Information Security and Confidentiality. 6.1 Taking into account the state of the art and the costs of implementation and the nature, scope, context and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of the Data Subjects, WSP shall implement appropriate technical and organizational measures (please check Anywhere365 TOMs Document) to ensure a level of security appropriate to the risk, including inter alia as appropriate:
(i) If appropriate, the pseudonymization and encryption of Personal Data;
(ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services Processing Personal Data;
(iii) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
(iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.
6.2 In assessing the appropriate level of security, WSP shall take into account the particular risks that are presented by Processing in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted stored or otherwise Processed.
6.3 WSP shall immediately and in any event not later than 24 hours after becoming aware of it notify the Personal Data Breach to the CUSTOMER. The notification shall at least:
(i) describe the nature of the Personal Data Breach including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
(ii) communicate the name and contact details of the data protection officer or another contact point where more information can be obtained;
(iii) describe the likely consequences of the Personal Data Breach;
(iv) describe the measures taken or proposed to be taken by WSP to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects;
(v) include any other information available to WSP which the Controller is required by Applicable Data Protection Legislation to notify to the Data Protection Authorities and/or the Data Subjects.
WSP will furthermore provide the reasonable assistance requested by the CUSTOMER in order to investigate the Personal Data Breach and notify it to the Data Protection Authorities and/or the Data Subjects as required by Applicable Data Protection Legislation. This includes inter alia an obligation to document the Personal Data Breach (e.g. circumstances, impacts and remedial actions).
6.4 WSP undertakes to not disclose or otherwise make the Personal Data Processed under this DPA available to any third party, without the CUSTOMER’s prior written approval. Notwithstanding the above, disclosure to a Subcontractor listed in Exhibit 1 or subsequently notified to the CUSTOMER in accordance with Section 4.2 above is permitted.
6.5 WSP undertakes to ensure that access to Personal Data under this DPA is restricted to those of its personnel who directly require access to the Personal Data in order to fulfill WSP’s obligations in accordance with this DPA and the Agreement. WSP shall ensure that such personnel (whether employees or others engaged by WSP) is bound by a confidentiality obligation concerning the Personal Data to the same extent as WSP in accordance with this DPA.
6.6 The duties of confidentiality set forth in this Section 6 shall survive the expiry or termination of the DPA.
Appears in 2 contracts
Sources: Data Processing Agreement, Data Processing Agreement
Information Security and Confidentiality. 5.1. Provider shall be obliged to take appropriate technical and organizational measures to protect the Personal Data which is Processed. The measures shall result in a level of security which is appropriate taking into consideration:
a) existing technical possibilities;
b) the costs for carrying out the measures;
c) the particular risks associated with the Processing of Personal Data; and
d) the sensitivity of the Personal Data which is Processed.
5.2. Provider shall maintain adequate security for the Personal Data. Provider shall protect the Personal Data against destruction, modification, unlawful dissemination, accidental or unlawful access. The Personal Data shall also be protected against all other forms of unauthorized Processing in violation of this DPA or applicable laws and regulations. Taking into account the state of the art and the costs of implementation and the nature, scope, context and purposes of the Processing as well as the risk of varying likelihood and severity for the rights and freedoms of individuals, the technical and organizational measures to be implemented by Provider shall include, inter alia as appropriate:
a) If appropriate, the pseudonymization and encryption of Personal Data;
b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services Processing Personal Data;
c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.
6.2 In assessing 5.3. Provider shall notify the appropriate level Customer of security, WSP shall take into account the particular risks that are presented by Processing in particular from any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted stored or otherwise Processed.
6.3 WSP shall any other security incidents ( Personal Data Breach ) immediately and in any event not later than 24 hours after upon becoming aware of it notify the Personal Data Breach to the CUSTOMERsuch incidents. The notification shall should at least:
a) describe the nature of the Personal Data Breach including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
c) describe the likely consequences of the Personal Data Breach; and
d) describe the measures taken by Provider or proposed to be taken by the Customer to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
(v) include any other 5.4. In case of a Personal Data Breach, and taking into account the nature of Processing and the information available to WSP which the Controller is required by Applicable Data Protection Legislation to notify Provider, the Provider shall provide reasonable assistance to the Data Protection Authorities and/or Customer to help the Data Subjects. WSP will furthermore provide the reasonable assistance requested by the CUSTOMER in order to investigate the Customer comply with its obligations for (i) notification of a Personal Data Breach and notify it to the Data Protection Authorities and/or the Data Subjects relevant supervisory authority, as required by Applicable Data Protection Legislation. This includes inter alia an obligation to document the applicable, and (ii) communication of a Personal Data Breach (e.g. circumstancesto the relevant Data Subjects, impacts as applicable and remedial actions)appropriate.
6.4 WSP 5.5. The Provider undertakes to not disclose to, without the Customer or otherwise make the Personal Data Processed under this DPA available to any third party, without the CUSTOMER’s prior written approval. Notwithstanding the above, disclosure to a Subcontractor listed in Exhibit 1 or subsequently notified to the CUSTOMER except for Sub-processors engaged in accordance with Section 4.2 above is permittedthis DPA, unless otherwise required under applicable laws and regulations or pursuant to a decision by a competent court or authority.
6.5 WSP undertakes 5.6. The Provider shall be obliged to ensure that access to Personal Data under this DPA is restricted to those of its personnel who only such staff as directly require access to the Personal Data in order to fulfill WSP’s obligations in accordance with this fulfil the Provider DPA and the Agreementhave access to such information. WSP The Provider shall ensure that such personnel (whether employees or others engaged by WSP) is staff are bound by a confidentiality obligation concerning the Personal Data this information to the same extent as WSP the Provider in accordance with this DPA.
5.7. The duties of confidentiality set forth in this section 5 shall survive the expiry or termination of the DPA.
5.8. Provider shall, in addition to 5.1-5.6, take the technical and organizational security measures agreed between the Parties in Schedule A attached to this DPA to protect the Personal Data against accidental or unlawful destruction or accidental loss, damage, alteration, unauthorized disclosure, use or access and against all other unlawful forms of Processing.
Appears in 1 contract
Sources: Data Processing Agreement