Data Protection Officer if required by the Data Protection Legislation. 13.11 Before allowing any Sub-processor to process any Personal Data related to this Contract, the Contractor must: (a) notify the Authority in writing of the intended Sub-processor and processing; (b) obtain the written consent of the Authority; (c) enter into a written agreement with the Sub-processor which gives effect to the terms set out in this clause E2 such that they apply to the Sub-processor; and (d) provide the Authority with such information regarding the Sub-processor as the Authority may reasonably require. 13.12 The Contractor shall remain fully liable for all acts or omissions of any of its Sub-processors. 13.13 The Authority may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Contract). 13.14 The Parties agree to take account of any non-mandatory guidance issued by the Information Commissioner’s Office. The Authority may on not less than 30 Working Days’ notice to the Contractor amend this Contract to ensure that it complies with any guidance issued by the Information Commissioner’s Office. 13.15 This clause 25 shall apply during the Contract Period and indefinitely after its expiry.

Appears in 1 contract

Sources: Framework Agreement

Data Protection. 1.1 [The Parties acknowledge that for the purposes of the Data Protection Legislation, the Authority is the Controller and the Grant Recipient is the Processor unless otherwise specified in this Annex 8.] [TO BE DETERMINED BASED ON GRANT RECIPIENT’S APPLICATION] The only processing that the Processor is authorised to do is listed in Annex 8 Part 1: Schedule of Processing, Personal Data and Data Subjects by the Controller and may not be determined by the Processor. 1.2 The Processor shall notify the Controller immediately if it considers that any of the Controller's instructions infringe the Data Protection Legislation. 1.3 The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Controller, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Funded Activities; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 1.4 The Processor shall, in relation to any Personal Data processed in connection with its obligations under this Grant Funding Agreement: (a) process that Personal Data only in accordance with Annex 8 Part 1: Schedule of Processing, Personal Data and Data Subjects, unless the Processor is required to do otherwise by Law. 
If it is so required the Processor shall promptly notify the Controller before processing the Personal Data unless prohibited by Law; (b) ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; (c) ensure that: (i) the Processor Personnel do not process Personal Data except in accordance with this Grant Funding Agreement (and in particular Annex 8 Part 1: Schedule of Processing, Personal Data and Data Subjects); (ii) it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Processor’s duties under this clause; (B) are subject to appropriate confidentiality undertakings with the Processor or any Sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Controller or as otherwise permitted by this Grant Funding Agreement; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; and (d) where the Personal Data is subject to the UK GDPR, not transfer Personal Data outside of the UK unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled: (i) the transfer is in accordance with Article 45 of the UK GDPR or DPA 2018 Section 17A; or (ii) the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with 
Article 46 of the UK GDPR or DPA 2018 Section 17C) as determined by the Controller which could include relevant parties entering into the International Data Transfer Agreement or International Data Transfer Agreement Addendum to the European Commission’s Standard Contractual Clauses published by the Information Commissioner’s Office from time to time under section 119A(1) of the DPA 2018 as well as any additional measures determined by the Controller; (iii) the Data Subject has enforceable rights and effective legal remedies; (iv) the Processor complies with its obligations under Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and (v) the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data;

Appears in 1 contract

Sources: Grant Funding Agreement

Data Protection. 1.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Authority is the Controller and the Grant Recipient is the Processor unless otherwise specified in this Annex 8. The only processing that the Processor is authorised to do is listed in Part 1 of Annex 8 by the Controller and may not be determined by the Processor. 1.2 The Processor shall notify the Controller immediately if it considers that any of the Controller's instructions infringe the Data Protection Legislation. 1.3 The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Controller, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of data subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 1.4 The Processor shall, in relation to any Personal Data processed in connection with its obligations under these Conditions: (a) process that Personal Data only in accordance with this Annex 8, unless the Processor is required to do otherwise by Law. 
If it is so required the Processor shall promptly notify the Controller before processing the Personal Data unless prohibited by Law; (b) ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; (c) ensure that: (i) the Processor Personnel do not process Personal Data except in accordance with these Conditions (and in particular Part 1 of Annex 8); (ii) it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Processor’s duties under this paragraph; (B) are subject to appropriate confidentiality undertakings with the Processor or any sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any Third Party unless directed in writing to do so by the Controller or as otherwise permitted by these Conditions; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; and (d) not transfer Personal Data outside of the EU (which for the purposes of this limb (d) shall be deemed to include the UK) unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled: (i) the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with UK GDPR Article 46 or DPA 2018 Section 75) as determined by the Controller; (ii) the Data Subject has enforceable rights and
effective legal remedies; (iii) the Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and (iv) the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data; (e) at the written direction of the Controller, delete or return Personal Data (and any copies of it) to the Controller on termination of the Agreement unless the Processor is required by Law to retain the Personal Data. 1.5 Subject to paragraph 1.6, the Processor shall notify the Controller immediately if it: (a) receives a Data Subject Request (or purported Data Subject Request); (b) receives a request to rectify, block or erase any Personal Data; (c) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; (d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under these Conditions; (e) receives a request from any Third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or (f) becomes aware of a Data Loss Event. 1.6 The Processor’s obligation to notify under paragraph 1.5 shall include the provision of further information to the Controller in phases, as details become available. 
1.7 Taking into account the nature of the processing, the Processor shall provide the Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under paragraph 1.5 (and insofar as possible within the timescales reasonably required by the Controller) including by promptly providing: (a) the Controller with full details and copies of the complaint, communication or request; (b) such assistance as is reasonably requested by the Controller to enable the Controller to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation; (c) the Controller, at its request, with any Personal Data it holds in relation to a Data Subject; (d) assistance as requested by the Controller following any Data Loss Event; (e) assistance as requested by the Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Controller with the Information Commissioner's Office. 1.8 The Processor shall maintain complete and accurate records and information to demonstrate its compliance with this paragraph. This requirement does not apply where the Processor employs fewer than 250 staff, unless: (a) the Controller determines that the processing is not occasional; (b) the Controller determines the processing includes special categories of data as referred to in Article 9(1) of the UK GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the UK GDPR; or (c) the Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. 1.9 The Processor shall allow for audits of its Data Processing activity by the Controller or the Controller’s designated auditor. 1.10 Each Party shall designate its own data protection officer if required by the Data Protection Legislation. 
1.11 Before allowing any Sub-processor to process any Personal Data related to these Conditions, the Processor must: (a) notify the Controller in writing of the intended Sub-processor and processing; (b) obtain the written consent of the Controller; (c) enter into a written agreement with the Sub-processor which give effect to the terms set out in this paragraph 1.11 such that they apply to the Sub-processor; and (d) provide the Controller with such information regarding the Sub-processor as the Controller may reasonably require. 1.12 The Processor shall remain fully liable for all acts or omissions of any of its Sub-processors. 1.13 The Authority may, at any time on not less than 30 Working Days’ notice, revise this paragraph by replacing it with any applicable controller to processor standard paragraphs or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to these Conditions). 1.14 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Controller may on not less than 30 Working Days’ notice to the Processor amend these Conditions to ensure that it complies with any guidance issued by the Information Commissioner’s Office. 1.15 Where the Parties include two or more Joint Controllers in respect of Personal Data under this Grant Funding Agreement as identified in Part 1 of Annex 8 in accordance with UK GDPR Article 26, those Parties shall enter into a Joint Controller Agreement based on the terms outlined in Part 2 of Annex 8 in replacement of paragraphs 1.1 to 1.14 for the Personal Data under Joint Control. This Annex shall be completed by the Controller, who may take account of the view of the Processors, however the final decision as to the content of this Annex shall be with the Controller at its absolute discretion. 1. The contact details of the Controller’s Data Protection Officer are: [Insert Contact details]

Appears in 1 contract

Sources: Grant Funding Agreement

Data Protection. 12.1 The parties acknowledge that for the purposes of the Data Protection Legislation, the Funder is the Controller and the Recipient is the Processor. The only processing that the Recipient is authorised to do is listed in Contract Schedule 9 by the Funder and may not be determined by the Recipient. 12.2 The Recipient shall notify the Funder immediately if it considers that any of the Funder's instructions infringe the Data Protection Legislation. 12.3 The Recipient shall provide all reasonable assistance to the Funder in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Funder, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 12.4 The Recipient shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: (a) process that Personal Data only in accordance with Contract Schedule 9, unless the Recipient is required to do otherwise by Law.
If it is so required the Recipient shall promptly notify the Funder before processing the Personal Data unless prohibited by Law; (b) ensure that it has in place Protective Measures, which are as appropriate to protect against a Data Loss Event having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; (c) ensure that: (i) the Recipient Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 9); (ii) it takes all reasonable steps to ensure the reliability and integrity of any Recipient Personnel who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Recipient’s duties under this clause; (B) are subject to appropriate confidentiality undertakings with the Recipient or any Sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Funder or as otherwise permitted by this Agreement; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; and (d) not transfer Personal Data outside of the EU unless the prior written consent of the Funder has been obtained and the following conditions are fulfilled: (i) the Funder or the Recipient has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Funder; (ii) the Data Subject has enforceable rights and effective legal remedies; (iii) the Recipient complies with its obligations under the Data
Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Funder in meeting its obligations); and (iv) the Recipient complies with any reasonable instructions notified to it in advance by the Funder with respect to the processing of the Personal Data; (e) at the written direction of the Funder, delete or return Personal Data (and any copies of it) to the Funder on termination of the Agreement unless the Recipient is required by Law to retain the Personal Data. 12.5 Subject to clause 12.6, the Recipient shall notify the Funder immediately if it: (a) receives a Data Subject Access Request (or purported Data Subject Access Request); (b) receives a request to rectify, block or erase any Personal Data; (c) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; (d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; (e) receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or (f) becomes aware of a Data Loss Event. 12.6 The Recipient’s obligation to notify under clause 12.5 shall include the provision of further information to the Funder in phases, as details become available. 
12.7 Taking into account the nature of the processing, the Recipient shall provide the Funder with full assistance in relation to either party's obligations under Data Protection Legislation and any complaint, communication or request made under clause 12.5 (and insofar as possible within the timescales reasonably required by the Funder) including by promptly providing: (a) the Funder with full details and copies of the complaint, communication or request; (b) such assistance as is reasonably requested by the Funder to enable the Funder to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; (c) the Funder, at its request, with any Personal Data it holds in relation to a Data Subject; (d) assistance as requested by the Funder following any Data Loss Event; (e) assistance as requested by the Funder with respect to any request from the Information Commissioner’s Office, or any consultation by the Funder with the Information Commissioner's Office. 12.8 The Recipient shall maintain complete, up-to-date and accurate records at all times and information to demonstrate its compliance with this clause. This requirement does not apply where the Recipient employs fewer than 250 staff, unless: (a) the Funder determines that the processing is not occasional; (b) the Funder determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; and (c) the Funder determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. 
12.9 The Recipient shall allow for audits of its Data Processing activity by the Funder or the Funder’s designated auditor The Funder is entitled, on giving at least three Working 12.10 The Recipient shall designate a data protection officer if required by the data protection legislation 12.11 Before allowing any Sub-processor to process any Personal Data related to this Agreement, the Recipient must: (a) notify the Funder in writing of the intended Sub-processor and processing; (b) obtain the written consent of the Funder; (c) enter into a written agreement with the Sub-processor which give effect to the terms set out in this clause 12 such that they apply to the Sub-processor; and (d) provide the Funder with such information regarding the Sub-processor as the Funder may reasonably require. 12.12 The Recipient shall remain fully liable for all acts or omissions of any Sub-processor. 12.13 The Funder may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Agreement). 12.14 The parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Funder may on not less than 30 Working Days’ notice to the Recipient amend this agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Officer. 12.15 The Recipient shall undertake all of the above processing activities at its own expense and at no extra cost to the Funder. 12.16 The Funder retention and disposal schedule as provided will be followed by the Recipient where appropriate and relevant; no decisions on retention or disposal are to be made by the Recipient unless it is part of detailed Processing under this Agreement. 
12.17 The Recipient shall without undue delay inform the Funder if any Personal Data is lost or destroyed or becomes damaged, corrupted, or unusable. The Recipient will make regular backups of the Personal Data and will restore such Personal Data at its own expense.

Appears in 1 contract

Sources: Grant Agreement

Data Protection. 1.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Controller and the Contractor is the Processor unless otherwise specified in Appendix 1. The only processing that the Processor is authorised to do is listed in Appendix 1 by the Controller and may not be determined by the Processor. 1.2 Controller warrants that it has taken all necessary steps to achieve compliance with Data Protection Legislation. 1.3 Without prejudice to the generality of paragraph 1.2, Controller warrants that where Controller supplies Personal Data to Processor, Controller has provided any requisite notice and has a valid legal basis to collect, obtain and share the Personal Data with Processor and to allow Processor to process the Personal Data in accordance with Schedule 1. 1.4 The Processor shall notify the Controller immediately if it considers that any of the Controller's instructions infringe the Data Protection Legislation. 1.5 The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Controller, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
1.6 The Processor shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: (a) process that Personal Data only in accordance with Appendix 1, unless the Processor is required to do otherwise by Law. If it is so required, the Processor shall promptly notify the Controller before processing the Personal Data unless prohibited by Law; (b) ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; (c) ensure that: (i) the Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Appendix 1); (ii) it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Processor’s duties under this clause; (B) are subject to appropriate confidentiality undertakings with the Processor or any Sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Controller or as otherwise permitted by this Agreement; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; and (d) not transfer Personal Data outside of the EU unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled: (i) the Controller or the Processor has provided appropriate safeguards in
relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Controller; (ii) the Data Subject has enforceable rights and effective legal remedies; (iii) the Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and (iv) the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data; (e) at the written direction of the Controller, delete or return Personal Data (and any copies of it) to the Controller on termination of the Agreement unless the Processor is required by Law to retain the Personal Data. 1.7 Subject to clause 1.6, the Processor shall notify the Controller immediately if it: (a) receives a Data Subject Request (or purported Data Subject Request); (b) receives a request to rectify, block or erase any Personal Data; (c) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; (d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; (e) receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or (f) becomes aware of a Data Loss Event.

Appears in 1 contract

Sources: Licensing Agreement

Data Protection. 1.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Authority is the Controller and the Grant Recipient is the Processor unless otherwise specified in this Annex 8. The only processing that the Processor is authorised to do is listed in Part 1 of Annex 8 by the Controller and may not be determined by the Processor. 1.2 The Processor shall notify the Controller immediately if it considers that any of the Controller's instructions infringe the Data Protection Legislation. 1.3 The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Controller, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of data subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 1.4 The Processor shall, in relation to any Personal Data processed in connection with its obligations under these Conditions: (a) process that Personal Data only in accordance with this Annex 8, unless the Processor is required to do otherwise by Law.
If it is so required the Processor shall promptly notify the Controller before processing the Personal Data unless prohibited by Law; (b) ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; (c) ensure that: (i) the Processor Personnel do not process Personal Data except in accordance with these Conditions (and in particular Part 1 of Annex 8); (ii) it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Processor’s duties under this paragraph; (B) are subject to appropriate confidentiality undertakings with the Processor or any sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any Third Party unless directed in writing to do so by the Controller or as otherwise permitted by these Conditions; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; and (d) not transfer Personal Data outside of the EU (which for the purposes of this limb (d) shall be deemed to include the UK) unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled: (i) the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or DPA 2018 Section 75) as determined by the Controller; (ii) the Data Subject has enforceable rights and
effective legal remedies; (iii) the Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and (iv) the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data; (e) at the written direction of the Controller, delete or return Personal Data (and any copies of it) to the Controller on termination of the Agreement unless the Processor is required by Law to retain the Personal Data. 1.5 Subject to paragraph 1.6, the Processor shall notify the Controller immediately if it: (a) receives a Data Subject Request (or purported Data Subject Request); (b) receives a request to rectify, block or erase any Personal Data; (c) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; (d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under these Conditions; (e) receives a request from any Third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or (f) becomes aware of a Data Loss Event. 1.6 The Processor’s obligation to notify under paragraph 1.5 shall include the provision of further information to the Controller in phases, as details become available. 
1.7 Taking into account the nature of the processing, the Processor shall provide the Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under paragraph 1.5 (and insofar as possible within the timescales reasonably required by the Controller) including by promptly providing: (a) the Controller with full details and copies of the complaint, communication or request; (b) such assistance as is reasonably requested by the Controller to enable the Controller to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation; (c) the Controller, at its request, with any Personal Data it holds in relation to a Data Subject; (d) assistance as requested by the Controller following any Data Loss Event; (e) assistance as requested by the Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Controller with the Information Commissioner's Office. 1.8 The Processor shall maintain complete and accurate records and information to demonstrate its compliance with this paragraph. This requirement does not apply where the Processor employs fewer than 250 staff, unless: (a) the Controller determines that the processing is not occasional; (b) the Controller determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; or (c) the Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. 1.9 The Processor shall allow for audits of its Data Processing activity by the Controller or the Controller’s designated auditor. 1.10 Each Party shall designate its own data protection officer if required by the Data Protection Legislation. 
1.11 Before allowing any Sub-processor to process any Personal Data related to these Conditions, the Processor must: (a) notify the Controller in writing of the intended Sub-processor and processing; (b) obtain the written consent of the Controller; (c) enter into a written agreement with the Sub-processor which give effect to the terms set out in this paragraph 1.11 such that they apply to the Sub-processor; and (d) provide the Controller with such information regarding the Sub-processor as the Controller may reasonably require. 1.12 The Processor shall remain fully liable for all acts or omissions of any of its Sub-processors. 1.13 The Authority may, at any time on not less than 30 Working Days’ notice, revise this paragraph by replacing it with any applicable controller to processor standard paragraphs or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to these Conditions). 1.14 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Controller may on not less than 30 Working Days’ notice to the Processor amend these Conditions to ensure that it complies with any guidance issued by the Information Commissioner’s Office. 1.15 Where the Parties include two or more Joint Controllers in respect of Personal Data under this Grant Funding Agreement as identified in Part 1 of Annex 8 in accordance with GDPR Article 26, those Parties shall enter into a Joint Controller Agreement based on the terms outlined in Part 2 of Annex 8 in replacement of paragraphs 1.1 to 1.14 for the Personal Data under Joint Control. This ▇▇▇▇▇ shall be completed by the Controller, who may take account of the view of the Processors, however the final decision as to the content of this Annex shall be with the Controller at its absolute discretion. 1. The contact details of the Controller’s Data Protection Officer are: [Insert Contact details]

Appears in 1 contract

Sources: Grant Funding Agreement

Data Protection. 20.1 The parties acknowledge that for the purposes of the Data Protection Legislation, the nature of the activity carried out by each of them in relation to their respective obligations under this DPS Agreement will determine the status of each party under the Data Protection Legislation. A party may act as: 20.1.1 Controller (where the other party acts as the Processor); 20.1.2 Processor (where the other party acts as the Controller); 20.1.3 Joint Controller (where both parties are considered to jointly control the same Personal Data); and 20.1.4 Independent Controller of the Personal Data where the other party is also Controller of the same Personal Data in its own right (but there is no element of joint control); and the parties shall set out in Schedule 12 (Processing Personal Data) which scenario or scenarios are intended to apply under this DPS Agreement. 20.2 Where a party is a Processor, the only processing that it is authorised to do is listed in Schedule 12 (Processing Personal Data) by the Controller and may not be determined by the Processor. Controller. 20.3 The Processor shall notify the Controller immediately if it considers that any of the Controller’s instructions infringe the Data Protection Legislation. 20.4 The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing.
Such assistance may, at the discretion of the Controller, include: 20.4.1 a systematic description of the envisaged processing operations and the purpose of the processing; 20.4.2 an assessment of the necessity and proportionality of the processing operations in relation to the requirements of the Administering Authority hereunder; 20.4.3 an assessment of the risks to the rights and freedoms of Data Subjects; and 20.4.4 the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 20.5 The Processor shall, in relation to any Personal Data processed in connection with its obligations under this DPS Agreement: 20.5.1 process that Personal Data only in accordance with Schedule 12 (Processing Personal Data), unless the Processor is required to do otherwise by Law. If it is so required the Processor shall promptly notify the Contracting Authority before processing the Personal Data unless prohibited by Law; 20.5.2 ensure that it has in place Protective Measures which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures) having taken account of the: (a) nature of the data to be protected; (b) harm that might result from a Data Loss Event; (c) state of technological development; and (d) cost of implementing any measures; 20.5.3 ensure that: (i) the Processor Personnel do not process Personal Data except in accordance with this DPS Agreement (and in particular Schedule 12 (Processing Personal Data)); (ii) it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Processor’s duties under this Clause and Clauses 17 
(Confidentiality) and 19 (Freedom of Information); (B) are subject to appropriate confidentiality undertakings with the Processor or any Sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Controller or as otherwise permitted by this DPS Agreement; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; 20.5.4 not transfer Personal Data outside of the UK unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled: (a) the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or DPA 2018 Section 75) as determined by the Controller; (b) the Data Subject has enforceable rights and effective legal remedies; (c) the Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and (d) the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data; and 20.5.5 at the written direction of the Controller, delete or return Personal Data (and any copies of it) to the Controller on termination of this DPS Agreement unless the Processor is required by Law to retain the Personal Data. 
20.6 Subject to Clause 20.7 (Data Protection), the Processor shall notify the Controller immediately if it: 20.6.1 receives a Data Subject Request (or purported Data Subject Request); 20.6.2 receives a request to rectify, block or erase any Personal Data; 20.6.3 receives any other request, complaint or communication relating to either party's obligations under the Data Protection Legislation; 20.6.4 receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this DPS Agreement; 20.6.5 receives a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or 20.6.6 becomes aware of a Data Loss Event. 20.7 The Processor’s obligation to notify under Clause 20.6 (Data Protection) shall include the provision of further information to the Controller in phases, as details become available. 20.8 Taking into account the nature of the processing, the Processor shall provide the Controller with reasonable assistance in relation to either party's obligations under Data Protection Legislation and any complaint, communication or request made under Clause 20.6 (Data Protection) (and insofar as possible within the timescales reasonably required by the Controller) including by promptly providing: 20.8.1 the Controller with full details and copies of the complaint, communication or request; 20.8.2 such assistance as is reasonably requested by the Controller to enable it to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation; 20.8.3 the Controller, at its request, with any Personal Data it holds in relation to a Data Subject; 20.8.4 assistance as requested by the Controller following any Data Loss Event; and/or 20.8.5 assistance as requested by the Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the 
Controller with the Information Commissioner's Office. 20.9 The Processor shall maintain complete and accurate records and information to demonstrate its compliance with this Clause. This requirement does not apply where the Processor employs fewer than 250 staff, unless: 20.9.1 the Controller determines that the processing is not occasional; 20.9.2 the Controller determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; or 20.9.3 the Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. 20.10 The Processor shall allow for Audits of its Data Processing activity by the Controller or the Controller’s designated auditor. 20.11 The parties shall designate a Data Protection Officer if required by the Data Protection Legislation. 20.12 Before allowing any Sub-processor to process any Personal Data related to this DPS Agreement, the Processor must: 20.12.1 notify the Controller in writing of the intended Sub-processor and processing; 20.12.2 obtain the written consent of the Controller; 20.12.3 enter into a written agreement with the Sub-processor which give effect to the terms set out in this Clause 20 (Data Protection) such that they apply to the Sub-processor; and 20.12.4 provide the Controller with such information regarding the Sub-processor as the Controller may reasonably require. 20.13 The Processor shall remain fully liable for all acts or omissions of any of its Sub-processors. 20.14 The Contracting Authority may, at any time on not less than thirty (30) Working Days’ notice, revise this Clause by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this DPS Agreement). 
20.15 The parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Contracting Authority may on not less than thirty (30) Working Days’ notice to the Provider amend this DPS Agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office. 20.16 In the event that the parties are Joint Controllers in respect of Personal Data under this DPS Agreement, the parties shall implement Clauses that are necessary to comply with GDPR Article 26 based on the terms set out in Annex 1 to Schedule 12 (Processing Personal Data). 20.17 With respect to Personal Data provided by one party to the other party for which each party acts as Controller but which is not under the Joint Control of the parties, each party undertakes to comply with the applicable Data Protection Legislation in respect of their processing of such Personal Data as Controller. 20.18 Each party shall process the Personal Data in compliance with its obligations under the Data Protection Legislation and not do anything to cause the other party to be in breach of it. 20.19 Where a party has provided Personal Data to the other party in accordance with Clause 20.17 (Data Protection), the recipient of the Personal Data will provide all such relevant documents and information relating to its data protection policies and procedures as the other party may reasonably require. 20.20 The parties shall be responsible for their own compliance with Articles 13 and 14 GDPR in respect of the processing of Personal Data for the purposes of this DPS Agreement. 
20.21 The parties shall only provide Personal Data to each other: 20.21.1 to the extent necessary to perform the respective obligations under this DPS Agreement; and 20.21.2 in compliance with the Data Protection Legislation (including by ensuring all required fair processing information has been given to affected Data Subjects); and 20.21.3 where it has recorded it in Schedule 12 (Processing Personal Data). 20.22 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, each party shall, with respect to its processing of Personal Data as independent Controller, implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1)(a), (b), (c) and (d) of the GDPR, and the measures shall, at a minimum, comply with the requirements of the Data Protection Legislation, including Article 32 of the GDPR. 20.23 A party processing Personal Data for the purposes of this DPS Agreement shall maintain a record of its processing activities in accordance with Article 30 GDPR and shall make the record available to the other party upon reasonable request. 
20.24 Where a party receives a request by any Data Subject to exercise any of their rights under the Data Protection Legislation in relation to the Personal Data provided to it by the other party pursuant to this DPS Agreement (the Request Recipient): 20.24.1 the other party shall provide any information and/or assistance as reasonably requested by the Request Recipient to help it respond to the request or correspondence, at the cost of the Request Recipient; or 20.24.2 where the request or correspondence is directed to the other party and/or relates to the other party's Processing of the Personal Data, the Request Recipient will: (a) promptly, and in any event within five (5) Working Days of receipt of the request or correspondence, inform the other party that it has received the same and shall forward such request or correspondence to the other party; and (b) provide any information and/or assistance as reasonably requested by the other party to help it respond to the request or correspondence in the timeframes specified by Data Protection Legislation. 20.25 Each party shall promptly notify the other party upon it becoming aware of any Personal Data Breach relating to Personal Data provided by the other party pursuant to this DPS Agreement and shall: 20.25.1 do all such things as reasonably necessary to assist the other party in mitigating the effects of the Personal Data Breach; 20.25.2 implement any measures necessary to restore the security of any compromised Personal Data; 20.25.3 work with the other party to make any required notifications to the Information Commissioner’s Office and affected Data Subjects in accordance with the Data Protection Legislation (including the timeframes set out therein); and 20.25.4 not do anything which may damage the reputation of the other party or that party's relationship with the relevant Data Subjects, save as required by Law. 
20.26 Personal Data provided by one party to the other party may be used exclusively to exercise rights and obligations under this DPS Agreement as specified in Schedule 12 (Processing Personal Data). 20.27 Personal Data shall not be retained or processed for longer than is necessary to perform each Party’s obligations under this DPS Agreement which is specified in Schedule 12 (Processing Personal Data). 20.28 Notwithstanding the general application of Clauses 20.2 – 20.15 (Data Protection) to Personal Data, where the Provider is required to exercise its regulatory and/or legal obligations in respect of Personal Data, it shall act as an Independent Controller of Personal Data in accordance with Clause 20.16 – 20.27 (Data Protection).

Appears in 1 contract

Sources: Dynamic Purchasing System Agreement

Data Protection. 12.1 The Parties acknowledge that for the purposes of the Data Protection Legislation that the Customer is the Controller and CardioScan Ltd is the Processor. The only processing that the Processor is authorised to do is set out in Appendix 1 of Schedule 2, which is attached to and forms part of this Agreement, by the Controller and may not be determined by the Processor. 12.2 CardioScan shall notify the Customer without undue delay if it considers that any of the Customer’s instructions infringe the Data Protection Legislation. 12.3 CardioScan shall provide all reasonable assistance to the Customer in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Customer, include: 12.3.1 a systematic description of the envisaged processing operations and the purpose of the processing; 12.3.2 an assessment of the necessity and proportionality of the processing operations in relation to the Services; 12.3.3 an assessment of the risks to the rights and freedoms of Data Subjects; and 12.3.4 the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 12.4 CardioScan shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: 12.4.1 process that Personal Data only in accordance with Appendix 1 of Schedule 2, unless CardioScan is required to do otherwise by Law. 
If it is so required, CardioScan shall promptly notify the Customer before processing the Personal Data unless prohibited by Law; 12.4.2 ensure that it has all measures in place Protective Measures, which Appendix 2 of Schedule 2 are appropriate adhered to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), having taken account and met at all times of the: (a) the nature of the data to be protected; (b) the harm and risks that might result from a Data Loss Event; (c) assessment of the technical and non-technical controls to mitigate these risks; (d) the cost of implementing any measures if required; (e) ensuring that the CardioScan Personnel do not process Personal Data except in accordance with this Agreement, and in particular Appendix 1 of Schedule 2; (f) taking all reasonable steps further detailed in Appendix 2 of Schedule 2, both technical and non-technical to ensure the reliability and integrity of any CardioScan Personnel who have access to the Personal Data and ensure that they: (i) are aware of and comply with ▇▇▇▇▇▇▇▇▇▇’s duties under this clause; (ii) are subject to appropriate confidentiality undertakings with CardioScan or any Sub-processor. 
This includes but is not limited to commercially sensitive information and Personal Data; (iii) are informed of the confidential nature of the Personal Data and commercially sensitive information and do not publish, disclose or divulge any of the Personal Data or commercially sensitive information to any third Party unless directed in writing to do so by the Customer or as otherwise permitted by this Agreement; (iv) have undergone adequate annual training in the use, care, protection and handling of Personal Data and are assessed as competent to undertake the processing activity or activities; (v) keep Personal Data and commercially sensitive information confidential for the length of the Agreement and ensure that once the Agreement has ended or terminated that Personal Data and commercially sensitive information is kept confidential indefinitely; (vi) at the written direction of the Customer, delete or return the Personal Data (and any copies of it) to the Customer on termination of the Agreement unless CardioScan is required by Law to retain the Personal Data. 12.5 Subject to clause 12.6 of this Schedule 3, CardioScan shall notify the Customer within two (2) Business Days if it: 12.5.1 receives a request to rectify, block or erase or transfer any Personal Data by the Data Subject; 12.5.2 receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; 12.5.3 receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or 12.5.4 becomes aware of a Data Loss Event. 12.6 CardioScan’s obligation to notify under clause 12.5 of this Schedule 3 shall include the provision of further information to the Customer in phases, as details become available. 
12.7 Taking into account the nature of the processing, CardioScan shall provide the Customer with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause 12.5 of this Schedule 3 (and insofar as possible within the timescales reasonably required by the Customer) including by promptly providing: 12.7.1 the Customer with full details and copies of the complaint, communication, Data Loss Event or request; 12.7.2 such assistance as is reasonably requested by the Customer to enable the Customer to comply with an Individual Rights Request within the relevant timescales set out in the Data Protection Legislation; 12.7.3 the Customer, at its request, with any Personal Data it holds in relation to a Data Subject; 12.7.4 reasonable assistance as requested by the Customer following any Data Loss Event; 12.7.5 reasonable assistance as requested by the Customer with respect to any request from the Information Commissioner’s Office, or any consultation by the Customer with the Information Commissioner's Office. 12.8 CardioScan shall allow for audits of its Data Processing activity by the Customer or the Customer’s designated auditor on five (5) Business Days’ notice. 12.9 CardioScan when ensuring that it has in place such Protective Measures, having been reviewed and approved by the Customer, shall following the reasonable request of the Customer supply such evidence as requested by the Customer within twenty-eight (28) days. 
12.10 CardioScan shall designate a Data Protection Officer or where not required by Law, authorised responsible officer whose 12.11 Subject to clauses 12.12 and 12.13 below CardioScan may transfer Personal Data to a Sub-processor outside of the European Economic Area (EEA) subject to the following conditions being fulfilled: 12.11.1 the Customer or CardioScan has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37); 12.11.2 the Data Subject has enforceable rights and effective legal remedies; 12.11.3 CardioScan complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Customer in meeting its obligations); 12.11.4 CardioScan complies with any reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; 12.11.5 CardioScan notifies the Customer prior to any transformation of the Personal Data which is not part of this agreed processing but occurs due to the transfer of Personal Data from CardioScan to or from another organisation party to this Agreement. 12.12 CardioScan shall not engage a Sub-processor for carrying out any Processing activities in respect of Personal Data except with the prior written agreement of the Customer and then only after entering into a binding agreement with each Sub-Processor that imposes the same obligations in respect of Processing Personal data as a set out in this Agreement. 
CardioScan shall remain responsible for compliance of any such Sub-Processor with the requirements of this Agreement.‌ 12.13 Specifically, the Customer hereby consents to the CardioScan engaging the following Sub-processors:‌ i) Amazon Web Services (‘AWS’) and ▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇.▇▇ to store the data on servers located in the cloud in England ; and ii) CardioScan Services Pty Ltd, an Australian registered company that is located in Melbourne, Australia, and 100% owner of CardioScan to process Personal Data related to this Agreement in particular for the purposes of analysing the Personal Data; and subject to CardioScan: 12.13.1 Signing the EU Standard Contractual Clauses (SCC) in Schedule 2 with the Customer. Whilst the most relevant SCC strictly apply between a Controller in the EU and a Processor established outside the EU, the Parties agree, and after consultation with the lead supervisory authority (‘LSA’) that the Controller/Processor SCC are the most closely appropriate European Commission SCC for safeguarding the transfer of the Personal Data outside the EU by CardioScan as the Processor to Sub-processor 12.13.2 Entering into a written agreement with each Sub-processor which gives effect to the terms set out in this clause 1 of Schedule 2 such that they apply to the sub-processor; and 12.13.3 Providing the Customer with such information regarding each Sub-processor as the Customer may reasonably require. 12.14 CardioScan shall remain fully liable for all acts or omissions of any Sub-processor. 12.15 The Customer may, at any time on not less than thirty (30) Business Days’ notice, revise clause 12 of this Schedule 3 (Data Protection) by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Agreement). 12.16 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. 
The Customer may on not less than thirty (30) Business Days’ notice to CardioScan amend this Agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office. 12.17 At the choice of the Customer, ▇▇▇▇▇▇▇▇▇▇ shall return or destroy all Personal Data to the Customer and delete any existing copies at the end of the provision of the Services. 12.18 CardioScan warrants that it shall: 12.18.1 Process the Personal Data in compliance with Law; and 12.18.2 Take appropriate technical and organisational measures against Data Breach. 12.19 CardioScan agrees to indemnify and keep indemnified and defend at its own expense the Customer against all costs, claims, damages or expenses (including without limitation fines and penalties imposed by the Information Commissioner Office) incurred by the Customer or for which the Customer may become liable due to any failure by CardioScan or its employees or agents to comply with any of its obligations under clause 12 of this Schedule 3 (Data Protection) and shall be subject to the liability cap set out in clause 14 of this Schedule 3. 12.20 The Customer agrees to indemnify and keep indemnified and defend at its own expense CardioScan against all costs, claims, damages, fines, penalties or expenses (including without limitation fines and penalties imposed by the Information Commissioner Office) incurred by CardioScan or for which the CardioScan may become liable, due to any failure by the Customer or its employees or agents to comply with any of its obligations under clause 12 of this Schedule 3 (Data Protection).

Appears in 1 contract

Sources: Agreement for the Provision of Cardiac Reporting Services

Data Protection. 25.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Authority is the Controller and the Contractor is the Processor unless otherwise specified in Contract Schedule 5. The only processing that the Contractor is authorised to do is listed in Contract Schedule 5 by the Authority and may not be determined by the Contractor. 25.2 The Contractor shall notify the Authority immediately if it considers that any of the Authority’s instructions infringe the Data Protection Legislation. 25.3 The Contractor shall provide all reasonable assistance to the Authority in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Authority, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 25.4 The Contractor shall, in relation to any Personal Data processed in connection with its obligations under this Contract: (a) process that Personal Data only in accordance with Contract Schedule 5 unless the Contractor is required to do otherwise by Law. 
If it is so required the Contractor shall promptly notify the Authority before processing the Personal Data unless prohibited by Law; (b) ensure that it has in place Protective Measures which are appropriate to protect against a Data Loss Event, which the Authority may reasonably reject (but failure to reject shall not amount to approval by the Authority of the adequacy of the Protective Measures), having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; (c) ensure that: (i) the Staff do not process Personal Data except in accordance with this Contract (and in particular Schedule 5); (ii) it takes all reasonable steps to ensure the reliability and integrity of any Staff who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Contractor’s duties under this clause; (B) are subject to appropriate confidentiality undertakings with the Contractor or any Sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority or as otherwise permitted by this Contract; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; and (d) not transfer Personal Data outside of the European Union unless the prior written consent of the Authority has been obtained and the following conditions are fulfilled: (i) the Authority or the Contractor has provided appropriate safeguards in relation to the transfer (whether in accordance with the GDPR Article 46 or LED Article 37) as determined by the Authority; (ii) the Data Subject has enforceable rights and effective legal remedies; (iii) the 
Contractor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Authority in meeting its obligations); and (iv) the Contractor complies with any reasonable instructions notified to it in advance by the Authority with respect to the processing of the Personal Data; (e) at the written direction of the Authority, delete or return Personal Data (and any copies of it) to the Authority on termination of the Contract unless the Contractor is required by Law to retain the Personal Data. 25.5 Subject to clause 25.6 the Contractor shall notify the Authority immediately if, in relation to any Personal Data processed in connection with its obligations under this Contract, it: (a) receives a Data Subject Request (or purported Data Subject Request); (b) receives a request to rectify, block or erase any Personal Data; (c) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; (d) receives any communication from the Information Commissioner or any other regulatory authority; (e) receives a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or (f) becomes aware of a Data Loss Event. 25.6 The Contractor’s obligation to notify under clause E25.5 shall include the provision of further information to the Authority in phases, as details become available. 
25.7 Taking into account the nature of the processing, the Contractor shall provide the Authority with full assistance in relation to either Party's obligations under Data Protection Legislation in relation to any Personal Data processed in connection with its obligations under this Contract and any complaint, communication or request made under Clause E25.5 (and insofar as possible within the timescales reasonably required by the Authority) including by promptly providing: (a) the Authority with full details and copies of the complaint, communication or request; (b) such assistance as is reasonably requested by the Authority to enable the Authority to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation; (c) the Authority, at its request, with any Personal Data it holds in relation to a Data Subject; (d) assistance as requested by the Authority following any Data Loss Event; (e) assistance as requested by the Authority with respect to any request from the Information Commissioner’s Office, or any consultation by the Authority with the Information Commissioner's Office. 25.8 The Contractor shall maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Contractor employs fewer than 250 staff, unless: (a) the Authority determines that the processing is not occasional; (b) the Authority determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; or (c) the Authority determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. 25.9 The Contractor shall allow for audits of its Personal Data processing activity by the Authority or the Authority’s designated auditor. 
25.10 Each Party shall designate its own Data Protection Officer if required by the Data Protection Legislation. 25.11 Before allowing any Sub-processor to process any Personal Data related to this Contract, the Contractor must: (a) notify the Authority in writing of the intended Sub-processor and processing; (b) obtain the written consent of the Authority; (c) enter into a written agreement with the Sub-processor which give effect to the terms set out in this clause E2 such that they apply to the Sub-processor; and (d) provide the Authority with such information regarding the Sub-processor as the Authority may reasonably require. 25.12 The Contractor shall remain fully liable for all acts or omissions of any of its Sub-processors. 25.13 The Authority may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Contract). 25.14 The Parties agree to take account of any non-mandatory guidance issued by the Information Commissioner’s Office. The Authority may on not less than 30 Working Days’ notice to the Contractor amend this Contract to ensure that it complies with any guidance issued by the Information Commissioner’s Office. 25.15 This clause 25 shall apply during the Contract Period and indefinitely after its expiry.

Appears in 1 contract

Sources: Framework Agreement

Data Protection. 34.1 Both parties agree that they will comply with their respective obligations under the Data Protection Legislation and the terms of this Agreement and in particular each party shall designate a data protection officer if required by Data Protection Legislation and shall maintain complete and accurate records and information to demonstrate its compliance with Data Protection Legislation and this clause. 34.2 Both parties acknowledge that for the purposes of the Data Protection Legislation, each will have responsibilities as a Controller, a joint Controller and as a Processor for Personal Data under this Agreement. 34.3 Insofar that each party has responsibility as a Controller and/or joint Controller, both parties will ensure that a Data Sharing Agreement is completed and signed by both parties. 34.4 To the extent that either party acts as a Processor on behalf of the other, the remainder of this clause shall apply. 34.5 The Processor shall notify the Controller immediately if it considers that any of the Controller’s instructions infringe the Data Protection Legislation. 34.6 The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing.
Such assistance may, at the discretion of the Controller, include: 34.6.1 a systematic description of the envisaged processing operations and the purpose of the processing; 34.6.2 an assessment of the necessity and proportionality of the processing operations in relation to the Services; 34.6.3 an assessment of the risks to the rights and freedoms of Data Subjects; and 34.6.4 the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 34.7 The Processor shall, in relation to any Personal Data processed on behalf of the Controller in connection with its obligations under this Agreement: 34.7.1 process that Personal Data only with the Controller’s prior agreement and in accordance with the written instructions of the Controller unless the Processor is required to do otherwise by Law. If it is so required the Processor shall promptly notify the Controller before processing the Personal Data unless prohibited by Law; 34.7.2 ensure that it has in place Protective Measures, which have been reviewed and approved by the Controller as appropriate to protect against a Data Loss Event having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; 34.7.3 ensure that: (i) the Processor Personnel do not process Personal Data except in accordance with this Agreement and any additional agreement between the two parties.
(ii) it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they: ● are aware of and comply with the Processor’s duties under this Clause; ● are subject to appropriate confidentiality undertakings with the Processor or any Sub-processor; ● are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Controller or as otherwise permitted by this Agreement; and ● have undergone adequate training. 34.7.4 not transfer Personal Data outside of the UK unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled: (i) the Controller or the Processor has provided appropriate safeguards in relation to the transfer (in accordance with Data Protection Legislation) as determined by the Controller; (ii) the Data Subject has enforceable rights and effective legal remedies; (iii) the Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and (iv) the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data; 34.7.5 at the written direction of the Controller, delete or return Personal Data (and any copies of it) to the Controller on termination of the Agreement unless the Processor is required by law to retain the Personal Data.
34.8 Subject to clause 34.8, the Processor shall notify the Controller immediately (and in any event, within 24 hours) of becoming aware if it: (i) receives a Data Subject Access Request (or purported Data Subject Access Request); (ii) receives a request to rectify, block or erase any Personal Data; (iii) receives any other request, complaint or communication relating to either Party’s obligations under the Data Protection Legislation; (iv) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; (v) receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or (vi) becomes aware of a Data Loss Event. 34.9 The Processor’s obligation to notify under clause 34.7 shall include the provision of further information to the Controller in phases, as details become available. 34.10 Taking into account the nature of the processing, the Processor shall provide the Controller with full assistance in relation to either Party’s obligations under Data Protection Legislation and any complaint, communication or request made under clause 34.8 (and insofar as possible within the timescales reasonably required by the Controller) including by promptly providing: (i) the Controller with full details and copies of the complaint, communication or Request; (ii) such assistance as is reasonably requested by the Controller to enable the Controller to comply with a Data Subject Access Request within the relevant timescales set out in Data Protection Legislation; (iii) the Controller, at its request, with any Personal Data it holds in relation to a Data Subject; (iv) assistance as requested by the Controller following any Data Loss Event; (v) assistance as requested by the Controller with respect to any request from the Information Commissioner's Office or any consultation by the Controller with 
the Information Commissioner’s Office. 34.11 The Processor shall allow for audits of its Data Processing activity by the Controller or the Controller’s designated auditor. 34.12 Before allowing any Sub-processor to process any Personal Data related to this Agreement, the Processor must: (i) notify the Controller in writing of the intended Sub-processor and processing; (ii) obtain the written consent of the Controller; (iii) enter into a written agreement with the Sub-processor which give effect to the terms that apply to the Sub-processor; (iv) provide the Controller with such information regarding the Sub-processor as the Controller may reasonably require. 34.13 The Processor shall remain fully liable for all acts or omissions of any Sub-Processor. 34.14 The Controller may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Agreement). 34.15 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Controller may on not less than 30 Working Days’ Notice to the Processor amend this Agreement to ensure that it complies with any Guidance issued by the Information Commissioner’s Office.

Appears in 1 contract

Sources: National Fostering Model Contract

Data Protection. The Parties acknowledge that for the purposes of the Data Protection Legislation, the Authority is the Controller and the Grant Recipient is the Processor unless otherwise specified in this Annex 8. The only processing that the Processor is authorised to do is listed in Part 1A of Annex 8 by the Controller and may not be determined by the Processor. The Processor shall notify the Controller immediately if it considers that any of the Controller's instructions infringe the Data Protection Legislation. The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Controller, include: a systematic description of the envisaged processing operations and the purpose of the processing; an assessment of the necessity and proportionality of the processing operations in relation to the Services; an assessment of the risks to the rights and freedoms of data subjects; and the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. The Processor shall, in relation to any Personal Data processed in connection with its obligations under these Conditions: process that Personal Data only in accordance with this Annex 8, unless the Processor is required to do otherwise by Law.
If it is so required the Processor shall promptly notify the Controller before processing the Personal Data unless prohibited by Law; ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), having taken account of the: nature of the data to be protected; harm that might result from a Data Loss Event; state of technological development; and cost of implementing any measures; ensure that: the Processor Personnel do not process Personal Data except in accordance with these Conditions (and in particular Part 1 of Annex 8); it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they: are aware of and comply with the Processor’s duties under this paragraph; are subject to appropriate confidentiality undertakings with the Processor or any Sub-processor; are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any Third Party unless directed in writing to do so by the Controller or as otherwise permitted by these Conditions; and have undergone adequate training in the use, care, protection and handling of Personal Data; and where the Personal Data is subject to the UK GDPR, not transfer the Personal Data outside of the UK unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled: the transfer is in accordance with Article 45 of the UK GDPR or DPA 2018 Section 17A; or the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with Article 46 of the UK GDPR or DPA 2018 Section 17C) as determined by the Controller which could include relevant parties entering into
the International Data Transfer Agreement or International Data Transfer Agreement Addendum to the European Commission’s Standard Contractual Clauses published by the Information Commissioner’s Office from time to time under section 119A(1) of the DPA 2018 as well as any additional measures determined by the Controller; the Data Subject has enforceable rights and effective legal remedies; the Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data; where the Personal Data is subject to EU GDPR, not transfer such Personal Data outside of the European Union unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled: the transfer is in accordance with Article 45 of the EU GDPR; or the Processor has provided appropriate safeguards in relation to the transfer in accordance with Article 46 of the EU GDPR as determined by the Controller which could include relevant parties entering into Standard Contractual Clauses in the European Commission’s decision 2021/914/EU or such updated version of such Standard Contractual Clauses as are published by the European Commission from time to time as well as any additional measures determined by the Controller; the Data Subject has enforceable rights and effective legal remedies; the Processor complies with its obligations under the EU GDPR by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and the Processor complies with any reasonable instructions notified to it in advance by 
the Controller with respect to the processing of the Personal Data; and at the written direction of the Controller, delete or return Personal Data (and any copies of it) to the Controller on termination of the Grant Funding Agreement unless the Processor is required by Law to retain the Personal Data. Subject to paragraph 1.6, the Processor shall notify the Controller immediately if it: receives a Data Subject Request (or purported Data Subject Request); receives a request to rectify, block or erase any Personal Data; receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under these Conditions; receives a request from any Third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or becomes aware of a Data Loss Event. The Processor’s obligation to notify under paragraph 1.5 shall include the provision of further information to the Controller in phases, as details become available. 
Taking into account the nature of the processing, the Processor shall provide the Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under paragraph 1.5 (and insofar as possible within the timescales reasonably required by the Controller) including by promptly providing: the Controller with full details and copies of the complaint, communication or request; such assistance as is reasonably requested by the Controller to enable the Controller to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation; the Controller, at its request, with any Personal Data it holds in relation to a Data Subject; assistance as requested by the Controller following any Data Loss Event; assistance as requested by the Controller with respect to any request from the Information Commissioner’s Office or any other regulatory authority, or any consultation by the Controller with the Information Commissioner's Office or any other regulatory authority. The Processor shall maintain complete and accurate records and information to demonstrate its compliance with this paragraph. This requirement does not apply where the Processor employs fewer than 250 staff, unless: the Controller determines that the processing is not occasional; the Controller determines the processing includes special categories of data as referred to in Article 9(1) of the UK GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the UK GDPR; or the Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. The Processor shall allow for audits of its Data Processing activity by the Controller or the Controller’s designated auditor. Each Party shall designate its own data protection officer if required by the Data Protection Legislation. 
Before allowing any Sub-processor to process any Personal Data related to this Grant Funding Agreement, the Processor must: notify the Controller in writing of the intended Sub-processor and processing; obtain the written consent of the Controller; enter into a written agreement with the Sub-processor which give effect to the terms set out in this paragraph 1.11 such that they apply to the Sub-processor; and provide the Controller with such information regarding the Sub-processor as the Controller may reasonably require. The Processor shall remain fully liable for all acts or omissions of any of its Sub-processors. The Authority may, at any time on not less than 30 Working Days’ notice, revise this paragraph by replacing it with any applicable controller to processor standard paragraphs or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to these Conditions). The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Controller may on not less than 30 Working Days’ notice to the Processor amend these Conditions to ensure that it complies with any guidance issued by the Information Commissioner’s Office. Where the Parties include two or more Joint Controllers in respect of Personal Data under this Grant Funding Agreement as identified in Part 1 of Annex 8 in accordance with Article 26 of the UK GDPR, those Parties shall enter into a Joint Controller Agreement based on the terms outlined in Part 2 of Annex 8 in replacement of paragraphs 1.1 to 1.14 for the Personal Data under Joint Control. This ▇▇▇▇▇ shall be completed by the Controller, who may take account of the view of the Processors, however the final decision as to the content of this Annex shall be with the Controller at its absolute discretion. 
The contact details of the Controller’s Data Protection Officer are: [Insert Contact details] The contact details of the Processor’s Data Protection Officer are: [Insert Contact details] The Processor shall comply with any further written instructions with respect to processing by the Controller. Any such further instructions shall be incorporated into this Annex.

Appears in 1 contract

Sources: Grant Funding Agreement

Data Protection. 13.1 This clause 13 (Data Protection) applies in case ▇▇▇▇▇▇▇’▇ performance of the services incorporates processing of Personal Data by Trimble on behalf of the Customer. Both parties will comply with all applicable requirements of the Data Protection Legislation. This Agreement is an addition to, and does not relieve, remove or replace, a Party’s obligations under the Data Protection Legislation. 13.2 The parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the controller and the Trimble is the processor (where Controller and Processor have the meanings as defined in the Data Protection Legislation). The Agreement and Schedule sets out the scope, nature and the purpose of processing by Trimble, the duration of the processing and the types of personal data (as defined in the Data Protection Legislation, “Personal Data”) and categories of data subject. 13.3 Without prejudice to the generality of clause 13.1, the Customer will ensure that it fulfills all necessary requirements to enable lawful transfer of the Personal Data to Trimble for the duration and purposes of this agreement.
13.4 Without prejudice to the generality of clause 13.1, Trimble shall, in relation to any Personal Data processed in connection with the performance by Trimble of its obligations under this Agreement: (a) process that Personal Data only on the written instructions of the Customer subject to Art. 28 (3) GDPR. Instructions may be handled as a change request at the cost of Customer. Provider shall immediately inform the Customer if, in its opinion, an instruction infringes Data Protection Legislation; (b) ensure that it has in place appropriate technical and organizational measures, which are reviewed and approved by the Customer (for ▇▇▇▇▇▇▇’▇ list of measures see the Schedule).
Such measures shall ensure a level of security appropriate to the risks presented by processing and are subject to change depending on Provider’s recurring risk assessments; (c) ensure that personnel or any other person acting on behalf of Trimble who have access to and/or process Personal Data are obliged to keep the Personal Data confidential and ensure any natural person acting under the authority of Trimble who has access to personal data does not process them except on instructions from the Customer; (d) may transfer Personal Data outside of the European Economic Area.
In case of transfer outside the European Economic Area, Trimble ensures that the transfer is only to (a) countries for which the European Commission has decided that they have an adequate level of data protection or (b) use European Commission standard contractual clauses 2010/87/EU; (e) assist the Customer, at the Customer’s cost, in responding to any request from a data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; (f) assist the Customer by providing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Customer’s obligation to respond to requests for exercising the data subject’s rights pursuant to Data Protection Regulation; (g) notify the Customer without undue delay on becoming aware of a Personal Data breach; (h) at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer on termination of the agreement unless required by Applicable Law to store the Personal Data; and (i) maintain complete and accurate records and information to demonstrate its compliance with this clause and the Data Protection Regulation and allow for audits by the Customer or the Customer’s designated auditor. (j) be entitled to collect, use, process anonymous and aggregate data of the use of the services pursuant to the Agreement, that is not personally identifiable with the Customer nor data subjects and use such data for any ▇▇▇▇▇▇▇’▇ internal business purpose, and for the improvement and/or the development of other products or service capabilities. 13.5 Trimble shall not engage a third-party processor without prior specific or general written authorization of the Customer.
The Customer consents to Trimble appointing the parties named in the Schedule as third-party processors of Personal Data under this Agreement. Trimble confirms that it has entered or (as the case may be) will enter with the third-party processor into a written agreement in which he imposes on that other processor the obligations as set out in this clause. Trimble informs the Customer of any intended changes concerning the addition or replacement of other processors. The Customer has the right to object to such changes. As between the Customer and Trimble, Trimble shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause. 13.6 Either Party may, at any time on not less than 30 days’ notice, revise this clause by replacing it with any applicable controller to processor standard clauses or similar terms forming Party of an applicable certification scheme (which shall apply when replaced by attachment to this agreement). 13.7 Each Party’s and its affiliates’ liability arising out of or related to this clause and processing of Customer’s Personal Data, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Agreement, and any reference in such section to the liability of a Party means the aggregate liability of that Party and its affiliates under the Agreement. For the avoidance of doubt, Provider's and its affiliates’ total liability for all claims from the Customer and its affiliates arising out of or related to the Agreement and this clause shall apply in the aggregate for all claims under the Agreement.

Appears in 1 contract

Sources: End User License Agreement

Data Protection. The Parties acknowledge that for the purposes of the Data Protection Legislation, WRWA is the Controller and the Consultant is the Processor. The only processing that the Consultant is authorised to do is that permitted by Data Protection Legislation in order to perform the Services under this Contract. The Consultant shall notify WRWA immediately if it considers that any of WRWA's instructions infringe the Data Protection Legislation. The Consultant shall provide all reasonable assistance to WRWA in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of WRWA, include: a systematic description of the envisaged processing operations and the purpose of the processing; an assessment of the necessity and proportionality of the processing operations in relation to the Services; an assessment of the risks to the rights and freedoms of Data Subjects; and the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. The Consultant shall, in relation to any Personal Data processed in connection with its obligations under this Contract: process that Personal Data only in accordance with the performance of the Services under this Contract, unless the Consultant is required to do otherwise by Law.
If it is so required the Consultant shall promptly notify WRWA before processing the Personal Data unless prohibited by Law; ensure that it has in place Protective Measures, which have been reviewed and approved by WRWA as appropriate to protect against a Data Loss Event having taken account of the: nature of the data to be protected; harm that might result from a Data Loss Event; state of technological development; and cost of implementing any measures; ensure that: its employees, Project Team and Key Subconsultants do not process Personal Data except in accordance with this Contract; it takes all reasonable steps to ensure the reliability and integrity of any of its employees, Project Team and Key Subconsultants who have access to the Personal Data and ensure that they: are aware of and comply with the Consultant’s duties under this Clause 20; are subject to appropriate confidentiality undertakings with the Consultant or any Sub-processor; are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by WRWA or as otherwise permitted by this Contract; and have undergone adequate training in the use, care, protection and handling of Personal Data; and not transfer Personal Data outside of the EU unless the prior written consent of WRWA has been obtained and the following conditions are fulfilled: WRWA or the Consultant has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46) as determined by WRWA; the Data Subject has enforceable rights and effective legal remedies; the Consultant complies with its obligations under the
Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist WRWA in meeting its obligations); and the Consultant complies with any reasonable instructions notified to it in advance by WRWA with respect to the processing of the Personal Data; at the written direction of ▇▇▇▇, delete or return Personal Data (and any copies of it) to WRWA on termination of the Agreement unless this Consultant is required by Law to retain the Personal Data. Subject to clause 20.7, the Consultant shall notify WRWA immediately if it:

Appears in 1 contract

Sources: Financial Consultancy Services Agreement

Data Protection. 1.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Controller and the Supplier is the Processor unless otherwise specified in Contract Schedule 7. The only processing that Blueteq Ltd is authorised to do is listed in Contract Schedule 7 by the Controller and may not be determined by the Processor. 1.2 Blueteq Ltd shall notify the Customer immediately if it considers that any of the Customer's instructions infringe the Data Protection Legislation. 1.3 Blueteq Ltd shall provide all reasonable assistance to the Customer in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Customer, include: i. a systematic description of the envisaged processing operations and the purpose of the processing; ii. an assessment of the necessity and proportionality of the processing operations in relation to the Services; iii. an assessment of the risks to the rights and freedoms of Data Subjects; and iv. the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 1.4 Blueteq Ltd shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: i. process that Personal Data only in accordance with Contract Schedule 1, unless Blueteq Ltd is required to do otherwise by Law. If it is so required Blueteq Ltd shall promptly notify the Customer before processing the Personal Data unless prohibited by Law. ii.
ensure that it has in place Protective Measures, which have been reviewed and approved by the Customer as appropriate to protect against a Data Loss Event having taken account of the: a. nature of the data to be protected; b. harm that might result from a Data Loss Event; c. state of technological development; and d. cost of implementing any measures. iii. ensure that: a. Blueteq Ltd personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 1). b. it takes all reasonable steps to ensure the reliability and integrity of any Blueteq Ltd Personnel who have access to the Personal Data and ensure that they: i. are aware of and comply with Blueteq Ltd’s duties under this clause; ii. are subject to appropriate confidentiality undertakings with Blueteq Ltd or any Sub-processor; iii. are informed of the confidential nature of the Personal Data and do not publish, disclose, or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Customer or as otherwise permitted by this Agreement; and iv. have undergone adequate training in the use, care, protection, and handling of Personal Data; and v. not transfer Personal Data outside of the UK unless the prior written consent of the Customer has been obtained and the following conditions are fulfilled: a. the Customer or Blueteq Ltd has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Customer; b. the Data Subject has enforceable rights and effective legal remedies; c.
Blueteq Ltd complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Customer in meeting its obligations); and d. Blueteq Ltd complies with any reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; e. at the written direction of the Customer, delete or return Personal Data (and any copies of it) to the Customer on termination of the Agreement unless Blueteq Ltd is required by Law to retain the Personal Data. 1.5 Subject to clause 1.6, Blueteq Ltd shall notify the Customer immediately if it: i. receives a Data Subject Access Request (or purported Data Subject Access Request); ii. receives a request to rectify, block or erase any Personal Data; iii. receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; iv. receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; v. becomes aware of a Data Loss Event. 1.6 Blueteq Ltd’s obligation to notify under clause 1.5 shall include the provision of further information to the Customer in phases, as details become available. 1.7 Taking into account the nature of the processing, Blueteq Ltd shall provide the Customer with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause 1.5 (and insofar as possible within the timescales reasonably required by the Customer) including by promptly providing: i. 
the Customer with full details and copies of the complaint, communication or request; ii. such assistance as is reasonably requested by the Customer to enable the Customer to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; iii. the Customer, at its request, with any Personal Data it holds in relation to a Data Subject; iv. assistance as requested by the Customer following any Data Loss Event; v. assistance as requested by the Customer with respect to any request from the Information Commissioner’s Office, or any consultation by the Customer with the Information Commissioner's Office. vi. Blueteq Ltd shall maintain complete and accurate records and information to demonstrate its compliance with this clause. 1.8 Blueteq Ltd shall allow for audits of its Data Processing activity by the Customer or the Customer’s designated auditor. 1.9 Blueteq Ltd shall have a designated Data Protection Officer/Information Governance Lead. 1.10 Before allowing any Sub-processor to process any Personal Data related to this Agreement, Blueteq Ltd must: i. notify the Customer in writing of the intended Sub-processor and processing;

Appears in 1 contract

Sources: License Agreement

Data Protection. 1.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Authority is the Controller and the Grant Recipient is the Processor unless otherwise specified in this Annex 8. The only processing that the Processor is authorised to do is listed in Part 1 of Annex 8 by the Controller and may not be determined by the Processor. 1.2 The Processor shall notify the Controller immediately if it considers that any of the Controller's instructions infringe the Data Protection Legislation. 1.3 The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Controller, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of data subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 1.4 The Processor shall, in relation to any Personal Data processed in connection with its obligations under these Conditions: (a) process that Personal Data only in accordance with this Annex 8, unless the Processor is required to do otherwise by Law.
If it is so required, the Processor shall promptly notify the Controller before processing the Personal Data unless prohibited by Law; (b) ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; (c) ensure that: (i) the Processor Personnel do not process Personal Data except in accordance with these Conditions (and in particular Part 1 of Annex 8); (ii) it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Processor’s duties under this paragraph; (B) are subject to appropriate confidentiality undertakings with the Processor or any sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any Third Party unless directed in writing to do so by the Controller or as otherwise permitted by these Conditions; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; and (d) not transfer Personal Data outside of the EU unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled: (i) the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Controller; (ii) the Data Subject has enforceable rights and effective legal remedies; (iii) the Processor complies with its
obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and (iv) the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data; (e) at the written direction of the Controller, delete or return Personal Data (and any copies of it) to the Controller on termination of the Agreement unless the Processor is required by Law to retain the Personal Data. 1.5 Subject to paragraph 1.6, the Processor shall notify the Controller immediately if it: (a) receives a Data Subject Request (or purported Data Subject Request); (b) receives a request to rectify, block or erase any Personal Data; (c) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; (d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under these Conditions; (e) receives a request from any Third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or (f) becomes aware of a Data Loss Event. 1.6 The Processor’s obligation to notify under paragraph 1.5 shall include the provision of further information to the Controller in phases, as details become available. 
1.7 Taking into account the nature of the processing, the Processor shall provide the Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under paragraph 1.5 (and insofar as possible within the timescales reasonably required by the Controller) including by promptly providing: (a) the Controller with full details and copies of the complaint, communication or request; (b) such assistance as is reasonably requested by the Controller to enable the Controller to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation; (c) the Controller, at its request, with any Personal Data it holds in relation to a Data Subject; (d) assistance as requested by the Controller following any Data Loss Event; (e) assistance as requested by the Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Controller with the Information Commissioner's Office. 1.8 The Processor shall maintain complete and accurate records and information to demonstrate its compliance with this paragraph. This requirement does not apply where the Processor employs fewer than 250 staff, unless: (a) the Controller determines that the processing is not occasional; (b) the Controller determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; or (c) the Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. 1.9 The Processor shall allow for audits of its Data Processing activity by the Controller or the Controller’s designated auditor. 1.10 Each Party shall designate its own data protection officer if required by the Data Protection Legislation. 
1.11 Before allowing any Sub-processor to process any Personal Data related to these Conditions, the Processor must: (a) notify the Controller in writing of the intended Sub-processor and processing; (b) obtain the written consent of the Controller; (c) enter into a written agreement with the Sub-processor which give effect to the terms set out in this paragraph 1.11 such that they apply to the Sub-processor; and (d) provide the Controller with such information regarding the Sub-processor as the Controller may reasonably require. 1.12 The Processor shall remain fully liable for all acts or omissions of any of its Sub-processors. 1.13 The Controller may, at any time on not less than 30 Working Days’ notice, revise this paragraph by replacing it with any applicable controller to processor standard paragraphs or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to these Conditions). 1.14 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Controller may on not less than 30 Working Days’ notice to the Processor amend these Conditions to ensure that it complies with any guidance issued by the Information Commissioner’s Office. 1.15 Where the Parties include two or more Joint Controllers as identified in Part 1 of Annex 8 in accordance with GDPR Article 26, those Parties shall enter into a Joint Controller Agreement based on the terms outlined in Part 2 of Annex 8 in replacement of paragraphs 1.1-1.14 for the Personal Data under Joint Control. This ▇▇▇▇▇ shall be completed by the Controller, who may take account of the view of the Processors, however the final decision as to the content of this Annex shall be with the Controller at its absolute discretion. 1. The contact details of the Controller’s Data Protection Officer are: [Insert Contact details]

Appears in 1 contract

Sources: Grant Funding Agreement

Data Protection. 15.7.1 “The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Controller and the Supplier is the Processor. The only processing that the Supplier is authorised to do is listed in Call Off Schedule 5 by the Customer and may not be determined by the Supplier. 15.7.2 The Supplier shall notify the Customer immediately if it considers that any of the Customer's instructions infringe the Data Protection Legislation. 15.7.3 The Supplier shall provide all reasonable assistance to the Customer in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Customer, include: a) a systematic description of the envisaged processing operations and the purpose of the processing; b) an assessment of the necessity and proportionality of the processing operations in relation to the provision of the Goods and Services; c) an assessment of the risks to the rights and freedoms of Data Subjects; and; d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data: 15.7.4 The Supplier shall, in relation to any Personal Data processed in connection with its obligations under this Call-Off Contract: a) process that Personal Data only in accordance with Call Off Schedule 5 unless the Supplier is required to do otherwise by Law.
If it is so required the Supplier shall promptly notify the Customer before processing the Personal Data unless prohibited by Law; b) ensure that it has in place Protective Measures, which have been reviewed and approved by the Customer as appropriate to protect against a Data Loss Event having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; c) ensure that (i) the Supplier Personnel do not process Personal Data except in accordance with this Call-Off Contract (and in particular Call Off Schedule 5); (ii) it takes all reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that they: (i) are aware of and comply with the Supplier’s duties under this clause; (ii) are subject to appropriate confidentiality undertakings with the Supplier or any Sub-processor; (iii) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer or as otherwise permitted by this Call-Off Contract; and (iv) have undergone adequate training in the use, care, protection and handling of Personal Data; and d) not transfer Personal Data outside of the European Economic Area unless the prior written consent of the Customer has been obtained and the following conditions are fulfilled (i) the Customer or the Supplier has provided appropriate safeguards in relation to the transfer; (ii) the Data Subject has enforceable rights and effective legal remedies; (iii) the Supplier complies with its obligations
under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and (iv) the Supplier complies with any reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; e) at the written direction of the Customer, delete or return Personal Data (and any copies of it) to the Customer on termination of the Call-Off Contract unless the Supplier is required by Law to retain the Personal Data 15.7.5 Subject to clause 15.7.6, the Supplier shall notify the Customer immediately if it: a) receives a Data Subject Access Request (or purported Data Subject Access Request); b) receives a request to rectify, block or erase any Personal Data; c) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; d) receives any communication from the Information Commissioner or any other regulatory Customer in connection with Personal Data processed under this Call-Off Contract; e) receives a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or f) becomes aware of a Data Loss Event. 
15.7.6 The Supplier’s obligation to notify under clause 15.7.5 shall include the provision of further information to the Customer in phases, as details become available: 15.7.7 Taking into account the nature of the processing, the Supplier shall provide the Customer with full assistance in relation to either party's obligations under Data Protection Legislation and any complaint, communication or request made under Clause 15.7.5 (and insofar as possible within the timescales reasonably required by the Customer) including by promptly providing: a) the Customer with full details and copies of the complaint, communication or request; b) such assistance as is reasonably requested by the Customer to enable the Customer to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; c) the Customer, at its request, with any Personal Data it holds in relation to a Data Subject; d) assistance as requested by the Customer following any Data Loss Event; e) assistance as requested by the Customer with respect to any request from the Information Commissioner’s Office, or any consultation by the Customer with the Information Commissioner's Office. 15.7.8 The Supplier shall maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Supplier employs fewer than 250 staff, unless: a) the Customer determines that the processing is not occasional; b) the Customer determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; and c) the Customer determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects 15.7.9 The Supplier shall allow for audits of its Data Processing activity by the Customer or the Customer’s designated auditor. 
15.7.10 The Supplier shall designate a Data Protection Officer if required by the Data Protection Legislation. 15.7.11 Before allowing any Sub-processor to process any Personal Data related to this Call-Off Contract, the Supplier must: a) notify the Customer in writing of the intended Sub-processor and processing; b) obtain the written consent of the Customer; c) enter into a written agreement with the Sub-processor which give effect to the terms set out in this clause 15.7 such that they apply to the Sub-processor; and d) provide the Customer with such information regarding the Sub-processor as the Customer may reasonably require 15.7.12 The Supplier shall remain fully liable for all acts or omissions of any Sub-processor. 15.7.13 The Customer may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Call-Off Contract). The Parties agree to take account of any non-mandatory guidance issued by the Information Commissioner’s Office publishes guidance. The Customer may on not less than 30 Working Days’ notice to the Supplier amend this Call-Off Contract to ensure that it complies with any guidance issued by the Information Commissioner’s Officer.”

Appears in 1 contract

Sources: Order Form for the Supply of Microsoft M365 E5 Software Renewal

Data Protection. The Parties acknowledge that for the purposes of the Data Protection Legislation, the School is the Controller and the Processor is the Processor. The only processing that the Processor is authorised to do by the School is listed in Contract Schedule One and may not be determined by the Processor. The Processor shall notify the School immediately if it considers that any of the School's instructions infringe the Data Protection Legislation. The Processor shall provide all reasonable assistance to the School in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the School, include: a systematic description of the envisaged processing operations and the purpose of the processing; an assessment of the necessity and proportionality of the processing operations in relation to the Services; an assessment of the risks to the rights and freedoms of Data Subjects; and the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. The Processor shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: process that Personal Data only in accordance with Contract Schedule One unless the Processor is required to do otherwise by Law.
If it is so required the Processor shall promptly notify the School before processing the Personal Data unless prohibited by Law; ensure that it has in place Protective Measures, which have been reviewed and approved by the School as appropriate to protect against a Data Loss Event having taken account of the: nature of the data to be protected; harm that might result from a Data Loss Event; state of technological development; and cost of implementing any measures; ensure that: the Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule One); take all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they: are aware of and comply with the Processor’s duties under this clause; are subject to appropriate confidentiality undertakings with the Processor or any Sub-processor; are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the School or as otherwise permitted by this Agreement; and have undergone adequate training in the use, care, protection and handling of Personal Data; and not transfer Personal Data outside of the EU unless the prior written consent of the School has been obtained and the following conditions are fulfilled: the School or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the School; the Data Subject has enforceable rights and effective legal remedies; the Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection
to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the School in meeting its obligations); and the Processor complies with any reasonable instructions notified to it in advance by the School with respect to the processing of the Personal Data; at the written direction of the School, delete or return Personal Data (and any copies of it) to the School on termination of the Agreement unless the Processor is required by Law to retain the Personal Data. The Processor shall notify the School immediately if it: receives a Data Subject Access Request (or purported Data Subject Access Request); receives a request to rectify, block or erase any Personal Data; receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or becomes aware of a Data Loss Event. The Processor’s obligation to notify under clause 1.5 shall include the provision of further information to the School in phases, as details become available. 
Taking into account the nature of the processing, the Processor shall provide the School with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause 1.5 (and insofar as possible within the timescales reasonably required by the School) including by promptly providing: the School with full details and copies of the complaint, communication or request; such assistance as is reasonably requested by the School to enable the School to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; the School, at its request, with any Personal Data it holds in relation to a Data Subject; assistance as requested by the School following any Data Loss Event; assistance as requested by the School with respect to any request from the Information Commissioner’s Office, or any consultation by the School with the Information Commissioner's Office. The Processor shall maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Processor employs fewer than 250 staff, unless: the School determines that the processing is not occasional; the School determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; and the School determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. The Processor shall allow for audits of its Data Processing activity by the School or the School’s designated auditor. The Processor shall designate a data protection officer if required by the Data Protection Legislation. 
Before allowing any Sub-processor to process any Personal Data related to this Agreement, the Processor must: notify the School in writing of the intended Sub-processor and processing; obtain the written consent of the School; enter into a written agreement with the Sub-processor which give effect to the terms set out in this Agreement such that they apply to the Sub-processor; and provide the School with such information regarding the Sub-processor as the School may reasonably require. The Processor shall remain fully liable for all acts or omissions of any Sub-processor. The School may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Agreement). The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The School may on not less than 30 Working Days’ notice to the Processor amend this agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office.

Appears in 1 contract

Sources: Data Processing Agreement

Data Protection. 5.1 Each party shall for the duration of the provision of the Services by the Supplier to the Customer comply with the provisions of the Data Protection Legislation and shall not do or permit anything to be done which might cause or otherwise result in breach of the same. 5.2 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Controller and the Supplier is the Processor unless otherwise specified in Contract Schedule 7Processor. The only processing that the Processor Supplier is authorised to do is listed in Contract Schedule 7 determined by the Controller Customer and may not be determined by the Processor. Supplier. 5.3 The Processor Supplier shall notify the Controller Customer immediately if it considers that any of the ControllerCustomer's instructions infringe the Data Protection Legislation. . 5.4 The Processor Supplier shall provide all reasonable assistance to the Controller Customer in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the ControllerCustomer, include: : a) a systematic description of the envisaged processing operations and the purpose of the processing; ; b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; ; c) an assessment of the risks to the rights and freedoms of Data Subjects; and and d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. . 5.5 The Processor Supplier shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: : (a) process that Personal Data only in accordance with Contract Schedule 7the Customer’s written instructions, unless the Processor Supplier is required to do otherwise by Law. 
If it is so required the Processor Supplier shall promptly notify the Controller Customer before processing the Personal Data unless prohibited by Law; ; (b) ensure that it has in place Protective Measures, which are have been reviewed and approved by the Customer as appropriate to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), Event having taken account of the: : (i) nature of the data to be protected; ; (ii) harm that might result from a Data Loss Event; ; (iii) state of technological development; and and (iv) cost of implementing any measures; ensure that : the Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 7); it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they:;

Appears in 1 contract

Sources: Data Protection Agreement

Data Protection. 1.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Controller Combined Authority and the Supplier is the Processor unless otherwise specified in Contract Schedule 7. The only processing that the Processor is authorised to do is listed in Contract Schedule 7 by the Controller and may not be determined by the Processor. The Processor shall notify the Controller immediately if it considers that any other named Parties are Joint Controllers of the Controller's instructions infringe personal data processed for the Data Protection Legislation. The Processor purposes of implementing Multiply; and which is defined in Schedule A and Annex 1. 1.2 Parties shall provide all reasonable assistance to the Controller in Combined Authority regarding the preparation Privacy Impact Assessment of any Data Protection Impact Assessment prior to commencing aspect of Multiply data processing as the project is rolled out and evolves. This includes the effective implementation of any processingprivacy risk mitigation solutions consequently agreed by the parties. Such assistance may, at the discretion of the Controller, may include: : (a) a systematic description of the envisaged processing operations and the purpose of the processing; ; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; ; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. The Processor . 1.3 Parties shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: for the purposes of Multiply, process that Personal Data only in accordance with Contract Schedule 7A, unless the Processor a Party is required to do otherwise by Law. 
If it is so required required, the Processor Party shall promptly notify the Controller before Combined Authority processing the Personal Data unless prohibited by Law; ; 1.4 Parties shall ensure that it has they have adequate Security Measures in place Protective Measures, which are appropriate to protect against a Data Loss Eventunauthorised access to, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller and/or loss or destruction of the adequacy personal data processed for the purposes of Multiply. Such measures should take account of: (i) the Protective Measures), having taken account of the: nature and volume of the data to be protected; ; (ii) the harm that might result from a Data Loss Event; security incident; (iii) the state of technological developmentdevelopment concerning security measures available; and and (iv) cost of implementing any measures; ; 1.5 Parties shall ensure that : the Processor that: (i) Personnel of any Party do not process Personal Data except in accordance with this Agreement (and in particular Schedule 7A); it takes ; (ii) Parties take all reasonable steps to ensure the reliability and integrity of any Processor Party Personnel who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Party’s duties under this clause; (B) are subject to appropriate confidentiality undertakings with the Party or any Sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Combined Authority or as otherwise permitted by this Agreement; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data 1.6 Parties shall not transfer Personal Data outside of the EU unless the following conditions are fulfilled: (i) the Party has provided appropriate safeguards in relation to 
the transfer (whether in accordance with GDPR Article 46 or LED Article 37) (ii) the Data Subject has enforceable rights and effective legal remedies; (iii) the Party complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; 1.7 Parties shall retain personal data only for as long as necessary to serve the purposes of processing which are defined in Schedule A, or as may be required by Law. 1.8 Each Party shall be responsible for responding to requests they receive from their data subjects for the exercise of data subject rights as established under Articles 15 to 23 of the GDPR, and further clarified by the 2018 DPA. Upon receipt of such a request, the Party concerned shall inform the Combined Authority without delay. The Combined Authority shall provide information and support, as and where necessary, to assist in the preparation of an appropriate and legally compliant response to such a request. 1.9 As regards compliance with the GDPR principle of transparency, and the data subjects’ rights outlined in GDPR Articles 12 to 14, the Parties shall provide appropriate privacy information at the time of collection of personal data, and to inform data subjects’ choice to proceed as a Multiply participant. The content of this privacy information shall be consistent and agreed between the Parties. 1.10 If any of the Parties is made aware of a security incident relating to the processing covered by this agreement, they shall report this to the Combined Authority without delay, and in any case within 24 hours. Parties shall provide information and assistance as may be required by the Combined Authority to: i. co-ordinate the containment of any risks to the rights of Multiply data subjects;

Appears in 1 contract

Sources: Data Sharing Agreement

Data Protection. 1.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer [ORG A] is the Controller and the Supplier [ORG B] is the Processor unless otherwise specified in Contract Schedule 7[X]. The only processing that the Processor is authorised to do is listed in Contract Schedule 7 [X] by the Controller and may not be determined by the Processor. . 1.2 The Processor shall notify the Controller immediately if it considers that any of the Controller's instructions infringe the Data Protection Legislation. . 1.3 The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Controller, include: : (a) a systematic description of the envisaged processing operations and the purpose of the processing; ; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; ; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. . 1.4 The Processor shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: : (a) process that Personal Data only in accordance with Contract Schedule 7[X], unless the Processor is required to do otherwise by Law. 
If it is so required the Processor shall promptly notify the Controller before processing the Personal Data unless prohibited by Law; ; (b) ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), having taken account of the: : (i) nature of the data to be protected; ; (ii) harm that might result from a Data Loss Event; ; (iii) state of technological development; and and (iv) cost of implementing any measures; ; (c) ensure that : : (i) the Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 7X); ; (ii) it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Processor’s duties under this clause; (B) are subject to appropriate confidentiality undertakings with the Processor or any Sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Controller or as otherwise permitted by this Agreement; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; and (d) not transfer Personal Data outside of the EU unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled: (i) the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Controller; (ii) the Data Subject has enforceable rights and effective legal remedies; (iii) the Processor complies with its obligations under the Data Protection Legislation by 
providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and (iv) the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data; (e) at the written direction of the Controller, delete or return Personal Data (and any copies of it) to the Controller on termination of the Agreement unless the Processor is required by Law to retain the Personal Data. 1.5 Subject to clause 1.6, the Processor shall notify the Controller immediately if it: (a) receives a Data Subject Request (or purported Data Subject Request); (b) receives a request to rectify, block or erase any Personal Data; (c) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; (d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; (e) receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or (f) becomes aware of a Data Loss Event. 1.6 The Processor’s obligation to notify under clause 1.5 shall include the provision of further information to the Controller in phases, as details become available. 
1.7 Taking into account the nature of the processing, the Processor shall provide the Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause 1.5 (and insofar as possible within the timescales reasonably required by the Controller) including by promptly providing: (a) the Controller with full details and copies of the complaint, communication or request; (b) such assistance as is reasonably requested by the Controller to enable the Controller to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation; (c) the Controller, at its request, with any Personal Data it holds in relation to a Data Subject; (d) assistance as requested by the Controller following any Data Loss Event; (e) assistance as requested by the Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Controller with the Information Commissioner's Office. 1.8 The Processor shall maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Processor employs fewer than 250 staff, unless: (a) the Controller determines that the processing is not occasional; (b) the Controller determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; or (c) the Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. 1.9 The Processor shall allow for audits of its Data Processing activity by the Controller or the Controller’s designated auditor. 1.10 Each Party shall designate its own data protection officer if required by the Data Protection Legislation. 
1.11 Before allowing any Sub-processor to process any Personal Data related to this Agreement, the Processor must: (a) notify the Controller in writing of the intended Sub-processor and processing; (b) obtain the written consent of the Controller; (c) enter into a written agreement with the Sub-processor which give effect to the terms set out in this clause [X] such that they apply to the Sub-processor; and (d) provide the Controller with such information regarding the Sub-processor as the Controller may reasonably require. 1.12 The Processor shall remain fully liable for all acts or omissions of any of its Sub-processors. 1.13 The Controller may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Agreement). 1.14 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Controller may on not less than 30 Working Days’ notice to the Processor amend this agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office. 1.15 Where the Parties include two or more Joint Controllers as identified in Schedule [X] in accordance with GDPR Article 26, those Parties shall enter into a Joint Controller Agreement based on the terms outlined in Schedule [Y] in replacement of Clauses 1.1-1.14 for the Personal Data under Joint Control.

Appears in 1 contract

Sources: Data Processing Agreement

Data Protection. The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Controller and the Supplier Consultant is the Processor unless otherwise specified in Contract Schedule 7Processor. The only processing that the Processor Consultant is authorised to do is listed in Contract Schedule 7 3 by the Controller Customer and may not be determined by the ProcessorConsultant. The Processor Consultant shall notify the Controller Customer immediately if it considers that any of the ControllerCustomer's instructions infringe the Data Protection Legislation. The Processor Consultant shall provide all reasonable assistance to the Controller Customer in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the ControllerCustomer, include: a systematic description of the envisaged processing operations and the purpose of the processing; an assessment of the necessity and proportionality of the processing operations in relation to the Services; an assessment of the risks to the rights and freedoms of Data Subjects; and the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. The Processor Consultant shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: process that Personal Data only in accordance with Contract Schedule 7A, unless the Processor Consultant is required to do otherwise by Lawlaw. 
If it is so required the Processor Consultant shall promptly notify the Controller Customer before processing the Personal Data unless prohibited by Lawlaw; ensure that it has in place Protective Measures, which are have been reviewed and approved by the Customer as appropriate to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), Event having taken account of the: nature of the data to be protected; harm that might result from a Data Loss Event; state of technological development; and cost of implementing any measures; ensure that that: the Processor Consultant Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 7A); it takes all reasonable steps to ensure the reliability and integrity of any Processor Consultant Personnel who have access to the Personal Data and ensure that they: are aware of and comply with the Consultant’s duties under this clause; are subject to appropriate confidentiality undertakings with the Consultant or any Sub-processor; are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Customer or as otherwise permitted by this Agreement; and have undergone adequate training in the use, care, protection and handling of Personal Data; and not transfer Personal Data outside of the EU unless the prior written consent of the Customer has been obtained and the following conditions are fulfilled: the Customer or the Consultant has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Customer; the Data Subject has enforceable rights and effective legal remedies; the Consultant complies with its obligations under the Data Protection 
Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Customer in meeting its obligations); and the Consultant complies with any reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; at the written direction of the Customer, delete or return Personal Data (and any copies of it) to the Customer on termination of the Agreement unless the Consultant is required by Law to retain the Personal Data. Subject to clause 6.6, the Consultant shall notify the Customer immediately if it:

Appears in 1 contract

Sources: Contract for Consultancy Services

Data Protection. 3.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer School is the Controller and the Supplier Processor is the Processor unless otherwise specified in Contract Schedule 7Processor. The only processing that the Processor is authorised to do by the School is listed in Contract Schedule 7 by the Controller One and may not be determined by the Processor. . 3.2 The Processor shall notify the Controller School immediately if it considers that any of the ControllerSchool's instructions infringe the Data Protection Legislation. . 3.3 The Processor shall provide all reasonable assistance to the Controller School in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the ControllerSchool, include: : (a) a systematic description of the envisaged processing operations and the purpose of the processing; ; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; ; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. . 3.4 The Processor shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: : (a) process that Personal Data only in accordance with Contract Schedule 7, One unless the Processor is required to do otherwise by Law. 
If it is so required required, the Processor shall promptly notify the Controller School before processing the Personal Data unless prohibited by Law; ; (b) ensure that it has in place Protective Measures, which are have been reviewed and approved by the School as appropriate to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), Event having taken account of the: : i. nature of the data to be protected; ; ii. harm that might result from a Data Loss Event; ; iii. state of technological development; and and iv. cost of implementing any measures; ; (c) ensure that : the Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 7); it takes One (d) take all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they: i. are aware of and comply with the Processor’s duties under this clause; ii. are subject to appropriate confidentiality undertakings with the Processor or any Sub-processor; iii. are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the School or as otherwise permitted by this Agreement; and iv. have undergone adequate training in the use, care, protection and handling of Personal Data; and (e) not transfer Personal Data outside of the EU unless the following conditions are fulfilled: i. the School or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the School; ii. the Data Subject has enforceable rights and effective legal remedies; iii. 
the Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the School in meeting its obligations); and (f) at the written direction of the School, delete Personal Data (and any copies of it) to the School on termination of the Agreement unless the Processor is required by Law to retain the Personal Data. 3.5 The Processor shall notify the School immediately if it: (a) receives a Data Subject Access Request (or purported Data Subject Access Request); (b) receives a request to rectify, block or erase any Personal Data; (c) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; (d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; (e) receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or (f) becomes aware of a Data Loss Event. 3.6 The Processor’s obligation to notify under clause 3.5 shall include the provision of further information to the School in phases, as details become available. 
3.7 Taking into account the nature of the processing, the Processor shall provide the School with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause 3.5 (and insofar as possible within the timescales reasonably required by the School) including by promptly providing: (a) the School with full details and copies of the complaint, communication or request; (b) such assistance as is reasonably requested by the School to enable the School to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; (c) the School, at its request, with any Personal Data it holds in relation to a Data Subject; (d) assistance as requested by the School following any Data Loss Event; (e) assistance as requested by the School with respect to any request from the Information Commissioner’s Office, or any consultation by the School with the Information Commissioner's Office. 3.8 The Processor shall maintain complete and accurate records and information to demonstrate its compliance with clause 3.5. This requirement does not apply where the Processor employs fewer than 250 staff, unless: (a) the School determines that the processing is not occasional; (b) the School determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; and (c) the School determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. 3.9 The Processor shall make available to the controller all information necessary to demonstrate compliance with the obligations laid down in this agreement and will contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller. 
3.10 The Processor shall designate a data protection officer if required by the Data Protection Legislation. 3.11 The School hereby authorizes Processor to engage the Sub-processors listed at ▇▇▇.▇▇▇▇▇▇▇▇.▇▇/▇▇▇▇▇▇▇▇▇▇▇▇▇. Processor must enter into a written agreement with all Sub-processors. Processor must obtain sufficient guarantees from all Sub-processors that they will implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of Data Protection Law and this DPA. 3.12 The Processor shall inform the School of any intended changes concerning the addition or replacement of sub-processors, thereby giving the School the opportunity to object to such changes. The School must not act unreasonably in objecting to any proposed subprocessors. 3.13 The Processor shall remain fully liable for all acts or omissions of any Sub-processor.

Appears in 1 contract

Sources: Data Processing Agreement

Data Protection. 12.1. The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer Authority is the Controller and the Supplier Provider is the Processor unless otherwise specified in Contract Schedule 7Processor. The only processing Processing that the Processor Supplier is authorised to do is listed in Contract Schedule 7 A by the Controller Authority and may not be determined by the ProcessorProvider. 12.2. The Processor Provider shall notify the Controller Authority immediately if it considers that any of the ControllerAuthority's instructions infringe the Data Protection Legislation. 12.3. The Processor Provider shall provide all reasonable assistance to the Controller Authority in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the ControllerAuthority, include: : a) a systematic description of the envisaged processing operations and the purpose of the processing; ; b) an assessment of the necessity and proportionality of the processing Processing operations in relation to the Services; ; c) an assessment of the risks to the rights and freedoms of Data Subjects; and and d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 12.4. The Processor Provider shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: Contract: a) process that Personal Data only in accordance with Contract Schedule 7A, unless the Processor Provider is required to do otherwise by Law. 
If it is so required the Processor Provider shall promptly notify the Controller Authority before processing the Personal Data unless prohibited by Law; ; b) ensure that it has in place Protective Measures, which are have been reviewed and approved by the Authority as appropriate to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), Event having taken account of the: : (i) nature of the data to be protected; ; (ii) harm that might result from a Data Loss Event; ; (iii) state of technological development; and and (iv) cost of implementing any measures; ; c) ensure that : that: (i) the Processor Provider Personnel do not process Process Personal Data except in accordance with this Agreement Contract (and in particular Schedule 7A); ; (ii) it takes all reasonable steps to ensure the reliability and integrity of any Processor Provider Personnel who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Provider’s duties under this clause; (B) are subject to appropriate confidentiality undertakings with the Provider or any Sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority or as otherwise permitted by this Contract; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; d) not transfer Personal Data outside of the EU unless the prior written consent of the Authority has been obtained and the following conditions are fulfilled: (i) the Authority or the Provider has provided appropriate safeguards in relation to the transfer (whether in accordance with Article 46 of the GDPR or Article 37 of the Law Enforcement Directive (Directive (EU) 2016/680)) as determined by the Authority; (ii) 
the Data Subject has enforceable rights and effective legal remedies; (iii) the Provider complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Authority in meeting its obligations); and (iv) the Provider complies with any reasonable instructions notified to it in advance by the Authority with respect to the Processing of the Personal Data; e) at the written direction of the Authority, delete or return Personal Data [and any copies of it] to the Authority on termination or expiry of the Contract unless the Provider is required by Law to retain the Personal Data. 12.5. Subject to Clause 1.6, the Provider shall notify the Authority immediately if it: a) receives a Data Subject Access Request (or purported Data Subject Access Request); b) receives a request to rectify, block or erase any Personal Data; c) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data Processed under this Contract; e) receives a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or f) becomes aware of a Data Loss Event. 12.6. The Provider’s obligation to notify under Clause 1.5 shall include the provision of further information to the Authority in phases, as details become available. 12.7. 
Taking into account the nature of the Processing, the Provider shall provide the Authority with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under Clause 1.5 (and insofar as possible within the timescales reasonably required by the Authority) including by promptly providing: a) the Authority with full details and copies of the complaint, communication or request; b) such assistance as is reasonably requested by the Authority to enable the Authority to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; c) the Authority, at its request, with any Personal Data it holds in relation to a Data Subject; d) assistance as requested by the Authority following any Data Loss Event; e) assistance as requested by the Authority with respect to any request from the Information Office. 12.8. The Provider shall maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Provider employs fewer than 250 staff, unless: a) the Authority determines that the processing is not occasional; b) the Authority determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; and c) the Authority determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. 12.9. The Provider shall allow for audits of its processing activity by the Authority or the Authority’s designated auditor. 12.10. The Provider shall designate a data protection officer if required by the Data Protection Legislation. 12.11. 
Before allowing any Sub-processor to process any Personal Data related to this Contract, the Provider must: a) notify the Authority in writing of the intended Sub-processor and Processing; b) obtain the written consent of the Authority; c) enter into a written agreement with the Sub-processor which give effect to the terms set out in this clause such that they apply to the Sub-processor; and d) provide the Authority with such information regarding the Sub-processor as the Authority may reasonably require. 12.12. The Provider shall remain fully liable for all acts or omissions of any Sub-processor. 12.13. The Provider may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Contract). 12.14. The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Authority may on not less than 30 Working Days’ notice to the Provider amend this agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office.

Appears in 1 contract

Sources: Host Contract Award Service Agreement

Data Protection. Processing 1.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Purchaser is the Controller and the Supplier is the Processor. The only processing that the Supplier is authorised to do is listed in the Data Processing Schedule by the Controller and may not be determined by the Supplier. 1.2 The Supplier shall notify the Purchaser immediately if it considers that any of the Purchaser's instructions infringe the Data Protection Legislation. 1.3 The Supplier shall provide all reasonable assistance to the Purchaser in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Purchaser, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 1.4 The Supplier shall, in relation to any Personal Data processed in connection with its obligations under this Contract: (a) process that Personal Data only in accordance with the Data Processing Schedule, unless the Supplier is required to do otherwise by Law. 
If it is so required the Supplier shall promptly notify the Purchaser before processing the Personal Data unless prohibited by Law; (b) ensure that it has in place Protective Measures, which have been reviewed and approved by the Purchaser as appropriate to protect against a Data Loss Event having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; (c) ensure that: (i) the Supplier Personnel do not process Personal Data except in accordance with this Contract (and in particular the Data Processing Schedule); (ii) it takes all reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Supplier’s duties under this clause; (B) are subject to appropriate confidentiality undertakings with the Supplier or any Sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Purchaser or as otherwise permitted by this Contract; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; and (d) not transfer Personal Data outside of the EU unless the prior written consent of the Purchaser has been obtained and the following conditions are fulfilled: (i) the Purchaser or the Supplier has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Purchaser; (ii) the Data Subject has enforceable rights 
and effective legal remedies; (iii) the Supplier complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Purchaser in meeting its obligations); and (iv) the Supplier complies with any reasonable instructions notified to it in advance by the Purchaser with respect to the processing of the Personal Data; (e) at the written direction of the Purchaser, delete or return Personal Data (and any copies of it) to the Purchaser on termination of the Contract unless the Supplier is required by Law to retain the Personal Data.

Appears in 1 contract

Sources: Supply Agreement

Data Protection. The parties acknowledge that for the purposes of the Data Protection Legislation, the Authority is the Controller and the Supplier is the Processor. The only processing that the Supplier is authorised to do is listed in Part 2 of Schedule 11 (Processing, Personal Data and Data Subjects) by the Authority and may not be determined by the Supplier. Without prejudice to the generality of clause 40 (Data Protection), the Authority will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Supplier for the duration and purposes of this Contract. The Supplier shall notify the Authority immediately if it considers that any of the Authority's instructions infringe the Data Protection Legislation. The Supplier shall provide all reasonable assistance to the Authority in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Authority, include: a systematic description of the envisaged processing operations and the purpose of the processing; an assessment of the necessity and proportionality of the processing operations in relation to the Services; an assessment of the risks to the rights and freedoms of Data Subjects; and the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data. 
The Supplier shall, in relation to any Personal Data processed in connection with its obligations under this Contract: process that Personal Data only on the written instructions of the Authority and in accordance with Part 2 of Schedule 11 (Processing, Personal Data and Data Subjects), unless the Supplier is required to do otherwise by legislation. If it is so required the Supplier shall promptly notify the Authority before processing the Personal Data unless prohibited by legislation; ensure that it has in place Protective Measures, which have been reviewed and approved by the Authority as appropriate to protect against a Data Loss Event having taken account of the: nature of the data to be protected; harm that might result from a Data Loss Event; state of technological development; and cost of implementing any measures; ensure that: the Supplier Personnel do not process Personal Data except in accordance with this Contract (and in particular Part 2 of Schedule 11 (Processing, Personal Data and Data Subjects)); it takes all reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that they: are aware of and comply with the Supplier’s duties under this Schedule; are subject to appropriate confidentiality undertakings with the Supplier or any Sub-processor; are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority or as otherwise permitted by this Contract; and have undergone adequate training in the use, care, protection and handling of Personal Data; and not transfer Personal Data outside 
of the EU unless the prior written consent of the Authority has been obtained and the following conditions are fulfilled: the Authority or the Supplier has provided appropriate safeguards in relation to the transfer as determined by the Authority; the Data Subject has enforceable rights and effective legal remedies; the Supplier complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Authority in meeting its obligations); and the Supplier complies with any reasonable instructions notified to it in advance by the Authority with respect to the processing of the Personal Data; at the written direction of the Authority, delete or return Personal Data (and any copies of it) to the Authority on expiry or earlier termination of this Contract unless the Supplier is required by legislation to retain the Personal Data. Subject to paragraph 2.7, the Supplier shall notify the Authority immediately if it: receives a Data Subject Access Request (or purported Data Subject Access Request); receives a request to rectify, block or erase any Personal Data; receives any other request, complaint or communication relating to either party's obligations under the Data Protection Legislation; receives any communication from the Information Commissioner’s Office or any other regulatory authority in connection with Personal Data processed under this Contract; receives a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by legislation; or becomes aware of a Data Loss Event. The Supplier’s obligation to notify under paragraph 2.6 shall include the provision of further information to the Authority in phases, as details become available. 
Taking into account the nature of the processing, the Supplier shall provide the Authority with full assistance in relation to either party's obligations under Data Protection Legislation and any complaint, communication or request made under paragraph 2.6 (and insofar as possible within the timescales reasonably required by the Authority) including by promptly providing: the Authority with full details and copies of the complaint, communication or request; such assistance as is reasonably requested by the Authority to enable the Authority to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; the Authority, at its request, with any Personal Data it holds in relation to a Data Subject; assistance as requested by the Authority following any Data Loss Event; assistance as requested by the Authority with respect to any request from the Information Commissioner’s Office, or any consultation by the Authority with the Information Commissioner's Office. The Supplier shall maintain complete and accurate records and information to demonstrate its compliance with this Schedule. The Supplier shall allow for audits of its Data Processing activity by the Authority or the Authority's designated auditor. The Supplier shall designate a Data Protection Officer if required by the Data Protection Legislation. As at the Commencement Date, the Authority does not consent to the Supplier appointing any Sub-processor of Personal Data under this Contract. Any such third-party processing shall require the Authority's prior written consent. 
If, following the Commencement Date, the Authority does consent in writing to the Supplier appointing a Sub-processor then, before allowing any Sub-processor to process any Personal Data related to this Contract, the Supplier must: notify the Authority in writing of the intended Sub-processor and processing; enter into a written agreement with the Sub-processor which give effect to the terms set out in this Schedule 11 such that they apply to the Sub-processor; and provide the Authority with such information regarding the Sub-processor as the Authority may reasonably require. The Supplier shall remain fully liable for all acts or omissions of any Sub-processor. The Authority may, at any time on not less than 30 Business Days’ notice, revise this Schedule by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Contract). The Supplier shall, and shall procure that all Sub-Contractors shall enter into such further agreements relating to compliance with Data Protection Legislation as the Authority may from time to time reasonably require. The parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Authority may on not less than 30 Working Days’ notice to the Supplier amend this Contract to ensure that it complies with any guidance issued by the Information Commissioner’s Office.

Appears in 1 contract

Sources: Agreement for the Provision of Care and Support Services

Data Protection. 12.1. The Parties acknowledge that for the purposes of the Data Protection Legislation, the Authority is the Controller and the Provider is the Processor. The only Processing that the Supplier is authorised to do is listed in Schedule A by the Authority and may not be determined by the Provider. 12.2. The Provider shall notify the Authority immediately if it considers that any of the Authority's instructions infringe the Data Protection Legislation. 12.3. The Provider shall provide all reasonable assistance to the Authority in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Authority, include: a) a systematic description of the envisaged processing operations and the purpose of the processing; b) an assessment of the necessity and proportionality of the Processing operations in relation to the Services; c) an assessment of the risks to the rights and freedoms of Data Subjects; and d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 12.4. The Provider shall, in relation to any Personal Data processed in connection with its obligations under this Contract: a) process that Personal Data only in accordance with Schedule A, unless the Provider is required to do otherwise by Law. 
If it is so required the Provider shall promptly notify the Authority before processing the Personal Data unless prohibited by Law; b) ensure that it has in place Protective Measures, which have been reviewed and approved by the Authority as appropriate to protect against a Data Loss Event having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; c) ensure that: (i) the Provider Personnel do not Process Personal Data except in accordance with this Contract (and in particular Schedule A); (ii) it takes all reasonable steps to ensure the reliability and integrity of any Provider Personnel who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Provider’s duties under this clause; (B) are subject to appropriate confidentiality undertakings with the Provider or any Sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority or as otherwise permitted by this Contract; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; d) not transfer Personal Data outside of the EU unless the prior written consent of the Authority has been obtained and the following conditions are fulfilled: (i) the Authority or the Provider has provided appropriate safeguards in relation to the transfer (whether in accordance with Article 46 of the GDPR or Article 37 of the Law Enforcement Directive (Directive (EU) 2016/680)) as determined by the Authority; (ii) the 
Data Subject has enforceable rights and effective legal remedies; (iii) the Provider complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Authority in meeting its obligations); and (iv) the Provider complies with any reasonable instructions notified to it in advance by the Authority with respect to the Processing of the Personal Data; e) at the written direction of the Authority, delete or return Personal Data [and any copies of it] to the Authority on termination or expiry of the Contract unless the Provider is required by Law to retain the Personal Data. 12.5. Subject to Clause 1.6, the Provider shall notify the Authority immediately if it: a) receives a Data Subject Access Request (or purported Data Subject Access Request); b) receives a request to rectify, block or erase any Personal Data; c) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data Processed under this Contract; e) receives a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or f) becomes aware of a Data Loss Event. 12.6. The Provider’s obligation to notify under Clause 1.5 shall include the provision of further information to the Authority in phases, as details become available. 12.7. 
Taking into account the nature of the Processing, the Provider shall provide the Authority with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under Clause 1.5 (and insofar as possible within the timescales reasonably required by the Authority) including by promptly providing: a) the Authority with full details and copies of the complaint, communication or request; b) such assistance as is reasonably requested by the Authority to enable the Authority to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; c) the Authority, at its request, with any Personal Data it holds in relation to a Data Subject; d) assistance as requested by the Authority following any Data Loss Event; e) assistance as requested by the Authority with respect to any request from the Information Commissioner’s Office, or any consultation by the Authority with the Information Commissioner's Office. 12.8. The Provider shall maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Provider employs fewer than 250 staff, unless: a) the Authority determines that the processing is not occasional; b) the Authority determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; and c) the Authority determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. 12.9. The Provider shall allow for audits of its processing activity by the Authority or the Authority’s designated auditor. 12.10. The Provider shall designate a data protection officer if required by the Data Protection Legislation. 12.11. 
Before allowing any Sub-processor to process any Personal Data related to this Contract, the Provider must: a) notify the Authority in writing of the intended Sub-processor and Processing; b) obtain the written consent of the Authority; c) enter into a written agreement with the Sub-processor which give effect to the terms set out in this clause such that they apply to the Sub-processor; and d) provide the Authority with such information regarding the Sub-processor as the Authority may reasonably require. 12.12. The Provider shall remain fully liable for all acts or omissions of any Sub-processor. 12.13. The Provider may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Contract). 12.14. The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Authority may on not less than 30 Working Days’ notice to the Provider amend this agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office.

Appears in 1 contract

Sources: Service Agreement

Data Protection. 1.1 This GDPR Schedule includes Annex 1 (Schedule of Processing, Personal Data and Data. Annex 1 must be completed for this Schedule to be valid. 1.2 In the event of a conflict between this Schedule and other Clauses of the Contract pertaining to data protection, the Clauses within this Schedule shall apply. 1.3 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Controller and Processor are as described at the start of this Schedule. The only processing that the Processor is authorised to do is listed in Annex 1 to this Schedule by the Controller and may not be determined by the Processor. 1.4 The Processor shall notify the Controller immediately if it considers that any of the Controller's instructions infringe the Data Protection Legislation. 1.5 The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Controller, include: 1.5.1 a systematic description of the envisaged processing operations and the purpose of the processing; 1.5.2 an assessment of the necessity and proportionality of the processing operations in relation to the Services; 1.5.3 an assessment of the risks to the rights and freedoms of Data Subjects; and 1.5.4 the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 1.6 The Processor shall, in relation to any Personal Data processed in connection with its obligations under this Contract: 1.6.1 process that Personal Data only in accordance with Annex 1 to this Schedule, unless the Processor is required to do otherwise by Law. 
If it is so required the Processor shall promptly notify the Controller before processing the Personal Data unless prohibited by Law; 1.6.2 ensure that it has in place Protective Measures, which have been reviewed and approved by the Controller as appropriate to protect against a Data Loss Event having taken account of the: a. nature of the data to be protected; b. harm that might result from a Data Loss Event; c. state of technological development; and d. cost of implementing any measures; 1.6.3 ensure that: a. the Processor Personnel do not process Personal Data except in accordance with this Contract (and in particular Annex 1 to this Schedule); b. it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they: i. are aware of and comply with the Processor's duties under this Clause; ii. are subject to appropriate confidentiality undertakings with the Processor or any Sub-processor; iii. are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Controller or as otherwise permitted by this Contract; and iv. have undergone adequate training. 1.6.4 not transfer Personal Data outside of the EU unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled: a. the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Controller; b. the Data Subject has enforceable rights and effective legal remedies; c. 
the Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and d. the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data; 1.6.5 at the written direction of the Controller, delete or return Personal Data (and any copies of it) to the Controller on termination of the Contract unless the Processor is required by Law to retain the Personal Data.

Appears in 1 contract

Sources: Supply of Services Agreement

Data Protection. The Parties acknowledge that for the purposes of the Data Protection Legislation, the Client is the Controller and the Consultant is the Processor unless otherwise specified in Schedule [X]. The only processing that the Processor is authorised to do is listed in Schedule [X] by the Controller and may not be determined by the Processor. The Processor shall notify the Controller immediately if it considers that any of the Controller's instructions infringe the Data Protection Legislation. The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Controller, include: a systematic description of the envisaged processing operations and the purpose of the processing; an assessment of the necessity and proportionality of the processing operations in relation to the Services; an assessment of the risks to the rights and freedoms of Data Subjects; and the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. The Processor shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: process that Personal Data only in accordance with Schedule [X], unless the Processor is required to do otherwise by Law. 
If it is so required the Processor shall promptly notify the Controller before processing the Personal Data unless prohibited by Law; ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), having taken account of the: nature of the data to be protected; harm that might result from a Data Loss Event; state of technological development; and cost of implementing any measures; ensure that: the Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule X); it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they: are aware of and comply with the Processor's duties under this clause; are subject to appropriate confidentiality undertakings with the Processor or any Sub-processor; are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Controller or as otherwise permitted by this Agreement; and have undergone adequate training in the use, care, protection and handling of Personal Data; and not transfer Personal Data outside of the UK unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled: the Controller or the Processor has provided appropriate safeguards in relation to the transfer (in accordance with the Data Protection Legislation) as determined by the Controller; the Data Subject has enforceable rights and effective legal remedies; the Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, 
if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data; at the written direction of the Controller, delete or return Personal Data (and any copies of it) to the Controller on termination of the Agreement unless the Processor is required by Law to retain the Personal Data.

Appears in 1 contract

Sources: JCT Consultancy Agreement

Data Protection. 1.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer Client is the Controller and the Supplier Exacom is the Processor unless otherwise specified in Contract Schedule 7Processor. The only processing that the Processor Exacom is authorised to do is listed in Contract Schedule 7 A by the Controller Client and may not be determined by the Processor. The Processor Exacom. 1.2 Exacom shall notify the Controller Client immediately if it considers that any of the ControllerClient 's instructions infringe the Data Protection Legislation. The Processor . 1.3 Exacom shall provide all reasonable assistance to the Controller Client in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the ControllerClient, include: : (a) a systematic description of the envisaged processing operations and the purpose of the processing; ; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; ; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. The Processor 1.4 Exacom shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: : (a) process that Personal Data only in accordance with Contract Schedule 7A, unless the Processor Exacom is required to do otherwise by Law. 
If it is so required the Processor Exacom shall promptly notify the Controller Client before processing the Personal Data unless prohibited by Law; ; (b) ensure that it has in place Protective Measures, which are have been reviewed and approved by the Client as appropriate to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), Event having taken account of the: : (i) nature of the data to be protected; ; (ii) harm that might result from a Data Loss Event; ; (iii) state of technological development; and and (iv) cost of implementing any measures; ; (c) ensure that : the Processor that: (i) Exacom’s Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 7A); ; (ii) it takes all reasonable steps to ensure the reliability and integrity of any Processor Exacom’s Personnel who have access to the Personal Data and ensure that they: (A) are aware of and comply with ▇▇▇▇▇▇’s duties under this Clause; (B) are subject to appropriate confidentiality undertakings with Exacom or any Sub- Processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Client or as otherwise permitted by this Agreement; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; and (d) not transfer Personal Data outside of the EU unless the prior written consent of the Client has been obtained and the following conditions are fulfilled: (i) the Client or Exacom has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Client ; (ii) the Data Subject has enforceable rights and effective legal remedies; (iii) Exacom complies with its 
obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Client in meeting its obligations); and (iv) Exacom complies with any reasonable instructions notified to it in advance by the Client with respect to the processing of the Personal Data; (e) at the written direction of the Client , and at Exacom’s sole cost, delete or return Personal Data (and any copies of it) to the Client on termination of the Agreement unless Exacom is required by Law to retain the Personal Data. 1.5 Subject to Clause 1.6, Exacom shall notify the Client immediately if it: (a) receives a Data Subject Access Request (or purported Data Subject Access Request); (b) receives a request to rectify, block or erase any Personal Data; (c) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; (d) receives any communication from the Information Commissioner or any other regulatory Client in connection with Personal Data processed under this Agreement; (e) receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or (f) becomes aware of a Data Loss Event.

Appears in 1 contract

Sources: Software & Maintenance Agreement

Data Protection. 1.1 The Parties acknowledge parties agree that the Controller is the data controller and the Processor is the data processor for the purposes of the Data Protection Legislation, provision of the Customer Services. 1.2 The subject-matter of the data processing is the Controller and performance of the Supplier is the Processor unless otherwise specified in Contract Schedule 7Services. The only processing that the Processor is authorised to do is listed in Contract Schedule 7 by obligations and rights of the Controller and may not be determined by the Processorare as set out in this Data Processing Agreement. The Processor shall notify the Controller immediately if it considers Personal Data that any of the Controller's instructions infringe the Data Protection Legislation. The Processor shall provide all reasonable assistance will be processed pursuant to the Controller Services shall be as set out in the preparation form attached as Annex I to the SCCs and shall form part of any Data Protection Impact Assessment prior each work order concluded under the Agreement or other relevant services agreement (whether or not the SCCs are applicable). Annex I to commencing any processing. Such assistance maythe SCCs sets out the nature, at the discretion of the Controller, include: a systematic description of the envisaged processing operations duration and the purpose of the processing; an assessment , the types of Personal Data the necessity and proportionality of the processing operations in relation to the Services; an assessment of the risks to the rights and freedoms of Data Subjects; Processor processes and the measures envisaged to address categories of data subjects whose Personal Data is processed. 1.3 When the risks, including safeguards, security measures and mechanisms to ensure the protection of Processor processes Personal Data. 
The , the Processor shall, notwithstanding anything to the contrary in relation to any Personal Data processed in connection with its obligations under this Agreement: Agreement : 1.3.1 process that the Personal Data only in accordance with Contract Schedule 7, unless written lawful and reasonable instructions of the Controller (which may be specific instructions or instructions of a general nature as set out in this Agreement or as otherwise notified in writing by the Controller to the Processor from time to time) and not for the Processor's own purposes. If the Processor is required to do otherwise process the personal data for any other purpose by Law. If it European Union or Member State law to which the Processor is so required subject, the Processor shall promptly notify inform the Controller of this requirement before the processing, unless otherwise mandated by Applicable Law on important grounds of public interest; 1.3.2 notify Controller promptly if, in Processor's opinion, an instruction for the processing of Personal Data infringes applicable Data Protection Legislation (“Unlawful Instruction”). Should Controller insist on the Unlawful Instruction Processor reserves the right to either suspend the processing or terminate the Service to which the Unlawful Instruction relates. This suspension or termination will not be deemed a breach of this Data Processing Agreement; 1.3.3 provide reasonable assistance to Controller where required under Data Protection Legislation to enable it to comply with its obligations, including its transparency obligations towards data subject(s), under Data Protection Legislation and at Controller’s cost and expense, unless otherwise agreed. 
For the avoidance of doubt, Controller shall be responsible for providing the relevant notices to Processor where required for data subject(s); 1.3.4 at Controller’s cost and expense unless otherwise agreed, and by taking into account the nature of the processing and by using appropriate technical and organisational measures, and insofar as this is possible, assist Controller to fulfil its obligations to respond to requests from data subjects exercising their rights in connection with their Personal Data processed by Processor and/or its Subprocessor during the course of the Services; 1.3.5 implement and maintain appropriate technical and organisational measures commensurate with the nature of the Personal Data unless prohibited by Law; ensure that it has in place Protective Measuresto protect the Personal Data against unauthorised or unlawful processing and against a Security Incident. Such measures shall include the provisions of Annex II to the SCCs, which shall apply whether or not the SCCs are appropriate applicable, and publish any updates to protect against such measures at the IQVIA Customer Support Hub at ▇▇▇▇▇://▇▇▇.▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇.▇▇▇▇▇.▇▇▇ and the IQVIA Customer Portal at ▇▇▇▇▇://▇▇▇.▇▇▇▇▇▇▇▇▇▇▇▇▇▇.▇▇▇▇▇.▇▇▇. 1.3.6 engage Subprocessors for the purposes of processing Personal Data under this Agreement. Controller hereby acknowledges and accepts that Processor may engage any of its affiliates as Subprocessors during the term of the Agreement. A list of third party Subprocessors authorised as of the date of the Agreement is set out in Appendix A attached hereto. Any intended changes concerning the addition or replacement of third party Subprocessors shall be published at ▇▇▇▇▇://▇▇▇.▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇.▇▇▇▇▇.▇▇▇ and the IQVIA Customer Portal at ▇▇▇▇▇://▇▇▇.▇▇▇▇▇▇▇▇▇▇▇▇▇▇.▇▇▇▇▇.▇▇▇ in order to give the Controller the opportunity to object to such change. 
If Controller has a legitimate reason under Data Loss EventProtection Legislation to object to the new Subprocessors’ processing of Personal Data, Controller may terminate the Agreement (limited to the Services for which the Controller may reasonably reject (but failure new Subprocessor is intended to reject be used) on written notice to Processor within 15 business days of such publication. Such termination shall not amount to approval take effect at the time determined by the Controller which shall be no later than 30 days from the date of the adequacy Processor’s publication of the Protective Measures), having taken account of the: nature of the data to be protected; harm that might result from a Data Loss Event; state of technological development; and cost of implementing any measures; ensure that : the Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 7); it takes all reasonable steps to such intended change. 1.3.7 ensure the reliability and integrity competence of the Subprocessor(s) and Processor shall include in any Processor Personnel contract with the Subprocessor(s) provisions which are no less stringent than those contained in this Data Processing Agreement; 1.3.8 remain fully liable to Controller for the fulfilment of Processor's obligations under this Data Processing Agreement, where such Subprocessor fails to fulfil its obligations under the applicable subprocessing agreement or any applicable Data Protection Legislation; 1.3.9 bind Processor’s personnel who have access to the Personal Data by confidential and ensure non-use obligations no less stringent than the obligations set out in this Data Processing Agreement or under a statutory obligation of confidentiality; 1.3.10 upon Controller’s written request at reasonable intervals, and subject to reasonable confidentiality controls, Processor will make available to Controller a copy, if available, of either (i) a certification as to 
compliance with ISO 27001 or other standards (scope as defined in the certificate); or (ii) Processor’s most recent SOC- 2 attestation report to verify the adequacy of its security measures relevant to Personal Data processed by Processor (“Audit Report”). Controller agrees that theyany audit rights granted by Data Protection Legislation will be satisfied by these Audit Reports. To the extent that Processor’s provision of an Audit Report does not provide sufficient information or Controller is required to respond to a regulatory authority audit, Controller agrees to a mutually agreed-upon audit plan with Processor that: (a) allows Controller or its mandated independent third party auditor to conduct the audit; (b) provides at least ninety (90) days advance notice of any audit to Processor unless Data Protection Legislation or a competent data protection authority requires shorter notice; (c) requests access only during business hours; (d) accepts that Controller shall bear the costs of any audit; (e) occurs no more than once annually; (f) restricts its findings to only data relevant to Controller; and (g) obligates Controller, to the extent permitted by law or regulation, to keep confidential any information gathered that, by its nature, should be confidential. 
1.3.11 maintain, and make available to Controller upon reasonable prior notice, all necessary information and documentation relevant to the Personal Data processing activities in connection with Services performed under the Agreement to verify Controller’s compliance with the Data Protection Legislation; 1.3.12 agree, subject to the protection of Processor ’s confidential and proprietary information in accordance with the Agreement, that Controller may disclose such information, records and documentation, including this Data Processing Agreement, to demonstrate Controller’s compliance with the Data Protection Legislation; 1.3.13 at the end of the Services (1) cease processing the Personal Data except as otherwise provided under Applicable Law and/or (2) destroy or return all copies of Personal Data except as otherwise provided under Applicable Law; 1.4 If Processor becomes aware of any Security Incident affecting its processing of Personal Data, Processor shall without undue delay notify Controller and: 1.4.1 provide Controller with as detailed a description as possible of the Security Incident; 1.4.2 take action immediately, at Processor 's own expense, to investigate the Security Incident and to identify, prevent and mitigate the effects of the Security Incident and carry out any commercially reasonable action to remedy the Security Incident; and 1.4.3 not release or publish any filing, communication, notice, press release, or report concerning the Security Incident unless otherwise agreed with the Controller (except where required to do so by Applicable Law). 1.5 Unless specific data localisation terms are agreed in the Agreement or in the applicable work order, Controller acknowledges that the Processor’s platform and services are operated, supported and maintained globally. Any transfer of Personal Data outside of a Protected Area shall be made with appropriate safeguards in place and in accordance the Data Protection Legislation. 
Where data protection legislation of any member state of the EU, EEA, Switzerland or the United Kingdom applies to the processing of the Personal Data prior to its processing by Processor and where Processor (or Controller, in cases where Module 4 of the SCCs apply) is established outside the Protected Area then the parties agree to the terms of the Standard Contractual Clauses as if they were set out here in full 1.6 In the event Processor makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Data Protection Legislation, Processor must as soon as practicable following the determination provide Controller notice thereof, and provide such further information and assistance as may be reasonably requested at Controller’s expense. 1.7 To the extent that the terms contained in the Agreement conflict or are inconsistent with those contained in this Data Processing Agreement, the terms contained in this Data Processing Agreement shall control to the extent of such conflict or inconsistency.

Appears in 1 contract

Sources: Data Processing Agreement

Data Protection. 2.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is we are the Controller and you are the Supplier is the Processor unless otherwise specified in Contract Schedule 7Processor. The only processing that the Processor is authorised to do is listed in Contract Schedule 7 Appendix 1 by the Controller and may not be determined by the Processor. The term “processing” and any associated terms are to be read in accordance with Article 4 of the UK GDPR. 2.2 The Processor shall notify the Controller immediately if it considers that any of the Controller's instructions infringe the Data Protection Legislation. The . 2.3 If the Controller considers a Data Protection Impact Assessment (DPIA) is needed, the Processor shall provide all reasonable assistance to the Controller in preparing the preparation of any Data Protection Impact Assessment DPIA prior to commencing any processing. Such assistance may, at the discretion of the Controller, include: a systematic description of the envisaged processing operations and the purpose of the processing; an assessment of the necessity and proportionality of the processing operations in relation to the Services; an assessment of the risks to the rights and freedoms of Data Subjects; and the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. . 2.4 The Processor shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: : a. process that Personal Data only in accordance with Contract Schedule 7Appendix 1, unless the Processor is required to do otherwise by Law. If it is so required the Processor shall promptly notify the Controller before processing the Personal Data unless prohibited by Law; ; b. 
ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Controller may reasonably reject (but failure reject. In the event of the Controller reasonably rejecting Protective Measures put in place by the Processor, the Processor must propose alternative Protective Measures to the satisfaction of the Controller. Failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), having taken . Protective Measures must take account of the: : (i) nature of the data to be protected; ; (ii) harm that might result from a Data Loss Event; ; (iii) state of technological development; and and (iv) cost of implementing any measures; ; c. ensure that : that: (i) the Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 7Appendix 1); ; (ii) it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Processor’s duties under this clause; (B) are subject to appropriate confidentiality undertakings with the Processor or any Sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Controller or as otherwise permitted by this Agreement; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; and d. 
not transfer Personal Data outside of the UK unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled: (i) the destination country has been recognised as adequate by the UK government in accordance with Article 45 UK GDPR or section 74 of the DPA 2018; (ii) the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with UK GDPR Article 46 or section 75 DPA 2018) as determined by the Controller; (iii) the Data Subject has enforceable rights and effective legal remedies; (iv) the Processor complies with its obligations under Data Protection Legislation by providing an appropriate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and (v) the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data; e. at the written direction of the Controller, delete or return Personal Data (and any copies of it) to the Controller on termination of the Agreement unless the Processor is required by Law to retain the Personal Data. 2.5 Subject to paragraph 2.6, the Processor shall notify the Controller immediately if it: a. receives a Data Subject Request (or purported Data Subject Request); b. receives a request to rectify, block or erase any Personal Data; c. receives any other request, complaint or communication relating to either Party's obligations under Data Protection Legislation; d. receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; e. receives a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or f. becomes aware of a Data Loss Event. 
2.6 The Processor’s obligation to notify under paragraph 2.5 shall include the provision of further information to the Controller, as details become available. 2.7 Taking into account the nature of the processing, the Processor shall provide the Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under paragraph 2.5 (and insofar as possible within the timescales reasonably required by the Controller. 2.8 The Processor shall maintain complete and accurate records and information to demonstrate its compliance with this clause. 2.9 The Processor shall allow for audits of its Data Processing activity by the Controller or the Controller’s designated auditor. 2.10 Before allowing any Sub-processor to process any Personal Data related to this Agreement, the Processor must: a. notify the Controller in writing of the intended Sub-processor and processing;

Appears in 1 contract

Sources: Grant Agreement

Data Protection. 19.1 The Lessor shall, and shall procure that all staff shall, comply with any notification requirements under DPA and all Parties shall duly observe all their obligations under the DPA which arise in connection with the Agreement. 19.2 It is not envisaged that for the purposes of management that there will be any provision of Personal Data to the Lessor by Lessee for processing. This Clause does not seek to limit or obviate the responsibilities of the Lessee or the Lessor to Personal Data. 19.3 Whilst it is not envisaged that there will be any provision of Personal Data by ▇▇▇▇▇▇ to the Lessor, should this situation alter then the following Clauses 19.4 – 19.17 apply. 19.4 All Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer Lessee is the Controller and the Supplier Lessor is the Processor unless otherwise specified in Contract Schedule 7Processor. The only processing that the Processor Lessor is authorised to do is listed undertake will be notified in Contract Schedule 7 writing by the Controller and ▇▇▇▇▇▇. Changes to processing may not be determined by the Processor. Lessor. 19.5 The Processor Lessor shall notify the Controller ▇▇▇▇▇▇ immediately if it considers that any of the Controller▇▇▇▇▇▇'s instructions infringe the Data Protection Legislation. DPA. 19.6 The Processor Lessor shall provide all reasonable assistance to the Controller Lessee in the preparation of any Data Protection Impact Assessment prior to commencing any processing. 
Such assistance may, at the discretion of the ControllerLessee, include: a : (a) systematic description of the envisaged processing operations and the purpose of the processing; ; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; this Agreement; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. . 19.7 The Processor Lessor shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: : (a) process that Personal Data only in accordance with Contract Schedule 7, ensuring delivery of Goods unless the Processor Lessor is required to do otherwise by Law. If it is so required the Processor Lessor shall promptly notify the Controller Lessee before processing the Personal Data unless prohibited by Law; ; (b) ensure that it has in place Protective Measures, which are have been reviewed and approved by ▇▇▇▇▇▇ as appropriate to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), Event having taken account of the: : (i) nature of the data to be protected; ; (ii) harm that might result from a Data Loss Event; ; (iii) state of technological development; and and (iv) cost of implementing any measures; ; (c) ensure that : that: (i) the Processor Personnel employees do not process Personal Data except in accordance with this Agreement (and in particular Schedule 7particularly for the purposes of delivery of Goods); ; (ii) it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel employees who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Lessor’s duties under this clause; (B) 
are subject to appropriate confidentiality undertakings with the Lessor or any Sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by ▇▇▇▇▇▇ or as otherwise permitted by this Agreement; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; and (d) not transfer Personal Data outside of the United Kingdom unless the prior written consent of ▇▇▇▇▇▇ has been obtained and the following conditions are fulfilled: (i) The Lessor has provided appropriate safeguards in relation to the transfer (whether in accordance with UK GDPR Article 46 or LED Article

Appears in 1 contract

Sources: Master Lease Agreement

Data Protection. 21.1 The expiry or earlier termination of the Contract shall not affect the continuing rights and obligations of the Service Provider and the Council under this clause. The Parties acknowledge that for the purposes of the Data Protection Legislation, they shall be the Customer Controller of their respective orders (and where necessary shall both be Controllers) and the Service Provider is the Controller and the Supplier is the Processor unless otherwise specified in Contract Schedule 7Processor. The only processing that the Processor Service Provider is authorised to do by the Council is listed in Contract Schedule 7 by the Controller 4 to this clause and may not be determined by the Processor. Service Provider. 21.2 The Processor Service Provider shall notify the Controller Council immediately if it considers that any of the ControllerCouncil's instructions infringe the Data Protection Legislation. . 21.3 The Processor Service Provider shall provide all reasonable assistance to the Controller Council in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Controller, Council include: : 21.3.1 a systematic description of the envisaged processing operations and the purpose of the processing; ; 21.3.2 an assessment of the necessity and proportionality of the processing operations in relation to the Services; ; 21.3.3 an assessment of the risks to the rights and freedoms of Data Subjects; and and 21.3.4 the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. . 21.4 The Processor Service Provider shall, in relation to any Personal Data processed in connection with its obligations under this the Agreement: : 21.4.1 process that Personal Data only in accordance with Contract Schedule 74 of this Agreement, unless the Processor Service Provider is required to do otherwise by Law. 
If it is so required, the Service Provider shall promptly notify the Council before processing the Personal Data unless prohibited by Law; 21.4.2 ensure that it has in place Protective Measures, which have been reviewed and approved by the as appropriate to protect against a Data Loss Event having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; 21.4.3 ensure that: (i) the Service Provider Personnel do not process Personal Data except in accordance with the Agreement (and in particular Schedule 4 to this Agreement); (ii) it takes all reasonable steps to ensure the reliability and integrity of any Service Provider Personnel who have access to the Personal Data and ensure that they: (a) are aware of and comply with the Service Provider's duties under this clause (b) are subject to appropriate confidentiality undertakings with the Service Provider or any Sub-processor (c) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the or as otherwise permitted by this Agreement; and (d) have undergone adequate training in the use, care, protection and handling of Personal Data; and 21.4.4 not transfer Personal Data outside of the EU unless the prior written consent of the has been obtained and the following conditions are fulfilled: (i) the Council or the Service Provider has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Council; (ii) the data subject has 
enforceable rights and effective legal remedies enforceable in the territory to which the Personal Data is to be transferred; (iii) the Service Provider complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Council in meeting its obligations); and (iv) the Service Provider complies with any reasonable instructions notified to it in advance by the with respect to the processing or the Personal Data; 21.4.5 at the written direction of the Council, delete or return Personal Data (and any copies of it) to the on termination of this Agreement unless the Service Provider is required by Law to retain the Personal Data. 21.5 The Service Provider shall notify the Council immediately if it: 21.5.1 receives a Data Subject Access Request (or purported Data Subject Access Request); 21.5.2 receives a request to rectify, block or erase any Personal Data; 21.5.3 receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; 21.5.4 receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; 21.5.5 receives a request from any third party for disclosure of Personal Data, or 21.5.6 becomes aware of a Data Loss Event. 21.6 The Service Provider's obligation to notify under clause 1.5 shall include the provision of further information to the Council in phases, as details become available. 
21.7 Taking into account the nature of the processing, the Service Provider shall provide the Council with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause 21.5 (and insofar as possible within the timescales reasonably required by the Council) including by promptly providing: 21.7.1 such assistance as is reasonably requested by the Council to enable the Council to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; 21.7.2 the Council, at its request, with any Personal Data it holds in relation to a Data Subject; 21.7.3 assistance as requested by the Council following any Data Loss Event; 21.7.4 assistance as requested by the Council with respect to any request from the Information Commissioner's Office, or any consultation by the Council with the Information Commissioner's Office. 21.8 The Service Provider shall maintain complete and accurate records and information to demonstrate its compliance with the clause. This requirement does not apply where the Service Provider employs fewer than 250 staff, unless: 21.8.1 the Council determines that the processing is not occasional; 21.8.2 the Council determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; and 21.8.3 the Council determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. 21.9 The Contractor shall allow for audits of its Data Processing activity by the Council or the Council's designated auditor. 21.10 The Service Provider shall designate a data protection officer if required by the Data Protection Legislation. 
21.11 Before allowing any Sub-processor to process Personal Data related to this Agreement, the Service Provider must: 21.11.1 notify the Council in writing of the intended Sub-processor and processing; 21.11.2 obtain the written consent of the Council; 21.11.3 enter into a written agreement with the Sub-processor which gives effect to the terms set out in this clause such that they apply to the Sub-processor; and 21.11.4 provide the Council with such information regarding the Sub-processor as the Council may reasonably require. 21.12 The Service Provider shall remain fully liable for all acts or omissions of any Sub-processor. 21.13 The Council may, at any time on not less than 30 Working Days' notice, revise this clause by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Agreement). 21.14 The Parties agree to take account of any guidance issued by the Information Commissioner's Office. The Council may on not less than 30 Working Days' notice to the Service Provider amend this agreement to ensure that it complies with any guidance issued by the Information Commissioner's Office. 21.15 Upon termination of the Contract the Service Provider shall: 21.15.1 cease processing Personal Data on behalf of the Council; and 21.15.2 at the Council’s request, either forthwith return to the all copies of the Personal Data which it is processed on behalf of the Council, or destroy the same within 14 days of being requested to do so by the Council. 21.16 The Service Provider shall ensure that all personnel do not publish, disclose or divulge any of the Personal Data to any third party, unless directed in writing by the to do so. 
21.17 The Service Provider shall fully indemnify the Council, its employees or agents against the cost of dealing with any claims made in respect of any information subject to Data Protection Legislation, which claims would not have arisen but for some act, omission or negligence on the part of the Service Provider, his employees or agents in the provision of the Services.

Appears in 1 contract

Sources: Supplier Agreement

Data Protection. 1.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Authority is the Controller and the Service Provider is the Processor. The only processing that the Service Provider is authorised to do is listed in Contract Schedule A by the Authority and may not be determined by the Service Provider. 1.2 The Service Provider shall notify the Authority immediately if it considers that any of the Authority's instructions infringe the Data Protection Legislation. 1.3 The Service Provider shall provide all reasonable assistance to the Authority in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Authority, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 1.4 The Service Provider shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: (a) process that Personal Data only in accordance with Contract Schedule A, unless the Service Provider is required to do otherwise by Law. 
If it is so required the Service Provider shall promptly notify the Authority before processing the Personal Data unless prohibited by Law; (b) ensure that it has in place Protective Measures, which have been reviewed and approved by the Authority as appropriate to protect against a Data Loss Event having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; (c) ensure that: (i) the Service Provider’s Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule A); (ii) it takes all reasonable steps to ensure the reliability and integrity of any Service Provider’s Personnel who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Service Provider’s duties under this Clause; (B) are subject to appropriate confidentiality undertakings with the Service Provider or any Sub-Processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Authority or as otherwise permitted by this Agreement; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; and (d) not transfer Personal Data outside of the EU unless the prior written consent of the Authority has been obtained and the following conditions are fulfilled: (i) the Authority or the Service Provider has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Authority; (ii) the Data Subject has 
enforceable rights and effective legal remedies; (iii) the Service Provider complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Authority in meeting its obligations); and (iv) the Service Provider complies with any reasonable instructions notified to it in advance by the Authority with respect to the processing of the Personal Data; (e) at the written direction of the Authority, and at the Service Provider’s sole cost, delete or return Personal Data (and any copies of it) to the Authority on termination of the Agreement unless the Service Provider is required by Law to retain the Personal Data. 1.5 Subject to Clause 1.6, the Service Provider shall notify the Authority immediately if it: (a) receives a Data Subject Access Request (or purported Data Subject Access Request); (b) receives a request to rectify, block or erase any Personal Data; (c) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; (d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; (e) receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or (f) becomes aware of a Data Loss Event. 1.6 The Service Provider’s obligation to notify under Clause 1.5 shall include the provision of further information to the Authority in phases, as details become available. 
1.7 Taking into account the nature of the processing, the Service Provider shall provide the Authority with full assistance in relation to either Party's obligations under Data Protection Legislation including any complaint, communication or request made under Clause 1.5 (and insofar as possible within the timescales reasonably required by the Authority) including by promptly providing: (a) the Authority with full details and copies of the complaint, communication or request; (b) such assistance as is reasonably requested by the Authority to enable the Authority to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; (c) the Authority, at its request, with any Personal Data it holds in relation to a Data Subject; (d) assistance as requested by the Authority following any Data Loss Event; (e) assistance as requested by the Authority with respect to any request from the Information Commissioner’s Office, or any consultation by the Authority with the Information Commissioner's Office. 1.8 The Service Provider shall maintain complete and accurate records and information to demonstrate its compliance with this Clause. This requirement does not apply where the Service Provider employs fewer than 250 staff, unless: (a) the Authority determines that the processing is not occasional; (b) the Authority determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; and (c) the Authority determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. 1.9 The Service Provider shall allow for audits of its Data Processing activity by the Authority or the Authority’s designated auditor. 1.10 The Service Provider shall designate a Data Protection Officer if required by the Data Protection Legislation. 
1.11 Before allowing any Sub-Processor to process any Personal Data related to this Agreement, the Service Provider must: (a) notify the Authority in writing of the intended Sub-Processor and processing; (b) obtain the written consent of the Authority; (c) enter into a written agreement with the Sub-Processor which gives effect to the terms set out in this Clause 1 such that they apply to the Sub-Processor; and (d) provide the Authority with such information regarding the Sub-Processor as the Authority may reasonably require. 1.12 The Service Provider shall remain fully liable for all acts or omissions of any Sub-Processor. 1.13 The Service Provider may, at any time on not less than 30 Working Days’ notice, revise this Clause by replacing it with any applicable controller to processor standard Clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Agreement). 1.14 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Authority may on not less than 30 Working Days’ notice to the Service Provider amend this agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office. 1. The Service Provider shall comply with any further written instructions with respect to processing by the Authority.

Appears in 1 contract

Sources: Data Protection Agreement

Data Protection. 8.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Client is the Controller and the Consultant Company is the Processor. 8.2 The only processing that the Processor is authorised to do is listed in Contract Schedule 4 by the Controller and may not be determined by the Processor. 8.3 The Processor shall notify the Controller immediately if it considers that any of the Controller's instructions infringe the Data Protection Legislation. 8.4 The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Controller, include: a. a systematic description of the envisaged processing operations and the purpose of the processing. b. an assessment of the necessity and proportionality of the processing operations in relation to the Services; c. an assessment of the risks to the rights and freedoms of Data Subjects; and d. the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 8.5 The Processor shall carry out its own Data Protection Impact Assessment prior to commencing any processing under this Agreement where required under the Data Protection Legislation and otherwise as may be appropriate to ensure the security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, and shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: a. process that Personal Data only in accordance with Contract Schedule 4, unless the Processor is required to do otherwise by Law. 
If it is so required the Processor shall promptly notify the Controller before processing the Personal Data unless prohibited by Law; b. ensure that it has in place Protective Measures, which have been reviewed and approved by the Controller as appropriate to protect against a Data Loss Event having taken account of the: i. nature of the data to be protected; ii. harm that might result from a Data Loss Event; iii. state of technological development; and iv. cost of implementing any measures; c. ensure that: i. the Processor’s Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 4); ii. it takes all reasonable steps to ensure the reliability and integrity of any Processor’s Personnel who have access to the Personal Data and ensure that they: A. are aware of and comply with the Processor’s duties under this ▇▇▇▇▇▇; B. are subject to appropriate confidentiality undertakings with the Processor or any Sub-Processor; C. are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Controller or as otherwise permitted by this Agreement; and D. have undergone adequate training in the use, care, protection and handling of Personal Data; and d. not transfer Personal Data outside of the UK unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled: i. the Controller or the Processor has provided appropriate safeguards in relation to the transfer as determined by the Controller; ii. the Data Subject has enforceable rights and effective legal remedies; iii. 
the Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and iv. the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data; e. at the written direction of the Controller, and at the Service Processor’s sole cost, delete or return Personal Data (and any copies of it) to the Controller on termination of the Agreement unless the Processor is required by Law to retain the Personal Data. 8.6 Subject to Clause 8.7, the Processor shall notify the Controller immediately if it: a. receives a Data Subject Access Request (or purported Data Subject Access Request); b. receives a request to rectify, block or erase any Personal Data; c. receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; d. receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; e. receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or f. becomes aware of a Data Loss Event. 8.7 The Processor’s obligation to notify under Clause 8.6 shall include the provision of further information to the Controller in phases, as details become available. 8.8 Taking into account the nature of the processing, the Processor shall provide the Controller with full assistance in relation to either Party's obligations under Data Protection Legislation including any complaint, communication or request made under Clause 8.6 (and insofar as possible within the timescales reasonably required by the Controller) including by promptly providing: a. 
the Controller with full details and copies of the complaint, communication or request; b. such assistance as is reasonably requested by the Controller to enable the Controller to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; c. the Controller, at its request, with any Personal Data it holds in relation to a Data Subject; d. assistance as requested by the Controller following any Data Loss Event including but not limited to all information and findings relating to any internal or external investigation into the Data Loss Event; e. assistance as requested by the Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Controller with the Information Commissioner's Office. 8.9 The Processor shall maintain complete and accurate records and information to demonstrate its compliance with this Clause 8. This requirement does not apply where the Processor employs fewer than 250 staff, unless: a. the Controller determines that the processing is not occasional; b. the Controller determines the processing includes special categories of data or Personal Data relating to criminal convictions and offences as referred to in the UK GDPR; and c. the Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. 8.10 The Processor shall allow for audits of its Data Processing activity by the Controller or the Controller’s designated auditor. 8.11 The Processor shall designate a Data Protection Officer if required by the Data Protection Legislation. 8.12 Before allowing any Sub-Processor to process any Personal Data related to this Agreement, the Processor must: a. notify the Controller in writing of the intended Sub-Processor and processing;

Appears in 1 contract

Sources: Consultancy Agreement

Data Protection. 19.1 The Lessor shall, and shall procure that all staff shall, comply with any notification requirements under DPA and all Parties shall duly observe all their obligations under the DPA which arise in connection with the Agreement. 19.2 It is not envisaged that for the purposes of management that there will be any provision of Personal Data to the Lessor by Lessee for processing. This Clause does not seek to limit or obviate the responsibilities of the Lessee or the Lessor to Personal Data. 19.3 Whilst it is not envisaged that there will be any provision of Personal Data by Lessee to the Lessor, should this situation alter then the following Clauses 19.4 – 19.17 apply. 19.4 All Parties acknowledge that for the purposes of the Data Protection Legislation, the Lessee is the Controller and the Lessor is the Processor. The only processing that the Lessor is authorised to undertake will be notified in writing by the Lessee. Changes to processing may not be determined by the Lessor. 19.5 The Lessor shall notify the Lessee immediately if it considers that any of the Lessee's instructions infringe the DPA. 19.6 The Lessor shall provide all reasonable assistance to the Lessee in the preparation of any Data Protection Impact Assessment prior to commencing any processing. 
Such assistance may, at the discretion of the Lessee, include: (a) systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to this Agreement; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 19.7 The Lessor shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: (a) process that Personal Data only in accordance with Contract Schedule 7, ensuring delivery of Goods unless the Lessor is required to do otherwise by Law. If it is so required the Lessor shall promptly notify the Lessee before processing the Personal Data unless prohibited by Law; (b) ensure that it has in place Protective Measures, which have been reviewed and approved by Lessee as appropriate to protect against a Data Loss Event having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; (c) ensure that: (i) the Processor employees do not process Personal Data except in accordance with this Agreement (and particularly for the purposes of delivery of Goods); (ii) it takes all reasonable steps to ensure the reliability and integrity of any Processor employees who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Lessor’s duties under this clause; (B) 
are subject to appropriate confidentiality undertakings with the Lessor or any Sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by Lessee or as otherwise permitted by this Agreement; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; and (d) not transfer Personal Data outside of the United Kingdom unless the prior written consent of Lessee has been obtained and the following conditions are fulfilled: (i) The Lessor has provided appropriate safeguards in relation to the transfer (whether in accordance with UK GDPR Article 46 or LED Article

Appears in 1 contract

Sources: DPS Agreement

Data Protection. The Parties acknowledge that for the purposes of the Data Protection Legislation, the Authority is the Controller and the Supplier is the Processor. Appendix 1 to this Annex 6 sets out the following information in relation to the Data: subject-matter of the Processing; duration of Processing; nature and purpose of the Processing; type of Data; and categories of Data Subject. The only processing that the Supplier is authorised to do by the Authority is listed in Appendix 1 to this Annex 6 (Processing Personal Data). The Supplier shall review Appendix 1 of this Annex 6 no less than once every twelve (12) months to ensure that it remains up-to-date and shall agree any changes required with the Authority using the change control form included at Annex 7 of this Agreement. Changes will only be effective after that form has been reviewed and signed by the Authority. The Supplier shall notify the Authority immediately if it considers that any of the Authority's instructions infringe the Data Protection Legislation. The Supplier shall provide all reasonable assistance to the Authority in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Authority, include: a systematic description of the envisaged processing operations and the purpose of the processing; an assessment of the necessity and proportionality of the processing operations in relation to the Mobilisation Services, Services and Portal; an assessment of the risks to the rights and freedoms of Data Subjects; and the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 
The Supplier shall, in relation to any Personal Data processed in connection with its obligations under this Framework Agreement: process (and ensure that its Staff and subcontractors process) that Personal Data only in accordance with Appendix 1 (Processing Personal Data) of this Annex 6 as may be updated in accordance with clause 1.2 of this Annex 6, unless the Supplier is required to do otherwise by Applicable Law. If it is so required the Supplier shall promptly notify the Authority before processing the Personal Data unless prohibited by Law; ensure that it has in place the measures that are expressed to be obligations of the Processor in the Data Protection Legislation in order to ensure the appropriate level of security for the Data having taken account of the: nature of the data to be protected; harm that might result from a Data loss event; state of technological development; and cost of implementing any measures; ensure that: the Processor Staff and any subcontractors do not process Personal Data except in accordance with this Annex 6 (and in particular Appendix 1 (Processing Personal Data)); it takes all reasonable steps to ensure the reliability and integrity of any Processor Staff and subcontractors who have access to the Personal Data and ensure that they: are aware of and comply with the Supplier's duties under ▇▇▇▇▇ 6; are subject to appropriate confidentiality undertakings; are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Authority or as otherwise permitted by this Agreement; and have 
undergone adequate training in the use, care, protection and handling of Personal Data; taking into account the nature of the Processing and the information available to the Supplier, assist the Authority in ensuring compliance with the Authority's obligations in the Data Protection Legislation to notify the Controller of a security breach, to communicate a security breach to Data Subjects, to assist with data protection impact assessments and assist with consultations with regulators; not transfer Personal Data outside of the UK or the European Economic Area (or any country deemed adequate by the European Commission or the UK Government pursuant to Directive 95/46/EC or the Data Protection Legislation) unless the prior written consent of the Authority has been obtained and without putting in place adequate protection for the Data to enable compliance by the Authority and the Supplier with their obligations under the Data Protection Legislation; at the written direction of the Authority, delete or return Personal Data (and any copies of it) to the Authority at any time upon request by the Authority or promptly upon on termination of the this Agreement unless the Supplier is required by Applicable Law to retain the Personal Data; and at all times perform its obligations under this Agreement in such a manner as not to cause the Authority in any way to be in breach of the Data Protection Legislation. Subject to clause 1.7 of this Annex 6, the Supplier shall assist the Authority with its obligations to comply with Data Subjects' requests and rights under the Data Protection Legislation through the use of appropriate technical and organisational measures. 
The Supplier shall notify the Authority immediately if it: receives a Data Subject Access Request (or purported Data Subject Access Request); receives a request to rectify, block or erase any Personal Data; receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Applicable Law; or becomes aware of a Data loss event. The Supplier's obligation to notify under clause 1.5 of this Annex 6 shall include the provision of further information to the Authority in phases, as details become available. Taking into account the nature of the processing, the Supplier shall provide the Authority with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause 1.5 of this Annex 6 (and insofar as possible within the timescales reasonably required by the Authority) including by promptly providing: the Authority with full details and copies of the complaint, communication or request; such assistance as is reasonably requested by the Authority to enable the Authority to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; the Authority, at its request, with any Personal Data it holds in relation to a Data Subject; assistance as requested by the Authority following any Data loss event; assistance as requested by the Authority with respect to any request from the Information Commissioner's Office, or any consultation by the Authority with the Information Commissioner's Office. 
The Supplier shall maintain complete and accurate records and information to demonstrate its compliance with this Annex 6. The Supplier shall allow for audits of its Data Processing activity by the Authority or the Authority's designated auditor. The Supplier shall designate a Data Protection Officer if required by the Data Protection Legislation. Before allowing any Sub-processor to process any Personal Data related to this Contract, the Supplier must: notify the Authority in writing of the intended Sub-processor and processing; obtain the written consent of the Authority; enter into a written agreement with the Sub-processor which give effect to the terms set out in this Annex 6 such that they apply to the Sub-processor; and provide the Authority with such information regarding the Sub-processor as the Authority may reasonably require. The Supplier shall remain fully liable for all acts or omissions of any Sub-processor. the Authority determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR and the Authority determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. The Supplier shall allow for audits of its Data Processing activity by the Authority or the Authority's designated auditor. The Supplier shall designate a Data Protection Officer if required by the Data Protection Legislation. 
Before allowing any Sub-processor to process any Personal Data related to this Call Off Contract, the Supplier must: notify the Authority in writing of the intended Sub-processor and processing; obtain the written consent of the Authority; enter into a written agreement with the Sub-processor which give effect to the terms set out in this clause 1.17 of this Annex 6 such that they apply to the Sub-processor; and provide the Authority with such information regarding the Sub-processor as the Authority may reasonably require. The Supplier shall remain fully liable for all acts or omissions of any Sub-processor.

Appears in 1 contract

Sources: Services Agreement

Data Protection. 1.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer Defra is the Controller and the Supplier Contractor is the Processor unless otherwise specified in Contract Schedule 7Annex 1. The only processing that the Processor is authorised to do is listed in Contract Schedule 7 Annex 1 by the Controller and may not be determined by the Processor. 1.2 The Processor shall notify the Controller immediately if it considers that any of the Controller's instructions infringe the Data Protection Legislation. 1.3 The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Controller, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 1.4 The Processor shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: Contract: (a) process that Personal Data only in accordance with Contract Schedule 7Annex 1, unless the Processor is required to do otherwise by Law.
If it is so required the Processor shall promptly notify the Controller before processing the Personal Data unless prohibited by Law; (b) ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; (c) ensure that: (i) the Processor Contractor Personnel do not process Personal Data except in accordance with this Agreement Contract (and in particular Schedule 7Annex 1); (ii) it takes all reasonable steps to ensure the reliability and integrity of any Processor Contractor Personnel who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Processor’s duties under this clause; (B) are subject to appropriate confidentiality undertakings with the Processor or any Sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Controller or as otherwise permitted by this Contract; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; and (d) at the written direction of the Controller, delete or return Personal Data (and any copies of it) to the Controller on termination of the Contract unless the Processor is required by Law to retain the Personal Data.
1.5 Subject to clause 1.6, the Processor shall notify the Controller immediately if it: (a) receives a Data Subject Request (or purported Data Subject Request); (b) receives a request to rectify, block or erase any Personal Data; (c) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; (d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Contract; (e) receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or (f) becomes aware of a Data Loss Event. 1.6 The Processor’s obligation to notify under clause 1.5 shall include the provision of further information to the Controller in phases, as details become available. 1.7 Taking into account the nature of the processing, the Processor shall provide the Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause 1.5 (and insofar as possible within the timescales reasonably required by the Controller) including by promptly providing: (a) the Controller with full details and copies of the complaint, communication or request; (b) such assistance as is reasonably requested by the Controller to enable the Controller to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation; (c) the Controller, at its request, with any Personal Data it holds in relation to a Data Subject; (d) assistance as requested by the Controller following any Data Loss Event; (e) assistance as requested by the Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Controller with the Information Commissioner's Office. 
1.8 The Processor shall maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Processor employs fewer than 250 staff, unless: (a) the Controller determines that the processing is not occasional; (b) the Controller determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; or (c) the Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. 1.9 The Processor shall allow for audits of its Data Processing activity by the Controller or the Controller’s designated auditor. 1.10 Each Party shall designate its own data protection officer if required by the Data Protection Legislation. 1.11 Before allowing any Sub-processor to process any Personal Data related to this Contract, the Processor must: (a) notify the Controller in writing of the intended Sub-processor and processing; (b) obtain the written consent of the Controller; (c) enter into a written agreement with the Sub-processor which gives effect to the terms set out in this Schedule such that they apply to the Sub-processor; and (d) provide the Controller with such information regarding the Sub-processor as the Controller may reasonably require. 1.12 The Processor shall remain fully liable for all acts or omissions of any of its Sub-processors. 1.13 The Controller may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Contract). 1.14 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. 
The Controller may on not less than 30 Working Days’ notice to the Processor amend

Appears in 1 contract

Sources: Call Down Contract

Data Protection. The Parties acknowledge parties shall comply with the provisions and obligations imposed on them by the Data Protection Laws at all times when processing Personal Data in connection with this Agreement, which processing shall be in respect of the types of Personal Data, categories of Data Subjects, nature and purposes, and duration, set out in Schedule 3. 7.1 Each party shall maintain records of all processing operations under its responsibility that contain at least the minimum information required by the Data Protection Laws, and shall make such information available to any DP Regulator on request. 7.2 The data controller shall: (a) ensure that any instructions it issues to the data processor shall comply with the Data Protection Laws; and (b) have sole responsibility for the accuracy, quality and legality of Personal Data and the means by which the data controller acquired Personal Data shall establish the legal basis for processing under Data Protection Laws, including providing all notices and obtaining all consents as may be required under Data Protection Laws in order for the data processor to process the Personal Data as otherwise contemplated by this Agreement. 
7.3 To the extent the Supplier receives from, or processes any Personal Data on behalf of, the Customer, the Supplier shall: (a) process such Personal Data (i) only in accordance with the Customer's written instructions from time to time (including those set out in this Agreement) provided such instructions are lawful and unless it is otherwise required by applicable law (in which case, unless such law prohibits such notification on important grounds of public interest, the Supplier shall notify the Customer of the relevant legal requirement before processing the Personal Data), and (ii) only for the duration of this Agreement; (b) take commercially reasonable steps to ensure its personnel who are authorised to have access to such Personal Data, and ensure that any such personnel are committed to confidentiality or are under an appropriate statutory obligation of confidentiality when processing such Personal Data; (c) taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the Processing, implement technical and organisational measures and procedures to ensure an level of security for such Personal Data appropriate to the risk, including the risks of accidental, unlawful or unauthorised destruction, loss, alteration, disclosure, dissemination or access; (d) unless the transfer is based on an "adequacy decision", is otherwise "subject to appropriate safeguards" or if a "derogation for specific situations" applies, each within the meanings given to them in Articles 45, 46 and 49 of the GDPR respectively, not transfer, access or process such Personal Data outside the European Union without the prior written consent of the Customer (not to be unreasonably withheld or delayed), unless such transfer is to the Customer or an Authorised User; (e) inform the Customer without undue delay upon becoming aware of any such Personal Data (while within the Supplier's or its subcontractors' or affiliates' possession or 
control) being subject to a personal data breach (as defined in Article 4 of GDPR); (f) not disclose any Personal Data to any Data Subject or to a third party other than at the written request of the Customer or as expressly provided for in this Agreement; (g) except for Personal Data of which the data processor is also a data controller and except as required by law or in order to defend any actual or possible legal claims, as the Customer so directs, take reasonable steps to return or irretrievably delete all Personal Data on termination or expiry of this Agreement, and not make any further use of such Personal Data; (h) provide to the Customer and any DP Regulator all information and assistance reasonably necessary to demonstrate or ensure compliance with the obligations in this clause 7 and/or the Data Protection Laws; (i) permit the Customer or its representatives to access any relevant premises, personnel or records of the Supplier on reasonable notice to audit and otherwise verify compliance with this clause 7, subject to the following requirements: (i) the Customer may perform such audits no more than once per year or more frequently if required by Data Protection Laws; (ii) the Customer may use a third party to perform the audit on its behalf, provided such third party executes a confidentiality agreement acceptable to the Supplier before the audit; (iii) audits must be conducted during regular business hours, subject to the Supplier's policies, and may not unreasonably interfere with the Supplier's business activities; (iv) the Customer must provide the Supplier with any audit reports generated in connection with any audit at no charge unless prohibited by applicable law. The Customer may use the audit reports only for the purposes of meeting its audit requirements under Data Protection Laws and/or confirming compliance with the requirements of this clause 7. 
The audit reports shall be confidential; (v) to request an audit, the Customer must first submit a detailed audit plan to the Supplier at least 6 (six) weeks in advance of the proposed audit date. The audit must describe the proposed scope, duration and start date of the audit. The Supplier will review the audit plan and inform the Customer of any concerns or questions (for example, any request for information that could compromise the Supplier's confidentiality obligations or its security, privacy, employment or other relevant policies). The Supplier will work cooperatively with the Customer to agree a final audit plan; (vi) nothing in this clause 17.5(d)(vii) shall require the Supplier to breach any duties of confidentiality owed to any of its clients, employees or Third Party Providers; and (vii) all audits are at the Customer's sole cost and expense; (j) take such steps as are reasonably required to assist the Customer in ensuring compliance with its obligations under Articles 30 to 36 (inclusive) of GDPR; (k) notify the Customer as soon as reasonably practicable if it receives a request from a Data Subject to exercise its rights under the Data Protection Legislation, the Customer is the Controller and the Supplier is the Processor unless otherwise specified in Contract Schedule 7. The only processing that the Processor is authorised to do is listed in Contract Schedule 7 by the Controller and may not be determined by the Processor. The Processor shall notify the Controller immediately if it considers that any of the Controller's instructions infringe the Data Protection Legislation. The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. 
Such assistance may, at the discretion of the Controller, include: a systematic description of the envisaged processing operations and the purpose of the processing; an assessment of the necessity and proportionality of the processing operations Laws in relation to the Services; an assessment of the risks to the rights and freedoms of Data Subjects; and the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of that person's Personal Data. The Processor shall, ; and (l) provide the Customer with reasonable co-operation and assistance in relation to any request made by a Data Subject to exercise its rights under the Data Protection Laws in relation to that person's Personal Data processed provided that the Customer shall be responsible for the Supplier's costs and expenses arising from such co-operation and assistance. 7.4 If either party receives any complaint, notice or communication which relates directly or indirectly to the processing of Personal Data by the other party or to either party's compliance with the Data Protection Laws, it shall as soon as reasonably practicable notify the other party and it shall provide the other party with commercially reasonable co-operation and assistance in relation to any such complaint, notice or communication. 7.5 The Supplier shall not engage Third Party Providers including any advisers, contractors, or auditors to Process Personal Data. 
7.6 Where Personal Data is Processed by the Supplier under or in connection with this Agreement on behalf of the Customer as the data controller, the Customer agrees that the Supplier may disclose the Personal Data to the Supplier's employees, sub-contractors (including Third Party Providers), agents, Affiliates and Affiliate employees as the Supplier reasonably considers necessary for the performance of its obligations under this Agreement: process that Personal Data only in accordance , for compliance with Contract Schedule 7, unless the Processor applicable law and is required to do otherwise by Lawdefend any actual or possible legal claims. If it is so required the Processor The Supplier shall promptly notify the Controller before processing the Personal Data unless prohibited by Law; ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), having taken account of the: nature of the data to be protected; harm that might result from a Data Loss Event; state of technological development; and cost of implementing any measures; ensure that : the Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 7); it takes all take reasonable steps to ensure the reliability and integrity of any Processor Personnel person who have has access to the Personal Data and ensure that they:such persons are aware of the Supplier's obligations under this Agreement. 7.7 The Customer shall, prior to inputting any Personal Data in respect of its pupils, students or clients into the Software, provide a copy of the Supplier Privacy Policy to all Data Subjects in respect of whom the Customer inputs Personal Data into the Software.

Appears in 1 contract

Sources: Software as a Service Subscription Agreement

Data Protection. [This clause 17 and the drafting at Schedule 6 are subject to revision at the Call Off stage] 17.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, they are joint Controllers. Schedule 6 describes the Customer is subject matter, duration, nature and purpose of the Controller processing and the Supplier is Personal Data categories and Data Subject types in respect of which the Processor unless otherwise specified Contractor may process to fulfil the purposes specifically set out in Contract that Schedule 76. The only processing that Contractor shall seek relevant permission from the Processor Data Subjects to process their Personal Data and ensure it is authorised to do is listed processed in Contract Schedule 7 by accordance with the Controller Data Protection Legislation and may not be determined by the Processor. Contractor’s privacy policy 17.2 The Processor Contractor shall notify the Controller Department immediately if it considers that any of the ControllerDepartment's instructions infringe the Data Protection Legislation. 17.3 The Processor Contractor shall provide all reasonable assistance to the Controller Department in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the ControllerDepartment, include: 17.3.1 a systematic description of the envisaged processing operations and the purpose of the processing; 17.3.2 an assessment of the necessity and proportionality of the processing operations in relation to the Services; 17.3.3 an assessment of the risks to the rights and freedoms of Data Subjects; and 17.3.4 the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
17.4 The Processor Contractor shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: Contract: 17.4.1 process that Personal Data only in accordance with Contract Schedule 76, unless the Processor Contractor is required to do otherwise by Law. If it is so required, the Processor Contractor shall promptly notify the Controller Department before processing the Personal Data unless prohibited by Law; 17.4.2 ensure that it has in place Protective Measures, which are have been reviewed and approved by the Department as appropriate to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), Event having taken account of the: (a) nature of the data to be protected; (b) harm that might result from a Data Loss Event; (c) state of technological development; and cost of implementing any measures; ensure that : the Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 7); it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they:and

Appears in 1 contract

Sources: Call Off Contract

Data Protection. The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer Authority is the Controller and the Supplier Grant Recipient is the Processor unless otherwise specified in Contract Schedule 7this Annex 12. The only processing that the Processor is authorised to do is listed in Contract Schedule 7 Part 1 of Annex 12 by the Controller and may not be determined by the Processor. The Processor shall notify the Controller immediately if it considers that any of the Controller's instructions infringe the Data Protection Legislation. The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Controller, include: a systematic description of the envisaged processing operations and the purpose of the processing; an assessment of the necessity and proportionality of the processing operations in relation to the Services; an assessment of the risks to the rights and freedoms of Data Subjectsdata subjects; and the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. The Processor shall, in relation to any Personal Data processed in connection with its obligations under this Agreementthese Conditions: process that Personal Data only in accordance with Contract Schedule 7this Annex 12, unless the Processor is required to do otherwise by Law. 
If it is so required the Processor shall promptly notify the Controller before processing the Personal Data unless prohibited by Law; ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), having taken account of the: nature of the data to be protected; harm that might result from a Data Loss Event; state of technological development; and cost of implementing any measures; ensure that: the Processor Personnel do not process Personal Data except in accordance with this Agreement these Conditions (and in particular Schedule 7Part 1 of Annex 12); it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they: are aware of and comply with the Processor’s duties under this paragraph; are subject to appropriate confidentiality undertakings with the Processor or any sub-processor; are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any Third Party unless directed in writing to do so by the Controller or as otherwise permitted by these Conditions; and have undergone adequate training in the use, care, protection and handling of Personal Data; and not transfer Personal Data outside of the EU (which for the purposes of this limb (d) shall be deemed to include the UK) unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled: the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or DPA 2018 Section 75) as determined by the Controller; the Data Subject has enforceable rights and effective legal remedies; the Processor complies with its obligations under the Data
Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data; at the written direction of the Controller, delete or return Personal Data (and any copies of it) to the Controller on termination of the Agreement unless the Processor is required by Law to retain the Personal Data. Subject to paragraph 1.6, the Processor shall notify the Controller immediately if it: receives a Data Subject Request (or purported Data Subject Request); receives a request to rectify, block or erase any Personal Data; receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under these Conditions; receives a request from any Third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or becomes aware of a Data Loss Event. The Processor’s obligation to notify under paragraph 1.5 shall include the provision of further information to the Controller in phases, as details become available. 
Taking into account the nature of the processing, the Processor shall provide the Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under paragraph 1.5 (and insofar as possible within the timescales reasonably required by the Controller) including by promptly providing: the Controller with full details and copies of the complaint, communication or request; such assistance as is reasonably requested by the Controller to enable the Controller to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation; the Controller, at its request, with any Personal Data it holds in relation to a Data Subject; assistance as requested by the Controller following any Data Loss Event; assistance as requested by the Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Controller with the Information Commissioner's Office. The Processor shall maintain complete and accurate records and information to demonstrate its compliance with this paragraph. This requirement does not apply where the Processor employs fewer than 250 staff, unless: the Controller determines that the processing is not occasional; the Controller determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; or the Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. The Processor shall allow for audits of its Data Processing activity by the Controller or the Controller’s designated auditor. Each Party shall designate its own data protection officer if required by the Data Protection Legislation. 
Before allowing any Sub-processor to process any Personal Data related to these Conditions, the Processor must: notify the Controller in writing of the intended Sub-processor and processing; obtain the written consent of the Controller; enter into a written agreement with the Sub-processor which give effect to the terms set out in this paragraph 1.11 such that they apply to the Sub-processor; and provide the Controller with such information regarding the Sub-processor as the Controller may reasonably require. The Processor shall remain fully liable for all acts or omissions of any of its Sub-processors. The Authority may, at any time on not less than 30 Working Days’ notice, revise this paragraph by replacing it with any applicable controller to processor standard paragraphs or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to these Conditions). The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Controller may on not less than 30 Working Days’ notice to the Processor amend these Conditions to ensure that it complies with any guidance issued by the Information Commissioner’s Office. Where the Parties include two or more Joint Controllers in respect of Personal Data under this Grant Funding Agreement as identified in Part 1 of Annex 12 in accordance with GDPR Article 26, those Parties shall enter into a Joint Controller Agreement based on the terms outlined in Part 2 of Annex 12 in replacement of paragraphs 1.1 to 1.14 for the Personal Data under Joint Control. 
In the event that both Parties are Controllers of the Personal Data, the Parties agree: that without any further action being required they have entered into the Standard Contractual Clauses in the European Commission's decision 2004/915/EC set out in Part 4 to Annex 12 in respect of data transfers by the Grant Recipient outside of the EEA: that, where no other appropriate safeguard or exemption applies, the Personal Data subject to this Grant Funding Agreement (and to which Chapter V of the GDPR applies) will be transferred in accordance with those Standard Contractual Clauses as of the date the Parties entered into those Standard Contractual Clauses; to use best endeavours to complete the annexes to the Standard Contractual Clauses promptly and at their own cost for the purpose of giving full effect to them; and that if there is any conflict between this Grant Funding Agreement and the Standard Contractual Clauses the terms of the Standard Contractual Clauses shall apply. In the event that the Grant Recipient is a Controller of Personal Data and the Authority is a Processor, the Parties agree: that without any further action being required they have entered into the standard contractual clauses in the European Commission's decision 2010/87/EU set out in Part 5 of Annex 12 in respect of data transfers by the Grant Recipient outside of the EEA; that, where no other appropriate safeguard or exemption applies, the Personal Data subject to this Grant Funding Agreement (and to which Chapter V of the GDPR applies) will be transferred in accordance with those Standard Contractual Clauses as of the date the Parties entered into those Standard Contractual Clauses; to use best endeavours to complete the annexes to the Standard Contractual Clauses promptly and at their own cost for the purpose of giving full effect to them; and that if there is any conflict between this Grant Funding Agreement and the Standard Contractual Clauses the terms of the Standard Contractual Clauses 
shall apply. In the event that (i) the European Commission updates, amends, substitutes, adopts or publishes new standard contractual clauses from time to time and (ii) the European Commission has not adopted an adequacy decision for the UK before the European Commission decision regarding such new Standard Contractual Clauses becomes effective, the Parties agree: that the most up to date Standard Contractual Clauses from time to time shall be automatically incorporated in place of those in Part 4 or 5 of Annex 12 (as the context requires); that where no other appropriate safeguard or exemption applies, that the Personal Data subject to this Grant Funding Agreement (and to which Chapter V of the GDPR applies) will be transferred in accordance with the relevant form of the most up to date Standard Contractual Clauses as of the date the European Commission decision regarding such new Standard Contractual Clauses becomes effective; to use best endeavours to complete any part of the most up to date Standard Contractual Clauses that a Party must complete promptly and at their own cost for the purpose of giving full effect to them; and that if there is any conflict between this Grant Funding Agreement and the most up to date Standard Contractual Clauses the terms of the most up to date Standard Contractual Clauses shall apply. This Annex shall be completed by the Controller, who may take account of the view of the Processors, however the final decision as to the content of this Annex shall be with the Controller at its absolute discretion. The contact details of the Controller’s Data Protection Officer are: [Insert Contact details] The contact details of the Processor’s Data Protection Officer are: [Insert Contact details] The Processor shall comply with any further written instructions with respect to processing by the Controller. Any such further instructions shall be incorporated into this Annex. 
Identity of the Controller and Processor: The Parties acknowledge that for the purposes of the Data Protection Legislation, the Authority is the Controller and the Grant Recipient is the Processor in accordance with paragraph 1.1.
Subject matter of the processing
Duration of the processing
Nature and purposes of the processing
Type of Personal Data being Processed
Categories of Data Subject
Plan for return and destruction of the data once the processing is complete UNLESS requirement under union or member state law to preserve that type of data

Appears in 1 contract

Sources: Grant Funding Agreement

Data Protection. The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Controller and the Supplier is the Processor unless otherwise specified in Contract Schedule 7. The only processing that the Processor is authorised to do is listed in Contract Schedule 7 by the Controller or further provided in writing by the Controller and may not be determined by the Processor. The Processor shall notify the Controller immediately if it considers that any of the Controller's instructions infringe the Data Protection Legislation. The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any Processing. Such assistance may, at the discretion of the Controller, include: a systematic description of the envisaged Processing and the purpose of the Processing; an assessment of the necessity and proportionality of the Processing in relation to the Services; an assessment of the risks to the rights and freedoms of Data Subjects; and the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. The Processor shall, in relation to any Personal Data Processed in connection with its obligations under this Contract: process that Personal Data only in accordance with Contract Schedule 7, or as further provided in writing by the Controller, unless the Processor is required to do otherwise by Law.
If it is so required the Processor shall promptly notify the Controller before processing the Personal Data unless prohibited by Law; ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, including the measures set out in this Contract which the Controller may reasonably reject in accordance with those provisions (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), having taken account of the: nature of the data to be protected; harm that might result from a Data Loss Event; state of technological development; and cost of implementing any measures; ensure that: the Processor Personnel do not Process Personal Data except in accordance with this Contract (and in particular Schedule 7) and the Controller’s further written instructions; it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they:

Appears in 1 contract

Sources: Call Off Contract Terms for Apprenticeships Training Dynamic Marketplace

Data Protection. 14.1 Both Parties shall comply with all applicable requirements of the Data Protection Legislation. This clause 14 is in addition to, and does not relieve, remove or replace, a Party's obligations under the Data Protection Legislation. Each Party shall bear its own costs in relation to compliance with this clause 14 and the Data Protection Legislation. 14.2 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Controller and Veritau is the Processor. The only processing that Veritau is authorised to do is listed in Contract Schedule A by the Customer and may not be determined by Veritau. 14.3 Veritau shall notify the Customer immediately if it considers that any of the Customer’s instructions infringe the Data Protection Legislation. 14.4 Veritau shall provide all reasonable assistance to the Customer in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Customer, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 14.5 Veritau shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: (a) process that Personal Data only in accordance with Contract Schedule A, unless Veritau is required to do otherwise by Law.
If it is so required Veritau shall promptly notify the Customer before processing the Personal Data unless prohibited by Law; (b) ensure that it has in place Protective Measures, which have been reviewed and approved by the Customer as appropriate to protect against a Data Loss Event having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; (c) ensure that: (i) the Staff do not process Personal Data except in accordance with this Agreement (and in particular Schedule A); (ii) it takes all reasonable steps to ensure the reliability and integrity of any Staff who have access to the Personal Data and ensure that they: (A) are aware of and comply with Veritau’s duties under this clause 14; (B) are subject to appropriate confidentiality undertakings with Veritau or any Sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer or as otherwise permitted by this Agreement; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; (d) not transfer Personal Data outside of the EU unless the prior written consent of the Customer has been obtained and the following conditions are fulfilled: (i) the Customer or Veritau has provided appropriate safeguards in relation to the transfer (whether in accordance with UK GDPR Article 46 or LED Article 37) as determined by the Customer; (ii) the Data Subject has enforceable rights and effective legal remedies; (iii) Veritau complies with its
obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Customer in meetings its obligations); and (iv) Veritau complies with any reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; (e) at the written direction of the Customer, delete or return Personal Data (and any copies of it) to the Customer on termination of the Agreement unless Veritau is required by Law to retain the Personal Data. 14.6 Subject to clause 14.7, Veritau shall notify the Customer immediately if it: (a) receives a Data Subject Access Request (or purported Data Subject Access Request); (b) receives a request to rectify, block or erase any Personal Data: (c) receives any other request, complaint or communication relating to either Party’s obligations under the Data Protection Legislation; (d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; (e) receives a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or (f) becomes aware of a Data Loss Event. 14.7 Veritau’s obligation to notify under clause 14.6 shall include the provision of further information to the Customer in phases, as details become available. 
14.8 Taking into account the nature of the processing, Veritau shall provide to the Customer with full assistance in relation to either Party’s obligations under Data Protection Legislation and any complaint, communication or request made under clause 14.6 (and insofar as possible within the timescales reasonably required by the Customer) including by promptly providing: (a) the Customer with full details and copies of the complaint, communication or request; (b) such assistance as is reasonably requested by the Customer to enable the Customer to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; (c) the Customer, at its request, with any Personal Data it holds in relation to a Data Subject; (d) assistance as requested by the Customer following any Data Loss Event; and (e) assistance as requested by the Customer with respect to any request from the Information Commissioner’s Office, or any consultation by the Customer with the Information Commissioner’s Office. 14.9 Veritau shall maintain complete and accurate records and information to demonstrate its compliance with this clause 14 and maintain a record of all categories of processing activities carried out on behalf of a controller where: (a) the Customer determines that the processing is not occasional; (b) the Customer determines the processing includes special categories of data as referred to in Article 9(1) of the UK GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the UK GDPR; and (c) the Customer determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. 14.10 Veritau shall allow for audits of its data processing activity and premises by the Customer or the Customer’s designated auditor. 
14.11 Veritau shall comply with the instructions of the Customer to enable the audits referred to in clause 14.10 to be carried out and Veritau shall provide to the Customer and/or their designated auditor, all reasonable assistance that they require in connection with any audits, including making available to the Customer all information necessary to demonstrate compliance with its obligations under this Agreement and the Data Protection Legislation. 14.12 Veritau shall designate a data protection officer if required by the Data Protection Legislation. 14.13 Before allowing any Sub-processor to process any Personal Data related to this Agreement, Veritau must: (a) notify the Customer in writing of the intended Sub-processor and processing; (b) obtain the written consent of the Customer; (c) enter into a written agreement with the Sub-processor which give effect to the terms set out in this clause 14 such that they apply to the Sub-processor; and (d) provide the Customer with such information regarding the Sub-processor as the Customer may reasonably require. 14.14 Veritau shall remain fully liable for all acts or omissions of any Sub-processor. 14.15 Veritau shall indemnify the Customer for any damage, cost or losses (including legal costs) incurred by the Customer in connection with any third party claim made or threatened against the Customer in connection with the loss, unauthorised disclosure or breach of the Data Protection Legislation by Veritau or any Sub-processor in relation to any Personal Data which Veritau is processing on behalf of the Customer in connection with this Agreement. This indemnity shall not apply to the extent Veritau’s act or omission was as a result of the express instruction of the Customer.
14.16 Veritau may, at any time on not less than thirty (30) Working Days’ notice, revise this clause 14 by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Agreement). 14.17 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Customer may on not less than thirty (30) Working Days’ notice to Veritau amend this Agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office.

Appears in 1 contract

Sources: Standard Terms and Conditions

Data Protection. 16.1 The parties acknowledge that for the purposes of the Data Protection Legislation, HCC is the Controller and the Service Provider is the Processor unless otherwise specified in Contract Schedule 3. The only processing that the Processor is authorised to do is listed in Contract Schedule 3 by the Controller and may not be determined by the Processor. 16.2 The Processor shall notify the Controller immediately if it considers that any of the Controller's instructions infringe the Data Protection Legislation. 16.3 The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Controller, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 16.4 The Processor shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: (a) process that Personal Data only in accordance with Contract Schedule 3, unless the Processor is required to do otherwise by Law.
If it is so required the Processor shall promptly notify the Controller before processing the Personal Data unless prohibited by Law; (b) ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; (c) ensure that: (i) the Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 3); (ii) it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Processor’s duties under this clause 16; (B) are subject to appropriate confidentiality undertakings with the Processor or any Sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any Third Party unless directed in writing to do so by the Controller or as otherwise permitted by this Agreement; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; and (d) not transfer Personal Data outside of the EU unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled: (i) the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Controller; (ii) the Data Subject has enforceable rights and effective legal remedies; (iii) the Processor complies with its obligations under the Data Protection Legislation by
providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and (iv) the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data; (e) at the written direction of the Controller, delete or return Personal Data (and any copies of it) to the Controller on termination, cancellation or expiry of this Agreement unless the Processor is required by Law to retain the Personal Data. 16.5 Subject to clause 16.6, the Processor shall notify the Controller immediately if it: (a) receives a Data Subject Request (or purported Data Subject Request); (b) receives a request to rectify, block or erase any Personal Data; (c) receives any other request, complaint or communication relating to either party's obligations under the Data Protection Legislation; (d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; (e) receives a request from any Third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or (f) becomes aware of a Data Loss Event. 16.6 The Processor’s obligation to notify under clause 16.5 shall include the provision of further information to the Controller in phases, as details become available. 
16.7 Taking into account the nature of the processing, the Processor shall provide the Controller with full assistance in relation to either party's obligations under Data Protection Legislation and any complaint, communication or request made under clause 16.5 (and insofar as possible within the timescales reasonably required by the Controller) including by promptly providing: (a) the Controller with full details and copies of the complaint, communication or request; (b) such assistance as is reasonably requested by the Controller to enable the Controller to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation; (c) the Controller, at its request, with any Personal Data it holds in relation to a Data Subject; (d) assistance as requested by the Controller following any Data Loss Event; (e) assistance as requested by the Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Controller with the Information Commissioner's Office. 16.8 The Processor shall maintain complete and accurate records and information to demonstrate its compliance with this clause 16. This requirement does not apply where the Processor employs fewer than 250 staff, unless: (a) the Controller determines that the processing is not occasional; (b) the Controller determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; or (c) the Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. 16.9 The Processor shall allow for audits of its Data Processing activity by the Controller or the Controller’s designated auditor. 16.10 Each party shall designate its own data protection officer if required by the Data Protection Legislation. 
16.11 Before allowing any Sub-processor to process any Personal Data related to this Agreement, the Processor must: (a) notify the Controller in writing of the intended Sub-processor and processing; (b) obtain the written consent of the Controller; (c) enter into a written agreement with the Sub-processor which gives effect to the terms set out in this clause 16 such that they apply to the Sub-processor; and (d) provide the Controller with such information regarding the Sub-processor as the Controller may reasonably require. 16.12 The Processor shall remain fully liable for all acts or omissions of any of its Sub-processors. 16.13 The Controller may, at any time on not less than 30 Business Days’ notice, revise this clause 16 by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Agreement). 16.14 The parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Controller may on not less than 30 Business Days’ notice to the Processor amend this Agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office.

Appears in 1 contract

Sources: Services Agreement

Data Protection. 1.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Licensee is the Controller and Granicus is the Processor. The only processing that ▇▇▇▇▇▇▇▇ is authorised to do is listed in the Schedule by the Licensee and may not be determined by ▇▇▇▇▇▇▇▇. 1.2 Granicus shall notify the Licensee immediately if it considers that any of the Licensee's instructions infringe the Data Protection Legislation. 1.3 Granicus shall provide all reasonable assistance to the Licensee in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Licensee, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 1.4 Granicus shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: (a) process that Personal Data only in accordance with the Schedule, unless Granicus is required to do otherwise by Law.
If it is so required, Granicus shall promptly notify the Licensee before processing the Personal Data, unless prohibited by Law; (b) ensure that it has in place Protective Measures, which have been reviewed and approved by the Licensee as appropriate to protect against a Data Loss Event having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; (c) ensure that: (i) Granicus Personnel do not process Personal Data except in accordance with this Agreement (and in particular, the Schedule); (ii) it takes all reasonable steps to ensure the reliability and integrity of any Granicus Personnel who have access to the Personal Data and ensure that they: (A) are aware of and comply with ▇▇▇▇▇▇▇▇'s duties under this clause; (B) are subject to appropriate confidentiality undertakings with Granicus or any Sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Licensee or as otherwise permitted by this Agreement; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data.
(d) not transfer Personal Data outside of the EU unless the prior written consent of the Licensee has been obtained and the following conditions are fulfilled: (i) the Licensee or Granicus has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Licensee; (ii) the Data Subject has enforceable rights and effective legal remedies; (iii) Granicus complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Licensee in meeting its obligations); and (iv) Granicus complies with any reasonable instructions notified to it in advance by the Licensee with respect to the processing of the Personal Data; (e) at the written direction of the Licensee, delete or return Personal Data (and any copies of it) to the Licensee on termination of the Agreement unless Granicus is required by Law to retain the Personal Data. 1.5 Subject to clause 1.6, Granicus shall notify the Licensee immediately if it: (a) receives a Data Subject Access Request (or purported Data Subject Access Request); (b) receives a request to rectify, block or erase any Personal Data; (c) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; (d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; (e) receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or (f) becomes aware of a Data Loss Event. 1.6 Granicus's obligation to notify under clause 1.5 shall include the provision of further information to the Licensee in phases, as details become available. 
1.7 Taking into account the nature of the processing, Granicus shall provide the Licensee with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause 1.5 (and insofar as possible within the timescales reasonably required by the Licensee) including by promptly providing: (a) the Licensee with full details and copies of the complaint, communication or request; (b) such assistance as is reasonably requested by the Licensee to enable the Licensee to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; (c) the Licensee, at its request, with any Personal Data it holds in relation to a Data Subject; (d) assistance, as requested by the Licensee, following any Data Loss Event; (e) assistance, as requested by the Licensee, with respect to any request from the Information Commissioner's Office, or any consultation by the Licensee with the Information Commissioner's Office. 1.8 Granicus shall maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where Granicus employs fewer than 250 staff, unless: (a) the Licensee determines that the processing is not occasional; (b) the Licensee determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR, or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; and (c) the Licensee determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. 1.9 Granicus shall allow for audits of its Data Processing activity by the Licensee or the Licensee's designated auditor. 1.10 Granicus shall designate a data protection officer if required by the Data Protection Legislation. 
1.11 Before allowing any Sub-processor to process any Personal Data related to this Agreement, Granicus must: (a) notify the Licensee in writing of the intended Sub-processor and processing; (b) obtain the written consent of the Licensee; (c) enter into a written agreement with the Sub-processor which give effect to the terms set out in this clause, such that they apply to the Sub-processor; and (d) provide the Licensee with such information regarding the Sub-processor as the Licensee may reasonably require. 1.12 Granicus shall remain fully liable for all acts or omissions of any Sub-processor. 1.13 The Licensee may, at any time on not less than 30 Working Days' notice, revise this clause 1 by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Agreement). 1.14 The Parties agree to take account of any guidance issued by the Information Commissioner's Office. The Licensee may, on not less than 30 Working Days' notice to ▇▇▇▇▇▇▇▇, amend this Agreement to ensure that it complies with any guidance issued by the Information Commissioner's Office. 1.15 The Parties agree that any term or condition of the Agreement that attempts to limit the liability of Granicus with respect to any claims it may receive from the Licensee following any fine, costs damages, costs or any other claim (the "Losses") imposed on the Licensee from the Information Commissioner's Office (or such successor organisation or regulator thereof) shall have no effect, and, accordingly, notwithstanding any other terms or conditions of the Agreement, Granicus shall indemnify the Licensee in full for any Losses imposed on the Licensee from the Information Commissioner's Office. Schedule of Processing, Personal Data and Data Subjects 1. Granicus shall comply with any further written instructions with respect to processing by the Licensee.

Appears in 1 contract

Sources: Service Agreement

Data Protection. 16.1 The parties acknowledge that for the purposes of the Data Protection Legislation, HCC is the Controller and the Service Provider is the Processor unless otherwise specified in Contract Schedule 3. The only processing that the Processor is authorised to do is listed in Contract Schedule 3 by the Controller and may not be determined by the Processor. 16.2 The Processor shall notify the Controller immediately if it considers that any of the Controller's instructions infringe the Data Protection Legislation. 16.3 The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Controller, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 16.4 The Processor shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: (a) process that Personal Data only in accordance with Contract Schedule 3, unless the Processor is required to do otherwise by Law.
If it is so required the Processor shall promptly notify the Controller before processing the Personal Data unless prohibited by Law; (b) ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; (c) ensure that: (i) the Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 3); (ii) it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Processor’s duties under this clause 16; (B) are subject to appropriate confidentiality undertakings with the Processor or any Sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any Third Party unless directed in writing to do so by the Controller or as otherwise permitted by this Agreement; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; and (d) not transfer Personal Data outside of the EU unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled: (i) the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Controller; (ii) the Data Subject has enforceable rights and effective legal remedies; (iii) the Processor complies with its obligations under the Data Protection Legislation by
providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and (iv) the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data; (e) at the written direction of the Controller, delete or return Personal Data (and any copies of it) to the Controller on termination, cancellation or expiry of this Agreement unless the Processor is required by Law to retain the Personal Data. 16.5 Subject to clause 16.6, the Processor shall notify the Controller immediately if it: (a) receives a Data Subject Request (or purported Data Subject Request); (b) receives a request to rectify, block or erase any Personal Data; (c) receives any other request, complaint or communication relating to either party's obligations under the Data Protection Legislation; (d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; (e) receives a request from any Third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or (f) becomes aware of a Data Loss Event. 16.6 The Processor’s obligation to notify under clause 16.5 shall include the provision of further information to the Controller in phases, as details become available. 
16.7 Taking into account the nature of the processing, the Processor shall provide the Controller with full assistance in relation to either party's obligations under Data Protection Legislation and any complaint, communication or request made under clause 16.5 (and insofar as possible within the timescales reasonably required by the Controller) including by promptly providing: (a) the Controller with full details and copies of the complaint, communication or request; (b) such assistance as is reasonably requested by the Controller to enable the Controller to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation; (c) the Controller, at its request, with any Personal Data it holds in relation to a Data Subject; (d) assistance as requested by the Controller following any Data Loss Event; (e) assistance as requested by the Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Controller with the Information Commissioner's Office. 16.8 The Processor shall maintain complete and accurate records and information to demonstrate its compliance with this clause 16. This requirement does not apply where the Processor employs fewer than 250 staff, unless: (a) the Controller determines that the processing is not occasional; (b) the Controller determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; or (c) the Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. 16.9 The Processor shall allow for audits of its Data Processing activity by the Controller or the Controller’s designated auditor. 16.10 Each party shall designate its own data protection officer if required by the Data Protection Legislation. 
16.11 Before allowing any Sub-processor to process any Personal Data related to this Agreement, the Processor must: (a) notify the Controller in writing of the intended Sub-processor and processing; (b) obtain the written consent of the Controller; (c) enter into a written agreement with the Sub-processor which gives effect to the terms set out in this clause 16 such that they apply to the Sub-processor; and (d) provide the Controller with such information regarding the Sub-processor as the Controller may reasonably require. 16.12 The Processor shall remain fully liable for all acts or omissions of any of its Sub-processors. 16.13 The Controller may, at any time on not less than 30 Business Days’ notice, revise this clause 16 by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Agreement). 16.14 The parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Controller may on not less than 30 Business Days’ notice to the Processor amend this Agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office.

Appears in 1 contract

Sources: Services Agreement

Data Protection. 1.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Buyer is the Controller and the Supplier is the Processor. The only processing that the Processor is authorised to do is listed in Annex 1 by the Controller and may not be determined by the Processor. The term “processing” and any associated terms are to be read in accordance with Article 4 of the UK GDPR. 1.2 The Processor shall notify the Controller immediately if it considers that any of the Controller's instructions infringe the Data Protection Legislation. 1.3 The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Controller, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 1.4 The Processor shall, in relation to any Personal Data processed in connection with its obligations under this Call-Off Contract: (a) process that Personal Data only in accordance with Annex 1, unless the Processor is required to do otherwise by Law. If it is so required the Processor shall promptly notify the Controller before processing the Personal Data unless prohibited by Law; (b) ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Controller may reasonably reject.
In the event of the Controller reasonably rejecting Protective Measures put in place by the Processor, the Processor must propose alternative Protective Measures to the satisfaction of the Controller. Failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures. Protective Measures must take account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; (c) ensure that: (i) the Processor Personnel do not process Personal Data except in accordance with this Call-Off Contract (and in particular Annex 1); (ii) it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Processor’s duties under this clause; (B) are subject to appropriate confidentiality undertakings with the Processor or any Sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Controller or as otherwise permitted by this Call-Off Contract; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; and (d) not transfer Personal Data outside of the UK unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled: (i) the destination country has been recognised as adequate by the UK government in accordance with Article 45 UK GDPR or section 74 of the DPA 2018; (ii) the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with UK GDPR Article 46 or section 75 DPA 2018) as determined by the Controller; (iii) the Data Subject has enforceable
rights and effective legal remedies; (iv) the Processor complies with its obligations under Data Protection Legislation by providing an appropriate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and (v) the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data; (e) at the written direction of the Controller, delete or return Personal Data (and any copies of it) to the Controller on termination of the Call-Off Contract unless the Processor is required by Law to retain the Personal Data. 1.5 The Processor acknowledges that the Controller must (in accordance with UK GDPR Article 33) without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify a Personal Data Breach to the Information Commissioner’s Office, unless the Personal Data Breach is unlikely to result in a risk to the rights and freedoms of natural persons and where such notification is not made within 72 hours, it must be accompanied by reasons for the delay. In order to enable the Controller to comply with UK GDPR Article 33, subject to clause 1.6, the Processor shall notify the Controller immediately if it: (a) receives a Data Subject Request (or purported Data Subject Request); (b) receives a request to rectify, block or erase any Personal Data; (c) receives any other request, complaint or communication relating to either Party's obligations under Data Protection Legislation; (d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Call-Off Contract; (e) receives a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or (f) becomes aware of a Data Loss Event. 
1.6 The Processor’s obligation to notify under clause 1.5 shall include the provision of further information to the Controller, as details become available. 1.7 Taking into account the nature of the processing, the Processor shall provide the Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause 1.5 (and insofar as possible within the timescales reasonably required by the Controller) including but not limited to promptly providing: (a) the Controller with full details and copies of the complaint, communication or request; (b) such assistance as is reasonably requested by the Controller to enable the Controller to comply with a Data Subject Request within the relevant timescales set out in Data Protection Legislation; (c) the Controller, at its request, with any Personal Data it holds in relation to a Data Subject; (d) assistance as requested by the Controller following any Data Loss Event; (e) assistance as requested by the Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Controller with the Information Commissioner's Office. 1.8 The Processor shall maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Processor employs fewer than 250 staff, unless: (a) the Controller determines that the processing is not occasional; (b) the Controller determines the processing includes special categories of data as referred to in Article 9(1) of the UK GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the UK GDPR; or (c) the Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. 
1.9 The Processor shall allow for audits of its Personal Data processing activity by the Controller or the Controller’s designated auditor. 1.10 Each Party shall designate its own data protection officer if required by Data Protection Legislation. 1.11 Before allowing any Sub-processor to process any Personal Data related to this Call-Off Contract, the Processor must: (a) notify the Controller in writing of the intended Sub-processor and processing; (b) obtain the written consent of the Controller; (c) enter into a written agreement with the Sub-processor which give effect to the terms set out in this Schedule 7 Clause 1 such that they apply to the Sub-processor; and; (d) provide the Controller with such information regarding the Sub-processor as the Controller may reasonably require.

Appears in 1 contract

Sources: Call Off Contract

Data Protection. 2.1 All Parties shall comply with this Clause 2 of this Schedule 6 to the extent applicable to the operation of this DPS Framework Agreement. 2.2 The Parties shall seek to agree their respective roles under the Data Protection Legislation and the capacity that they act in be this a Controller, Processor, joint Controller or Controller in common. In the absence of such agreement it shall be assumed that the Suppliers shall act as a Processor and the Authority as a Controller. Before the Processor undertakes any Processing, the Controller shall complete the form set out in the Annex to this Schedule 6 (the Data Processing Form). The Processor is authorised to undertake only that Processing that is set out in the completed Data Processing Form. 2.3 The Processor shall notify the Controller immediately if they consider that any of the Controller’s instructions infringe the Data Protection Legislation. 2.4 The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any Processing. Such assistance may, at the discretion of the Controller, include: 2.4.1 a systematic description of the envisaged Processing operations and the purpose of the Processing; 2.4.2 an assessment of the necessity and proportionality of the processing operations in relation to the Deliverables; 2.4.3 an assessment of the risks to the rights and freedoms of natural persons; and 2.4.4 the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
2.5 The Processor shall provide all reasonable assistance to the Controller if the outcome of the Data Protection Impact Assessment leads the Controller to consult the Information Commissioner. 2.6 The Processor shall, in relation to any Personal Data Processed in connection with their obligations under this DPS Framework Agreement: 2.6.1 Process that Personal Data only in accordance with the instructions set out in the completed Data Processing Form unless the Processor are required to do otherwise by Law. If the Processor is so required, they shall promptly notify the Controller before processing the Personal Data unless prohibited by Law; 2.6.2 ensure that they have in place Protective Measures which are appropriate to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), having taken account of the: 2.6.2.1 nature of the data to be protected; 2.6.2.2 harm that might result from a Data Loss Event; 2.6.2.3 state of technological development; and 2.6.2.4 cost of implementing any measures; 2.6.3 ensure that: 2.6.3.1 the Processor Personnel do not process the Personal Data except in accordance with this DPS Framework Agreement (and in particular the completed Data Processing Form); 2.6.3.2 they take all reasonable steps to ensure the reliability and integrity of any Processor Personnel who will have access to Personal Data and ensure that the Processor Personnel: 2.6.3.2.1 are aware of and comply with the Processor’s duties under this Clause 2 of this Schedule 6; 2.6.3.2.2 are subject to confidentiality undertakings with the Processors (or where the Controller permits the Processor to sub-contract the processing of Personal Data pursuant to Clause 2.8 of this Schedule 6 below, with the relevant
sub-contractors) that are in writing and are legally enforceable in respect of the Personal Data processed under this DPS Framework Agreement. Such confidentiality undertakings must as a minimum require each member of Processor Personnel to keep all Personal Data Processed under this DPS Framework Agreement confidential; 2.6.3.2.3 are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in advance and in writing to do so by the Controller or as otherwise permitted by this DPS Framework Agreement; and 2.6.3.2.4 have undergone adequate training in the use, care, protection and handling of Personal Data that enables them and the Processor to comply with their responsibilities under the Data Protection Legislation and this DPS Framework Agreement. The Processor shall provide the Controller with evidence of the completion and maintenance of that training within three (3) Business Days of request by the Controller; and 2.6.4 not cause or allow Personal Data to be transferred outside the European Economic Area unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled: 2.6.4.1 the Controller or the Processor have provided appropriate safeguards in relation to the transfer (in accordance with the Data Protection Legislation) as determined by the Controller; 2.6.4.2 the Data Subject has enforceable rights and effective legal remedies; 2.6.4.3 the Processor complies with their obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if they are not so required to comply, use their best endeavours to assist the Controller in meeting its obligations); and 2.6.4.4 the Processor complies with any reasonable instructions notified to them in advance by the Controller with respect to the processing of the Personal Data; 2.6.5 at the written 
direction of the Controller, delete or return the Personal Data (and any copies of it) to the Controller on termination of this DPS Framework Agreement unless the Processor is required by Law to retain the Personal Data. If the Processor is asked to delete the Personal Data by the Controller, the Processor shall provide the Controller with evidence that the Personal Data has been securely deleted in accordance with the Data Protection Legislation within the period stated within the written direction of the Controller. 2.7 Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, but not limited to, as appropriate: 2.7.1 the pseudonymisation and encryption of Personal Data; 2.7.2 the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services; 2.7.3 the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and 2.7.4 a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of Processing. 
2.8 Before permitting any Sub-processor of the Processor to Process Personal Data related to this DPS Framework Agreement, the Processor must: 2.8.1 notify the Controller in writing of the intended Sub-processor and Processing save where such intended Sub-processor has been specified in the Supplier’s response to the DPS Framework ITT; 2.8.2 obtain the written consent of the Controller save where such intended Sub-processor has been specified in the Supplier’s response to the DPS Framework ITT; 2.8.3 enter into a written agreement with the Sub-processor which gives effect to the terms set out in this Clause 2 of this Schedule 6 such that they apply to the Sub-processor and in respect of which the Controller is given the benefit of third party rights to enforce the same; and 2.8.4 provide the Controller with such information regarding the sub-contractor as the Authority may reasonably require. 2.9 The Processor shall ensure that the Sub-processor’s access to the Personal Data terminates automatically on the termination of this DPS Framework Agreement save that the Sub-processor may access the Personal Data in order to securely destroy it (or at the option of the Controller return it) in accordance with the requirements of the Data Protection Legislation. 2.10 For the avoidance of doubt, the Processor shall remain fully liable for all acts and omissions of any Sub-processor that they appoint to Process Personal Data on their behalf in relation to this DPS Framework Agreement. 
2.11 Subject to Clause 2.12 of this Schedule 6 below, the Processor shall notify the Controller immediately if they: 2.11.1 receive a Data Subject Access Request (or purported Data Subject Access Request); 2.11.2 receive a request to rectify, block or erase any Personal Data; 2.11.3 receive any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; 2.11.4 receive any communication from the Information Commissioner or any other Regulatory or Supervisory Body in connection with Personal Data processed under this DPS Framework Agreement; 2.11.5 receive a request from any third party for disclosure of Personal Data; or 2.11.6 become aware of an actual or suspected Data Loss Event. 2.12 The Processors obligation to notify the Controller under Clause 2.11 above shall include the prompt provision of further information relevant to the request, complaint or communication or Data Loss Event to the Authority, as it becomes available. 2.13 The Processor shall not respond substantively to the requests, complaints or communications listed in Clause 2.11 above save that they may respond to a Regulatory or Supervisory Body following prior consultation with the Controller. 
2.14 Taking into account the nature of the Processing, the Processor shall provide the Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under Clause 2.11 of this Schedule 6 above (and within the timescales reasonably required by the Authority) including by promptly providing: 2.14.1 the Controller with full details and copies of the complaint, communication or request; 2.14.2 such assistance as is reasonably requested by the Controller to enable the Controller to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; 2.14.3 such assistance as is reasonably requested by the Controller to enable the Controller to comply with other rights granted to individuals by the Data Protection Legislation including the right of rectification, the right to erasure, the right to object to Processing, the right to restrict Processing, the right to data portability and the right not to be subject to an automated individual decision (including profiling) 2.14.4 the Controller, at its request, with any Personal Data the Processor hold in relation to a Data Subject; 2.14.5 such assistance as is requested by the Controller following any Data Loss Event; 2.14.6 such assistance as is requested by the Controller in relation to informing a Data Subject about any Data Loss Event, including communication with the Data Subject; 2.14.7 such assistance as is requested by the Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Controller with the Information Commissioner's Office. 2.15 The Processor shall take such prompt and proper remedial action regarding any Data Loss Event as is agreed with the Controller. 
2.16 The Processor shall provide the Controller with copies of any requests from Data Subjects seeking to exercise their rights under the Data Protection Legislation. Where the Supplier is a Processor, such requests must be sent to ▇▇▇▇▇▇▇.▇▇-▇▇▇▇▇▇▇▇▇@▇▇▇.▇▇▇ immediately and within no longer than one (1) Business Day of receipt by the Suppliers. 2.17 The Processor shall provide the Controller with evidence to demonstrate compliance with all of their obligations under this DPS Framework Agreement and the Data Protection Legislation. 2.18 The Processor shall allow for audits of their Processing activity by the Controller or the Controller’s designated auditor who for the avoidance of doubt shall enter into obligations of confidentiality and non-use the same as those set out in this Schedule 4 and the audits shall be conducted during normal business hours having given advance written notice of no less than five (5) Business Days. The Processor shall provide all reasonable cooperation with such audit and accompany the Authority or its authorised representative(s) if requested. The Controller (or the Controller’s designated auditor) shall not be permitted to conduct such an audit on more than 2 occasions in each 6 Month period, except with the agreement of the Processor (not to be unreasonably withheld or delayed). 2.19 The Processor shall each (where multiple Processors) designate a Data Protection Officer if required by the Data Protection Legislation and shall notify the Controller of the name and contact details of any such Data Protection Officer. 2.20 The Processor shall maintain complete and accurate records and information to demonstrate their compliance with this DPS Framework Agreement, the Data Protection Legislation and the Data Guidance. 
The Processor shall create and maintain a record of all categories of data Processing activities carried out under this DPS Framework Agreement, containing: 2.20.1 the categories of Processing carried out under this DPS Framework Agreement; 2.20.2 where applicable, transfers of Personal Data to a third country or an international organisation, including the identification of that third country or international organisation and, where required to ensure compliance with the Data Protection Legislation, the documentation of suitable safeguards; 2.20.3 a general description of the Protective Measures taken to ensure the security and integrity of the Personal Data Processed under this DPS Framework Agreement; and 2.20.4 a log recording the Processing of Personal Data in connection with this DPS Framework Agreement comprising, as a minimum, details of the Personal Data concerned, how the Personal Data was Processed, where the Personal Data was Processed and the identity of any individuals who had access to the Personal Data. 2.21 The Processor shall ensure that the record of Processing maintained in accordance with Clause 2.20 of this Schedule 6 is provided to the Controller within four (4) Business Days of a written request from the Controller. 2.22 This DPS Framework Agreement does not relieve the Processor from any obligations conferred upon them by the Data Protection Legislation. 2.23 The Parties agree to take account of any guidance issued by the Information Commissioner. The Controller may on not less than thirty (30) Business Days’ notice to the Processor amend this DPS Framework Agreement to ensure that it complies with any guidance issued by the Information Commissioner.
2.24 The Controller may, at any time on not less than 30 Business Days’ notice, revise this Clause 2 of this Schedule 6 by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme issued by the European Commission, the Information Commissioner’s Office or any other competent authority (which shall apply when incorporated by attachment to this DPS Framework Agreement). 2.25 Where the Processor is Processing Personal Data under or in connection with this DPS Framework Agreement the Processor shall: 2.25.1 where such Personal Data is patient identifiable Personal Data ensure that such Personal Data is only: 2.25.1.1 used for the purposes of providing direct care for the relevant person to whom such Personal Data relates; or 2.25.1.2 used as otherwise permitted by Law; and 2.25.2 where such Personal Data is Processed pursuant to a S.251 Authorisation, only Process such Personal Data in accordance with the terms of such S.251 Authorisation. 2.26 The Processor and the Controller shall ensure that Personal Data is safeguarded at all times in accordance with the Law. This obligation will include but not be limited to (if transferred electronically) only transferring Personal Data: 2.26.1 if such transfer of Personal Data is essential, having regard to the purpose for which the transfer is conducted; and 2.26.2 if such P

Appears in 1 contract

Sources: Dynamic Purchasing System Framework Agreement

Data Protection. The parties shall comply with the provisions and obligations imposed on them by the Data Protection Laws at all times when processing Personal Data in connection with this Agreement, which processing shall be in respect of the types of Personal Data, categories of Data Subjects, nature and purposes, and duration, set out in Schedule 3. 7.1 Each party shall maintain records of all processing operations under its responsibility that contain at least the minimum information required by the Data Protection Laws, and shall make such information available to any DP Regulator on request. 7.2 The data controller shall: (a) ensure that any instructions it issues to the data processor shall comply with the Data Protection Laws; and (b) have sole responsibility for the accuracy, quality and legality of the Personal Data and the means by which the data controller acquired Personal Data shall establish the legal basis for processing under Data Protection Laws, including providing all notices and obtaining all consents as may be required under Data Protection Laws in order for the data processor to process the Personal Data as otherwise contemplated by this Agreement.
7.3 To the extent the Supplier receives from, or processes any Personal Data on behalf of, the Customer, the Supplier shall: (a) process such Personal Data (i) only in accordance with the Customer's written instructions from time to time (including those set out in this Agreement) provided such instructions are lawful and unless it is otherwise required by applicable law (in which case, unless such law prohibits such notification on important grounds of public interest, the Supplier shall promptly notify the Customer of the relevant legal requirement before processing the Personal Data), and (ii) only for the duration of this Agreement; (b) take commercially reasonable steps to ensure the reliability and integrity of its personnel who are authorised to have access to such Personal Data, and ensure that any such personnel are committed to confidentiality or are under an appropriate statutory obligation of confidentiality when processing such Personal Data; (c) taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the Processing, implement technical and organisational measures and procedures to ensure a level of security for such Personal Data appropriate to the risk, including the risks of accidental, unlawful or unauthorised destruction, loss, alteration, disclosure, dissemination or access; (d) unless the transfer is based on an "adequacy decision", is otherwise "subject to appropriate safeguards" or if a "derogation for specific situations" applies, each within the meanings given to them in Articles 45, 46 and 49 of the GDPR respectively, not transfer, access or process such Personal Data outside the European Union without the prior written consent of the Customer (not to
be unreasonably withheld or delayed), unless such transfer is to the Customer or an Authorised User; Supplier's or its subcontractors' or affiliates' possession or control) being subject to a personal data breach (as defined in Article 4 of GDPR);

Appears in 1 contract

Sources: Software as a Service Subscription Agreement

Data Protection. 28.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Authority is the Controller and the Service Provider is the Processor. The only processing that the Service Provider is authorised to do is listed in Contract Schedule 15 by the Authority and may not be determined by the Service Provider. 28.2 The Service Provider shall notify the Authority immediately if it considers that any of the Authority's instructions infringe the Data Protection Legislation. 28.3 The Service Provider shall provide all reasonable assistance to the Authority in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Authority, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
28.4 The Service Provider shall carry out its own Data Protection Impact Assessment prior to commencing any processing under this Agreement where required under the Data Protection Legislation and otherwise as may be appropriate to ensure the security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, and shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: (a) process that Personal Data only in accordance with Contract Schedule 15, unless the Service Provider is required to do otherwise by Law. If it is so required the Service Provider shall promptly notify the Authority before processing the Personal Data unless prohibited by Law; (b) ensure that it has in place Protective Measures, which have been reviewed and approved by the Authority as appropriate to protect against a Data Loss Event having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; (c) ensure that: (i) the Service Provider’s Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 15); (ii) it takes all reasonable steps to ensure the reliability and integrity of any Service Provider’s Personnel who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Service Provider’s duties under this Clause; (B) are subject to appropriate confidentiality undertakings with the Service Provider or any Sub-Processor; (C) are informed of the confidential nature of the Personal Data and do
not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Authority or as otherwise permitted by this Agreement; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; and (d) not transfer Personal Data outside of the EU unless the prior written consent of the Authority has been obtained and the following conditions are fulfilled: (i) the Authority or the Service Provider has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Authority; (ii) the Data Subject has enforceable rights and effective legal remedies; (iii) the Service Provider complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Authority in meeting its obligations); and (iv) the Service Provider complies with any reasonable instructions notified to it in advance by the Authority with respect to the processing of the Personal Data; (e) at the written direction of the Authority, and at the Service Provider’s sole cost, delete or return Personal Data (and any copies of it) to the Authority on termination of the Agreement unless the Service Provider is required by Law to retain the Personal Data. 
28.5 Subject to Clause 28.6, the Service Provider shall notify the Authority immediately if it: (a) receives a Data Subject Access Request (or purported Data Subject Access Request); (b) receives a request to rectify, block or erase any Personal Data; (c) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; (d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; (e) receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or (f) becomes aware of a Data Loss Event. 28.6 The Service Provider’s obligation to notify under Clause 28.5 shall include the provision of further information to the Authority in phases, as details become available. 28.7 Taking into account the nature of the processing, the Service Provider shall provide the Authority with full assistance in relation to either Party's obligations under Data Protection Legislation including any complaint, communication or request made under Clause 28.5 (and insofar as possible within the timescales reasonably required by the Authority) including by promptly providing: (a) the Authority with full details and copies of the complaint, communication or request; (b) such assistance as is reasonably requested by the Authority to enable the Authority to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; (c) the Authority, at its request, with any Personal Data it holds in relation to a Data Subject; (d) assistance as requested by the Authority following any Data Loss Event including but not limited to all information and findings relating to any internal or external investigation into the Data Loss Event; (e) assistance as requested by the Authority with respect to any 
request from the Information Commissioner’s Office, or any consultation by the Authority with the Information Commissioner's Office. 28.8 The Service Provider shall maintain complete and accurate records and information to demonstrate its compliance with this Clause 28. This requirement does not apply where the Service Provider employs fewer than 250 staff, unless: (a) the Authority determines that the processing is not occasional; (b) the Authority determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; and (c) the Authority determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. 28.9 The Service Provider shall allow for audits of its Data Processing activity by the Authority or the Authority’s designated auditor. 28.10 The Service Provider shall designate a Data Protection Officer if required by the Data Protection Legislation. 28.11 Before allowing any Sub-Processor to process any Personal Data related to this Agreement, the Service Provider must: (a) notify the Authority in writing of the intended Sub-Processor and processing; (b) obtain the written consent of the Authority; (c) enter into a written Agreement with the Sub-Processor which give effect to the terms set out in this Clause 28 such that they apply to the Sub-Processor; and (d) provide the Authority with such information regarding the Sub-Processor as the Authority may reasonably require. 28.12 The Service Provider shall remain fully liable for all acts or omissions of any Sub-Processor. 28.13 The Service Provider may, at any time on not less than 30 Working Days’ notice, revise this Clause by replacing it with any applicable controller to processor standard Clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Agreement).
28.14 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Authority may on not less than 30 Working Days’ notice to the Service Provider amend this Agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office.

Appears in 1 contract

Sources: Contract for the Provision of Services

Data Protection. 38.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the DFE is the Controller and the Contractor is the Processor. The only processing that the Contractor is authorised to do is listed in Contract Schedule 11 by the DFE and may not be determined by the Contractor. 38.2 The Contractor shall notify the DFE immediately if it considers that any of the DFE's instructions infringe the Data Protection Legislation. 38.3 The Contractor shall provide all reasonable assistance to the DFE in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the DFE, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 38.4 The Contractor shall, in relation to any Personal Data processed in connection with its obligations under this Contract: (a) process that Personal Data only in accordance with Contract Schedule 11, unless the Contractor is required to do otherwise by Law.
If it is so required the Contractor shall promptly notify the DFE before processing the Personal Data unless prohibited by Law; (b) ensure that it has in place Protective Measures, which have been reviewed and approved by the DFE as appropriate to protect against a Data Loss Event having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; (c) ensure that:

Appears in 1 contract

Sources: Breakfast Clubs Programme Contract

Data Protection. The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Controller and the Supplier is the Processor unless otherwise specified in Contract Schedule 7. The only processing that the Processor is authorised to do is listed in Contract Schedule 7 by the Controller and may not be determined by the Processor. The Processor shall notify the Controller immediately if it considers that any of the Controller's instructions infringe the Data Protection Legislation. The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Controller, include: ) a systematic description of the envisaged processing operations and the purpose of the processing; ) an assessment of the necessity and proportionality of the processing operations in relation to the Services; ) an assessment of the risks to the rights and freedoms of Data Subjects; and ) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. The Processor shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: ) process that Personal Data only in accordance with Contract Schedule 7, unless the Processor is required to do otherwise by Law.
If it is so required the Processor shall promptly notify the Controller before processing the Personal Data unless prohibited by Law; ) ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), having taken account of the: nature of the data to be protected; harm that might result from a Data Loss Event; state of technological development; and cost of implementing any measures; ) ensure that: . the Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 7); . it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they: are aware of and comply with the Processor’s duties under this clause; are subject to appropriate confidentiality undertakings with the Processor or any Sub-processor; are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Controller or as otherwise permitted by this Agreement; and have undergone adequate training in the use, care, protection and handling of Personal Data; and ) not transfer Personal Data outside of the EU unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled: . the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Controller; . the Data Subject has enforceable rights and effective legal remedies; .
the Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and . the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data; ) at the written direction of the Controller, delete or return Personal Data (and any copies of it) to the Controller on termination of the Agreement unless the Processor is required by Law to retain the Personal Data. Subject to Clause […], the Processor shall notify the Controller immediately if it: ) receives a Data Subject Request (or purported Data Subject Request); ) receives a request to rectify, block or erase any Personal Data; ) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; ) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; ) receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or ) becomes aware of a Data Loss Event. The Processor’s obligation to notify under Clause 23.29 shall include the provision of further information to the Controller in phases, as details become available.
Taking into account the nature of the processing, the Processor shall provide the Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under Clause 23.29 (and insofar as possible within the timescales reasonably required by the Controller) including by promptly providing: ) the Controller with full details and copies of the complaint, communication or request; ) such assistance as is reasonably requested by the Controller to enable the Controller to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation; ) the Controller, at its request, with any Personal Data it holds in relation to a Data Subject; ) assistance as requested by the Controller following any Data Loss Event; ) assistance as requested by the Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Controller with the Information Commissioner's Office. The Processor shall maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Processor employs fewer than 250 staff, unless: ) the Controller determines that the processing is not occasional; ) the Controller determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; or ) the Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects.
The Processor shall allow for audits of its Data Processing activity by the Controller or the Controller’s designated auditor. Each Party shall designate its own data protection officer if required by the Data Protection Legislation. Before allowing any Sub-processor to process any Personal Data related to this Agreement, the Processor must: ) notify the Controller in writing of the intended Sub-processor and processing; ) obtain the written consent of the Controller; ) enter into a written agreement with the Sub-processor which give effect to the terms set out in clauses […] to […] (Data Protection) such that they apply to the Sub-processor; and ) provide the Controller with such information regarding the Sub-processor as the Controller may reasonably require. The Processor shall remain fully liable for all acts or omissions of any of its Sub-processors.
The Controller may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Agreement). The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Controller may on not less than 30 Working Days’ notice to the Processor amend this agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office. Where the Parties include two or more Joint Controllers as identified in Contract Schedule 7 in accordance with GDPR Article 26, those Parties shall enter into a Joint Controller Agreement based on the terms outlined in Contract Schedule 8 in replacement of Clauses […] to […] for the Personal Data under Joint Control. PUBLICITY AND BRANDING The Supplier shall not, without Approval (the decision of the Customer to Approve or not shall not be unreasonably withheld or delayed): ) make any press announcements or publicise this Contract in any way; or ) use the Customer's name or brand in any promotion or marketing or announcement of orders, Each Party acknowledges to the other that nothing in this Contract either expressly or by implication constitutes an endorsement of any products or services of the other Party (including the Goods and/or Services and Supplier Equipment) and each Party agrees not to conduct itself in such a way as to imply or express any such approval or endorsement.

Appears in 1 contract

Sources: Contract Order Form

Data Protection. 1.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Controller and the Contractor is the Processor unless otherwise specified in Contract Schedule 1. The only processing that the Processor is authorised to do is listed in Contract Schedule 1 by the Controller and may not be determined by the Processor. 1.2 Controller warrants that it has taken all necessary steps to achieve compliance with Data Protection Legislation. 1.3 Without prejudice to the generality of paragraph 1.2, Controller warrants that where Controller supplies Personal Data to Processor, Controller has provided any requisite notice and has a valid legal basis to collect, obtain and share the Personal Data with Processor and to allow Processor to process the Personal Data in accordance with Schedule 1. 1.4 The Processor shall notify the Controller immediately if it considers that any of the Controller's instructions infringe the Data Protection Legislation. 1.5 The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Controller, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 1.6 The Processor shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: (a) process that Personal Data only in accordance with Contract Schedule 1, unless the Processor is required to do otherwise by Law. 
If it is so required, the Processor shall promptly notify the Controller before processing the Personal Data unless prohibited by Law; (b) ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; (c) ensure that: (i) the Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 1); (ii) it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Processor’s duties under this clause; (B) are subject to appropriate confidentiality undertakings with the Processor or any Sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Controller or as otherwise permitted by this Agreement; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; and (d) not transfer Personal Data outside of the UK unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled: (i) the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Controller; (ii) the Data Subject has enforceable rights and effective legal remedies; (iii) the Processor complies with its obligations under the Data Protection 
Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and (iv) the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data; (e) at the written direction of the Controller, delete or return Personal Data (and any copies of it) to the Controller on termination of the Agreement unless the Processor is required by Law to retain the Personal Data. 1.7 Subject to clause 1.6, the Processor shall notify the Controller immediately if it: (a) receives a Data Subject Request (or purported Data Subject Request); (b) receives a request to rectify, block or erase any Personal Data; (c) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; (d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; (e) receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or (f) becomes aware of a Data Loss Event. 1.8 The Processor’s obligation to notify under clause 1.5 shall include the provision of further information to the Controller in phases, as details become available. 
1.9 Taking into account the nature of the processing, the Processor shall provide the Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause 1.5 (and insofar as possible within the timescales reasonably required by the Controller) including by promptly providing: (a) the Controller with full details and copies of the complaint, communication or request; (b) such assistance as is reasonably requested by the Controller to enable the Controller to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation; (c) the Controller, at its request, with any Personal Data it holds in relation to a Data Subject; (d) assistance as requested by the Controller following any Data Loss Event; (e) assistance as requested by the Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Controller with the Information Commissioner's Office. 1.10 The Processor shall maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Processor employs fewer than 250 staff, unless: (a) the Controller determines that the processing is not occasional; (b) the Controller determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; or (c) the Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. 1.11 The Processor shall allow for audits of its Data Processing activity by the Controller or the Controller’s designated auditor. 1.12 Each Party shall designate its own data protection officer if required by the Data Protection Legislation. 
1.13 Before allowing any Sub-processor to process any Personal Data related to this Agreement, the Processor must: (a) notify the Controller in writing of the intended Sub-processor and processing; (b) obtain the written consent of the Controller; (c) enter into a written agreement with the Sub-processor which give effect to the terms set out in this clause 1.11 such that they apply to the Sub-processor; and (d) provide the Controller with such information regarding the Sub-processor as the Controller may reasonably require. 1.14 The Processor shall remain fully liable for all acts or omissions of any of its Sub-processors. 1.15 The Controller may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Agreement). 1.16 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Controller may on not less than 30 Working Days’ notice to the Processor amend this agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office. 1.17 IN NO EVENT WILL CONTRACTOR’S AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THIS DATA PROTECTION AGREEMENT ARISING OUT OF OR RELATED TO BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE) OR OTHERWISE, EXCEED £500,000. IN NO EVENT WILL CONTRACTOR BE LIABLE TO THE CUSTOMER FOR ANY INDIRECT, SPECIAL, PUNITIVE, EXEMPLARY, INCIDENTAL OR CONSEQUENTIAL DAMAGES OF ANY KIND, INCLUDING, WITHOUT LIMITATION, LOST PROFITS, HOWEVER ARISING, WHETHER IN CONTRACT, TORT, OR OTHERWISE, REGARDING THESE DATA PROTECTION TERMS, EVEN IF SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. The contact details of the Controller’s Data Protection Officer shall be provided to the Processor upon execution of the Data Sharing Agreement.

Appears in 1 contract

Sources: Licensing Agreement

Data Protection. 13.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Controller and the Contractor is the Processor unless otherwise specified in Contract Schedule 1. The only processing that the Processor is authorised to do is listed in Contract Schedule 1 by the Controller and may not be determined by the Processor. 13.2 The Processor shall notify the Controller immediately if it considers that any of the Controller's instructions infringe the Data Protection Legislation. 13.3 The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Controller, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 13.4 The Processor shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: (a) process that Personal Data only in accordance with Contract Schedule 1, unless the Processor is required to do otherwise by Law. 
If it is so required the Processor shall promptly notify the Controller before processing the Personal Data unless prohibited by Law; (b) ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; (c) ensure that: (i) the Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 1); (ii) it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Processor’s duties under this clause; (B) are subject to appropriate confidentiality undertakings with the Processor or any Sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Controller or as otherwise permitted by this Agreement; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; and (d) not transfer Personal Data outside of the EU unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled: (i) the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Controller; (ii) the Data Subject has enforceable rights and effective legal remedies;

Appears in 1 contract

Sources: Award of Agreement

Data Protection. 1.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Education Body [“the Customer”] is the Controller and Wisdom Canvas Ltd is the Processor. The only Processing that the Supplier is authorised to do is listed in Table A of this Protocol by the Customer and may not be determined by the Supplier. 1.2 The Supplier shall notify the Customer immediately if it considers that any of the Customer's instructions infringe the Data Protection Legislation. 1.3 The Supplier shall provide all reasonable assistance to the Customer in the preparation of any Data Protection Impact Assessment prior to commencing any Processing. Such assistance may, at the discretion of the Customer, include: 1.3.1 a systematic description of the envisaged Processing operations and the purpose of the Processing; 1.3.2 an assessment of the necessity and proportionality of the Processing operations in relation to the Services; 1.3.3 an assessment of the risks to the rights and freedoms of Data Subjects; and 1.3.4 the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 1.4 The Supplier shall, in relation to any Personal Data Processed in connection with its obligations under this Contract: 1.4.1 process that Personal Data only in accordance with Table A of this Protocol, unless the Supplier is required to do otherwise by Law. 
If it is so required the Supplier shall promptly notify the Customer before Processing the Personal Data unless prohibited by Law; 1.4.2 notify the Customer immediately of any changes or required updates to permissions and systems access. This includes, for example, where members of staff leave, are suspended or are on an extended period of absence, like maternity leave; 1.4.3 ensure that it has in place Protective Measures, which have been reviewed and approved by the Customer as appropriate to protect against a Data Loss Event having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; 1.4.4 ensure that: (i) the Supplier Personnel do not Process Personal Data except in accordance with this Contract (and in particular Table A of this Protocol); (ii) it takes all reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Supplier’s duties under this Protocol; (B) are subject to appropriate confidentiality undertakings with the Supplier or any Sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer or as otherwise permitted by this Contract; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; 1.4.5 not transfer Personal Data outside of the EU unless the prior written consent of the Customer has been obtained and the following conditions 
are fulfilled: (i) the Customer or the Supplier has provided appropriate safeguards in relation to the transfer (whether in accordance with Article 46 of the GDPR or Article 37 of the Law Enforcement Directive (Directive (EU) 2016/680)) as determined by the Customer; (ii) the Data Subject has enforceable rights and effective legal remedies; (iii) the Supplier complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Customer in meeting its obligations); and (iv) the Supplier complies with any reasonable instructions notified to it in advance by the Customer with respect to the Processing of the Personal Data; 1.4.6 at the written direction of the Customer, delete or return Personal Data (and any copies of it) to the Customer on termination or expiry of the Contract unless the Supplier is required by Law to retain the Personal Data. 1.5 Subject to Clause 1.6 of this Protocol, the Supplier shall notify the Customer immediately if it: 1.5.1 receives a Data Subject Access (or purported Data Subject Access Request), Freedom of Information or Environmental Information Regulation (EIR) request; 1.5.2 receives a request to rectify, block or erase any Personal Data; 1.5.3 receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; 1.5.4 receives any communication from the Information Commissioner or any other regulatory Customer in connection with Personal Data Processed under this Contract; 1.5.5 receives a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or

Appears in 1 contract

Sources: Data Processing Agreement

Data Protection. 1.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Purchaser is the Controller and the Supplier is the Processor unless otherwise specified in Annex A to this Schedule Part 14. The only processing that the Processor is authorised to do is listed in Annex A to this Schedule Part 14 by the Controller and may not be determined by the Processor. 1.2 The Processor shall notify the Controller immediately if it considers that any of the Controller's instructions infringe the Data Protection Legislation. 1.3 The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Controller, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 1.4 The Processor shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: (a) process that Personal Data only in accordance with Annex A to this Schedule Part 14, unless the Processor is required to do otherwise by Law. 
If it is so required the Processor shall promptly notify the Controller before processing the Personal Data unless prohibited by Law; (b) ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; ensure that: the Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 7); it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they:;

Appears in 1 contract

Sources: Contract for Development & Learning

Data Protection. 23.1.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Controller and the Contractor is the Processor. The only processing that the Contractor is authorised to do is listed in Contract Schedule A by the Customer and may not be determined by the Contractor. 23.1.2 The Contractor shall notify the Customer immediately if it considers that any of the Customer's instructions infringe the Data Protection Legislation. 23.1.3 The Contractor shall provide all reasonable assistance to the Customer in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Customer, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 23.1.4 The Contractor shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: (a) process that Personal Data only in accordance with Contract Schedule A, unless the Contractor is required to do otherwise by Law. 
If it is so required the Contractor shall promptly notify the Customer before processing the Personal Data unless prohibited by Law; (b) ensure that it has in place Protective Measures, which have been reviewed and approved by the Customer as appropriate to protect against a Data Loss Event having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; (c) ensure that: (i) the Contractor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule A); (ii) it takes all reasonable steps to ensure the reliability and integrity of any Contractor Personnel who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Contractor’s duties under this clause; (B) are subject to appropriate confidentiality undertakings with the Contractor or any Sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Customer or as otherwise permitted by this Agreement; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; and (d) not transfer Personal Data outside of the EU unless the prior written consent of the Customer has been obtained and the following conditions are fulfilled: (i) the Customer or the Contractor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or 23.1.5 LED Article 37) as determined by the Customer;

Appears in 1 contract

Sources: Framework Agreement

Data Protection. 20.1 The parties acknowledge that for the purposes of the Data Protection Legislation, the nature of the activity carried out by each of them in relation to their respective obligations under this DPS Agreement will determine the status of each party under the Data Protection Legislation. A party may act as: 20.1.1 Controller (where the other party acts as the Processor); 20.1.2 Processor (where the other party acts as the Controller); 20.1.3 Joint Controller (where both parties are considered to jointly control the same Personal Data); and 20.1.4 Independent Controller of the Personal Data where the other party is also Controller of the same Personal Data in its own right (but there is no element of joint control); and the parties shall set out in Schedule 12 (Processing Personal Data) which scenario or scenarios are intended to apply under this DPS Agreement. 20.2 Where a party is a Processor, the only processing that it is authorised to do is listed in Schedule 12 (Processing Personal Data) by the Controller. 20.3 The Processor shall notify the Controller immediately if it considers that any of the Controller’s instructions infringe the Data Protection Legislation. 20.4 The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. 
Such assistance may, at the discretion of the Controller, include: 20.4.1 a systematic description of the envisaged processing operations and the purpose of the processing; 20.4.2 an assessment of the necessity and proportionality of the processing operations in relation to the requirements of the Administering Authority hereunder; 20.4.3 an assessment of the risks to the rights and freedoms of Data Subjects; and 20.4.4 the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 20.5 The Processor shall, in relation to any Personal Data processed in connection with its obligations under this DPS Agreement: 20.5.1 process that Personal Data only in accordance with Schedule 12 (Processing Personal Data), unless the Processor is required to do otherwise by Law. If it is so required the Processor shall promptly notify the Contracting Authority before processing the Personal Data unless prohibited by Law; 20.5.2 ensure that it has in place Protective Measures which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures) having taken account of the: (a) nature of the data to be protected; (b) harm that might result from a Data Loss Event; (c) state of technological development; and (d) cost of implementing any measures; 20.5.3 ensure that: (i) the Processor Personnel do not process Personal Data except in accordance with this DPS Agreement (and in particular Schedule 12 (Processing Personal Data)); (ii) it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Processor’s duties under this ▇▇▇▇▇▇ and Clauses 17 
(Confidentiality) and 19 (Freedom of Information); (B) are subject to appropriate confidentiality undertakings with the Processor or any Sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Controller or as otherwise permitted by this DPS Agreement; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; 20.5.4 not transfer Personal Data outside of the UK unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled: (a) the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or DPA 2018 Section 75) as determined by the Controller; (b) the Data Subject has enforceable rights and effective legal remedies; (c) the Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and (d) the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data; and 20.5.5 at the written direction of the Controller, delete or return Personal Data (and any copies of it) to the Controller on termination of this DPS Agreement unless the Processor is required by Law to retain the Personal Data. 
20.6 Subject to Clause 20.7 (Data Protection), the Processor shall notify the Controller immediately if it: 20.6.1 receives a Data Subject Request (or purported Data Subject Request); 20.6.2 receives a request to rectify, block or erase any Personal Data; 20.6.3 receives any other request, complaint or communication relating to either party's obligations under the Data Protection Legislation; 20.6.4 receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this DPS Agreement; 20.6.5 receives a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or 20.6.6 becomes aware of a Data Loss Event. 20.7 The Processor’s obligation to notify under Clause 20.6 (Data Protection) shall include the provision of further information to the Controller in phases, as details become available. 20.8 Taking into account the nature of the processing, the Processor shall provide the Controller with reasonable assistance in relation to either party's obligations under Data Protection Legislation and any complaint, communication or request made under Clause 20.6 (Data Protection) (and insofar as possible within the timescales reasonably required by the Controller) including by promptly providing: 20.8.1 the Controller with full details and copies of the complaint, communication or request; 20.8.2 such assistance as is reasonably requested by the Controller to enable it to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation; 20.8.3 the Controller, at its request, with any Personal Data it holds in relation to a Data Subject; 20.8.4 assistance as requested by the Controller following any Data Loss Event; and/or 20.8.5 assistance as requested by the Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the 
Controller with the Information Commissioner's Office. 20.9 The Processor shall maintain complete and accurate records and information to demonstrate its compliance with this Clause. This requirement does not apply where the Processor employs fewer than 250 staff, unless: 20.9.1 the Controller determines that the processing is not occasional; 20.9.2 the Controller determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; or 20.9.3 the Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. 20.10 The Processor shall allow for Audits of its Data Processing activity by the Controller or the Controller’s designated auditor. 20.11 The parties shall designate a Data Protection Officer if required by the Data Protection Legislation. 20.12 Before allowing any Sub-processor to process any Personal Data related to this DPS Agreement, the Processor must: 20.12.1 notify the Controller in writing of the intended Sub-processor and processing; 20.12.2 obtain the written consent of the Controller; 20.12.3 enter into a written agreement with the Sub-processor which give effect to the terms set out in this Clause 20 (Data Protection) such that they apply to the Sub- processor; and 20.12.4 provide the Controller with such information regarding the Sub-processor as the Controller may reasonably require. 20.13 The Processor shall remain fully liable for all acts or omissions of any of its Sub-processors. 20.14 The Contracting Authority may, at any time on not less than thirty (30) Working Days’ notice, revise this Clause by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this DPS Agreement). 
20.15 The parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Contracting Authority may on not less than thirty (30) Working Days’ notice to the Provider amend this DPS Agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office. 20.16 In the event that the parties are Joint Controllers in respect of Personal Data under this DPS Agreement, the parties shall implement Clauses that are necessary to comply with GDPR Article 26 based on the terms set out in Annex 1 to Schedule 12 (Processing Personal Data). 20.17 With respect to Personal Data provided by one party to the other party for which each party acts as Controller but which is not under the Joint Control of the parties, each party undertakes to comply with the applicable Data Protection Legislation in respect of their processing of such Personal Data as Controller. 20.18 Each party shall process the Personal Data in compliance with its obligations under the Data Protection Legislation and not do anything to cause the other party to be in breach of it. 20.19 Where a party has provided Personal Data to the other party in accordance with Clause 20.17 (Data Protection), the recipient of the Personal Data will provide all such relevant documents and information relating to its data protection policies and procedures as the other party may reasonably require. 20.20 The parties shall be responsible for their own compliance with Articles 13 and 14 GDPR in respect of the processing of Personal Data for the purposes of this DPS Agreement. 
20.21 The parties shall only provide Personal Data to each other: 20.21.1 to the extent necessary to perform the respective obligations under this DPS Agreement; and 20.21.2 in compliance with the Data Protection Legislation (including by ensuring all required fair processing information has been given to affected Data Subjects); and 20.21.3 where it has recorded it in Schedule 12 (Processing Personal Data). 20.22 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, each party shall, with respect to its processing of Personal Data as independent Controller, implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1)(a), (b), (c) and (d) of the GDPR, and the measures shall, at a minimum, comply with the requirements of the Data Protection Legislation, including Article 32 of the GDPR. 20.23 A party processing Personal Data for the purposes of this DPS Agreement shall maintain a record of its processing activities in accordance with Article 30 GDPR and shall make the record available to the other party upon reasonable request. 
20.24 Where a party receives a request by any Data Subject to exercise any of their rights under the Data Protection Legislation in relation to the Personal Data provided to it by the other party pursuant to this DPS Agreement (the Request Recipient): 20.24.1 the other party shall provide any information and/or assistance as reasonably requested by the Request Recipient to help it respond to the request or correspondence, at the cost of the Request Recipient; or 20.24.2 where the request or correspondence is directed to the other party and/or relates to the other party's Processing of the Personal Data, the Request Recipient will: (a) promptly, and in any event within five (5) Working Days of receipt of the request or correspondence, inform the other party that it has received the same and shall forward such request or correspondence to the other party; and (b) provide any information and/or assistance as reasonably requested by the other party to help it respond to the request or correspondence in the timeframes specified by Data Protection Legislation. 20.25 Each party shall promptly notify the other party upon it becoming aware of any Personal Data Breach relating to Personal Data provided by the other party pursuant to this DPS Agreement and shall: 20.25.1 do all such things as reasonably necessary to assist the other party in mitigating the effects of the Personal Data Breach; 20.25.2 implement any measures necessary to restore the security of any compromised Personal Data; 20.25.3 work with the other party to make any required notifications to the Information Commissioner’s Office and affected Data Subjects in accordance with the Data Protection Legislation (including the timeframes set out therein); and 20.25.4 not do anything which may damage the reputation of the other party or that party's relationship with the relevant Data Subjects, save as required by Law. 
20.26 Personal Data provided by one party to the other party may be used exclusively to exercise rights and obligations under this DPS Agreement as specified in Schedule 12 (Processing Personal Data). 20.27 Personal Data shall not be retained or processed for longer than is necessary to perform each Party’s obligations under this DPS Agreement which is specified in Schedule 12 (Processing Personal Data). 20.28 Notwithstanding the general application of Clauses 20.2 – 20.15 (Data Protection) to Personal Data, where the Provider is required to exercise its regulatory and/or legal obligations in respect of Personal Data, it shall act as an Independent Controller of Personal Data in accordance with Clause 20.16 – 20.27 (Data Protection).

Appears in 1 contract

Sources: Dynamic Purchasing System Agreement

Data Protection. 2.1 All Parties shall comply with this Clause 2 of this Schedule 6 to the extent applicable to the operation of this DPS Framework Agreement. 2.2 The Parties shall seek to agree their respective roles under the Data Protection Legislation and the capacity that they act in be this a Controller, Processor, joint Controller or Controller in common. In the absence of such agreement it shall be assumed that the Suppliers shall act as a Processor and the Authority as a Controller. Before the Processor undertakes any Processing, the Controller shall complete the form set out in the Annex to this Schedule 6 (the Data Processing Form). The Processor is authorised to undertake only that Processing that is set out in the completed Data Processing Form. 2.3 The Processor shall notify the Controller immediately if they consider that any of the Controller’s instructions infringe the Data Protection Legislation. 2.4 The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any Processing. Such assistance may, at the discretion of the Controller, include: 2.4.1 a systematic description of the envisaged Processing operations and the purpose of the Processing; 2.4.2 an assessment of the necessity and proportionality of the processing operations in relation to the Deliverables; 2.4.3 an assessment of the risks to the rights and freedoms of natural persons; and 2.4.4 the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 
2.5 The Processor shall provide all reasonable assistance to the Controller if the outcome of the Data Protection Impact Assessment leads the Controller to consult the Information Commissioner. 2.6 The Processor shall, in relation to any Personal Data Processed in connection with their obligations under this DPS Framework Agreement: 2.6.1 Process that Personal Data only in accordance with the instructions set out in the completed Data Processing Form unless the Processor are required to do otherwise by Law. If the Processor is so required, they shall promptly notify the Controller before processing the Personal Data unless prohibited by Law; 2.6.2 ensure that they have in place Protective Measures which are appropriate to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), having taken account of the: 2.6.2.1 nature of the data to be protected; 2.6.2.2 harm that might result from a Data Loss Event; 2.6.2.3 state of technological development; and 2.6.2.4 cost of implementing any measures; 2.6.3 ensure that: 2.6.3.1 the Processor Personnel do not process the Personal Data except in accordance with this DPS Framework Agreement (and in particular the completed Data Processing Form); 2.6.3.2 they take all reasonable steps to ensure the reliability and integrity of any Processor Personnel who will have access to Personal Data and ensure that the Processor Personnel: 2.6.3.2.1 are aware of and comply with the Processor’s duties under this Clause 2 of this Schedule 6; 2.6.3.2.2 are subject to confidentiality undertakings with the Processors (or where the Controller permits the Processor to sub-contract the processing of Personal Data pursuant to Clause 2.8 of this Schedule 6 below, with the relevant 
sub-contractors) that are in writing and are legally enforceable in respect of the Personal Data processed under this DPS Framework Agreement. Such confidentiality undertakings must as a minimum require each member of Processor Personnel to keep all Personal Data Processed under this DPS Framework Agreement confidential; 2.6.3.2.3 are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in advance and in writing to do so by the Controller or as otherwise permitted by this DPS Framework Agreement; and 2.6.3.2.4 have undergone adequate training in the use, care, protection and handling of Personal Data that enables them and the Processor to comply with their responsibilities under the Data Protection Legislation and this DPS Framework Agreement. The Processor shall provide the Controller with evidence of the completion and maintenance of that training within three (3) Business Days of request by the Controller; and 2.6.4 not cause or allow Personal Data to be transferred outside the European Economic Area unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled: 2.6.4.1 the Controller or the Processor have provided appropriate safeguards in relation to the transfer (in accordance with the Data Protection Legislation) as determined by the Controller; 2.6.4.2 the Data Subject has enforceable rights and effective legal remedies; 2.6.4.3 the Processor complies with their obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if they are not so required to comply, use their best endeavours to assist the Controller in meeting its obligations); and 2.6.4.4 the Processor complies with any reasonable instructions notified to them in advance by the Controller with respect to the processing of the Personal Data; 2.6.5 at the written 
direction of the Controller, delete or return the Personal Data (and any copies of it) to the Controller on termination of this DPS Framework Agreement unless the Processor is required by Law to retain the Personal Data. If the Processor is asked to delete the Personal Data by the Controller, the Processor shall provide the Controller with evidence that the Personal Data has been securely deleted in accordance with the Data Protection Legislation within the period stated within the written direction of the Controller. 2.7 Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, but not limited to, as appropriate: 2.7.1 the pseudonymisation and encryption of Personal Data; 2.7.2 the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services; 2.7.3 the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and 2.7.4 a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of Processing. 
2.8 Before permitting any Sub-processor of the Processor to Process Personal Data related to this DPS Framework Agreement, the Processor must: 2.8.1 notify the Controller in writing of the intended Sub-processor and Processing save where such intended Sub-processor has been specified in the Supplier’s response to the DPS Framework ITT; 2.8.2 obtain the written consent of the Controller save where such intended Sub-processor has been specified in the Supplier’s response to the DPS Framework ITT; 2.8.3 enter into a written agreement with the Sub-processor which gives effect to the terms set out in this Clause 2 of this Schedule 6 such that they apply to the Sub-processor and in respect of which the Controller is given the benefit of third party rights to enforce the same; and 2.8.4 provide the Controller with such information regarding the sub-contractor as the Authority may reasonably require. 2.9 The Processor shall ensure that the Sub-processor’s access to the Personal Data terminates automatically on the termination of this DPS Framework Agreement save that the Sub-processor may access the Personal Data in order to securely destroy it (or at the option of the Controller return it) in accordance with the requirements of the Data Protection Legislation. 2.10 For the avoidance of doubt, the Processor shall remain fully liable for all acts and omissions of any Sub-processor that they appoint to Process Personal Data on their behalf in relation to this DPS Framework Agreement. 
2.11 Subject to Clause 2.12 of this Schedule 6 below, the Processor shall notify the Controller immediately if they: 2.11.1 receive a Data Subject Access Request (or purported Data Subject Access Request); 2.11.2 receive a request to rectify, block or erase any Personal Data; 2.11.3 receive any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; 2.11.4 receive any communication from the Information Commissioner or any other Regulatory or Supervisory Body in connection with Personal Data processed under this DPS Framework Agreement; 2.11.5 receive a request from any third party for disclosure of Personal Data; or 2.11.6 become aware of an actual or suspected Data Loss Event. 2.12 The Processors obligation to notify the Controller under Clause 2.11 above shall include the prompt provision of further information relevant to the request, complaint or communication or Data Loss Event to the Authority, as it becomes available. 2.13 The Processor shall not respond substantively to the requests, complaints or communications listed in Clause 2.11 above save that they may respond to a Regulatory or Supervisory Body following prior consultation with the Controller. 
2.14 Taking into account the nature of the Processing, the Processor shall provide the Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under Clause 2.11 of this Schedule 6 above (and within the timescales reasonably required by the Authority) including by promptly providing: 2.14.1 the Controller with full details and copies of the complaint, communication or request; 2.14.2 such assistance as is reasonably requested by the Controller to enable the Controller to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; 2.14.3 such assistance as is reasonably requested by the Controller to enable the Controller to comply with other rights granted to individuals by the Data Protection Legislation including the right of rectification, the right to erasure, the right to object to Processing, the right to restrict Processing, the right to data portability and the right not to be subject to an automated individual decision (including profiling) 2.14.4 the Controller, at its request, with any Personal Data the Processor hold in relation to a Data Subject; 2.14.5 such assistance as is requested by the Controller following any Data Loss Event; 2.14.6 such assistance as is requested by the Controller in relation to informing a Data Subject about any Data Loss Event, including communication with the Data Subject; 2.14.7 such assistance as is requested by the Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Controller with the Information Commissioner's Office. 2.15 The Processor shall take such prompt and proper remedial action regarding any Data Loss Event as is agreed with the Controller. 
2.16 The Processor shall provide the Controller with copies of any requests from Data Subjects seeking to exercise their rights under the Data Protection Legislation. Where the Supplier is a Processor, such requests must be sent to england.ig- ▇▇▇▇▇▇▇▇▇@▇▇▇.▇▇▇ immediately and within no longer than one (1) Business Day of receipt by the Suppliers. 2.17 The Processor shall provide the Controller with evidence to demonstrate compliance with all of their obligations under this DPS Framework Agreement and the Data Protection Legislation. 2.18 The Processor shall allow for audits of their Processing activity by the Controller or the Controller’s designated auditor who for the avoidance of doubt shall enter into obligations of confidentiality and non-use the same as those set out in this Schedule 4 and the audits shall be conducted during normal business hours having given advance written notice of no less than five (5) Business Days. The Processor shall provide all reasonable cooperation with such audit and accompany the Authority or its authorised representative(s) if requested. The Controller (or the Controller’s designated auditor) shall not be permitted to conduct such an audit on more than 2 occasions in each 6 Month period, except with the agreement of the Processor (not to be unreasonably withheld or delayed). 2.19 The Processor shall each (where multiple Processors) designate a Data Protection Officer if required by the Data Protection Legislation and shall notify the Controller of the name and contact details of any such Data Protection Officer. 2.20 The Processor shall maintain complete and accurate records and information to demonstrate their compliance with this DPS Framework Agreement, the Data Protection Legislation and the Data Guidance. 
The Processor shall create and maintain a record of all categories of data Processing activities carried out under this DPS Framework Agreement, containing: 2.20.1 the categories of Processing carried out under this DPS Framework Agreement; 2.20.2 where applicable, transfers of Personal Data to a third country or an international organisation, including the identification of that third country or international organisation and, where required to ensure compliance with the Data Protection Legislation, the documentation of suitable safeguards; 2.20.3 a general description of the Protective Measures taken to ensure the security and integrity of the Personal Data Processed under this DPS Framework Agreement; and 2.20.4 a log recording the Processing of Personal Data in connection with this DPS Framework Agreement comprising, as a minimum, details of the Personal Data concerned, how the Personal Data was Processed, where the Personal Data was Processed and the identity of any individuals who had access to the Personal Data. 2.21 The Processor shall ensure that the record of Processing maintained in accordance with Clause 2.20 of this Schedule 6 is provided to the Controller within four (4) Business Days of a written request from the Controller. 2.22 This DPS Framework Agreement does not relieve the Processor from any obligations conferred upon them by the Data Protection Legislation. 2.23 The Parties agree to take account of any guidance issued by the Information Commissioner. The Controller may on not less than thirty (30) Business Days’ notice to the Processor amend this DPS Framework Agreement to ensure that it complies with any guidance issued by the Information Commissioner. 
2.24 The Controller may, at any time on not less than 30 Business Days’ notice, revise this Clause 2 of this Schedule 6 by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme issued by the European Commission, the Information Commissioner’s Office or any other competent authority (which shall apply when incorporated by attachment to this DPS Framework Agreement). 2.25 Where the Processor is Processing Personal Data under or in connection with this DPS Framework Agreement the Processor shall: 2.25.1 where such Personal Data is patient identifiable Personal Data ensure that such Personal Data is only: 2.25.1.1 used for the purposes of providing direct care for the relevant person to whom such Personal Data relates; or 2.25.1.2 used as otherwise permitted by Law; and 2.25.2 where such Personal Data is Processed pursuant to a S.251 Authorisation, only Process such Personal Data in accordance with the terms of such S.251 Authorisation. 2.26 The Processor and the Controller shall ensure that Personal Data is safeguarded at all times in accordance with the Law. This obligation will include but not be limited to (if transferred electronically) only transferring Personal Data: 2.26.1 if such transfer of Personal Data is essential, having regard to the purpose for which the transfer is conducted; and; 2.26.2 if suc

Appears in 1 contract

Sources: Dynamic Purchasing System Framework Agreement

Data Protection. The Parties acknowledge that for the purposes of the Data Protection Legislation, the Authority is the Controller and the Contractor is the Processor. The only processing that the Contractor is authorised to do is listed in Annex 1 of this Contract by the Authority and may not be determined by the Contractor. The Contractor shall notify the Authority immediately if it considers that any of the Authority's instructions infringe the Data Protection Legislation. The Contractor shall provide all reasonable assistance to the Authority in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Authority, include: a systematic description of the envisaged processing operations and the purpose of the processing; an assessment of the necessity and proportionality of the processing operations in relation to the Services; an assessment of the risks to the rights and freedoms of Data Subjects; and the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. The Contractor shall, in relation to any Personal Data processed in connection with its obligations under this Contract: process that Personal Data only in accordance with Annex 1, unless the Contractor is required to do otherwise by Law. 
If it is so required the Contractor shall promptly notify the Authority before processing the Personal Data unless prohibited by Law; ensure that it has in place Protective Measures, which are as appropriate to protect against a Data Loss Event, which the Authority may reasonably reject (but failure to reject shall not amount to approval by the Authority of the adequacy of the Protective Measures), having taken account of the: nature of the data to be protected; harm that might result from a Data Loss Event; state of technological development; and cost of implementing any measures; The review and approval of the Protective Measures by the Authority shall not relieve the Contractor of its obligations under the Data Protection Legislation, and the Contractor acknowledges that it is solely responsible for determining whether such Protective Measures are sufficient for it to have met its obligations under the Data Protection Legislation. ensure that: the Contractor Personnel do not process Personal Data except in accordance with this Contract and in particular Annex 1; it takes all reasonable steps to ensure the reliability and integrity of any Contractor Personnel who have access to the Personal Data and ensure that they: are aware of and comply with the Contractor’s duties under this Condition; are subject to appropriate confidentiality undertakings with the Contractor or any Sub-Processor; are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Authority or as otherwise permitted by this Contract; and have undergone adequate training in the use, care, protection and handling of Personal Data; not transfer Personal Data outside of the UK unless the prior written consent of the Authority has been obtained and provided the following conditions are 
fulfilled: the Authority or the Contractor has provided appropriate safeguards in relation to the transfer in accordance with guidance issued by the UK Government or body appointed by the Government and approved by the Authority; the Data Subject has enforceable rights and effective legal remedies; the Contractor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Authority in meeting its obligations); and the Contractor complies with any reasonable instructions notified to it in advance by the Authority with respect to the processing of the Personal Data. Subject to clause (6) below, the Contractor shall notify the Authority immediately if it: receives a Data Subject Request (or purported Data Subject Request); receives a request to rectify, block or erase any Personal Data; receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Contract; receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or becomes aware of a Data Loss Event. The Contractor’s obligation to notify under clause (5) of this Condition shall include the provision of further information to the Authority in phases, as details become available. 
Taking into account the nature of the processing, the Contractor shall provide the Authority with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under Condition 12(5) (and insofar as possible within the timescales reasonably required by the Authority) including by promptly providing: the Authority with full details and copies of the complaint, communication or request; such assistance as is reasonably requested by the Authority to enable the Authority to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation; the Authority, at its request, with any Personal Data it holds in relation to a Data Subject; assistance as requested by the Authority following any Data Loss Event; and assistance as requested by the Authority with respect to any request from the Information Commissioner’s Office, or any consultation by the Authority with the Information Commissioner's Office. The Contractor shall maintain complete and accurate records and information to demonstrate its compliance with this Condition. This requirement does not apply where the Contractor employs fewer than 250 staff, unless: the Authority determines that the processing is not occasional; the Authority determines the processing includes special categories of data as referred to in Article 9(1) of the UK GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the UK GDPR; and the Authority determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. The Contractor shall allow for audits of its Data Processing activity by the Authority or the Authority’s designated auditor. The Contractor shall designate a Data Protection Officer if required by the Data Protection Legislation. 
Before allowing any Sub-Processor to process any Personal Data related to this Contract, the Contractor must: notify the Authority in writing of the intended Sub-Processor and processing; obtain the written consent of the Authority; enter into a written agreement with the Sub-Processor which give effect to the terms set out in this Condition 12 such that they apply to the Sub-Processor; and provide the Authority with such information regarding the Sub-Processor as the Authority may reasonably require. The Contractor shall remain fully liable for all acts or omissions of any of its Sub-Processors. The Authority may, at any time on not less than 30 Working Days’ notice, revise this Condition 12 by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Contract). The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Authority may on not less than 30 Working Days’ notice to the Contractor amend this Contract to ensure that it complies with any guidance issued by the Information Commissioner’s Office. If the Contractor fails to comply with any provision of this Condition 12, the Authority may terminate the Contract immediately in which event the provisions of Condition 33 shall apply. 
The Contractor shall indemnify and keep indemnified the Authority against all claims and proceedings, and all costs and expenses incurred by it in connection therewith, made or brought against the Authority by any person in respect of the Data Protection Legislation or equivalent applicable legislation in any other country which claims would not have arisen but for some act, omission, misrepresentation or negligence on the part of the Contractor, its subcontractors and/or its Sub-Processors and hold it harmless against all costs, fines, losses and liability whatsoever incurred by it arising out of any action or inaction on its part in relation to any of its obligations as set out in this Contract which results in the Authority being in breach of its obligations under the Data Protection Legislation or equivalent applicable legislation in any other country. Upon expiry or earlier termination of this Contract for whatever reason, the Contractor shall, unless otherwise specified in Annex 1 or required by Law, immediately cease any processing of the Personal Data on the Authority’s behalf and at the written direction of the Authority: provide the Authority with a complete and uncorrupted version of the Personal Data in electronic form (or such other format as reasonably required by the Authority); and delete the Personal Data (and any copies of it) including from any computers, storage devices and storage media that are to be retained by the Contractor after the expiry of the Contract. The Contractor will certify to the Authority that it has completed such deletion. Where the Contractor is required to collect any Personal Data on behalf of the Authority, it shall ensure that it provides the relevant Data Subjects from whom the Personal Data are collected with a privacy notice in a form to be agreed with the Authority. 
Bribery and Corruption The Contractor shall not, and shall ensure that its Contractor Personnel do not: offer or promise, to any person employed or engaged by or on behalf of the Authority, any financial or other advantage as an inducement or reward for the improper performance of a function or activity, or for showing or not showing favour or disfavour to any person in relation to this Contract or any other contract with the Authority; agree to receive or accept any financial or other advantage as an inducement or reward for any improper performance of a function or activity in relation to this Contract or any other contract with the Authority; or enter into the Contract or any other contract with the Authority or any other department or office of Her Majesty's Government in connection with which commission has been paid, or agreed to be paid by the Contractor or on the Contractor’s behalf, or to the Contractor’s knowledge, unless, before the Contract is made, particulars of any such commission and the terms and conditions of any agreement for the payment thereof, have been disclosed in writing to any person duly authorised by the Authority to act as its representative for the purpose of this Condition. Nothing contained in this Condition shall prevent the Contractor paying such commission or bonuses to the Contractor’s own staff in accordance with their agreed contracts of employment. 
Any breach of this Condition by the Contractor, or by any person employed or engaged by the Contractor or acting on the Contractor’s behalf (whether with or without the Contractor’s knowledge), or any act or omission by the Contractor, or by such other person, in contravention of the Bribery Act 2010 or any other anti-corruption law, in relation to this Contract or any other contract with the Authority, shall entitle the Authority to terminate the Contract with immediate effect by notice in writing and to recover from the Contractor the amount of any loss resulting from such termination, and the amount of the value of any such gift, consideration or commission as the Authority shall think fit. In any dispute, difference or question arising in respect of: the interpretation of this Condition (except so far as the same may relate to the amount recoverable from the Contractor under clause (3) of this Condition in respect of any loss resulting from such determination of the Contract); or the right of the Authority to determine the Contract; or the amount or value of any gift, consideration or commission, the decision of the Authority shall be final and conclusive.

Appears in 1 contract

Sources: Beis Standard Terms and Conditions of Contract for Services

Data Protection. 17.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, CITB is the Controller and the ATO is the Processor. The only processing that the ATO is authorised to do in connection with this Agreement is listed in Annex A by CITB and may not be determined by the ATO. 17.2 The ATO shall notify CITB immediately if it considers that any of CITB's instructions infringe the Data Protection Legislation. 17.3 The ATO shall provide all reasonable assistance to CITB in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of CITB, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 17.4 The ATO shall, in relation to any Personal Data processed in connection with the ATO’s Obligations under this Agreement: (a) process that Personal Data only in accordance with Annex A, unless the ATO is required to do otherwise by Law. 
If it is so required the ATO shall promptly notify CITB before processing the Personal Data unless prohibited by Law; (b) ensure that it has in place Protective Measures, which have been reviewed and approved by CITB as appropriate to protect against a Data Loss Event having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; (c) ensure that: (i) the ATO Personnel do not process Personal Data except in accordance with this Agreement (and in particular Annex A); (ii) it takes all reasonable steps to ensure the reliability and integrity of any ATO Personnel who have access to the Personal Data and ensure that they: (A) are aware of and comply with the ATO’s duties under this clause; (B) are subject to appropriate confidentiality undertakings with the ATO or any Sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by CITB or as otherwise permitted by this Agreement; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; and (d) not transfer Personal Data outside of the EU unless the prior written consent of CITB has been obtained and the following conditions are fulfilled: (i) CITB or the ATO has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article

Appears in 1 contract

Sources: Construction Agreement

Data Protection. 1.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Controller and the Contractor is the Processor unless otherwise specified in Appendix 1. The only processing that the Processor is authorised to do is listed in Appendix 1 by the Controller and may not be determined by the Processor. 1.2 The Processor shall notify the Controller immediately if it considers that any of the Controller's instructions infringe the Data Protection Legislation. 1.3 The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Controller, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 1.4 The Processor shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: (a) process that Personal Data only in accordance with Appendix 1, unless the Processor is required to do otherwise by Law. 
If it is so required, the Processor shall promptly notify the Controller before processing the Personal Data unless prohibited by Law; (b) ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; (c) ensure that: (i) the Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Appendix 1); (ii) it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Processor’s duties under this clause; (B) are subject to appropriate confidentiality undertakings with the Processor or any Sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Controller or as otherwise permitted by this Agreement; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; and (d) not transfer Personal Data outside of the EU unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled: (i) the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Controller; (ii) the Data Subject has enforceable rights and effective legal remedies; (iii) the Processor complies with its obligations under the Data 
Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and (iv) the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data; (e) at the written direction of the Controller, delete or return Personal Data (and any copies of it) to the Controller on termination of the Agreement unless the Processor is required by Law to retain the Personal Data. 1.5 Subject to clause 1.6, the Processor shall notify the Controller immediately if it: (a) receives a Data Subject Request (or purported Data Subject Request); (b) receives a request to rectify, block or erase any Personal Data; (c) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; (d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; (e) receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or (f) becomes aware of a Data Loss Event. 1.6 The Processor’s obligation to notify under clause 1.5 shall include the provision of further information to the Controller in phases, as details become available. 
1.7 Taking into account the nature of the processing, the Processor shall provide the Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause 1.5 (and insofar as possible within the timescales reasonably required by the Controller) including by promptly providing: (a) the Controller with full details and copies of the complaint, communication or request; (b) such assistance as is reasonably requested by the Controller to enable the Controller to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation; (c) the Controller, at its request, with any Personal Data it holds in relation to a Data Subject; (d) assistance as requested by the Controller following any Data Loss Event; (e) assistance as requested by the Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Controller with the Information Commissioner's Office.

Appears in 1 contract

Sources: License Agreement

Data Protection. 19.1 To the extent that in relation to the delivery of the Services the Authority is the Data Controller and that the Contractor is the Data Processor, the only Processing that the Contractor is authorised to do is as listed in Table 1 in Schedule 1 or as otherwise instructed by the Authority and may not be determined by the Contractor. 19.2 The Contractor shall notify the Authority immediately if it considers that any of the Authority’s instructions infringe the Data Protection Legislation. 19.3 The Contractor shall provide all reasonable assistance to the Authority in the preparation of any Data Protection Impact Assessment prior to commencing any Processing. Such assistance may, at the discretion of the Authority, include: a) a systematic description of the envisaged Processing operations and the purpose of the Processing; b) an assessment of the necessity and proportionality of the Processing operations in relation to the Services; c) an assessment of the risks to the rights and freedoms of the Data Subjects; and d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of the Personal Data. 19.4 The Contractor shall, in relation to any Personal Data processed in connection with its obligations under this Contract: a) Process the Personal Data only in accordance with the instructions of the Authority, unless the Contractor is required to do otherwise by Law. 
If it is so required, the Contractor shall promptly notify the Authority before Processing the Personal Data unless notification is prohibited by Law; b) Ensure that it has in place Protective Measures, which have been reviewed and approved by the Authority as appropriate to protect against a Data Loss Event having taken account of the: nature of the data to be protected; harm that might result from a Data Loss Event; state of technological development; and cost of implementing any measures. c) Ensure that: • The Contractor Personnel do not Process Personal Data except in accordance with this Contract; • It takes all reasonable steps to ensure the reliability and integrity of any Contractor Personnel who have access to the Personal Data including making sure that they: A. Are aware of and comply with the Contractor’s duties under this clause 19 (Data Protection); B. Are subject to appropriate confidentiality undertakings with the Contractor or any Sub-Processor; C. Are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to a third party unless directed in writing to do so by the Authority or as otherwise permitted by this Contract; and D. Have undergone adequate training in the use, care, protection and handling of Personal Data. 
d) Not transfer Personal Data outside of the EEA unless the prior written consent of the Authority has been obtained (unless the transfer is required by EU or member state law to which the Contractor is subject, and if this is the case then the Contractor shall inform the Authority of that legal requirement before Processing that Personal Data, unless that law prohibits such information being provided on important grounds of public interest) and the following conditions are fulfilled: • The Authority or the Contractor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Authority; • The Contractor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Authority in meeting its obligations); and • The Contractor complies with any reasonable instructions notified to it in advance by the Authority with respect to the Processing of the Personal Data. e) Subject to any alternative notification by the Authority pursuant to clause 27 (Consequences of Termination), delete or return Personal Data in accordance with the Personal Data processing plan in Table 1 of Schedule 1 (Services). 19.5 The Contractor shall notify the Authority without undue delay upon becoming aware of a Personal Data Breach or circumstances that are likely to give rise to a Personal Data Breach (except where statutory guidance indicates that a Personal Data Breach is not required to be notified by a Data Processor to a Data Controller), providing the Authority with sufficient information and in a timescale which allows the Authority to meet its obligations to report a Personal Data Breach within 72 hours under Article 33 of the GDPR. 
Such notification shall as a minimum: a) describe the nature of the Personal Data Breach, the categories and numbers of Data Subjects concerned, and the categories and numbers of Personal Data records concerned; b) communicate the name and contact details of the data protection officer or other relevant contact from whom more information may be obtained; c) describe the likely consequences of the Personal Data Breach; and d) describe the measures taken or proposed to be taken to address the Personal Data Breach, 19.6 The Contractor shall notify the Authority (within five (5) Working Days) if it receives: a) a request from a Data Subject to have access to that person's Personal Data; b) a request to rectify any inaccurate Personal Data; c) a request to have any Personal Data erased; d) a request to obtain a portable copy of part of the Personal Data, or to transfer such a copy to any third party; e) an objection to any processing of Personal Data; f) a complaint or request relating to the Authority's obligations under the Data Protection Legislation; g) any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Contract; or h) a request from a third party for disclosure of Personal Data processed under this Contract where compliance with such request is required or purported to be required by Law. 19.7 The Contractor’s obligation to notify under clauses 19.5 and 19.6 shall include the provision of further information to the Authority in phases, as such information becomes available. 19.8 The Contractor shall provide the Authority with full cooperation and assistance in relation to any complaint or request made in relation to either party’s obligations under the Data Protection Legislation and any complaint, communication or request made under clause

Appears in 1 contract

Sources: Contract for Services

Data Protection. 2.1 The Parties acknowledge that for the purposes of Data Protection Legislation in relation to the Data Processing Services (insert here) is the data controller and the DDL is the Data Processor. The Processor must process the Processor Data only to the extent necessary to perform the Data Processing Services and only in accordance with written instructions set out in this Schedule, including instructions regarding transfers of Personal Data outside the EU or to an international organisation unless such transfer is required by law, in which case the Processor must inform the Controller of that requirement before processing takes place unless this is prohibited by law on the grounds of public interest. 2.2 The Processor must notify the Controller immediately if it considers that carrying out any of the Controller’s instructions would infringe the Data Protection Legislation. 2.3 The Processor must provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Controller, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Data Processing Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 
2.4 The Processor must, in relation to any Personal Data processed in connection with its obligations under this Agreement: (a) process that Personal Data only in accordance with Annex A, unless the Processor is required to do otherwise by Law. If it is so required the Processor must promptly notify the Controller before processing the Personal Data unless prohibited by law; (b) ensure that it has in place Protective Measures, which have been reviewed and approved by the Controller as appropriate to protect against a Data Loss Event having taken account of the: (i) nature, scope, context and purposes of processing the data to be protected; (ii) likelihood and level of harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; (c) ensure that: (i) when delivering the Data Processing Services the Processor’s Staff only process Personal Data in accordance with this Agreement (and in particular Annex A); (ii) it takes all reasonable steps to ensure the reliability and integrity of any Processor Staff who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Processor’s duties under this paragraph; (B) are subject to appropriate confidentiality undertakings with the Processor and any Sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal data to any third party unless directed in writing to do so by the Controller or as otherwise permitted by this Agreement; (D) have undergone adequate training in the use, care, protection and handling of Personal Data; and (E) are aware of and trained in the 
policies and procedures (Patient Confidentiality, Data Protection, Freedom of Information and Transparency). (d) not transfer Personal Data outside of the EU unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled: (i) the Controller or the Processor has provided appropriate safeguards in relation to the transfer as determined by the Controller; (ii) the Data Subject has enforceable rights and effective legal remedies; (iii) the Processor complies with its obligations under Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and (iv) the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data; (e) at the written direction of the Controller, delete or return Personal Data (and any copies of it) to the Controller on termination of the Data Processing Services and certify to the Controller that it has done so within five Operational Days of any such instructions being issued unless the Processor is required by law to retain the Personal Data, (f) if the Processor is required by any Law or Regulatory or Supervisory Body to retain any Processor Data that it would otherwise be required to destroy under this paragraph 2.4, notify the Controller in writing of that retention giving details of the Processor Data that it must retain and the reasons for its retention; and (g) co-operate fully with the Controller during any handover arising from the cessation of any part of the Data Processing Services, and if the Controller directs the Processor to migrate Processor Data to the Controller or to a third party, provide all reasonable assistance with ensuring safe migration including ensuring the integrity of Processor Data and the nomination of a named point of 
contact for the Controller. 2.5 Subject to paragraph 2.6, the Processor must notify the Controller immediately if, in relation to any Personal Data processed in connection with its obligations under this Agreement, it: (a) receives a Data Subject Access Request (or purported Data Subject Access Request); (b) receives a request to rectify, block or erase any Personal Data; (c) receives any other request, complaint or communication relating to obligations under Data Protection Legislation owed by the Processor or Controller; (d) receives any communication from the Information Commissioner or any other Regulatory or Supervisory Body (including any communication concerned with the systems on which Personal Data is processed under this Agreement); (e) receives a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by law; (f) becomes aware of or reasonably suspects a Data Loss Event; or (g) becomes aware of or reasonably suspects that it has in any way caused the Controller or any other person to breach Data Protection Legislation. 2.6 The Processor’s obligation to notify under paragraph 2.5 includes the provision of further information to the Controller in phases, as details become available. 2.7 The Processor must provide whatever co-operation the Controller reasonably requires to remedy any issue notified to the Controller under paragraphs 2.5 and 2.6 as soon as reasonably practicable. 
2.8 Taking into account the nature of the processing, the Processor must provide the Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under paragraph 2.5 (and insofar as possible within the timescales reasonably required by the Controller) including by promptly providing: (a) the Controller with full details and copies of the complaint, communication or request; (b) such assistance as is reasonably requested by the Controller to enable the Controller to comply with a Data Subject Access Request within the relevant timescales set out in Data Protection Legislation; (c) assistance as requested by the Controller following any Data Loss Event; (d) assistance as requested by the Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Controller with the Information Commissioner's Office. 2.9 Without prejudice to the generality of NHS Standard Terms (▇▇▇▇▇://▇▇▇.▇▇▇▇▇▇▇.▇▇▇.▇▇/nhs-standard-contract/21-22/) GC15 (Governance, Transaction Records and Audit), the Processor must allow for audits of its delivery of the Data Processing Services by the Controller or the Controller’s designated auditor. 2.10 For the avoidance of doubt, the provisions of NHS Standard Terms GC12 (Assignment and Sub-contracting) apply to the delivery of any Data Processing Services. 
2.11 Without prejudice to NHS Standard GC12, before allowing any Sub-processor to process any Personal Data related to this Agreement, the Processor must: (a) notify the Controller in writing of the intended Sub-processor and processing; (b) obtain the written consent of the Controller; (c) carry out appropriate due diligence of the Sub-processor and ensure this is documented; (d) enter into a binding written agreement with the Sub-processor which as far as practicable includes equivalent terms to those set out in this Agreement and in any event includes the requirements set out at NHS Standard Terms GC21.16.3; and (e) provide the Controller with such information regarding the Sub-processor as the Controller may reasonably require. 2.12 The Processor must create and maintain a record of all categories of data processing activities carried out under this Agreement, containing: (a) the categories of processing carried out under this Agreement; (b) where applicable, transfers of Personal Data to a third country or an international organisation, including the identification of that third country or international organisation and, where relevant, the documentation of suitable safeguards; (c) a general description of the Protective Measures taken to ensure the security and integrity of the Personal Data processed under this Agreement; and (d) a log recording the processing of the Processor Data by or on behalf of the Processor comprising, as a minimum, details of the Processor Data concerned, how the Processor Data was processed, when the Processor Data was processed and the identity of any individual carrying out the processing. 
2.13 The Processor warrants and undertakes that it will deliver the Data Processing Services in accordance with all Data Protection Legislation and this Agreement and in particular that it has in place Protective Measures that are sufficient to ensure that the delivery of the Data Processing Services complies with Data Protection Legislation and ensures that the rights of Data Subjects are protected. 2.14 The Processor must comply at all times with those obligations set out at Article 32 of the GDPR and equivalent provisions implemented into Law by DPA 2018. 2.15 The Processor must assist the Controller in ensuring compliance with the obligations set out at Article 32 to 36 of the GDPR and equivalent provisions implemented into Law, taking into account the nature of processing and the information available to the Provider. 2.16 The Processor must take prompt and proper remedial action regarding any Data Loss Event. 2.17 The Processor must assist the Controller by taking appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controllers’ obligation to respond to requests for exercising rights granted to individuals by Data Protection Legislation.

Appears in 1 contract

Sources: Data Processing Agreement

Data Protection. 2.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Authority is the Controller and the Provider is the Processor unless otherwise specified in Appendix 1 to this Data Processor Schedule. The only processing that the Processor is authorised to do is listed in Appendix 1 to this Data Processor Schedule by the Controller and may not be determined by the Processor. 2.2 The Processor shall notify the Controller immediately if it considers that any of the Controller's instructions infringe the Data Protection Legislation. 2.3 The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Controller, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 2.4 The Processor shall, in relation to any Personal Data processed in connection with its obligations under the Agreement: (a) process that Personal Data only in accordance with Appendix 1 to this Data Processor Schedule, unless the Processor is required to do otherwise by Law. 
If it is so required, the Processor shall promptly notify the Controller before processing the Personal Data unless prohibited by Law; (b) ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; (c) ensure that: (i) the Processor Staff do not process Personal Data except in accordance with the Agreement, including the terms of this Data Processor Schedule and Appendix 1 to it; (ii) it takes all reasonable steps to ensure the reliability and integrity of any Processor Staff who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Processor’s duties under this paragraph; (B) are subject to appropriate confidentiality undertakings with the Processor or any Sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Controller or as otherwise permitted by the Agreement; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; and (d) not transfer Personal Data outside of the UK unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled: (i) the transfer is to a country approved under the applicable Data Protection Legislation as providing adequate protection; (ii) the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with UK 
GDPR Article 46 or LED Article 37) as determined by the Controller; (iii) the Data Subject has enforceable rights and effective legal remedies; (iv) the Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and

Appears in 1 contract

Sources: Framework Agreement

Data Protection. 8.1 In this Framework Agreement, the terms Personal Data, Data Processor, Supervisory Authority, Data Subject, process, and Data Controller are as defined in the Data Protection Laws, and cognate terms shall be construed accordingly. Subprocessor means any person (including any third party, but excluding an employee of Transfermate or any of its sub-contractors) appointed by or on behalf of Transfermate to process Personal Data in connection with this Framework Agreement. 8.2 Both Parties acknowledge that in performing its obligations under this Framework Agreement and in the Customer availing of the Services, Transfermate may process Personal Data on behalf of Customer. In such circumstances, the Parties acknowledge that Customer is the Data Controller and Transfermate is the Data Processor in respect of the Personal Data it Processes on behalf of the Customer, and Transfermate shall comply with its then in force Privacy Policy. 8.3 Transfermate agrees that it shall acquire no rights or interest in the Personal Data, and shall only Process the Personal Data in accordance with this Framework Agreement and any other written instructions of the Customer unless required to do so by applicable Data Protection Law to which the Data Processor (or its Subsidiaries) is subject, and in such a case, the Data Processor shall notify the Customer of that legal requirement before processing, unless that law prohibits such notification. 
8.4 Customer understands that the delivery of the Services shall necessitate Transfermate on occasion to transfer Customer Personal Data internationally, and the Customer consents to such transfer on the understanding that Transfermate shall take the necessary legal and contractual safeguards to ensure that the data transfer is compliant with the applicable Data Protection Law. 8.5 Transfermate agrees to assist the Customer, including taking appropriate technical and organisational measures, to respond to requests by data subjects, exercising their rights under Data Protection Law, within such reasonable timescale as may be specified by the Customer. 8.6 Transfermate will ensure that its Personnel who Process Personal Data under this Framework Agreement are subject to obligations of confidentiality in relation to such Personal Data. 8.7 Transfermate shall implement appropriate technical and organisational measures to assure a level of security appropriate to the risk to the security of Personal Data, in particular, from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to Personal Data including: 8.7.1 the pseudonymisation and encryption of Personal Data; 8.7.2 the ability to ensure the ongoing confidentiality, integrity and availability and resilience of Transfermate's systems used for such Processing; 8.7.3 the ability to restore the availability and access to Personal Data in the event of an incident; and 8.7.4 a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. 
8.8 Transfermate agrees that neither it nor its Subsidiaries shall engage any third party to Process the Customer's Personal Data without imposing on such third party, by means of a written contract, the same data protection obligations as set out in this Framework Agreement and shall ensure that if any third party engaged by Transfermate in turn engages another person to Process any Personal Data, the third party is required to comply with all of this Clause’s obligations in respect of Processing of Personal Data. 8.9 Transfermate shall remain fully liable to the Customer for Processing by any third party as if the Processing was being conducted by Transfermate. 8.10 Transfermate will immediately inform the Customer if, in its opinion, an instruction given or request made pursuant to this agreement infringes any Data Protection.

Appears in 1 contract

Sources: Framework Agreement

Data Protection. The Parties acknowledge that for the purposes of the Data Protection Legislation, the Authority is the Controller and the Supplier is the Processor. The only processing that the Supplier is authorised to do is listed in Framework Schedule 21 by the Authority and may not be determined by the Supplier. The Supplier shall notify the Authority immediately if it considers that any of the Authority's instructions infringe the Data Protection Legislation. The Supplier shall provide all reasonable assistance to the Authority in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Authority, include: a systematic description of the envisaged processing operations and the purpose of the processing; an assessment of the necessity and proportionality of the processing operations in relation to the operations; an assessment of the risks to the rights and freedoms of Data Subjects; and the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. The Supplier shall, in relation to any Personal Data processed in connection with its obligations under this Framework Agreement: process that Personal Data only in accordance with Framework Schedule 21 unless the Supplier is required to do otherwise by Law. 
If it is so required the Supplier shall promptly notify the Authority before processing the Personal Data unless prohibited by Law; ensure that it has in place Protective Measures, which have been reviewed and approved by the Authority as appropriate to protect against a Data Loss Event having taken account of the: nature of the data to be protected; harm that might result from a Data Loss Event; state of technological development; and cost of implementing any measures; ensure that: the Supplier Personnel do not process Personal Data except in accordance with this Framework Agreement (and in particular Framework Schedule 21); it takes all reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that they: (i) are aware of and comply with the Supplier’s duties under this clause; (ii) are subject to appropriate confidentiality undertakings with the Supplier or any Sub-processor; (iii) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority or as otherwise permitted by this Framework Agreement; and (iv) have undergone adequate training in the use, care, protection and handling of Personal Data; and not transfer Personal Data outside of the European Economic Area unless the prior written consent of the Authority has been obtained and the following conditions are fulfilled: the Authority or the Supplier has provided appropriate safeguards in relation to the transfer; the Data Subject has enforceable rights and effective legal remedies; the Supplier complies with its obligations under the Data Protection Legislation by providing an 
adequate level of protection to any Personal Data that is transferred; and the Supplier complies with any reasonable instructions notified to it in advance by the Authority with respect to the processing of the Personal Data; at the written direction of the Authority, delete or return Personal Data (and any copies of it) to the Authority on termination of the Framework Agreement unless the Supplier is required by Law to retain the Personal Data. Subject to clause 24.5.6, the Supplier shall notify the Authority immediately if it: receives a Data Subject Access Request (or purported Data Subject Access Request); receives a request to rectify, block or erase any Personal Data; receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Framework Agreement; receives a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or becomes aware of a Data Loss Event. The Supplier’s obligation to notify under clause 24.5.5 shall include the provision of further information to the Authority in phases, as details become available. 
Taking into account the nature of the processing, the Supplier shall provide the Authority with full assistance in relation to either party's obligations under Data Protection Legislation and any complaint, communication or request made under Clause 24.5.5 (and insofar as possible within the timescales reasonably required by the Authority) including by promptly providing: the Authority with full details and copies of the complaint, communication or request; such assistance as is reasonably requested by the Authority to enable the Authority to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; the Authority, at its request, with any Personal Data it holds in relation to a Data Subject; assistance as requested by the Authority following any Data Loss Event; assistance as requested by the Authority with respect to any request from the Information Commissioner’s Office, or any consultation by the Authority with the Information Commissioner's Office. The Supplier shall maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Supplier employs fewer than 250 staff, unless: the Authority determines that the processing is not occasional; the Authority determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; and the Authority determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. The Supplier shall allow for audits of its Data Processing activity by the Authority or the Authority’s designated auditor. The Supplier shall designate a Data Protection Officer if required by the Data Protection Legislation. 
1 Before allowing any Sub-processor to process any Personal Data related to this Framework Agreement, the Supplier must: notify the Authority in writing of the intended Sub-processor and processing; obtain the written consent of the Authority; enter into a written agreement with the Sub-processor which gives effect to the terms set out in this clause 24.5 such that they apply to the Sub-processor; and provide the Authority with such information regarding the Sub-processor as the Authority may reasonably require. The Supplier shall remain fully liable for all acts or omissions of any Sub-processor. The Authority may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Framework Agreement). The Parties agree to take account of any non-mandatory guidance issued by the Information Commissioner’s Office publishes guidance. The Authority may on not less than 30 Working Days’ notice to the Supplier amend this agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office.

Appears in 1 contract

Sources: Framework Agreement

Data Protection. (1) The Parties acknowledge that for the purposes of the Data Protection Legislation, the Authority is the Data Controller and the Contractor is the Data Processor. The only processing that the Contractor is authorised to do is listed in Annex 1 by the Authority and may not be determined by the Contractor. (2) The Contractor shall notify the Authority immediately if it considers that any of the Authority's instructions infringe the Data Protection Legislation. (3) The Contractor shall provide all reasonable assistance to the Authority in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Authority, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. (4) The Contractor shall, in relation to any Personal Data processed in connection with its obligations under this Contract: (a) process that Personal Data only in accordance with Annex 1, unless the Contractor is required to do otherwise by Law. 
If it is so required the Contractor shall promptly notify the Authority before processing the Personal Data unless prohibited by Law; (b) ensure that it has in place Protective Measures, which have been reviewed and approved by the Authority as appropriate to protect against a Data Loss Event having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; The review and approval of the Protective Measures by the Authority shall not relieve the Contractor of its obligations under Data Protection Legislation, and the Contractor acknowledges that it is solely responsible for determining whether such Protective Measures are sufficient for it to have met its obligations under the Data Protection Legislation. (c) ensure that: (i) the Contractor Personnel do not process Personal Data except in accordance with this Contract and in particular Annex 1; (ii) it takes all reasonable steps to ensure the reliability and integrity of any Contractor Personnel who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Contractor’s duties under this clause; (B) are subject to appropriate confidentiality undertakings with the Contractor or any Sub-Processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Authority or as otherwise permitted by this Contract; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data. 
(d) do not transfer Personal Data outside of the European Union unless the prior written consent of the Authority has been obtained and provided the following conditions are fulfilled:- (i) the Authority or the Contractor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Authority; (ii) the Data Subject has enforceable rights and effective legal remedies; (iii) the Contractor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Authority in meeting its obligations); and (iv) the Contractor complies with any reasonable instructions notified to it in advance by the Authority with respect to the processing of the Personal Data. (5) Subject to clause (6), the Contractor shall notify the Authority immediately if it: (a) receives a Data Subject Request (or purported Data Subject Request); (b) receives a request to rectify, block or erase any Personal Data; (c) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; (d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Contract; (e) receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or (f) becomes aware of a Data Loss Event. (6) The Contractor’s obligation to notify under clause (5) shall include the provision of further information to the Authority in phases, as details become available. 
(7) Taking into account the nature of the processing, the Contractor shall provide the Authority with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause (5) (and insofar as possible within the timescales reasonably required by the Authority) including by promptly providing: (a) the Authority with full details and copies of the complaint, communication or request; (b) such assistance as is reasonably requested by the Authority to enable the Authority to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation; (c) the Authority, at its request, with any Personal Data it holds in relation to a Data Subject; (d) assistance as requested by the Authority following any Data Loss Event; (e) assistance as requested by the Authority with respect to any request from the Information Commissioner’s Office, or any consultation by the Authority with the Information Commissioner's Office. (8) The Contractor shall maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Contractor employs fewer than 250 staff, unless: (a) the Authority determines that the processing is not occasional; (b) the Authority determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; and (c) the Authority determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. (9) The Contractor shall allow for audits of its Data Processing activity by the Authority or the Authority’s designated auditor. (10) The Contractor shall designate a Data Protection Officer if required by the Data Protection Legislation. 
(11) Before allowing any Sub-Processor to process any Personal Data related to this Contract, the Contractor must: (a) notify the Authority in writing of the intended Sub-Processor; (b) obtain the written consent of the Authority; (c) enter into a written Contract with the Sub-Processor which gives effect to the terms set out in this Condition 30 such that they apply to the Sub-Processor; and (d) provide the Authority with such information regarding the Sub-Processor as the Authority may reasonably require. (12) The Contractor shall remain fully liable for all acts or omissions of any Sub-Processor. (13) The Parties agree to take account of any guidance issued by the Information Commissioner’s Office in respect of the Data Protection Legislation that is applicable to this Contract and shall make such variations to this Contract as the Authority may reasonably require to give effect to such guidance in accordance with Condition 10. (14) If the Contractor fails to comply with any provision of this Condition 30, the Authority may terminate the Contract immediately in which event the provisions of Condition 20 shall apply. (15) The Contractor shall indemnify the Authority against all claims and proceedings, and all costs and expenses incurred in connection therewith, made or brought against the Authority by any person in respect of the Data Protection Legislation or equivalent applicable legislation in any other country which claims would not have arisen but for some act, omission, misrepresentation or negligence on the part of the Contractor, its sub-contractors and Sub-Processors and hold it harmless against all costs, fines, losses and liability whatsoever incurred by it arising out of any action or inaction on its part in relation to any of its obligations as set out in this Contract which results in the Authority being in breach of its obligations under the Data Protection Legislation or equivalent applicable legislation in any other country. 
(16) Upon expiry of this Contract or termination of this Contract for whatever reason, the Contractor shall, unless specified in Annex 1, notified otherwise by the Authority or required by law, immediately cease any processing of the Personal Data on the Authority’s behalf and as required by the Authority: (a) provide the Authority with a complete and uncorrupted version of the Personal Data in electronic form (or such other format as reasonably required by the Authority); and (b) erase from any computers, storage devices and storage media that are to be retained by the Contractor after the expiry of the Contract. The Contractor will certify to the Authority that it has completed such deletion. (17) Where processing of the Personal Data continues after the expiry or termination of this Contract as specified in Annex 1, notified otherwise by the Authority or required by law, the Contractor shall comply with the provisions of this Condition 30 for as long as the Contractor continues to process the Personal Data and such provisions shall survive the expiry or termination of this Contract. (18) Where the Contractor is required to collect any Personal Data on behalf of the Authority, it shall ensure that it provides the data subjects from whom the Personal Data are collected with a privacy notice in a form to be agreed with the Authority.

Appears in 1 contract

Sources: Contract for the Provision of Consultancy Services

Data Protection. The Parties acknowledge that for the purposes of the Data Protection Legislation, London Councils is the Controller and the Contractor is the Processor. For the avoidance of doubt the only processing that the Contractor is authorised to do is listed in the DP Schedule by the Controller and may not be determined by the Contractor. The Processor shall notify the Controller immediately if it considers that any of the Controller's instructions infringe the Data Protection Legislation. The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Controller, include: a systematic description of the envisaged processing operations and the purpose of the processing; an assessment of the necessity and proportionality of the processing operations in relation to the Services; an assessment of the risks to the rights and freedoms of Data Subjects; and the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. The Processor shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: process that Personal Data only in accordance with the DP schedule unless the Processor is required to do otherwise by Law. 
If it is so required the Processor shall promptly notify the Controller before processing the Personal Data unless prohibited by Law; ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), having taken account of the: nature of the data to be protected; harm that might result from a Data Loss Event; state of technological development; and cost of implementing any measures; ensure that: the Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 7); it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they:

Appears in 1 contract

Sources: Professional Services Agreement

Data Protection. 1.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Authority is the Controller and the Grant Recipient is the Processor unless otherwise specified in Annex A. The only processing that the Processor is authorised to do is listed in Annex A by the Controller and may not be determined by the Processor. 1.2 The Processor shall notify the Controller immediately if it considers that any of the Controller's instructions infringe the Data Protection Legislation. 1.3 The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Controller, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 1.4 The Processor shall, in relation to any Personal Data processed in connection with its obligations under these Conditions: (a) process that Personal Data only in accordance with Annex A, unless the Processor is required to do otherwise by Law. 
If it is so required the Processor shall promptly notify the Controller before processing the Personal Data unless prohibited by Law; (b) ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; (c) ensure that: (i) the Processor Personnel do not process Personal Data except in accordance with these Conditions (and in particular Part 1 of Annex A); (ii) it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they:

Appears in 1 contract

Sources: Grant Funding Agreement

Data Protection. The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Controller and the Contractor is the Processor. The only processing that the Contractor is authorised to do is listed in Contract Schedule [X] by the Customer and may not be determined by the Contractor. The Contractor shall notify the Customer immediately if it considers that any of the Customer's instructions infringe the Data Protection Legislation. The Contractor shall provide all reasonable assistance to the Customer in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Customer, include: a systematic description of the envisaged processing operations and the purpose of the processing; an assessment of the necessity and proportionality of the processing operations in relation to the Services; an assessment of the risks to the rights and freedoms of Data Subjects; and the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. The Contractor shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: process that Personal Data only in accordance with Contract Schedule [X], unless the Contractor is required to do otherwise by Law. 
If it is so required the Contractor shall promptly notify the Customer before processing the Personal Data unless prohibited by Law; ensure that it has in place Protective Measures, which have been reviewed and approved by the Customer as appropriate to protect against a Data Loss Event having taken account of the: nature of the data to be protected; harm that might result from a Data Loss Event; state of technological development; and cost of implementing any measures; ensure that: the Contractor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule X); it takes all reasonable steps to ensure the reliability and integrity of any Contractor Personnel who have access to the Personal Data and ensure that they: are aware of and comply with the Contractor’s duties under this clause; are subject to appropriate confidentiality undertakings with the Contractor or any Sub-processor; are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Customer or as otherwise permitted by this Agreement; and have undergone adequate training in the use, care, protection and handling of Personal Data; and not transfer Personal Data outside of the EU unless the prior written consent of the Customer has been obtained and the following conditions are fulfilled: the Customer or the Contractor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Customer; the Data Subject has enforceable rights and effective legal remedies; the Contractor complies with its obligations under the Data Protection Legislation 
by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Customer in meeting its obligations); and the Contractor complies with any reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; at the written direction of the Customer, delete or return Personal Data (and any copies of it) to the Customer on termination of the Agreement unless the Contractor is required by Law to retain the Personal Data. Subject to clause 1.6, the Contractor shall notify the Customer immediately if it: receives a Data Subject Access Request (or purported Data Subject Access Request); receives a request to rectify, block or erase any Personal Data; receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or becomes aware of a Data Loss Event. The Contractor’s obligation to notify under clause 13.5 shall include the provision of further information to the Customer in phases, as details become available. 
Taking into account the nature of the processing, the Contractor shall provide the Customer with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause 13.5 (and insofar as possible within the timescales reasonably required by the Customer) including by promptly providing: the Customer with full details and copies of the complaint, communication or request; such assistance as is reasonably requested by the Customer to enable the Customer to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; the Customer, at its request, with any Personal Data it holds in relation to a Data Subject; assistance as requested by the Customer following any Data Loss Event; assistance as requested by the Customer with respect to any request from the Information Commissioner’s Office, or any consultation by the Customer with the Information Commissioner's Office. The Contractor shall maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Contractor employs fewer than 250 staff, unless: the Customer determines that the processing is not occasional; the Customer determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; and the Customer determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. The Contractor shall allow for audits of its Data Processing activity by the Customer or the Customer’s designated auditor. The Contractor shall designate a data protection officer if required by the Data Protection Legislation. 
Before allowing any Sub-processor to process any Personal Data related to this Agreement, the Contractor must: notify the Customer in writing of the intended Sub-processor and processing; obtain the written consent of the Customer; enter into a written agreement with the Sub-processor which give effect to the terms set out in this clause [X] such that they apply to the Sub-processor; and provide the Customer with such information regarding the Sub-processor as the Customer may reasonably require. The Contractor shall remain fully liable for all acts or omissions of any Sub-processor. The Customer may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Agreement). The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Customer may on not less than 30 Working Days’ notice to the Contractor amend this agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office.

Appears in 1 contract

Sources: Service Agreement

Data Protection. 19.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Controller and the Contractor is the Processor unless otherwise specified in PPN 02\18 (▇▇▇▇▇://▇▇▇▇▇▇.▇▇▇▇▇▇▇▇▇▇.▇▇▇▇▇▇▇.▇▇▇.▇▇/government/uploads/system/uploads/att achment_data/file/708836/18.docx.pdf). The only processing that the Processor is authorised to do is listed in PPN 02/18 by the Controller and may not be determined by the Processor. 19.2 The Processor shall notify the Controller immediately if it considers that any of the Controller's instructions infringe the Data Protection Legislation. 19.3 The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Controller, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. take reasonable steps to ensure the reliability of any of the Supplier Staff who have access to the Personal Data; 19.4 The Processor shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: (a) process that Personal Data only in accordance with PPN 02/18, unless the Processor is required to do otherwise by Law. 
If it is so required the Processor shall promptly notify the Controller before processing the Personal Data unless prohibited by Law; (b) ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; 19.5 ensure that: (a) the Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular PPN 02/18); (b) it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they: (i) are aware of and comply with the Processor’s duties under this clause; (ii) are subject to appropriate confidentiality undertakings with the Processor or any Sub-processor; (iii) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Controller or as otherwise permitted by this Agreement; and (iv) have undergone adequate training in the use, care, protection and handling of Personal Data; and 19.6 not transfer Personal Data outside of the EU unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled: (a) the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Controller; (b) the Data Subject has enforceable rights and effective legal remedies; (c) the Processor complies with its obligations under the Data Protection Legislation 
by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and (d) the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data; 19.7 at the written direction of the Controller, delete or return Personal Data (and any copies of it) to the Controller on termination of the Agreement unless the Processor is required by Law to retain the Personal Data. 19.8 Subject to clause 19.6, the Processor shall notify the Controller immediately if it: (a) receives a Data Subject Request (or purported Data Subject Request); (b) receives a request to rectify, block or erase any Personal Data; (c) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; (d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; (e) receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or (f) becomes aware of a Data Loss Event. 19.9 The Processor’s obligation to notify under clause 19.5 shall include the provision of further information to the Controller in phases, as details become available. 
19.10 Taking into account the nature of the processing, the Processor shall provide the Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause 19.5 (and insofar as possible within the timescales reasonably required by the Controller) including by promptly providing: (a) the Controller with full details and copies of the complaint, communication or request; (b) such assistance as is reasonably requested by the Controller to enable the Controller to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation; (c) the Controller, at its request, with any Personal Data it holds in relation to a Data Subject; (d) assistance as requested by the Controller following any Data Loss Event; (e) assistance as requested by the Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Controller with the Information Commissioner's Office. 19.11 The Processor shall maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Processor employs fewer than 250 staff, unless: (a) the Controller determines that the processing is not occasional; (b) the Controller determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; or (c) the Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. 19.12 The Processor shall allow for audits of its Data Processing activity by the Controller or the Controller’s designated auditor. 19.13 Each Party shall designate its own data protection officer if required by the Data Protection Legislation. 
19.14 Before allowing any Sub-processor to process any Personal Data related to this Agreement, the Processor must: (a) notify the Controller in writing of the intended Sub-processor and processing; (b) obtain the written consent of the Controller; (c) enter into a written agreement with the Sub-processor which give effect to the terms set out in this clause 19.9 such that they apply to the Sub-processor; and (d) provide the Controller with such information regarding the Sub-processor as the Controller may reasonably require. 19.15 The Processor shall remain fully liable for all acts or omissions of any of its Sub-processors. 19.16 The Controller may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Agreement). 19.17 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Controller may on not less than 30 Working Days’ notice to the Processor amend this agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office. 19.18 Where the Parties include two or more Joint Controllers as identified in PPN 02\18 in accordance with GDPR Article 26, those Parties shall enter into a Joint Controller Agreement based on the terms outlined in PPN 02/18 in replacement of Clauses 19.1-19.17 for the Personal Data under Joint Control

Appears in 1 contract

Sources: Agreement for the Supply of Energy and Ancillary Services

Data Protection. The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Controller and the Contractor is the Processor unless otherwise specified in Contract Schedule A. The only processing that the Processor is authorised to do is listed in Contract Schedule A by the Controller and may not be determined by the Processor. The Processor shall notify the Controller immediately if it considers that any of the Controller's instructions infringe the Data Protection Legislation. The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Controller, include: a systematic description of the envisaged processing operations and the purpose of the processing; an assessment of the necessity and proportionality of the processing operations in relation to the Services; an assessment of the risks to the rights and freedoms of Data Subjects; and the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. The Processor shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: process that Personal Data only in accordance with Contract Schedule A, unless the Processor is required to do otherwise by Law. 
If it is so required the Processor shall promptly notify the Controller before processing the Personal Data unless prohibited by Law; ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), having taken account of the: nature of the data to be protected; harm that might result from a Data Loss Event; state of technological development; and cost of implementing any measures; Ensure that: the Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule A); it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they: are aware of and comply with the Processor’s duties under this clause; are subject to appropriate confidentiality undertakings with the Processor or any Sub-processor; are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Controller or as otherwise permitted by this Agreement; and have undergone adequate training in the use, care, protection and handling of Personal Data; and not transfer Personal Data outside of the EU unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled: the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Controller; the Data Subject has enforceable rights and effective legal remedies; the Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, 
if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data; at the written direction of the Controller, delete or return Personal Data (and any copies of it) to the Controller on termination of the Agreement unless the Processor is required by Law to retain the Personal Data. Subject to clause 13.6, the Processor shall notify the Controller immediately if it: receives a Data Subject Request (or purported Data Subject Request); receives a request to rectify, block or erase any Personal Data; receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or becomes aware of a Data Loss Event. The Processor’s obligation to notify under clause 13.5 shall include the provision of further information to the Controller in phases, as details become available. 
Taking into account the nature of the processing, the Processor shall provide the Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause 13.5 (and insofar as possible within the timescales reasonably required by the Controller) including by promptly providing: the Controller with full details and copies of the complaint, communication or request; such assistance as is reasonably requested by the Controller to enable the Controller to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation; the Controller, at its request, with any Personal Data it holds in relation to a Data Subject; assistance as requested by the Controller following any Data Loss Event; assistance as requested by the Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Controller with the Information Commissioner's Office. The Processor shall maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Processor employs fewer than 250 staff, unless: the Controller determines that the processing is not occasional; the Controller determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; or the Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. The Processor shall allow for audits of its Data Processing activity by the Controller or the Controller’s designated auditor. Each Party shall designate its own data protection officer if required by the Data Protection Legislation. 
Before allowing any Sub-processor to process any Personal Data related to this Agreement, the Processor must: notify the Controller in writing of the intended Sub-processor and processing; obtain the written consent of the Controller; enter into a written agreement with the Sub-processor which give effect to the terms set out in this clause 13 such that they apply to the Sub-processor; and provide the Controller with such information regarding the Sub-processor as the Controller may reasonably require. The Processor shall remain fully liable for all acts or omissions of any of its Sub-processors. The Controller may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Agreement). The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Controller may on not less than 30 Working Days’ notice to the Processor amend this agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office. Where the Parties include two or more Joint Controllers as identified in Schedule A in accordance with GDPR Article 26, those Parties shall enter into a Joint Controller Agreement based on the terms outlined in Schedule B in replacement of Clauses 13.1-13.14 for the Personal Data under Joint Control Liability.

Appears in 1 contract

Sources: Waste Haulage Services Agreement

Data Protection. 19.1 The parties acknowledge that for the purposes of the Data Protection Legislation, HCC is the Controller and the Service Provider is the Processor unless otherwise specified in Contract Schedule 4. The only processing that the Processor is authorised to do is listed in Contract Schedule 4 by the Controller and may not be determined by the Processor. 19.2 The Processor shall notify the Controller immediately if it considers that any of the Controller's instructions infringe the Data Protection Legislation. 19.3 The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Controller, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 19.4 The Processor shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: (a) process that Personal Data only in accordance with Contract Schedule 4, unless the Processor is required to do otherwise by Law. 
If it is so required the Processor shall promptly notify the Controller before processing the Personal Data unless prohibited by Law; (b) ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; (c) ensure that: (i) the Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 4); (ii) it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Processor’s duties under this clause 19; (B) are subject to appropriate confidentiality undertakings with the Processor or any Sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any Third Party unless directed in writing to do so by the Controller or as otherwise permitted by this Agreement; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; and (d) not transfer Personal Data outside of the EU unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled: (i) the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Controller; (ii) the Data Subject has enforceable rights and effective legal remedies; (iii) the Processor complies with its obligations under the Data Protection Legislation by 
providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and (iv) the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data; (e) at the written direction of the Controller, delete or return Personal Data (and any copies of it) to the Controller on termination, cancellation or expiry of this Agreement unless the Processor is required by Law to retain the Personal Data.

Appears in 1 contract

Sources: Framework Services Agreement

Data Protection. The Parties acknowledge that for 14.1 Each party shall comply with the purposes provisions of the Data Protection LegislationAct 1998 (and any subsequent amendment or re-enactment) (“the Act”), which definitions and interpretations shall apply to this clause. Where necessary to enable Linea to deliver the Customer Services, Linea shall have the Client’s authority to process personal data on the Client’s behalf in accordance with this clause. Linea shall take appropriate technical and organisational measures designed to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data and shall act only on the Client’s instructions and shall comply at all times with the seventh principle in Part 1 of Schedule 1 to the Act as if applicable to Linea directly. 14.2 The Parties will comply with the Data Protection Legislation and agree that the Client is the Controller and the Supplier Linea is the Processor unless otherwise specified in Contract Schedule 7. The only processing that Processor. 14.3 Linea will assist the Processor is authorised to do is listed in Contract Schedule 7 by the Controller and may not be determined by the Processor. The Processor shall notify the Controller immediately if it considers that any of the Controller's instructions infringe the Data Protection Legislation. The Processor shall provide all reasonable assistance to the Controller in Client with the preparation of any Data Protection Impact Assessment prior to Assessments required by the Data Protection Legislation before commencing any processing. 
Such assistance may, at the discretion Processing (including provision of the Controller, include: a systematic description of the envisaged processing operations detailed information and the purpose of the processing; an assessment of the necessity and proportionality of the processing operations assessments in relation to the Services; an assessment of the Processing operations, risks to the rights and freedoms of Data Subjects; measures) and the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. The Processor shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: process that Personal Data only in accordance with Contract Schedule 7, unless the Processor is required to do otherwise by Law. If it is so required the Processor shall promptly will notify the Controller before processing Client immediately if it considers that the Personal Client’s instructions infringe the Data unless prohibited by Law; ensure that it has Protection Legislation. 14.4 Linea have in place Protective Measures, Measures (details of which are appropriate can be provided on request) to protect guard against a Data Loss Event, which takes into account the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), having taken account of the: nature of the data to be protected; data, the harm that might result from a Data Loss Event; result, the state of technological development; technology and the cost of implementing any the measures; . 
14.5 Linea will ensure that : the Processor Personnel do not its Staff only process Personal Data except in accordance with this Agreement (Contract and in particular Schedule 7); it takes take all reasonable steps to ensure the reliability and integrity of any Processor Supplier Personnel who have with access to Personal Data, including by ensuring they: i) are aware of and comply with Linea’s obligations under this Clause; ii) are subject to appropriate confidentiality undertakings with Linea iii) are informed of the confidential nature of the Personal Data and don’t publish, disclose or divulge it to any third party unless directed by the Client or in accordance with this Call-Off Contract iv) are given training in the use, protection and handling of Personal Data. 14.6 Linea will not transfer Personal Data outside of the European Union unless the prior written consent of the Client has been obtained, which shall be dependent on such a transfer satisfying relevant Data Protection Legislation requirements. 14.7 Linea will delete or return Client’s Personal Data (including copies) if requested in writing by the Client at the End or Expiry of this Contract, unless required to retain the Personal Data by Law. 14.8 Linea will notify the Client without undue delay if it receives any communication from a third party relating to the Parties’ obligations under the Data Protection Legislation, or it becomes aware of a Data Loss Event, and will provide the Client with full and ongoing assistance in relation to each Party’s obligations under the Data Protection Legislation, and insofar as this is possible, in accordance with any timescales reasonably required by the Client 14.9 Linea will maintain complete and accurate records and information to demonstrate its compliance with this clause. 
This requirement does not apply where Linea employs fewer than 250 staff, unless: i) the Client determines that the Processing is not occasional; ii) the Client determines the Processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; and iii) the Client determines that the Processing is likely to result in a risk to the rights and freedoms of Data Subjects. 14.10 Before allowing any Sub-processor to Process any Personal Data related to this Contract, Linea must: i. notify the Client in writing of the proposed Sub-processor(s) and obtain its written consent; ii. ensure that they:it has entered into a written agreement with the Sub-processor(s) which gives effect to obligations set out in this Clause such that they apply to the Sub-processor(s); and iii. inform the Client of any additions to, or replacements of the notified Sub-processors and the Client shall either i) provide its written consent or ii) object. 33.10 The Client may at any time put forward a Variation request to amend this Call-Off Contract to ensure that it complies with any guidance issued by the Information Commissioner’s Office.

Appears in 1 contract

Sources: Engagement Letter

Data Protection. The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer if Table A of this Protocol has been completed then HEE is the Controller and the Supplier Provider is the Processor unless otherwise specified in Contract Schedule 7. The relation to the Processing described at Table A. Where the Provider acts as a Processor they are only processing that the Processor is authorised to do is carry out the Processing listed in Contract Schedule 7 by the Controller and may not be determined by the Processor. Table A. The Processor Provider shall notify the Controller ▇▇▇ immediately if it considers that any of the Controller▇▇▇'s instructions infringe the Data Protection Legislation. The Processor Provider shall provide all reasonable assistance to the Controller HEE in the preparation of any Data Protection Impact Assessment prior to commencing any processingProcessing. Such assistance may, at the discretion of the ControllerHEE, include: a systematic description of the envisaged processing Processing operations and the purpose of the processingProcessing; an assessment of the necessity and proportionality of the processing Processing operations in relation to the Services; an assessment of the risks to the rights and freedoms of Data Subjects; and the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. The Processor Provider shall, in relation to any Personal Data processed Processed in connection with its obligations as a Processor under this Agreementcontract: process that Personal Data only in accordance with Contract Schedule 7Table A of this Protocol, unless the Processor Provider is required to do otherwise by Law. 
If Where the Provider is required by Law to Process the Personal Data it is so required the Processor shall promptly notify the Controller HEE before processing Processing the Personal Data or at the first available opportunity where prior notification is not possible unless prohibited notification to HEE is proh' ▇▇▇ by Law▇▇▇; ensure ensur that it has in place lace Protective Measures, which are Measures as appropriate to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), Event having taken account a :Count of the: nature of the data to be protected; harm that might result from a Data Loss Event; state of technological development; and cost of implementing any measures; ensure that that: the Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 7); it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they:

Appears in 1 contract

Sources: NHS Education and Training Contract

Data Protection. 19.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Controller and the Supplier Contractor is the Processor unless otherwise specified in Contract Schedule 7PPN 02\18 (▇▇▇▇▇://▇▇▇▇▇▇.▇▇▇▇▇▇▇▇▇▇.▇▇▇▇▇▇▇.▇▇▇.▇▇/government/uploads/system/uploads/att achment_data/file/708836/18.docx.pdf). The only processing that the Processor is authorised to do is listed in Contract Schedule 7 PPN 02/18 by the Controller and may not be determined by the Processor. . 19.2 The Processor shall notify the Controller immediately if it considers that any of the Controller's instructions infringe the Data Protection Legislation. . 19.3 The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Controller, include: : (a) a systematic description of the envisaged processing operations and the purpose of the processing; ; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; ; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. take reasonable steps to ensure the reliability of any of the Supplier Staff who have access to the Personal Data; 19.4 The Processor shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: : (a) process that Personal Data only in accordance with Contract Schedule 7PPN 02/18, unless the Processor is required to do otherwise by Law. 
If it is so required the Processor shall promptly notify the Controller before processing the Personal Data unless prohibited by Law; ; (b) ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), having taken account of the: : (i) nature of the data to be protected; ; (ii) harm that might result from a Data Loss Event; ; (iii) state of technological development; and and (iv) cost of implementing any measures; ; 19.5 ensure that : : (a) the Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 7PPN 02/18); ; (b) it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they: (i) are aware of and comply with the Processor’s duties under this clause; (ii) are subject to appropriate confidentiality undertakings with the Processor or any Sub-processor; (iii) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Controller or as otherwise permitted by this Agreement; and (iv) have undergone adequate training in the use, care, protection and handling of Personal Data; and 19.6 not transfer Personal Data outside of the EU unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled: (a) the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Controller; (b) the Data Subject has enforceable rights and effective legal remedies; (c) the Processor complies with its obligations under the Data Protection Legislation 
by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and (d) the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data; 19.7 at the written direction of the Controller, delete or return Personal Data (and any copies of it) to the Controller on termination of the Agreement unless the Processor is required by Law to retain the Personal Data. 19.8 Subject to clause 19.6, the Processor shall notify the Controller immediately if it: (a) receives a Data Subject Request (or purported Data Subject Request); (b) receives a request to rectify, block or erase any Personal Data; (c) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; (d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; (e) receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or (f) becomes aware of a Data Loss Event. 19.9 The Processor’s obligation to notify under clause 19.5 shall include the provision of further information to the Controller in phases, as details become available. 
19.10 Taking into account the nature of the processing, the Processor shall provide the Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause 19.5 (and insofar as possible within the timescales reasonably required by the Controller) including by promptly providing: (a) the Controller with full details and copies of the complaint, communication or request; (b) such assistance as is reasonably requested by the Controller to enable the Controller to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation; (c) the Controller, at its request, with any Personal Data it holds in relation to a Data Subject; (d) assistance as requested by the Controller following any Data Loss Event; (e) assistance as requested by the Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Controller with the Information Commissioner's Office. 19.11 The Processor shall maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Processor employs fewer than 250 staff, unless: (a) the Controller determines that the processing is not occasional; (b) the Controller determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; or (c) the Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. 19.12 The Processor shall allow for audits of its Data Processing activity by the Controller or the Controller’s designated auditor. 19.13 Each Party shall designate its own data protection officer if required by the Data Protection Legislation. 
19.14 Before allowing any Sub-processor to process any Personal Data related to this Agreement, the Processor must: (a) notify the Controller in writing of the intended Sub-processor and processing; (b) obtain the written consent of the Controller; (c) enter into a written agreement with the Sub-processor which give effect to the terms set out in this clause 19 such that they apply to the Sub-processor; and (d) provide the Controller with such information regarding the Sub-processor as the Controller may reasonably require. 19.15 The Processor shall remain fully liable for all acts or omissions of any of its Sub-processors. 19.16 The Controller may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Agreement). 19.17 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Controller may on not less than 30 Working Days’ notice to the Processor amend this agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office. 19.18 Where the Parties include two or more Joint Controllers as identified in PPN 02\18 in accordance with GDPR Article 26, those Parties shall enter into a Joint Controller Agreement based on the terms outlined in PPN 02/18 in replacement of Clauses 19.1-19.17 for the Personal Data under Joint Control

Appears in 1 contract

Sources: Agreement for the Supply of Energy and Ancillary Services

Data Protection. 2.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer Authority is the Controller and the Supplier Provider is the Processor unless otherwise specified in Contract Schedule 7Appendix 1 to this Data Processor Schedule. The only processing that the Processor is authorised to do is listed in Contract Appendix 1 to this Data Processor Schedule 7 by the Controller and may not be determined by the Processor. . 2.2 The Processor shall notify the Controller immediately if it considers that any of the Controller's instructions infringe the Data Protection Legislation. . 2.3 The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Controller, include: : (a) a systematic description of the envisaged processing operations and the purpose of the processing; ; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; ; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. . 2.4 The Processor shall, in relation to any Personal Data processed in connection with its obligations under this the Agreement: : (a) process that Personal Data only in accordance with Contract Schedule 7Appendix 1 to this Data Processor Schedule, unless the Processor is required to do otherwise by Law. 
If it is so required the Processor shall promptly notify the Controller before processing the Personal Data unless prohibited by Law; ; (b) ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), having taken account of the: : (i) nature of the data to be protected; ; (ii) harm that might result from a Data Loss Event; ; (iii) state of technological development; and and (iv) cost of implementing any measures; ; (c) ensure that : that: (i) the Processor Personnel Staff do not process Personal Data except in accordance with the Agreement, including the terms of this Agreement Data Processor Schedule and Appendix 1 to it; (and in particular Schedule 7); ii) it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel Staff who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Processor’s duties under this paragraph; (B) are subject to appropriate confidentiality undertakings with the Processor or any Sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Controller or as otherwise permitted by the Agreement; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; and (d) not transfer Personal Data outside of the EU unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled: (i) the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Controller; (ii) the Data Subject has enforceable rights and effective legal remedies; 
(iii) the Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and (iv) the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data; (e) at the written direction of the Controller, delete or return Personal Data (and any copies of it) to the Controller on termination of the Agreement unless the Processor is required by Law to retain the Personal Data. 2.5 Subject to paragraph 2.6, the Processor shall notify the Controller immediately if it: (a) receives a Data Subject Request (or purported Data Subject Request); (b) receives a request to rectify, block or erase any Personal Data; (c) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; (d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under the Agreement; (e) receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or (f) becomes aware of a Data Loss Event. 2.6 The Provider will provide all reasonable assistance to the Controller in investigating and mitigating any potential or confirmed Data Loss Event. 2.7 The Processor’s obligation to notify under paragraph 2.5 shall include the provision of further information to the Controller in phases, as details become available. 
2.8 Taking into account the nature of the processing, the Processor shall provide the Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under paragraph 2.5 (and insofar as possible within the timescales reasonably required by the Controller) including by promptly providing: (a) the Controller with full details and copies of the complaint, communication or request; (b) such assistance as is reasonably requested by the Controller to enable the Controller to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation; (c) the Controller, at its request, with any Personal Data it holds in relation to a Data Subject; (d) assistance as requested by the Controller following any Data Loss Event; (e) assistance as requested by the Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Controller with the Information Commissioner's Office. 2.9 The Processor shall maintain complete and accurate records and information to demonstrate its compliance with this paragraph. This requirement does not apply where the Processor employs fewer than 250 staff, unless: (a) the Controller determines that the processing is not occasional; (b) the Controller determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; or (c) the Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. 2.10 The Processor shall allow for audits of its Data Processing activity by the Controller or the Controller’s designated auditor. 2.11 Each Party shall designate its own data protection officer if required by the Data Protection Legislation. 
2.12 Before allowing any Sub-processor to process any Personal Data related to the Agreement, the Processor must: (a) notify the Controller in writing of the intended Sub-processor and processing; (b) obtain the written consent of the Controller; (c) enter into a written agreement with the Sub-processor which give effect to the terms set out in this paragraph 2.11 such that they apply to the Sub-processor; and (d) provide the Controller with such information regarding the Sub-processor as the Controller may reasonably require. 2.13 The Processor shall remain fully liable for all acts or omissions of any of its Sub-processors. 2.14 The Controller may, at any time on not less than 30 Working Days’ notice, revise this paragraph by replacing it with any applicable controller to processor standard paragraphs or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to the Agreement). 2.15 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Controller may on not less than 30 Working Days’ notice to the Processor amend the Agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office. 1. The contact details of the Controller’s Data Protection Officer are: ▇▇▇▇▇▇▇▇ ▇▇▇▇▇▇▇▇, Data Protection Officer, Town Hall, ▇▇▇▇▇▇. ▇▇▇▇▇▇▇▇.▇▇▇▇▇▇▇▇@▇▇▇▇▇▇.▇▇▇.▇▇ 2. The contact details of the Processor’s Data Protection Officer are:

Appears in 1 contract

Sources: Dynamic Purchasing System Agreement