Common use of Joint Controller Status and Allocation of Responsibilities Clause in Contracts

Joint Controller Status and Allocation of Responsibilities. 1.1 With respect to Personal Data under Joint Control of the Parties, the Parties envisage that they shall each be a Data Controller in respect of that Personal Data in accordance with the terms of this Annex 2 (Joint Controller Agreement) in replacement of paragraphs 2 to 15 of Schedule 4 of the Framework Agreement (Where one Party is Controller and the other Party is Processor) and paragraphs 17-27 of Schedule 4 (Independent Controllers of Personal Data). Accordingly, the Parties each undertake to comply with the applicable Data Protection Legislation in respect of their Processing of such Personal Data as Data Controllers. 1.2 The Parties agree that the [delete as appropriate Supplier/Buyer]: (a) is the exclusive point of contact for Data Subjects and is responsible for all steps necessary to comply with the GDPR regarding the exercise by Data Subjects of their rights under the GDPR; (b) shall direct Data Subjects to its Data Protection Officer or suitable alternative in connection with the exercise of their rights as Data Subjects and for any enquiries concerning their Personal Data or privacy; (c) is solely responsible for the Parties’ compliance with all duties to provide information to Data Subjects under Articles 13 and 14 of the GDPR; (d) is responsible for obtaining the informed consent of Data Subjects, in accordance with the GDPR, for Processing in connection with the Services where consent is the relevant legal basis for that Processing; and (e) shall make available to Data Subjects the essence of this Annex (and notify them of any changes to it) concerning the allocation of responsibilities as Joint Controller and its role as exclusive point of contact, the Parties having used their best endeavours to agree the terms of that essence. This must be outlined in the [Supplier’s/Buyer’s] privacy policy (which must be readily available by hyperlink or otherwise on all of its public facing services and marketing). 1.3 Notwithstanding the terms of clause 1.2, the Parties acknowledge that a data subject has the right to exercise their legal rights under the Data Protection Legislation as against the relevant Party as Controller.

Joint Controller Status and Allocation of Responsibilities. 1.1 With respect to Personal Data under Joint Control of the Parties, the Parties envisage that they shall each be a Data Controller in respect of that Personal Data in accordance with the terms of this Annex 2 (Joint Controller Agreement) in replacement of paragraphs 2 to 15 of Schedule 4 of the Framework Agreement 7 (Where one Party is Controller and the other Party is Processor) and paragraphs 17-17 to 27 of Schedule 4 7 (Independent Controllers of Personal Data). Accordingly, the Parties each undertake to comply with the applicable Data Protection Legislation in respect of their Processing of such Personal Data as Data Controllers. 1.2 The Parties agree that the [delete as appropriate Supplier/select: Supplier or Buyer]: (a) is the exclusive point of contact for Data Subjects and is responsible for all steps necessary to comply with the UK GDPR regarding the exercise by Data Subjects of their rights under the UK GDPR; (b) shall direct Data Subjects to its Data Protection Officer or suitable alternative in connection with the exercise of their rights as Data Subjects and for any enquiries concerning their Personal Data or privacy; (c) is solely responsible for the Parties’ compliance with all duties to provide information to Data Subjects under Articles 13 and 14 of the UK GDPR; (d) is responsible for obtaining the informed consent of Data Subjects, in accordance with the UK GDPR, for Processing in connection with the Services where consent is the relevant legal basis for that Processing; and (e) shall make available to Data Subjects the essence of this Annex (and notify them of any changes to it) concerning the allocation of responsibilities as Joint Controller and its role as exclusive point of contact, the Parties having used their best endeavours to agree the terms of that essence. This must be outlined in the [Supplier’s/select: Supplier’s or Buyer’s] privacy policy (which must be readily available by hyperlink or otherwise on all of its public facing services and marketing). 1.3 Notwithstanding the terms of clause 1.2, the Parties acknowledge that a data subject Data Subject has the right to exercise their legal rights under the Data Protection Legislation as against the relevant Party as Controller.

Joint Controller Status and Allocation of Responsibilities. 1.1 With respect to Personal Data under Joint Control of the Parties, the Parties envisage that they shall each be a Data Controller in respect of that Personal Data in accordance with the terms of this Annex 2 (Joint Controller Agreement) in replacement of paragraphs 2 to 15 3-16 of Joint Schedule 4 of the Framework Agreement 11 (Where one Party is Controller and the other Party is Processor) and paragraphs 1718-27 28 of Joint Schedule 4 11 (Independent Controllers of Personal Data). Accordingly, the Parties each undertake to comply with the applicable Data Protection Legislation in respect of their Processing of such Personal Data as Data Controllers. 1.2 The Parties agree that the [delete as appropriate Supplier/BuyerRelevant Authority]: (a) is the exclusive point of contact for Data Subjects and is responsible for all steps necessary to comply with the UK GDPR regarding the exercise by Data Subjects of their rights under the UK GDPR; (b) shall direct Data Subjects to its Data Protection Officer or suitable alternative in connection with the exercise of their rights as Data Subjects and for any enquiries concerning their Personal Data or privacy; (c) is solely responsible for the Parties’ compliance with all duties to provide information to Data Subjects under Articles 13 and 14 of the UK GDPR; (d) is responsible for obtaining the informed consent of Data Subjects, in accordance with the UK GDPR, for Processing in connection with the Services Deliverables where consent is the relevant legal basis for that Processing; and (e) shall make available to Data Subjects the essence of this Annex (and notify them of any changes to it) concerning the allocation of responsibilities as Joint Controller and its role as exclusive point of contact, the Parties having used their best endeavours to agree the terms of that essence. This must be outlined in the [Supplier’s/BuyerRelevant Authority’s] privacy policy (which must be readily available by hyperlink or otherwise on all of its public facing services and marketing). 1.3 Notwithstanding the terms of clause 1.2, the Parties acknowledge that a data subject Data Subject has the right to exercise their legal rights under the Data Protection Legislation as against the relevant Party as Controller.

Joint Controller Status and Allocation of Responsibilities. 1.1 With respect to Personal Data under Joint Control of the Parties, the Parties envisage that they shall each be a Data Controller in respect of that Personal Data in accordance with the terms of this Annex 2 (Joint Controller Agreement) in replacement of paragraphs 2 to 15 of Schedule 4 of the Framework Agreement (Where one Party is Controller and the other Party is Processor) and paragraphs 17-27 of Schedule 4 (Independent Controllers of Personal Data). Accordingly, the Parties each undertake to comply with the applicable Data Protection Legislation in respect of their Processing of such Personal Data as Data Controllers. 1.2 The Parties agree that the [delete as appropriate Supplier/Buyer]: (a) is the exclusive point of contact for Data Subjects and is responsible for all steps necessary to comply with the GDPR regarding the exercise by Data Subjects of their rights under the GDPR; (b) shall direct Data Subjects to its Data Protection Officer or suitable alternative in connection with the exercise of their rights as Data Subjects and for any enquiries concerning their Personal Data or privacy; (c) is solely responsible for the Parties’ compliance with all duties to provide information to Data Subjects under Articles 13 and 14 of the GDPR; (d) is responsible for obtaining the informed consent of Data Subjects, in accordance with the GDPR, for Processing in connection with the Services where consent is the relevant legal basis for that Processing; and (e) shall make available to Data Subjects the essence of this Annex (and notify them of any changes to it) concerning the allocation of responsibilities as Joint Controller and its role as exclusive point of contact, the Parties having used their best endeavours to agree the terms of that essence. This must be outlined in the [Supplier’s/Buyer’s] Supplier’s privacy policy (which must be readily available by hyperlink or otherwise on all of its public facing services and marketing). 1.3 Notwithstanding the terms of clause 1.2, the Parties acknowledge that a data subject has the right to exercise their legal rights under the Data Protection Legislation as against the relevant Party as Controller.

Joint Controller Status and Allocation of Responsibilities. 1.1 With respect to Personal Data under Joint Control of the Parties, the Parties envisage that they shall each be a Data Controller in respect of that Personal Data in accordance with the terms of this Annex 2 (Joint Controller Agreement) in replacement of paragraphs 2 to 15 3-16 of Joint Schedule 4 of the Framework Agreement 11 (Where one Party is Controller and the other Party is Processor) and paragraphs 1718-27 28 of Joint Schedule 4 11 (Independent Controllers of Personal Data). Accordingly, the Parties each undertake to comply with the applicable Data Protection Legislation in respect of their Processing of such Personal Data as Data Controllers. 1.2 The Parties agree that the [delete as appropriate Supplier/Buyer]: (a) is the exclusive point of contact for Data Subjects and is responsible for all steps necessary to comply with the UK GDPR regarding the exercise by Data Subjects of their rights under the UK GDPR; (b) shall direct Data Subjects to its Data Protection Officer or suitable alternative alternativ e in connection with the exercise of their rights as Data Subjects and for any enquiries concerning their Personal Data or privacy; (c) is solely responsible for the Parties’ compliance with all duties to provide information to Data Subjects under Articles 13 and 14 of the UK GDPR; (d) is responsible for obtaining the informed consent of Data Subjects, in accordance with the UK GDPR, for Processing in connection with the Services Deliverables where consent is the relevant legal basis for that Processing; and (e) shall make available to Data Subjects the essence of this Annex (and notify them of any changes to it) concerning the allocation of responsibilities as Joint Controller and its role as exclusive point of contact, the Parties having used their best endeavours to agree the terms of that essence. This must be outlined in the [Supplier’s/BuyerRelevant Authority’s] privacy policy (which must be readily available by hyperlink or otherwise on all of its public facing services and marketing). 1.3 Notwithstanding the terms of clause 1.2, the Parties acknowledge that a data subject Data Subject has the right to exercise their legal rights under the Data Protection Legislation as against the relevant Party as Controller.

Joint Controller Status and Allocation of Responsibilities. 1.1 With respect to Personal Data under Joint Control of the Parties, the Parties envisage that they shall each be a Data Controller in respect of that Personal Data in accordance with the terms of this Annex 2 (Joint Controller Agreement) in replacement of paragraphs 2 to 15 3-16 of Joint Schedule 4 of the Framework Agreement 11 (Where one Party is Controller and the other Party is Processor) and paragraphs 1718-27 28 of Joint Schedule 4 11 (Independent Controllers of Personal Data). Accordingly, the Parties each undertake to comply with the applicable Data Protection Legislation in respect of their Processing of such Personal Data as Data Controllers. 1.2 The Parties agree that the [delete as appropriate Supplier/Buyer]Authority: (a) is the exclusive point of contact for Data Subjects and is responsible for all steps necessary to comply with the UK GDPR regarding the exercise by Data Subjects of their rights under the UK GDPR; (b) shall direct Data Subjects to its Data Protection Officer or suitable alternative in connection with the exercise of their rights as Data Subjects and for any enquiries concerning their Personal Data or privacy; (c) is solely responsible for the Parties’ compliance with all duties to provide information to Data Subjects under Articles 13 and 14 of the UK GDPR; (d) is responsible for obtaining the informed consent of Data Subjects, in accordance with the UK GDPR, for Processing in connection with the Services Deliverables where consent is the relevant legal basis for that Processing; and (e) shall make available to Data Subjects the essence of this Annex (and notify them of any changes to it) concerning the allocation of responsibilities as Joint Controller and its role as exclusive point of contact, the Parties having used their best endeavours to agree the terms of that essence. This must be outlined in the [Supplier’s/BuyerRelevant Authority’s] privacy policy (which must be readily available by hyperlink or otherwise on all of its public facing services and marketing). 1.3 Notwithstanding the terms of clause 1.2, the Parties acknowledge that a data subject Data Subject has the right to exercise their legal rights under the Data Protection Legislation as against the relevant Party as Controller.

Joint Controller Status and Allocation of Responsibilities. 1.1 With respect to Personal Data under Joint Control of the Parties, the Parties envisage that they shall each be a Data Controller in respect of that Personal Data in accordance with the terms of this Annex 2 (Joint Controller Agreement) in replacement of paragraphs 2 to 15 3-16 of Joint Schedule 4 of the Framework Agreement 11 (Where one Party is Controller and the other Party is Processor) and paragraphs 1718-27 28 of Joint Schedule 4 11 (Independent Controllers of Personal Data). Accordingly, the Parties each undertake to comply with the applicable Data Protection Legislation in respect of their Processing of such Personal Data as Data Controllers. 1.2 The Parties agree that the [delete as appropriate Supplier/Buyer]: (a) : is the exclusive point of contact for Data Subjects and is responsible for all steps necessary to comply with the UK GDPR regarding the exercise by Data Subjects of their rights under the UK GDPR; (b) ; shall direct Data Subjects to its Data Protection Officer or suitable alternative in connection with the exercise of their rights as Data Subjects and for any enquiries concerning their Personal Data or privacy; (c) ; is solely responsible for the Parties’ compliance with all duties to provide information to Data Subjects under Articles 13 and 14 of the UK GDPR; (d) ; is responsible for obtaining the informed consent of Data Subjects, in accordance with the UK GDPR, for Processing in connection with the Services Deliverables where consent is the relevant legal basis for that Processing; and (e) and shall make available to Data Subjects the essence of this Annex (and notify them of any changes to it) concerning the allocation of responsibilities as Joint Controller and its role as exclusive point of contact, the Parties having used their best endeavours to agree the terms of that essence. This must be outlined in the [Supplier’s/BuyerRelevant Authority’s] privacy policy (which must be readily available by hyperlink or otherwise on all of its public facing services and marketing). 1.3 Notwithstanding the terms of clause 1.2, the Parties acknowledge that a data subject Data Subject has the right to exercise their legal rights under the Data Protection Legislation as against the relevant Party as Controller. The Supplier and the Relevant Authority each undertake that they shall: report to the other Party as reasonably requested on: the volume of Data Subject Access Request (or purported Data Subject Access Requests) from Data Subjects (or third parties on their behalf); the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data; any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation; any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract during that period; notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v); provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation; not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Deliverables and, for any disclosure or transfer of Personal Data to any third party, (save where such disclosure or transfer is specifically authorised under the Contract or is required by Law) ensure consent has been obtained from the Data Subject prior to disclosing or transferring the Personal Data to the third party. For the avoidance of doubt, the third party to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex; request from the Data Subject only the minimum information necessary to provide the Deliverables and treat such extracted information as Confidential Information; ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data; take all reasonable steps to ensure the reliability and integrity of any of its Personnel who have access to the Personal Data and ensure that its Personnel: are aware of and comply with their duties under this Annex 2 (Joint Controller Agreement) and those in respect of Confidential Information; are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so; and have undergone adequate training in the use, care, protection and handling of personal data as required by the applicable Data Protection Legislation; ensure that it has in place Protective Measures as appropriate to protect against a Personal Data Breach having taken account of the: nature of the data to be protected; harm that might result from a Personal Data Breach; state of technological development; and cost of implementing any measures; ensure that it has the capability (whether technological or otherwise), to the extent required by Data Protection Legislation, to provide or correct or delete at the request of a Data Subject all the Personal Data relating to that Data Subject that it holds; and ensure that it notifies the other Party as soon as it becomes aware of a Personal Data Breach. Each Joint Controller shall use its reasonable endeavours to assist the other Controller to comply with any obligations under applicable Data Protection Legislation and shall not perform its obligations under this Annex in such a way as to cause the other Joint Controller to breach any of its obligations under applicable Data Protection Legislation to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.

Joint Controller Status and Allocation of Responsibilities. 1.1 With respect to Personal Data under Joint Control of the Parties, the Parties envisage that they shall each be a Data Controller in respect of that Personal Data in accordance with the terms of this Annex 2 (Joint Controller Agreement) in replacement of paragraphs 2 to 2-15 of Joint Schedule 4 of the Framework Agreement 11 (Where one Party is Controller and the other Party is Processor) and paragraphs 177-27 of Joint Schedule 4 11 (Independent Controllers of Personal Data). Accordingly, the Parties each undertake to comply with the applicable Data Protection Legislation Law in respect of their Processing of such Personal Data as Data Controllers. 1.2 The Parties agree that the [delete as appropriate Supplier/BuyerCCS]: (a) is the exclusive point of contact for Data Subjects and is responsible for all steps necessary to comply with the GDPR regarding the exercise by Data Subjects of their rights under the GDPR; (b) shall direct Data Subjects to its Data Protection Officer or suitable alternative in connection with the exercise of their rights as Data Subjects and for any enquiries concerning their Personal Data or privacy; (c) is solely responsible for the Parties’ compliance with all duties to provide information to Data Subjects under Articles 13 and 14 of the GDPR; (d) is responsible for obtaining the informed consent of Data Subjects, in accordance with the GDPR, for Processing in connection with the Services where consent is the relevant legal basis for that Processing; and (e) shall make available to Data Subjects the essence of this Annex (and notify them of any changes to it) concerning the allocation of responsibilities as Joint Controller and its role as exclusive point of contact, the Parties having used their best endeavours to agree the terms of that essence. This must be outlined in the [Supplier’s/BuyerCCS’s] privacy policy (which must be readily available by hyperlink or otherwise on all of its public facing services and marketing). 1.3 Notwithstanding the terms of clause 1.2, the Parties acknowledge that a data subject Data Subject has the right to exercise their legal rights under the Data Protection Legislation Law as against the relevant Party as Controller.. Undertakings of both Parties The Supplier and the CCS each undertake that they shall: (a) report to the other Party every [x] months on: (i) the volume of Data Subject Request (or purported Data Subject Requests) from Data Subjects (or third parties on their behalf); (ii) the volume of requests from Data Subjects (or third parties on their behalf) to rectify, block or erase any Personal Data; (iii) any other requests, complaints or communications from Data Subjects (or third parties on their behalf) relating to the other Party’s obligations under applicable Data Protection Legislation; (iv) any communications from the Information Commissioner or any other regulatory authority in connection with Personal Data; and (v) any requests from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law, that it has received in relation to the subject matter of the Contract during that period; (b) notify each other immediately if it receives any request, complaint or communication made as referred to in Clauses 2.1(a)(i) to (v); (c) provide the other Party with full cooperation and assistance in relation to any request, complaint or communication made as referred to in Clauses 2.1(a)(iii) to (v) to enable the other Party to comply with the relevant timescales set out in the Data Protection Legislation; (d) not disclose or transfer the Personal Data to any third party unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, save where such disclosure or transfer is specifically authorised under the Contract or is required by Law). For the avoidance of doubt to which Personal Data is transferred must be subject to equivalent obligations which are no less onerous than those set out in this Annex; (e) request from the Data Subject only the minimum information necessary to provide the Services and treat such extracted information as Confidential Information; (f) ensure that at all times it has in place appropriate Protective Measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and unauthorised or unlawful disclosure of or access to the Personal Data; (g) take all reasonable steps to ensure the reliability and integrity of any of its Personnel who have access to the Personal Data and ensure that its Personnel: (i) are aware of and comply with their ’s duties under this Annex 2 (Data Sharing Agreement) and those in respect of Confidential Information (ii) are informed of the confidential nature of the Personal Data, are subject to appropriate obligations of confidentiality and do not publish, disclose or divulge any of the Personal Data to any third party where the that Party would not be permitted to do so; (iii) have undergone adequate training in the use, care, protection and handling of personal data as required by the applicable Data Protection Law; (h) ensure that it has in place Protective Measures as appropriate to protect against a Data Loss Event having taken account of the: (i) nature of the data to be protected; (i) harm that might result from a Data Loss Event;

Joint Controller Status and Allocation of Responsibilities. 1.1 With respect to Personal Data under Joint Control of the Parties, the Parties envisage that they shall each be a Data Controller in respect of that Personal Data in accordance with the terms of this Annex 2 3 (Joint Controller Agreement) in replacement of paragraphs 2 to 15 3-16 of Joint Schedule 4 of the Framework Agreement 11 (Where one Party is Controller and the other Party is Processor) and paragraphs 1718-27 28 of Joint Schedule 4 11 (Independent Controllers of Personal Data). Accordingly, the Parties each undertake to comply with the applicable Data Protection Legislation in respect of their Processing of such Personal Data as Data Controllers. 1.2 The Parties agree that the [delete as appropriate Supplier/BuyerRelevant Authority]: (a) is the exclusive point of contact for Data Subjects and is responsible for all steps necessary to comply with the UK GDPR regarding the exercise by Data Subjects of their rights under the UK GDPR; (b) shall direct Data Subjects to its Data Protection Officer or suitable alternative in connection with the exercise of their rights as Data Subjects and for any enquiries concerning their Personal Data or privacy; (c) is solely responsible for the Parties’ compliance with all duties to provide information to Data Subjects under Articles 13 and 14 of the UK GDPR; (d) is responsible for obtaining the informed consent of Data Subjects, in accordance with the UK GDPR, for Processing in connection with the Services Deliverables where consent is the relevant legal basis for that Processing; and (e) shall make available to Data Subjects the essence of this Annex (and notify them of any changes to it) concerning the allocation of responsibilities as Joint Controller and its role as exclusive point of contact, the Parties having used their best endeavours to agree the terms of that essence. This must be outlined in the [Supplier’s/BuyerRelevant Authority’s] privacy policy (which must be readily available by hyperlink or otherwise on all of its public facing services and marketing). 1.3 Notwithstanding the terms of clause 1.2, the Parties acknowledge that a data subject Data Subject has the right to exercise their legal rights under the Data Protection Legislation as against the relevant Party as Controller.

Joint Controller Status and Allocation of Responsibilities. 1.1 With respect to Personal Data under Joint Control of the Parties, the Parties envisage that they shall each be a Data Controller in respect of that Personal Data in accordance with the terms of this Annex 2 (Joint Controller Agreement) in replacement of paragraphs 2 to 2-15 of Joint Schedule 4 of the Framework Agreement 11 (Where one Party is Controller and the other Party is Processor) and paragraphs 177-27 of Joint Schedule 4 11 (Independent Controllers of Personal Data). Accordingly, the Parties each undertake to comply with the applicable Data Protection Legislation in respect of their Processing of such Personal Data as Data Controllers. 1.2 The Parties agree that the [delete as appropriate Supplier/Buyer]Relevant Authority: (a) is the exclusive point of contact for Data Subjects and is responsible for all steps necessary to comply with the GDPR regarding the exercise by Data Subjects of their rights under the GDPR; (b) shall direct Data Subjects to its Data Protection Officer or suitable alternative in connection with the exercise of their rights as Data Subjects and for any enquiries concerning their Personal Data or privacy; (c) is solely responsible for the Parties’ compliance with all duties to provide information to Data Subjects under Articles 13 and 14 of the GDPR; (d) is responsible for obtaining the informed consent of Data Subjects, in accordance with the GDPR, for Processing in connection with the Services where consent is the relevant legal basis for that Processing; and (e) shall make available to Data Subjects the essence of this Annex (and notify them of any changes to it) concerning the allocation of responsibilities as Joint Controller and its role as exclusive point of contact, the Parties having used their best endeavours to agree the terms of that essence. This must be outlined in the [Supplier’s/Buyer’s] Relevant Authority’s privacy policy (which must be readily available by hyperlink or otherwise on all of its public facing services and marketing). 1.3 Notwithstanding the terms of clause 1.2, the Parties acknowledge that a data subject Data Subject has the right to exercise their legal rights under the Data Protection Legislation as against the relevant Party as Controller.

Joint Controller Status and Allocation of Responsibilities. 1.1 With respect to Personal Data under Joint Control of the Parties, the Parties envisage that they shall each be a Data Controller in respect of that Personal Data in accordance with the terms of this Annex 2 (Joint Controller Agreement) in replacement of paragraphs 2 to 2-15 of Joint Schedule 4 of the Framework Agreement 11 (Where one Party is Controller and the other Party is Processor) and paragraphs 177-27 of Joint Schedule 4 11 (Independent Controllers of Personal Data). Accordingly, the Parties each undertake to comply with the applicable Data Protection Legislation Law in respect of their Processing of such Personal Data as Data Controllers. 1.2 The Parties agree that the [delete as appropriate Supplier/BuyerCCS]: (a) is the exclusive point of contact for Data Subjects and is responsible for all steps necessary to comply with the GDPR regarding the exercise by Data Subjects of their rights under the GDPR; (b) shall direct Data Subjects to its Data Protection Officer or suitable alternative in connection with the exercise of their rights as Data Subjects and for any enquiries concerning their Personal Data or privacy; (c) is solely responsible for the Parties’ compliance with all duties to provide information to Data Subjects under Articles 13 and 14 of the GDPR; (d) is responsible for obtaining the informed consent of Data Subjects, in accordance with the GDPR, for Processing in connection with the Services where consent is the relevant legal basis for that Processing; and (e) shall make available to Data Subjects the essence of this Annex (and notify them of any changes to it) concerning the allocation of responsibilities as Joint Controller and its role as exclusive point of contact, the Parties having used their best endeavours to agree the terms of that essence. This must be outlined in the [Supplier’s/BuyerCCS’s] privacy policy (which must be readily available by hyperlink or otherwise on all of its public facing services and marketing). 1.3 Notwithstanding the terms of clause 1.2, the Parties acknowledge that a data subject Data Subject has the right to exercise their legal rights under the Data Protection Legislation Law as against the relevant Party as Controller.

Joint Controller Status and Allocation of Responsibilities. 1.1 With respect to Personal Data under Joint Control of the Parties, the Parties envisage that they shall each be a Data Controller in respect of that Personal Data in accordance with the terms of this Annex 2 (Joint Controller Agreement) in replacement of paragraphs 2 to 15 of Schedule 4 of the Framework Agreement 7 (Where one Party is Controller and the other Party is Processor) and paragraphs 17-17 to 27 of Schedule 4 7 (Independent Controllers of Personal Data). Accordingly, the Parties each undertake to comply with the applicable Data Protection Legislation in respect of their Processing of such Personal Data as Data Controllers. 1.2 The Parties agree that the [delete as appropriate Supplier/select: Supplier or Buyer]: (a) : is the exclusive point of contact for Data Subjects and is responsible for all steps necessary to comply with the UK GDPR regarding the exercise by Data Subjects of their rights under the UK GDPR; (b) ; shall direct Data Subjects to its Data Protection Officer or suitable alternative in connection with the exercise of their rights as Data Subjects and for any enquiries concerning their Personal Data or privacy; (c) ; is solely responsible for the Parties’ compliance with all duties to provide information to Data Subjects under Articles 13 and 14 of the UK GDPR; (d) ; is responsible for obtaining the informed consent of Data Subjects, in accordance with the UK GDPR, for Processing in connection with the Services where consent is the relevant legal basis for that Processing; and (e) and shall make available to Data Subjects the essence of this Annex (and notify them of any changes to it) concerning the allocation of responsibilities as Joint Controller and its role as exclusive point of contact, the Parties having used their best endeavours to agree the terms of that essence. This must be outlined in the [Supplier’s/select: Supplier’s or Buyer’s] privacy policy (which must be readily available by hyperlink or otherwise on all of its public facing services and marketing). 1.3 Notwithstanding the terms of clause 1.2, the Parties acknowledge that a data subject Data Subject has the right to exercise their legal rights under the Data Protection Legislation as against the relevant Party as Controller.

Joint Controller Status and Allocation of Responsibilities. 1.1 With respect to Personal Data under for which the Parties are Joint Control of the PartiesControllers, the Parties envisage that they shall each be a Data Controller in respect of that Personal Data in accordance with the terms of this Annex 2 (Part B – Joint Controller Agreement) Agreement of Annex 1 – Processing Personal Data in replacement of paragraphs 2 Clauses 14.9(a) to 15 of Schedule 4 14.9(q) of the Framework Agreement (Where one Party is Controller and the other Party is Processor) and paragraphs 17-27 Conditions of Schedule 4 (Independent Controllers of Personal Data)this Contract. Accordingly, the Parties each undertake to comply with the applicable Data Protection Legislation in respect of their Processing processing of such Personal Data as Data Controllers. 1.2 The Parties agree that the [delete as appropriate Supplier/Buyer]: (a) is the exclusive point of contact for Data Subjects and is responsible for using all steps necessary reasonable endeavours to comply with the UK GDPR regarding the exercise by Data Subjects of their rights under the UK GDPR; (b) shall direct Data Subjects to its Data Protection Officer or suitable alternative in connection with the exercise of their rights as Data Subjects and for any enquiries concerning their Personal Data or privacy; (c) is solely responsible for the Parties’ compliance with all duties to provide information to Data Subjects under Articles 13 and 14 of the UK GDPR; (d) is responsible for obtaining the informed consent of Data Subjects, in accordance with the UK GDPR, for Processing processing in connection with the Services Deliverables where consent is the relevant legal basis for that Processingprocessing; and (e) shall make available to Data Subjects the essence of this Part B – Joint Controller Agreement of Annex 1 – Processing Personal Data (and notify them of any changes to it) concerning the allocation of responsibilities as Joint Controller and its role as exclusive point of contact, the Parties having used their best endeavours to agree the terms of that essence. This must be outlined in the [Supplier’s/Buyer’s] privacy policy (which must be readily available by hyperlink or otherwise on all of its public facing services and marketing). 1.3 Notwithstanding the terms of clause 1.2paragraph 1.2 of this Part B – Joint Controller Agreement of Annex 1 – Processing Personal Data, the Parties acknowledge that a data subject Data Subject has the right to exercise their legal rights under the Data Protection Legislation as against the relevant Party as Controller.

Joint Controller Status and Allocation of Responsibilities. 1.1 With respect to Personal Data under Joint Control of the Parties, the Parties envisage that they shall each be a Data Controller in respect of that Personal Data in accordance with the terms of this Annex 2 (Joint Controller Agreement) in replacement of paragraphs 2 to 15 of Schedule 4 of the Framework Agreement 7 (Where one Party is Controller and the other Party is Processor) and paragraphs 17-17 to 27 of Schedule 4 7 (Independent Controllers of Personal Data). Accordingly, the Parties each undertake to comply with the applicable Data Protection Legislation in respect of their Processing of such Personal Data as Data Controllers. 1.2 The Parties agree that the [delete as appropriate Supplier/select: Supplier or Buyer]: (a) is the exclusive point of contact for Data Subjects and is responsible for all steps necessary to comply with the UK GDPR regarding the exercise by Data Subjects of their rights under the UK GDPR; (b) shall direct Data Subjects to its Data Protection Officer or suitable alternative in connection with the exercise of their rights as Data Subjects and for any enquiries concerning their Personal Data or privacy; (c) is solely responsible for the Parties’ compliance with all duties to provide information to Data Subjects under Articles 13 and 14 of the UK GDPR; (d) is responsible for obtaining the informed consent of Data Subjects, in accordance with the UK GDPR, for Processing in connection with the Services where consent is the relevant legal basis for that Processing; and (e) shall make available to Data Subjects the essence of this Annex (and notify them of any changes to it) concerning the allocation of responsibilities as Joint Controller and its role as exclusive point of contact, the Parties having used their best endeavours to agree the terms of that essence. This must be outlined in the [Supplier’s/[ select: Supplier’s or Buyer’s] privacy policy (which must be readily available by hyperlink or otherwise on all of its public facing services and marketing). 1.3 Notwithstanding the terms of clause 1.2, the Parties acknowledge that a data subject Data Subject has the right to exercise their legal rights under the Data Protection Legislation as against the relevant Party as Controller.

Joint Controller Status and Allocation of Responsibilities. 1.1 With respect to Personal Data under Joint Control of the Parties, the Parties envisage that they shall each be a Data Controller in respect of that Personal Data in accordance with the terms of this Annex 2 (Joint Controller Agreement) in replacement of paragraphs 2 to 15 of Schedule 4 of the Framework Agreement (Where one Party is Controller and the other Party is Processor) and paragraphs 17-27 of Schedule 4 (Independent Controllers of Personal Data). Accordingly, the Parties each undertake to comply with the applicable Data Protection Legislation in respect of their Processing of such Personal Data as Data Controllers. 1.2 The Parties agree that the [delete as appropriate Supplier/BuyerBuyer ]: (a) is the exclusive point of contact for Data Subjects and is responsible for all steps necessary to comply with the GDPR regarding the exercise by Data Subjects Subject s of their rights under the GDPR; (b) shall direct Data Subjects to its Data Protection Officer or suitable alternative in connection with the exercise of their rights as Data Subjects and for any enquiries concerning their Personal Data or privacy; (c) is solely responsible for the Parties’ compliance with all duties to provide information to Data Subjects under Articles 13 and 14 of the GDPR; (d) is responsible for obtaining the informed consent of Data Subjects, in accordance with the GDPR, for Processing in connection with the Services where consent is the relevant legal basis for that Processing; and (e) shall make available to Data Subjects the essence of this Annex (and notify them of any changes to it) concerning the allocation of responsibilities responsib ilities as Joint Controller and its role as exclusive point of contact, the Parties having used their best endeavours to agree the terms of that essence. This must be outlined in the [Supplier’s/Buyer’s] privacy policy (which must be readily available by hyperlink or otherwise on all of its public facing services and marketing). 1.3 Notwithstanding the terms of clause 1.2, the Parties acknowledge that a data subject has the right to exercise their legal rights under the Data Protection Legislation as against the relevant Party as Controller.

Joint Controller Status and Allocation of Responsibilities. 1.1 With respect to Personal Data under Joint Control of the Parties, the Parties envisage that they shall each be a Data Controller in respect of that Personal Data in accordance with the terms of this Annex 2 (Joint Controller Agreement) in replacement of paragraphs 2 to 2-15 of Schedule 4 of the Framework Agreement (Where one Party is Controller and the other Party is Processor) and paragraphs 17-27 of Schedule 4 (Independent Controllers of Personal Data). Accordingly, the Parties each undertake to comply with the applicable Data Protection Legislation in respect of their Processing of such Personal Data as Data Controllers. 1.2 The Parties agree that the [delete as appropriate Supplier/BuyerCCS]: (a) is the exclusive point of contact for Data Subjects and is responsible for all steps necessary to comply with the GDPR regarding the exercise by Data Subjects of their rights under the GDPR; (b) shall direct Data Subjects to its Data Protection Officer or suitable alternative in connection with the exercise of their rights as Data Subjects and for any enquiries concerning their Personal Data or privacy; (c) is solely responsible for the Parties’ compliance with all duties to provide information to Data Subjects under Articles 13 and 14 of the GDPR; (d) is responsible for obtaining the informed consent of Data Subjects, in accordance with the GDPR, for Processing in connection with the Services where consent is the relevant legal basis for that Processing; and (e) shall make available to Data Subjects the essence of this Annex (and notify them of any changes to it) concerning the allocation of responsibilities as Joint Controller and its role as exclusive point of contact, the Parties having used their best endeavours to agree the terms of that essence. This must be outlined in the [Supplier’s/BuyerCCS’s] privacy policy (which must be readily available by hyperlink or otherwise on all of its public facing services and marketing). 1.3 Notwithstanding the terms of clause 1.2, the Parties acknowledge that a data subject Data Subject has the right to exercise their legal rights under the Data Protection Legislation as against the relevant Party as Controller.

Joint Controller Status and Allocation of Responsibilities. 1.1 With respect to Personal Data under Joint Control of the Parties, the Parties envisage that they shall each be a Data Controller in respect of that Personal Data in accordance with the terms of this Annex 2 (Joint Controller Agreement) in replacement of paragraphs 2 to 15 3-16 of Joint Schedule 4 of the Framework Agreement 11 (Where one Party is Controller and the other Party is Processor) and paragraphs 1718-27 28 of Joint Schedule 4 11 (Independent Controllers of Personal Data). Accordingly, the Parties each undertake to comply with the applicable Data Protection Legislation in respect of their Processing of such Personal Data as Data Controllers. 1.2 The Parties agree that the [delete as appropriate Supplier/Buyer]Relevant Authority: (ai) is the exclusive point of contact for Data Subjects and is responsible for all steps necessary to comply with the UK GDPR regarding the exercise by Data Subjects of their rights under the UK GDPR; (bii) shall direct Data Subjects to its Data Protection Officer or suitable alternative in connection with the exercise of their rights as Data Subjects and for any enquiries concerning their Personal Data or privacy; (ciii) is solely responsible for the Parties’ compliance with all duties to provide information to Data Subjects under Articles 13 and 14 of the UK GDPR; (div) is responsible for obtaining the informed consent of Data Subjects, in accordance with the UK GDPR, for Processing in connection with the Services Deliverables where consent is the relevant legal basis for that Processing; and (ev) shall make available to Data Subjects the essence of this Annex (and notify them of any changes to it) concerning the allocation of responsibilities as Joint Controller and its role as exclusive point of contact, the Parties having used their best endeavours to agree the terms of that essence. This must be outlined in the [Supplier’s/BuyerRelevant Authority’s] privacy policy (which must be readily available by hyperlink or otherwise on all of its public facing services and marketing). 1.3 Notwithstanding the terms of clause 1.2, the Parties acknowledge that a data subject Data Subject has the right to exercise their legal rights under the Data Protection Legislation as against the relevant Party as Controller.

Joint Controller Status and Allocation of Responsibilities. 1.1 With respect to Personal Data under Joint Control of the Parties, the Parties envisage that they shall each be a Data Controller in respect of that Personal Data in accordance with the terms of this Annex 2 Schedule 8 (Joint Controller Agreement) in replacement of paragraphs 2 Clauses 23.25 to 15 of Schedule 4 23.39 of the Framework Agreement (Where one Party is Controller Contract and the other Party is Processor) and paragraphs 17-27 Part 2 of Contract Schedule 4 7 (Independent Controllers of Personal Data)) as set out in Part 2 of Appendix 1 to the Contract Order Form. Accordingly, the Parties each undertake to comply with the applicable Data Protection Legislation in respect of their Processing of such Personal Data as Data Controllers. 1.2 The Parties agree that the [delete as appropriate Supplier/Buyer]Customer: (a) 1.2.1 is the exclusive point of contact for Data Subjects and is responsible for using all steps necessary reasonable endeavours to comply with the UK GDPR regarding the exercise by Data Subjects of their rights under the UK GDPR; (b) 1.2.2 shall direct Data Subjects to its Data Protection Officer or suitable alternative in connection with the exercise of their rights as Data Subjects and for any enquiries concerning their Personal Data or privacy; (c) 1.2.3 is solely responsible for the Parties’ compliance with all duties to provide information to Data Subjects under Articles 13 and 14 of the UK GDPR; (d) 1.2.4 is responsible for obtaining the informed consent of Data Subjects, in accordance with the UK GDPR, for Processing in connection with the Services where consent is the relevant legal basis for that Processing; and (e) 1.2.5 shall make available to Data Subjects the essence of this Annex (and notify them of any changes to it) concerning the allocation of responsibilities as Joint Controller and its role as exclusive point of contact, the Parties having used their best endeavours to agree the terms of that essence. This must be outlined in the [Supplier’s/Buyer’s] Customer’s privacy policy (which must be readily available by hyperlink or otherwise on all of its public facing services and marketing). 1.3 Notwithstanding the terms of clause Paragraph 1.2, the Parties acknowledge that a data subject Data Subject has the right to exercise their legal rights under the Data Protection Legislation as against the relevant Party as Controller.

Joint Controller Status and Allocation of Responsibilities. 1.1 ‌ With respect to Personal Data under for which the Parties are Joint Control of the PartiesControllers, the Parties envisage that they shall each be a Data Controller in respect of that Personal Data in accordance with the terms of this Annex 2 (Part B Joint Controller AgreementAgreement (Optional) of Annex 1 – Processing Personal Data in replacement of paragraphs 2 Clauses 14.9 to 15 of Schedule 4 14.9.13 of the Framework Agreement (Where one Party is Controller and the other Party is Processor) and paragraphs 17-27 Conditions of Schedule 4 (Independent Controllers of Personal Data)this Contract. Accordingly, the Parties each undertake to comply with the applicable Data Protection Legislation in respect of their Processing processing of such Personal Data as Data Controllers. 1.2 . The Parties agree that the [delete as appropriate Supplier/Buyer]: (a) Buyer]:‌ is the exclusive point of contact for Data Subjects and is responsible for all steps necessary using best endeavours to comply with the UK GDPR regarding the exercise by Data Subjects of their rights under the UK GDPR; (b) ; shall direct Data Subjects to its Data Protection Officer or suitable alternative in connection with the exercise of their rights as Data Subjects and for any enquiries concerning their Personal Data or privacy; (c) ; is solely responsible for the Parties’ compliance with all duties to provide information to Data Subjects under Articles 13 and 14 of the UK GDPR; (d) ; is responsible for obtaining the informed consent of Data Subjects, in accordance with the UK GDPR, for Processing processing in connection with the Services Deliverables where consent is the relevant legal basis for that Processingprocessing; and (e) and shall make available to Data Subjects the essence of this Part B Joint Controller Agreement (Optional) of Annex 1 – Processing Personal Data (and notify them of any changes to it) concerning the allocation of responsibilities as Joint Controller and its role as exclusive point of contact, the Parties having used their best endeavours to agree the terms of that essence. This must be outlined in the [Supplier’s/Buyer’s] privacy policy (which must be readily available by hyperlink or otherwise on all of its public facing services and marketing). 1.3 . Notwithstanding the terms of clause 1.2paragraph 1.2 of this Part B Joint Controller Agreement (Optional) of Annex 1 – Processing Personal Data, the Parties acknowledge that a data subject Data Subject has the right to exercise their legal rights under the Data Protection Legislation as against the relevant Party as Controller.

Joint Controller Status and Allocation of Responsibilities. 1.1 With Where it has been determined by the parties and/or the Onboarding Application and/or Confirmation form states that the parties shall be Joint Controllers of Personal Data, with respect to Personal Data under Joint Control of the Parties, the Parties envisage that they shall each be a Data Controller in respect of that Personal Data in accordance with the terms of this Annex 2 Appendix 3 (Joint Controller Agreement) in replacement of paragraphs 2 to 15 of Schedule 4 of the Framework Agreement (Where one Party is Controller and the other Party is Processor) and paragraphs 17-27 of Schedule 4 (Independent Controllers of Personal Data). Accordingly, the Parties each undertake to comply with the applicable Data Protection Legislation Laws in respect of their Processing of such Personal Data as Data Controllers. 1.2 The Parties agree that terms set out in this Appendix govern only the [delete Processing of Personal Data of which the parties are Joint Controller, for the Purpose. Processing of Personal Data carried out by the Connecting Party for the purposes of providing products or services to an End User Organisation, Individual End User or other third party which are not under the Joint Control of the parties shall be subject to and governed by separate data protection terms (Controller to Processor, Controller to Data Subject, Controller to Controller or joint Controller terms as appropriate Supplier/Buyer]appropriate) between the Connecting Party and the relevant End User Organisation, Individual End User or other third party. 1.3 The Confirmation Form shall set out which party: (a) 1.3.1 is the exclusive point of contact for Data Subjects and is responsible for using all steps necessary reasonable endeavours to comply with the UK GDPR regarding the exercise by Data Subjects of their rights under the UK GDPR; (b) shall direct 1.3.2 to whom Data Subjects shall be directed to its Data Protection Officer or suitable alternative in connection with the exercise of their rights as Data Subjects and for any enquiries concerning their Personal Data or privacy; (c) 1.3.3 is solely responsible for the Parties’ compliance with all duties to provide information to Data Subjects under Articles 13 and 14 of the UK GDPR; (d) 1.3.4 is responsible for obtaining the informed consent of Data Subjects, in accordance with the UK GDPR, for Processing in connection with the Services where consent is the relevant legal basis for that Processing; and (e) 1.3.5 shall make available to Data Subjects the essence of this Annex (and notify them of any changes to it) concerning the allocation of responsibilities as Joint Controller and its role as exclusive point of contact, the Parties having used their best endeavours to agree the terms of that essence. This must be outlined in the [Supplier’s/Buyer’s] privacy policy (which must be readily available by hyperlink or otherwise on all of its public facing services and marketing). 1.3 1.4 Notwithstanding the terms of clause 1.2Paragraph 1.3, the Parties parties acknowledge that a data subject Data Subject has the right to exercise their legal rights under the Data Protection Legislation Laws as against the relevant Party party as Controller.

Joint Controller Status and Allocation of Responsibilities. 1.1 With respect to Personal Data under Joint Control of the Parties, the Parties envisage that they shall each be a Data Controller in respect of that Personal Data in accordance with the terms of this Annex 2 (Joint Controller Agreement) in replacement of paragraphs 2 to 15 of Schedule 4 of the Framework Agreement (Where one Party is Controller and the other Party is Processor) and paragraphs 17-27 of Schedule 4 (Independent Controllers of Personal Data). Accordingly, the Parties each undertake to comply with the applicable Data Protection Legislation in respect of their Processing of such Personal Data as Data Controllers. 1.2 The Parties agree that the [delete as appropriate Supplier/Buyer]buyer: (a) is the exclusive point of contact for Data Subjects and is responsible for all steps necessary to comply with the GDPR regarding the exercise by Data Subjects of their rights under the GDPR; (b) shall direct Data Subjects to its Data Protection Officer or suitable alternative in connection with the exercise of their rights as Data Subjects and for any enquiries concerning their Personal Data or privacy; (c) is solely responsible for the Parties’ compliance with all duties to provide information to Data Subjects under Articles 13 and 14 of the GDPR; (d) is responsible for obtaining the informed consent of Data Subjects, in accordance with the GDPR, for Processing in connection with the Services where consent is the relevant legal basis for that Processing; and (e) shall make available to Data Subjects the essence of this Annex (and notify them of any changes to it) concerning the allocation of responsibilities as Joint Controller and its role as exclusive point of contact, the Parties having used their best endeavours to agree the terms of that essence. This must be outlined in the [Supplier’s/Buyer’s] buyers privacy policy (which must be readily available by hyperlink or otherwise on all of its public facing services and marketing). 1.3 Notwithstanding the terms of clause 1.2, the Parties acknowledge that a data subject has the right to exercise their legal rights under the Data Protection Legislation as against the relevant Party as Controller.

Joint Controller Status and Allocation of Responsibilities. 1.1 With respect to Personal Data under Joint Control of the Parties, the Parties envisage that they shall each be a Data Controller in respect of that Personal Data in accordance with the terms of this Annex 2 (Joint Controller Agreement) in replacement of paragraphs 2 to 15 3-16 of Joint Schedule 4 of the Framework Agreement 11 (Where one Party is Controller and the other Party is Processor) and paragraphs 1718-27 28 of Joint Schedule 4 11 (Independent Controllers of Personal Data). Accordingly, the Parties each undertake to comply with the applicable Data Protection Legislation in respect of their Processing of such Personal Data as Data Controllers. 1.2 The Parties agree that the [delete as appropriate Supplier/Buyer]: (a) is the exclusive point of contact for Data Subjects and is responsible for all steps necessary to comply with the UK GDPR regarding the exercise by Data Subjects of their rights under the UK GDPR; (b) shall direct Data Subjects to its Data Protection Officer or suitable alternative in connection with the exercise of their rights as Data Subjects and for any enquiries concerning their Personal Data or privacy; (c) is solely responsible for the Parties’ compliance with all duties to provide information to Data Subjects under Articles 13 and 14 of the UK GDPR; (d) is responsible for obtaining the informed consent of Data Subjects, in accordance with the UK GDPR, for Processing in connection with the Services Deliverables where consent is the relevant legal basis for that Processing; and (e) shall make available to Data Subjects the essence of this Annex (and notify them of any changes to it) concerning the allocation of responsibilities as Joint Controller and its role as exclusive point of contact, the Parties having used their best endeavours to agree the terms of that essence. This must be outlined in the [Supplier’s/BuyerRelevant Authority’s] privacy policy (which must be readily available by hyperlink or otherwise on all of its public facing services and marketing). 1.3 Notwithstanding the terms of clause 1.2, the Parties acknowledge that a data subject Data Subject has the right to exercise their legal rights under the Data Protection Legislation as against the relevant Party as Controller.

Joint Controller Status and Allocation of Responsibilities. 1.1 With respect to Personal Data under Joint Control of the Parties, the Parties envisage that they shall each be a Data Controller in respect of that Personal Data in accordance with the terms of this Annex 2 (Joint Controller Agreement) in replacement of paragraphs 2 to 15 of Schedule 4 of the Framework Agreement 7 (Where one Party is Controller and the other Party is Processor) and paragraphs 17-17 to 27 of Schedule 4 7 (Independent Controllers of Personal Data). Accordingly, the Parties each undertake to comply with the applicable Data Protection Legislation in respect of their Processing of such Personal Data as Data Controllers. 1.2 The Parties agree that the [delete as appropriate Supplier/select: Supplier or Buyer]: (a) is the exclusive point of contact for Data Subjects and is responsible for using all steps necessary reasonable endeavours to comply with the UK GDPR regarding the exercise by Data Subjects of their rights under the UK GDPR; (b) shall direct Data Subjects to its Data Protection Officer or suitable alternative in connection with the exercise of their rights as Data Subjects and for any enquiries concerning their Personal Data or privacy; (c) is solely responsible for the Parties’ compliance with all duties to provide information to Data Subjects under Articles 13 and 14 of the UK GDPR; (d) is responsible for obtaining the informed consent of Data Subjects, in accordance with the UK GDPR, for Processing in connection with the Services where consent is the relevant legal basis for that Processing; and (e) shall make available to Data Subjects the essence of this Annex (and notify them of any changes to it) concerning the allocation of responsibilities as Joint Controller and its role as exclusive point of contact, the Parties having used their best endeavours to agree the terms of that essence. This must be outlined in the [Supplier’s/select: Supplier’s or Buyer’s] privacy policy (which must be readily available by hyperlink or otherwise on all of its public facing services and marketing). 1.3 Notwithstanding the terms of clause 1.2, the Parties acknowledge that a data subject Data Subject has the right to exercise their legal rights under the Data Protection Legislation as against the relevant Party as Controller.

Joint Controller Status and Allocation of Responsibilities. 1.1 With respect to Personal Data under for which the Parties are Joint Control of the PartiesControllers, the Parties envisage that they shall each be a Data Controller in respect of that Personal Data in accordance with the terms of this Annex 2 (Part B – Joint Controller Agreement) Agreement of Annex 1 – Processing Personal Data in replacement of paragraphs 2 Clauses 14.9(a) to 15 of Schedule 4 14.9(q) of the Framework Agreement (Where one Party is Controller and the other Party is Processor) and paragraphs 17-27 Conditions of Schedule 4 (Independent Controllers of Personal Data)this Contract. Accordingly, the Parties each undertake to comply with the applicable Data Protection Legislation in respect of their Processing processing of such Personal Data as Data Controllers. 1.2 The Parties agree that the [delete as appropriate Supplier/Buyer]:: ‌ (a) is the exclusive point of contact for Data Subjects and is responsible for using all steps necessary reasonable endeavours to comply with the UK GDPR regarding the exercise by Data Subjects of their rights under the UK GDPR; (b) shall direct Data Subjects to its Data Protection Officer or suitable alternative in connection with the exercise of their rights as Data Subjects and for any enquiries concerning their Personal Data or privacy; (c) is solely responsible for the Parties’ compliance with all duties to provide information to Data Subjects under Articles 13 and 14 of the UK GDPR; (d) is responsible for obtaining the informed consent of Data Subjects, in accordance with the UK GDPR, for Processing processing in connection with the Services Deliverables where consent is the relevant legal basis for that Processingprocessing; and (e) shall make available to Data Subjects the essence of this Part B – Joint Controller Agreement of Annex 1 – Processing Personal Data (and notify them of any changes to it) concerning the allocation of responsibilities as Joint Controller and its role as exclusive point of contact, the Parties having used their best endeavours to agree the terms of that essence. This must be outlined in the [Supplier’s/Buyer’s] privacy policy (which must be readily available by hyperlink or otherwise on all of its public facing services and marketing). 1.3 Notwithstanding the terms of clause 1.2paragraph 1.2 of this Part B – Joint Controller Agreement of Annex 1 – Processing Personal Data, the Parties acknowledge that a data subject Data Subject has the right to exercise their legal rights under the Data Protection Legislation as against the relevant Party as Controller.