Common use of OBLIGATIONS OF THE DATA IMPORTER Clause in Contracts

OBLIGATIONS OF THE DATA IMPORTER. The data importer warrants and undertakes that: (a) It will have in place appropriate technical and organizational measures to protect the personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected. (b) To the extent the data exporter consents to the data importer transferring the personal data to, or providing access to the personal data to, a third party, it will have in place procedures so that any third party it authorizes to have access to the personal data, including processors, will respect and maintain the confidentiality and security of the personal data. Any person acting under the authority of the data importer, including a data processor, shall be obligated to process the personal data only on instructions from the data importer. This provision does not apply to persons authorized or required by law or regulation to have access to the personal data. (c) It has no reason to believe, at the time of entering into these clauses, in the existence of any local laws that would have a substantial adverse effect on the guarantees provided for under these clauses, and it will inform the data exporter (which will pass such notification on to the authority where required) if it becomes aware of any such laws. (d) It will process the personal data for purposes described in Annex B to this Exhibit 1, and has the legal authority to give the warranties and fulfil the undertakings set out in these clauses. (e) It will identify to the data exporter a contact point within its organization authorized to respond to enquiries concerning processing of the personal data, and will cooperate in good faith with the data exporter, the data subject and the authority concerning all such enquiries within a reasonable time. In case of legal dissolution of the data exporter, or if the parties have so agreed, the data importer will assume responsibility for compliance with the provisions of clause I(e). (f) At the request of the data exporter, it will provide the data exporter with evidence of financial resources sufficient to fulfil its responsibilities under Clause III (which may include insurance coverage). (g) Upon reasonable request of the data exporter, it will submit its data processing facilities, data files and documentation needed for processing to reviewing, auditing and/or certifying by the data exporter (or any independent or impartial inspection agents or auditors, selected by the data exporter and not reasonably objected to by the data importer) to ascertain compliance with the warranties and undertakings in these clauses, with reasonable notice and during regular business hours. The request will be subject to any necessary consent or approval from a regulatory or supervisory authority within the country of the data importer, which consent or approval the data importer will attempt to obtain in a timely fashion. (h) It will process the personal data, at its option, in accordance with the data processing principles set forth in Annex A to this Exhibit 1. (i) It will not disclose or transfer the personal data to a third party data controller located outside the European Economic Area ("EEA") without the prior written consent of the data exporter and (i) the third party data controller processes the personal data in accordance with a Commission decision finding that a third country provides adequate protection, or (ii) the third party data controller becomes a signatory to these clauses or another data transfer agreement approved by a competent authority in the EU, or (iii) data subjects have been given the opportunity to object, after having been informed of the purposes of the transfer, the categories of recipients and the fact that the countries to which data is exported may have different data protection standards, or (iv) with regard to onward transfers of sensitive data, data subjects have given their unambiguous consent to the onward transfer.

OBLIGATIONS OF THE DATA IMPORTER. The data importer Data Importer warrants and undertakes that: (a) It will have in place appropriate technical and organizational measures to protect provide a standard of protection, that is comparable to the protection required by the PDPA and any requirements set out in any advisory or other guidelines issued from time to time by the PDPC, to the personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected. (b) To the extent the data exporter consents to the data importer transferring the personal data to, or providing access to the personal data to, a third party, it It will have in place procedures so that any third party it authorizes to have access to the personal data, including processors, will respect and maintain the confidentiality and security of the personal data. Any person acting under the authority of the data importerData Importer, including a data processor, processor shall be obligated to process the personal data only on instructions from the data importerData Importer. This provision does not apply to persons authorized or required by law or regulation to have access to the personal data. (c) It has no reason to believe, at the time of entering into these clauses, in the existence of any local laws that would have a substantial adverse effect on the guarantees provided for under these clauses, and it will inform the data exporter (which will pass such notification on to the authority where required) Data Exporter if it becomes aware of any such laws. (d) It will process the personal data for purposes described in Annex B to this Exhibit 1B, and has the legal authority to give the warranties and fulfil fulfill the undertakings set out in these clauses. (e) It will identify to the data exporter Data Exporter a contact point within its organization authorized to respond to enquiries concerning processing of the personal data, and will cooperate in good faith with the data exporterData Exporter, the data subject Data Subject and the authority concerning all such enquiries within a reasonable time. In case of legal dissolution of the data exporterData Exporter, or if the parties have so agreed, the data importer Data Importer will assume responsibility for compliance with the provisions of clause I(e). (f) At the request of the data exporterData Exporter, it will provide the data exporter Data Exporter with evidence of financial resources sufficient to fulfil fulfill its responsibilities under Clause clause III (which may include insurance coverage). (g) Upon reasonable request of the data exporterData Exporter, it will submit its data processing facilities, data files and documentation needed for processing to reviewing, auditing and/or and /or certifying by the data exporter Data Exporter (or any independent or impartial inspection agents or auditors, selected by the data exporter Data Exporter and not reasonably objected to by the data importerData Importer) to ascertain compliance with the warranties and undertakings in these clauses, with reasonable notice and during regular business hours. The request will be subject to any necessary consent or approval from a regulatory or supervisory authority within the country of the data importerData Importer, which consent or approval the data importer Data Importer will attempt to obtain in a timely fashion. (h) It will process the personal data, at its option, in accordance with with: (i) The data protection laws of Singapore, and the relevant regulations, provisions or (ii) other requirements issued by PDPC; and The data processing principles set forth in Annex A to this Exhibit 1. (i) A. It will not disclose or transfer the personal data to a third third-party data controller organization located outside the European Economic Area ("EEA") without the Singapore unless with prior written consent of the data exporter Data Exporter on the transfer and (i) the third The third-party data controller organization processes the personal data in accordance with a Commission decision requirements prescribed under PDPA finding that the third-party organization provides a third country provides adequate protection, orstandard of protection to personal data so transferred that is comparable to the protection under PDPA; (iij) the third party data controller becomes a signatory to these clauses or another data transfer agreement approved by a competent authority in the EU, or (iii) data Data subjects have been given the opportunity to object, after having been informed of the purposes of the transfer, the categories of recipients and the fact that the countries to which data is exported may have different data protection standards, or (iv) with regard to onward transfers of sensitive data, data subjects have given their unambiguous consent to the onward transfer.

OBLIGATIONS OF THE DATA IMPORTER. The data importer Data Importer warrants and undertakes that: (a) It will have in place appropriate technical and organizational measures to protect provide a standard of protection, that is comparable to the protection required by the PDPA and any requirements set out in any advisory or other guidelines issued from time to time by the PDPC, to the personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected. (b) To the extent the data exporter consents to the data importer transferring the personal data to, or providing access to the personal data to, a third party, it It will have in place procedures so that any third party it authorizes to have access to the personal data, including processors, will respect and maintain the confidentiality and security of the personal data. Any person acting under the authority of the data importerData Importer, including a data processor, processor shall be obligated to process the personal data only on instructions from the data importerData Importer. This provision does not apply to persons authorized or required by law or regulation to have access to the personal data. (c) It has no reason to believe, at the time of entering into these clauses, in the existence of any local laws that would have a substantial adverse effect on the guarantees provided for under these clauses, and it will inform the data exporter (which will pass such notification on to the authority where required) Data Exporter if it becomes aware of any such laws. (d) It will process the personal data for purposes described in Annex B to this Exhibit 1B, and has the legal authority to give the warranties and fulfil fulfill the undertakings set out in these clauses. (e) It will identify to the data exporter Data Exporter a contact point within its organization authorized to respond to enquiries concerning processing of the personal data, and will cooperate in good faith with the data exporterData Exporter, the data subject Data Subject and the authority concerning all such enquiries within a reasonable time. In case of legal dissolution of the data exporterData Exporter, or if the parties have so agreed, the data importer Data Importer will assume responsibility for compliance with the provisions of clause I(eI (e). (f) At the request of the data exporterData Exporter, it will provide the data exporter Data Exporter with evidence of financial resources sufficient to fulfil fulfill its responsibilities under Clause clause III (which may include insurance coverage). (g) Upon reasonable request of the data exporterData Exporter, it will submit its data processing facilities, data files and documentation needed for processing to reviewing, auditing and/or and /or certifying by the data exporter Data Exporter (or any independent or impartial inspection agents or auditors, selected by the data exporter Data Exporter and not reasonably objected to by the data importerData Importer) to ascertain compliance with the warranties and undertakings in these clauses, with reasonable notice and during regular business hours. The request will be subject to any necessary consent or approval from a regulatory or supervisory authority within the country of the data importerData Importer, which consent or approval the data importer Data Importer will attempt to obtain in a timely fashion. (h) It will process the personal data, at its option, in accordance with with: (i) The data protection laws of Singapore, and the relevant regulations, provisions or other requirements issued by PDPC; and (ii) The data processing principles set forth in Annex A to this Exhibit 1.A. (i) It will not disclose or transfer the personal data to a third third-party data controller organization located outside the European Economic Area ("EEA") without the Singapore unless with prior written consent of the data exporter Data Exporter on the transfer and (i1) the third The third-party data controller organization processes the personal data in accordance with a Commission decision requirements prescribed under PDPA finding that the third-party organization provides a third country provides adequate protection, orstandard of protection to personal data so transferred that is comparable to the protection under PDPA; (ii2) the third party data controller becomes a signatory to these clauses or another data transfer agreement approved by a competent authority in the EU, or (iii) data Data subjects have been given the opportunity to object, after having been informed of the purposes of the transfer, the categories of recipients and the fact that the countries to which data is exported may have different data protection standards, or (iv) with regard to onward transfers of sensitive data, data subjects have given their unambiguous consent to the onward transfer.

OBLIGATIONS OF THE DATA IMPORTER. The data importer Data Importer warrants and undertakes that: (a) It will have in place appropriate technical and organizational measures to protect provide a standard of protection ,that is comparable to the protection required by the PDPA and any requirements set out in any advisory or other guidelines issued from time to time by the PDPC, to the personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected. (b) To the extent the data exporter consents to the data importer transferring the personal data to, or providing access to the personal data to, a third party, it It will have in place procedures so that any third party it authorizes to have access to the personal data, including processors, will respect and maintain the confidentiality and security of the personal data. Any person acting under the authority of the data importerData Importer, including a data processor, processor shall be obligated to process the personal data only on instructions from the data importerData Importer. This provision does not apply to persons authorized or required by law or regulation to have access to the personal data. (c) It has no reason to believe, at the time of entering into these clauses, in the existence of any local laws that would have a substantial adverse effect on the guarantees provided for under these clauses, and it will inform the data exporter (which will pass such notification on to the authority where required) Data Exporter if it becomes aware of any such laws. (d) It will process the personal data for purposes described in Annex B to this Exhibit 1D, and has the legal authority to give the warranties and fulfil fulfill the undertakings set out in these clauses. (e) It will identify to the data exporter Data Exporter a contact point within its organization authorized to respond to enquiries concerning processing of the personal data, and will cooperate in good faith with the data exporterData Exporter, the data subject Data Subject and the authority concerning all such enquiries within a reasonable time. In case of legal dissolution of the data exporterData Exporter, or if the parties have so agreed, the data importer Data Importer will assume responsibility for compliance with the provisions of clause I(e). (f) At the request of the data exporterData Exporter, it will provide the data exporter Data Exporter with evidence of financial resources sufficient to fulfil fulfill its responsibilities under Clause clause III (which may include insurance coverage). (g) Upon reasonable request of the data exporter, it will submit its data processing facilities, data files and documentation needed for processing to reviewing, auditing and/or certifying by the data exporter (or any independent or impartial inspection agents or auditors, selected by the data exporter and not reasonably objected to by the data importer) to ascertain compliance with the warranties and undertakings in these clauses, with reasonable notice and during regular business hours. The request will be subject to any necessary consent or approval from a regulatory or supervisory authority within the country of the data importer, which consent or approval the data importer will attempt to obtain in a timely fashion. (h) It will process the personal data, at its option, in accordance with the data processing principles set forth in Annex A to this Exhibit 1. (i) It will not disclose or transfer the personal data to a third party data controller located outside the European Economic Area ("EEA") without the prior written consent of the data exporter and (i) the third party data controller processes the personal data in accordance with a Commission decision finding that a third country provides adequate protection, or (ii) the third party data controller becomes a signatory to these clauses or another data transfer agreement approved by a competent authority in the EU, or (iii) data subjects have been given the opportunity to object, after having been informed of the purposes of the transfer, the categories of recipients and the fact that the countries to which data is exported may have different data protection standards, or (iv) with regard to onward transfers of sensitive data, data subjects have given their unambiguous consent to the onward transfer.

OBLIGATIONS OF THE DATA IMPORTER. The data importer warrants and undertakes that: (a) It will have in place appropriate technical and organizational measures to protect the personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected. (b) To the extent the data exporter consents to the data importer transferring the personal data to, or providing access to the personal data to, a third party, it will have in place procedures so that any third party it authorizes to have access to the personal data, including processors, will respect and maintain the confidentiality and security of the personal data. Any person acting under the authority of the data importer, including a data processor, shall be obligated to process the personal data only on instructions from the data importer. This provision does not apply to persons authorized or required by law or regulation to have access to the personal data. (c) It has no reason to believe, at the time of entering into these clauses, in the existence of any local laws that would have a substantial adverse effect on the guarantees provided for under these clauses, and it will inform the data exporter (which will pass such notification on to the authority where required) if it becomes aware of any such laws. (d) It will process the personal data for purposes described in Annex B to this Exhibit 1, and has the legal authority to give the warranties and fulfil the undertakings set out in these clauses. (e) It will identify to the data exporter a contact point within its organization authorized to respond to enquiries concerning processing of the personal data, and will cooperate in good faith with the data exporter, the data subject and the authority concerning all such enquiries within a reasonable time. In case of legal dissolution of the data exporter, or if the parties have so agreed, the data importer will assume responsibility for compliance with the provisions of clause I(e). (f) At the request of the data exporter, it will provide the data exporter with evidence of financial resources sufficient to fulfil its responsibilities under Clause III (which may include insurance coverage). (g) Upon reasonable request of the data exporter, it will submit its data processing facilities, data files and documentation needed for processing to reviewing, auditing and/or certifying by the data exporter (or any independent or impartial inspection agents or auditors, selected by the data exporter and not reasonably objected to by the data importer) to ascertain compliance with the warranties and undertakings in these clauses, with reasonable notice and during regular business hours. The request will be subject to any necessary consent or approval from a regulatory or supervisory authority within the country of the data importer, which consent or approval the data importer will attempt to obtain in a timely fashion. (h) It will process the personal data, at its option, in accordance with the data processing principles set forth in Annex A to this Exhibit 1. (i) It will not disclose or transfer the personal data to a third party data controller located outside the European Economic Area ("EEA") without the prior written consent of the data exporter and (i) the third party data controller processes the personal data in accordance with a Commission decision finding that a third country provides adequate protection, or (ii) the third party data controller becomes a signatory to these clauses or another data transfer agreement approved by a competent authority in the EU, or (iii) data subjects have been given the opportunity to object, after having been informed of the purposes of the transfer, the categories of recipients and the fact that the countries to which data is exported may have different data protection standards, or (iv) with regard to onward transfers of sensitive data, data subjects have given their unambiguous consent to the onward transfer.the

OBLIGATIONS OF THE DATA IMPORTER. The data importer warrants and undertakes that: (a) It will have in place appropriate technical and organizational organisational measures to protect the personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized unauthorised disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected. (b) To the extent the data exporter consents to the data importer transferring the personal data to, or providing access to the personal data to, a third party, it It will have in place procedures so that any third party it authorizes authorises to have access to the personal data, including processors, will respect and maintain the confidentiality and security of the personal data. Any person acting under the authority of the data importer, including a data processor, shall be obligated to process the personal data only on instructions from the data importer. This provision does not apply to persons authorized authorised or required by law or regulation to have access to the personal data. (c) It has no reason to believe, at the time of entering into these clauses, in the existence of any local laws that would have a substantial adverse effect on the guarantees provided for under these clauses, and it will inform the data exporter (which will pass such notification on to the authority where required) if it becomes aware of any such laws. (d) It will process the personal data for purposes described in Annex B to this Exhibit 1, and has the legal authority to give the warranties and fulfil the undertakings set out in these clauses. (e) It will identify to the data exporter a contact point within its organization authorized organisation authorised to respond to enquiries concerning processing of the personal data, and will cooperate in good faith with the data exporter, the data subject and the authority concerning all such enquiries within a reasonable time. In case of legal dissolution of the data exporter, or if the parties have so agreed, the data importer will assume responsibility for compliance with the provisions of clause I(e1(e). (f) At the request of the data exporter, it will provide the data exporter with evidence of financial resources sufficient to fulfil its responsibilities under Clause III clause 3 (which may include insurance coverage). (g) Upon reasonable request of the data exporter, it will submit its data processing facilities, data files and documentation needed for processing to reviewing, auditing and/or certifying by the data exporter (or any independent or impartial inspection agents or auditors, selected by the data exporter and not reasonably objected to by the data importer) to ascertain compliance with the warranties and undertakings in these clauses, with reasonable notice and during regular business hours. The request will be subject to any necessary consent or approval from a regulatory or supervisory authority within the country of the data importer, which consent or approval the data importer will attempt to obtain in a timely fashion. (h) It will process the personal data, at its option, in accordance with the data processing principles set forth in Annex A to this Exhibit 1. (i) It will not disclose or transfer the personal data to a third party data controller located outside the European Economic Area ("EEA") without the prior written consent of the data exporter andwith: (i) the third party data controller processes protection laws of the personal country in which the data in accordance with a Commission decision finding that a third country provides adequate protectionexporter is established, or (ii) the third party data controller becomes a signatory to these clauses or another data transfer agreement approved by a competent authority in the EU, or (iii) data subjects have been given the opportunity to object, after having been informed of the purposes of the transfer, the categories of recipients and the fact that the countries to which data is exported may have different data protection standards, or (iv) with regard to onward transfers of sensitive data, data subjects have given their unambiguous consent to the onward transfer.

OBLIGATIONS OF THE DATA IMPORTER. The data importer warrants and undertakes that: (a) It will have in place appropriate technical and organizational organisational measures to protect the personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized unauthorised disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected. (b) To the extent the data exporter consents to the data importer transferring the personal data to, or providing access to the personal data to, a third party, it It will have in place procedures so that any third party it authorizes authorises to have access to the personal data, including processors, will respect and maintain the confidentiality and security of the personal data. Any person acting under the authority of the data importer, including a data processor, shall be obligated to process the personal data only on instructions from the data importer. This provision does not apply to persons authorized authorised or required by law or regulation to have access to the personal data. (c) It has no reason to believe, at the time of entering into these clauses, in the existence of any local laws that would have a substantial adverse effect on the guarantees provided for under these clauses, and it will inform the data exporter (which will pass such notification on to the authority where required) if it becomes aware of any such laws. (d) It will process the personal data for purposes described in Annex B to this Exhibit 1B, and has the legal authority to give the warranties and fulfil the undertakings set out in these clauses. (e) It will identify to the data exporter a contact point within its organization authorized organisation authorised to respond to enquiries concerning processing of the personal data, and will cooperate in good faith with the data exporter, the data subject and the authority concerning all such enquiries within a reasonable time. In case of legal dissolution of the data exporter, or if the parties have so agreed, the data importer will assume responsibility for compliance with the provisions of clause I(eClause 1(e). (f) At the request of the data exporter, it will provide the data exporter with evidence of financial resources sufficient to fulfil its responsibilities under Clause III 3 (which may include insurance coverage). (g) Upon reasonable request of the data exporter, it will submit its data processing facilities, data files and documentation needed for processing to reviewing, auditing and/or certifying by the data exporter (or any independent or impartial inspection agents or auditors, selected by the data exporter and not reasonably objected to by the data importer) to ascertain compliance with the warranties and undertakings in these clauses, with reasonable notice and during regular business hours. The request will be subject to any necessary consent or approval from a regulatory or supervisory authority within the country of the data importer, which consent or approval the data importer will attempt to obtain in a timely fashion. (h) It will process the personal data, at its option, in accordance with the data processing principles set forth in Annex A to this Exhibit 1. (i) It will not disclose or transfer the personal data to a third party data controller located outside the European Economic Area ("EEA") without the prior written consent of the data exporter and (i) the third party data controller processes the personal data in accordance with a Commission decision finding that a third country provides adequate protection, or (ii) the third party data controller becomes a signatory to these clauses or another data transfer agreement approved by a competent authority in the EU, or (iii) data subjects have been given the opportunity to object, after having been informed of the purposes of the transfer, the categories of recipients and the fact that the countries to which data is exported may have different data protection standards, or (iv) with regard to onward transfers of sensitive data, data subjects have given their unambiguous consent to the onward transfer.

OBLIGATIONS OF THE DATA IMPORTER. ‌ The data importer Data Importer warrants and undertakes that: (a) It it will have in place appropriate technical and organizational organisational measures to protect the personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized unauthorised disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected.; (b) To the extent the data exporter consents to the data importer transferring the personal data to, or providing access to the personal data to, a third party, it will have in place procedures so that any third party it authorizes authorises to have access to the personal data, including processors, will respect and maintain the confidentiality and security of the personal data. Any person acting under the authority of the data importerData Importer, including a data processor, shall be obligated to process the personal data only on instructions from the data importerData Importer. This provision does not apply to persons authorized authorised or required by law or regulation to have access to the personal data.; (c) It it has no reason to believe, at the time of entering into these clauses, in the existence of any local laws that would have a substantial adverse effect on the guarantees provided for under these clausesClauses, and it will inform the data exporter Data Exporter (which will pass such notification on to the authority Authority where required) if it becomes aware of any such laws.; (d) It it will process the personal data for purposes described in Annex B to this Exhibit 1Appendix 3, and has the legal authority to give the warranties and fulfil the undertakings set out in these clausesClauses. (e) It it will identify to the data exporter Data Exporter a contact point within its organization authorized organisation authorised to respond to enquiries concerning processing of the personal data, and will cooperate in good faith with the data exporterData Exporter, the data subject and the authority Authority concerning all such enquiries within a reasonable time. In case of legal dissolution of the data exporterData Exporter, or if the parties Parties have so agreed, the data importer Data Importer will assume responsibility for compliance with the provisions of clause I(eClause 2(e).; (f) At at the request of the data exporterData Exporter, it will provide the data exporter Data Exporter with evidence of financial resources sufficient to fulfil its responsibilities under Clause III 4 (which may include insurance coverage).; (g) Upon upon reasonable request of the data exporterData Exporter, it will submit its data processing facilities, data files and documentation needed for processing to reviewing, auditing and/or certifying by the data exporter Data Exporter (or any independent or impartial inspection agents or auditors, selected by the data exporter Data Exporter and not reasonably objected to by the data importerData Importer) to ascertain compliance with the warranties and undertakings in these clauses, with reasonable notice and during regular business hours. The request will be subject to any necessary consent or approval from a regulatory or supervisory authority within the country of the data importerData Importer, which consent or approval the data importer Data Importer will attempt to obtain in a timely fashion. (h) It it will process the personal data, at its option, data in accordance with the data processing principles set forth in Annex A to this Exhibit 1.forth; and (i) It it will not disclose or transfer the personal data to a third party data controller located outside the European Economic Area ("EEA") without unless it notifies the prior written consent of Data Exporter about the data exporter transfer and: (i) the third party data controller processes the personal data in accordance with a Commission decision finding that a third country provides adequate protection, ; or (ii) the third party data controller becomes a signatory to these clauses Clauses or another data transfer agreement approved by a competent authority in the EU, ; or (iii) data subjects have been given the opportunity to object, after having been informed of the purposes of the transfer, the categories of recipients and the fact that the countries to which data is exported may have different data protection standards, or (iv) with regard to onward transfers of sensitive data, data subjects have given their unambiguous consent to the onward transfer.

OBLIGATIONS OF THE DATA IMPORTER. The data importer Data Importer warrants and undertakes that: (a) It will have in place appropriate technical and organizational measures to protect provide a standard of protection, that is comparable to the protection required by the PDPA and any requirements set out in any advisory or other guidelines issued from time to time by the PDPC, to the personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected. (b) To the extent the data exporter consents to the data importer transferring the personal data to, or providing access to the personal data to, a third party, it It will have in place procedures so that any third party it authorizes to have access to the personal data, including processors, will respect and maintain the confidentiality and security of the personal data. Any person acting under the authority of the data importerData Importer, including a data processor, processor shall be obligated to process the personal data only on instructions from the data importerData Importer. This provision does not apply to persons authorized or required by law or regulation to have access to the personal data. (c) It has no reason to believe, at the time of entering into these clauses, in the existence of any local laws that would have a substantial adverse effect on the guarantees provided for under these clauses, and it will inform the data exporter (which will pass such notification on to the authority where required) Data Exporter if it becomes aware of any such laws. (d) It will process the personal data for purposes described in Annex B to this Exhibit 1B, and has the legal authority to give the warranties and fulfil fulfill the undertakings set out in these clauses. (e) It will identify to the data exporter Data Exporter a contact point within its organization authorized to respond to enquiries concerning processing of the personal data, and will cooperate in good faith with the data exporterData Exporter, the data subject Data Subject and the authority concerning all such enquiries within a reasonable time. In case of legal dissolution of the data exporterData Exporter, or if the parties have so agreed, the data importer Data Importer will assume responsibility for compliance with the provisions of clause I(eI (e). (f) At the request of the data exporterData Exporter, it will provide the data exporter Data Exporter with evidence of financial resources sufficient to fulfil fulfill its responsibilities under Clause clause III (which may include insurance coverage). (g) Upon reasonable request of the data exporter, it will submit its data processing facilities, data files and documentation needed for processing to reviewing, auditing and/or certifying by the data exporter (or any independent or impartial inspection agents or auditors, selected by the data exporter and not reasonably objected to by the data importer) to ascertain compliance with the warranties and undertakings in these clauses, with reasonable notice and during regular business hours. The request will be subject to any necessary consent or approval from a regulatory or supervisory authority within the country of the data importer, which consent or approval the data importer will attempt to obtain in a timely fashion. (h) It will process the personal data, at its option, in accordance with the data processing principles set forth in Annex A to this Exhibit 1. (i) It will not disclose or transfer the personal data to a third party data controller located outside the European Economic Area ("EEA") without the prior written consent of the data exporter and (i) the third party data controller processes the personal data in accordance with a Commission decision finding that a third country provides adequate protection, or (ii) the third party data controller becomes a signatory to these clauses or another data transfer agreement approved by a competent authority in the EU, or (iii) data subjects have been given the opportunity to object, after having been informed of the purposes of the transfer, the categories of recipients and the fact that the countries to which data is exported may have different data protection standards, or (iv) with regard to onward transfers of sensitive data, data subjects have given their unambiguous consent to the onward transfer.

OBLIGATIONS OF THE DATA IMPORTER. The data importer Data Importer warrants and undertakes that: (a) It will have in place appropriate technical and organizational measures to protect provide a standard of protection, which is comparable to the protection required by the PDPA and any requirements by authority, to the personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected. (b) To the extent the data exporter consents to the data importer transferring the personal data to, or providing access to the personal data to, a third party, it It will have in place procedures so that any third party it authorizes to have access to the personal data, including processors, will respect and maintain the confidentiality and security of the personal data. Any person acting under the authority of the data importerData Importer, including a data processor, processor shall be obligated to process the personal data only on instructions from the data importerData Importer. This provision does not apply to persons authorized or required by law or regulation to have access to the personal data. (c) It has no reason to believe, at the time of entering into these clauses, in the existence of any local laws that would have a substantial adverse effect on the guarantees provided for under these clauses, and it will inform the data exporter (which will pass such notification on to the authority where required) Data Exporter if it becomes aware of any such laws. (d) It will process the personal data for purposes described in Annex B to this Exhibit 1A, and has the legal authority to give the warranties and fulfil fulfill the undertakings set out in these clauses. (e) It will identify to the data exporter Data Exporter a contact point within its organization authorized to respond to enquiries concerning processing of the personal data, and will cooperate in good faith with the data exporterData Exporter, the data subject Data Subject and the authority concerning all such enquiries within a reasonable time. In case of legal dissolution of the data exporterData Exporter, or if the parties have so agreed, the data importer Data Importer will assume responsibility for compliance with the provisions of clause I(eI(d). (f) At the request of the data exporterData Exporter, it will provide the data exporter Data Exporter with evidence of financial resources sufficient to fulfil fulfill its responsibilities under Clause clause III (which may include insurance coverage). (g) Upon reasonable request of the data exporter, it will submit its data processing facilities, data files and documentation needed for processing to reviewing, auditing and/or certifying by the data exporter (or any independent or impartial inspection agents or auditors, selected by the data exporter and not reasonably objected to by the data importer) to ascertain compliance with the warranties and undertakings in these clauses, with reasonable notice and during regular business hours. The request will be subject to any necessary consent or approval from a regulatory or supervisory authority within the country of the data importer, which consent or approval the data importer will attempt to obtain in a timely fashion. (h) It will process the personal data, at its option, in accordance with the data processing principles set forth in Annex A to this Exhibit 1. (i) It will not disclose or transfer the personal data to a third party data controller located outside the European Economic Area ("EEA") without the prior written consent of the data exporter and (i) the third party data controller processes the personal data in accordance with a Commission decision finding that a third country provides adequate protection, or (ii) the third party data controller becomes a signatory to these clauses or another data transfer agreement approved by a competent authority in the EU, or (iii) data subjects have been given the opportunity to object, after having been informed of the purposes of the transfer, the categories of recipients and the fact that the countries to which data is exported may have different data protection standards, or (iv) with regard to onward transfers of sensitive data, data subjects have given their unambiguous consent to the onward transfer.

OBLIGATIONS OF THE DATA IMPORTER. The data importer warrants and undertakes that: (a) It will have in place appropriate technical and organizational organisational measures to protect the personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized unauthorised disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected. (b) To the extent the data exporter consents to the data importer transferring the personal data to, or providing access to the personal data to, a third party, it It will have in place procedures so that any third party it authorizes authorises to have access to the personal data, including processors, will respect and maintain the confidentiality and security of the personal data. Any person acting under the authority of the data importer, including a data processor, shall be obligated to process the personal data only on instructions from the data importer. This provision does not apply to persons authorized authorised or required by law or regulation to have access to the personal data. (c) It has no reason to believe, at the time of entering into these clauses, in the existence of any local laws that would have a substantial adverse effect on the guarantees provided for under these clauses, and it will inform the data exporter (which will pass such notification on to the authority where required) if it becomes aware of any such laws. (d) It will process the personal data for purposes described in Annex B to this Exhibit 1B, and has the legal authority to give the warranties and fulfil the undertakings set out in these clauses. (e) It will identify to the data exporter a contact point within its organization authorized organisation authorised to respond to enquiries concerning processing of the personal data, and will cooperate in good faith with the data exporter, the data subject and the authority concerning all such enquiries within a reasonable time. In case of legal dissolution of the data exporter, or if the parties have so agreed, the data importer will assume responsibility for compliance with the provisions of clause I(e1(e). (f) At the request of the data exporter, it will provide the data exporter with evidence of financial resources sufficient to fulfil its responsibilities under Clause III clause 3 (which may include insurance coverage). (g) Upon reasonable request of the data exporter, it will submit its data processing facilities, data files and documentation needed for processing to reviewing, auditing and/or certifying by the data exporter (or any independent or impartial inspection agents or auditors, selected by the data exporter and not reasonably objected to by the data importer) to ascertain compliance with the warranties and undertakings in these clauses, with reasonable notice and during regular business hours. The request will be subject to any necessary consent or approval from a regulatory or supervisory authority within the country of the data importer, which consent or approval the data importer will attempt to obtain in a timely fashion. (h) It will process the personal data, at its option, in accordance with: (i) the data protection laws of the country in which the data exporter is established, or (ii) the relevant provisions of any Commission decision pursuant to Article 25(6) of Directive 95/46/EC, where the data importer complies with the relevant provisions of such an authorisation or decision and is based in a country to which such an authorisation or decision pertains, but is not covered by such authorisation or decision for the purposes of the transfer(s) of the personal data, or (iii) the data processing principles set forth in Annex A to this Exhibit 1.A. (i) It will not disclose or transfer the personal data to a third party data controller located outside the European Economic Area ("EEA") without the prior written consent of unless it notifies the data exporter about the transfer and (i) the third party data controller processes the personal data in accordance with a Commission decision finding that a third country provides adequate protection, or (ii) the third party data controller becomes a signatory to these clauses or another data transfer agreement approved by a competent authority in the EU, or (iii) data subjects have been given the opportunity to object, after having been informed of the purposes of the transfer, the categories of recipients and the fact that the countries to which data is exported may have different data protection standards, or (iv) with regard to onward transfers of sensitive data, data subjects have given their unambiguous consent to the onward transfer.

OBLIGATIONS OF THE DATA IMPORTER. The data importer warrants and undertakes that: (a) It will have in place appropriate technical and organizational organisational measures to protect the personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized unauthorised disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected. (b) To the extent the data exporter consents to the data importer transferring the personal data to, or providing access to the personal data to, a third party, it It will have in place procedures so that any third party it authorizes authorises to have access to the personal data, including processors, will respect and maintain the confidentiality and security of the personal data. Any person acting under the authority of the data importer, including a data processor, shall be obligated to process the personal data only on instructions from the data importer. This provision does not apply to persons authorized authorised or required by law or regulation to have access to the personal data. (c) It has no reason to believe, at the time of entering into these clauses, in the existence of any local laws that would have a substantial adverse effect on the guarantees provided for under these clauses, and it will inform the data exporter (which will pass such notification on to the authority where required) if it becomes aware of any such laws. (d) It will process the personal data for purposes described in Annex B to this Exhibit 1B, and has the legal authority to give the warranties and fulfil the undertakings set out in these clauses. (e) It will identify to the data exporter a contact point within its organization authorized organisation authorised to respond to enquiries concerning processing of the personal data, and will cooperate in good faith with the data exporter, the data subject and the authority concerning all such enquiries within a reasonable time. In case of legal dissolution of the data exporter, or if the parties have so agreed, the data importer will assume responsibility for compliance with the provisions of clause I(e). (f) At the request of the data exporter, it will provide the data exporter with evidence of financial resources sufficient to fulfil its responsibilities under Clause clause III (which may include insurance coverage). (g) Upon reasonable request of the data exporter, it will submit its data processing facilities, data files and documentation needed for processing to reviewing, auditing and/or certifying by the data exporter (or any independent or impartial inspection agents or auditors, selected by the data exporter and not reasonably objected to by the data importer) to ascertain compliance with the warranties and undertakings in these clauses, with reasonable notice and during regular business hours. The request will be subject to any necessary consent or approval from a regulatory or supervisory authority within the country of the data importer, which consent or approval the data importer will attempt to obtain in a timely fashion. (h) It will process the personal data, at its option, in accordance with: i. the data protection laws of the country in which the data exporter is established, or ii. the relevant provisions (1) of any Commission decision pursuant to Article 25(6) of Directive 95/46/EC, where the data importer complies with the relevant provisions of such an authorisation or decision and is based in a country to which such an authorisation or decision pertains, but is not covered by such authorisation or decision for the purposes of the transfer(s) of the personal data (2), or iii. the data processing principles set forth in Annex A A. (Data importer to this Exhibit 1.indicate which option it selects: iii) (i) It will not disclose or transfer the personal data to a third party data controller located outside the European Economic Area ("EEA") without the prior written consent of unless it notifies the data exporter about the transfer and (i) i. the third party data controller processes the personal data in accordance with a Commission decision finding that a third country provides adequate protection, or (ii) . the third party data controller becomes a signatory to these clauses or another data transfer agreement approved by a competent authority in the EU, or (iii) . data subjects have been given the opportunity to object, after having been informed of the purposes of the transfer, the categories of recipients and the fact that the countries to which data is exported may have different data protection standards, or (iv) . with regard to onward transfers of sensitive data, data subjects have given their unambiguous consent to the onward transfer.

OBLIGATIONS OF THE DATA IMPORTER. The data importer warrants and undertakes that: (a) It will have in place appropriate technical and organizational organisational measures to protect the personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized unauthorised disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected. (b) To the extent the data exporter consents to the data importer transferring the personal data to, or providing access to the personal data to, a third party, it It will have in place procedures so that any third party it authorizes authorises to have access to the personal data, including processors, will respect and maintain the confidentiality and security of the personal data. Any person acting under the authority of the data importer, including a data processor, shall be obligated to process the personal data only on instructions from the data importer. This provision does not apply to persons authorized authorised or required by law or regulation to have access to the personal data. (c) It has no reason to believe, at the time of entering into these clauses, in the existence of any local laws that would have a substantial adverse effect on the guarantees provided for under these clauses, and it will inform the data exporter (which will pass such notification on to the authority where required) if it becomes aware of any such laws. (d) It will process the personal data for purposes described in Annex B to this Exhibit 1B, and has the legal authority to give the warranties and fulfil the undertakings set out in these clauses. (e) It will identify to the data exporter a contact point within its organization authorized organisation authorised to respond to enquiries concerning processing of the personal data, and will cooperate in good faith with the data exporter, the data subject and the authority concerning all such enquiries within a reasonable time. In case of legal dissolution of the data exporter, or if the parties have so agreed, the data importer will assume responsibility for compliance with the provisions of clause I(e1(e). (f) At the request of the data exporter, it will provide the data exporter with evidence of financial resources sufficient to fulfil its responsibilities under Clause III (which clause 3(which may include insurance coverage). (g) Upon reasonable request of the data exporter, it will submit its data processing facilities, data files and documentation needed for processing to reviewing, auditing and/or certifying by the data exporter (or any independent or impartial inspection agents or auditors, selected by the data exporter and not reasonably objected to by the data importer) to ascertain compliance with the warranties and undertakings in these clauses, with reasonable notice and during regular business hours. The request will be subject to any necessary consent or approval from a regulatory or supervisory authority within the country of the data importer, which consent or approval the data importer will attempt to obtain in a timely fashion. (h) It will process the personal data, at its option, in accordance with: (i) the data protection laws of the country in which the data exporter is established, or (ii) the relevant provisions of any Commission decision pursuant to Article 25(6) of Directive 95/46/EC, where the data importer complies with the relevant provisions of such an authorisation or decision and is based in a country to which such an authorisation or decision pertains, but is not covered by such authorisation or decision for the purposes of the transfer(s) of the personal data, or (iii) the data processing principles set forth in Annex A A. Data importer to this Exhibit 1.indicate which option it selects: 2(h)(i) Initials of data importer: VTCT (i) It will not disclose or transfer the personal data to a third party data controller located outside the European Economic Area ("EEA") without the prior written consent of unless it notifies the data exporter about the transfer and (i) the third party data controller processes the personal data in accordance with a Commission decision finding that a third country provides adequate protection, or (ii) the third party data controller becomes a signatory to these clauses or another data transfer agreement approved by a competent authority in the EU, or (iii) data subjects have been given the opportunity to object, after having been informed of the purposes of the transfer, the categories of recipients and the fact that the countries to which data is exported may have different data protection standards, or (iv) with regard to onward transfers of sensitive data, data subjects have given their unambiguous consent to the onward transfer.

OBLIGATIONS OF THE DATA IMPORTER. The data importer Data Importer warrants and undertakes that: (a) It will have in place appropriate technical and organizational measures to protect provide a standard of protection, which is comparable to the protection required by the PDPA and any requirements set out in any advisory or other guidelines issued from time to time by the PDPC, to the personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected. (b) To the extent the data exporter consents to the data importer transferring the personal data to, or providing access to the personal data to, a third party, it It will have in place procedures so that any third party it authorizes to have access to the personal data, including processors, will respect and maintain the confidentiality and security of the personal data. Any person acting under the authority of the data importerData Importer, including a data processor, processor shall be obligated to process the personal data only on instructions from the data importerData Importer. This provision does not apply to persons authorized or required by law or regulation to have access to the personal data. (c) It has no reason to believe, at the time of entering into these clauses, in the existence of any local laws that would have a substantial adverse effect on the guarantees provided for under these clauses, and it will inform the data exporter (which will pass such notification on to the authority where required) Data Exporter if it becomes aware of any such laws. (d) It will process the personal data for purposes described in Annex B to this Exhibit 1B, and has the legal authority to give the warranties and fulfil fulfill the undertakings set out in these clauses. (e) It will identify to the data exporter Data Exporter a contact point within its organization authorized to respond to enquiries concerning processing of the personal data, and will cooperate in good faith with the data exporterData Exporter, the data subject Data Subject and the authority concerning all such enquiries within a reasonable time. In case of legal dissolution of the data exporterData Exporter, or if the parties have so agreed, the data importer Data Importer will assume responsibility for compliance with the provisions of clause I(e). (f) At the request of the data exporterData Exporter, it will provide the data exporter Data Exporter with evidence of financial resources sufficient to fulfil fulfill its responsibilities under Clause clause III (which may include insurance coverage). (g) Upon reasonable request of the data exporter, it will submit its data processing facilities, data files and documentation needed for processing to reviewing, auditing and/or certifying by the data exporter (or any independent or impartial inspection agents or auditors, selected by the data exporter and not reasonably objected to by the data importer) to ascertain compliance with the warranties and undertakings in these clauses, with reasonable notice and during regular business hours. The request will be subject to any necessary consent or approval from a regulatory or supervisory authority within the country of the data importer, which consent or approval the data importer will attempt to obtain in a timely fashion. (h) It will process the personal data, at its option, in accordance with the data processing principles set forth in Annex A to this Exhibit 1. (i) It will not disclose or transfer the personal data to a third party data controller located outside the European Economic Area ("EEA") without the prior written consent of the data exporter and (i) the third party data controller processes the personal data in accordance with a Commission decision finding that a third country provides adequate protection, or (ii) the third party data controller becomes a signatory to these clauses or another data transfer agreement approved by a competent authority in the EU, or (iii) data subjects have been given the opportunity to object, after having been informed of the purposes of the transfer, the categories of recipients and the fact that the countries to which data is exported may have different data protection standards, or (iv) with regard to onward transfers of sensitive data, data subjects have given their unambiguous consent to the onward transfer.

OBLIGATIONS OF THE DATA IMPORTER. The data importer Data Importer warrants and undertakes that: (a) It will have in place appropriate technical and organizational organisational measures to protect the personal data Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized unauthorised disclosure or access, and which provide a level of security appropriate to the risk represented by the processing Processing and the nature of the data to be protected. (b) To the extent the data exporter consents to the data importer transferring the personal data to, or providing access to the personal data to, a third party, it It will have in place procedures so that any third party it authorizes authorises to have access to the personal dataPersonal Data, including processorsProcessors, will respect and maintain the confidentiality and security of the personal dataPersonal Data. Any person acting under the authority Authority of the data importerData Importer, including a data processorProcessor, shall be obligated to process Process the personal data Personal Data only on instructions from the data importerData Importer. This provision does not apply to persons authorized authorised or required by law or regulation to have access to the personal dataPersonal Data. (c) It has no reason to believe, at the time of entering into these clausesClauses, in the existence of any local laws that would have a substantial adverse effect on the guarantees provided for under these clausesClauses, and it will inform the data exporter Data Exporter (which will pass such notification on to the authority Authority where required) if it becomes aware of any such laws. (d) It will process Process the personal data Personal Data for purposes described in Annex B to this Exhibit 1, and has the legal authority to give the warranties and fulfil the undertakings set out in these clausesClauses. (e) It will identify to the data exporter Data Exporter a contact point within its organization authorized to respond to enquiries concerning processing Processing of the personal data, Personal Data and will cooperate in good faith with the data exporterData Exporter, the data subject Data Subject and the authority Authority concerning all such enquiries within a reasonable time. In case of legal dissolution of the data exporterData Exporter, or if the parties Parties have so agreed, the data importer Data Importer will assume responsibility for compliance with the provisions of clause I(eClause 2(e). (f) At the request of the data exporterData Exporter, it will provide the data exporter Data Exporter with evidence of financial resources sufficient to fulfil its responsibilities under Clause III 4 (which may include insurance coverage). (g) Upon reasonable request of the data exporterData Exporter, it will submit its data processing Processing facilities, data files and documentation needed for processing Processing to reviewing, auditing and/or certifying by the data exporter Data Exporter (or any independent or impartial inspection agents or auditors, selected by the data exporter Data Exporter and not reasonably objected to by the data importerData Importer) to ascertain compliance with the warranties and undertakings in these clausesClauses, with reasonable notice and during regular business hours. The request will be subject to any necessary consent or approval from a regulatory or supervisory authority Supervisory Authority within the country of the data importerData Importer, which consent or approval the data importer Data Importer will attempt to obtain in a timely fashion. (h) It will process Process the personal data, at its option, Personal Data in accordance with the data processing Processing principles set forth in Annex A to this Exhibit 1.A. (i) It will not disclose or transfer the personal data Personal Data to a third party data controller Controller located outside the European Economic Area ("EEA") without unless it notifies the prior written consent of Data Exporter about the data exporter transfer and (i) the third party data controller processes Controller Processes the personal data Personal Data in accordance with a Commission decision finding that a third country provides adequate protection, or (ii) the third party data controller Controller becomes a signatory to these clauses Clauses or another data transfer agreement approved by a competent authority Authority in the EU, or (iii) data subjects Data Subjects have been given the opportunity to object, after having been informed of the purposes of the transfer, the categories of recipients and the fact that the countries to which data is exported may have different data protection standards, or (iv) with regard to onward transfers of sensitive dataSensitive Data, data subjects Data Subjects have given their unambiguous consent to the onward transfer.

OBLIGATIONS OF THE DATA IMPORTER. The data importer warrants and undertakes that: (a) It will have in place appropriate technical and organizational organisational measures to protect the personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized unauthorised disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected. (b) To the extent the data exporter consents to the data importer transferring the personal data to, or providing access to the personal data to, a third party, it It will have in place procedures so that any third party it authorizes authorises to have access to the personal data, including processors, will respect and maintain the confidentiality and security of the personal data. Any person acting under the authority of the data importer, including a data processor, shall be obligated to process the personal data only on instructions from the data importer. This provision does not apply to persons authorized authorised or required by law or regulation to have access to the personal data. (c) It has no reason to believe, at the time of entering into these clauses, in the existence of any local laws that would have a substantial adverse effect on the guarantees provided for under these clauses, and it will inform the data exporter (which will pass such notification on to the authority where required) if it becomes aware of any such laws. (d) It will process the personal data for purposes described in Annex B to this Exhibit 1B, and has the legal authority to give the warranties and fulfil the undertakings set out in these clauses. (e) It will identify to the data exporter a contact point within its organization authorized organisation authorised to respond to enquiries concerning processing of the personal data, and will cooperate in good faith with the data exporter, the data subject and the authority concerning all such enquiries within a reasonable time. In case of legal dissolution of the data exporter, or if the parties have so agreed, the data importer will assume responsibility for compliance with the provisions of clause I(e). (f) At the request of the data exporter, it will provide the data exporter with evidence of financial resources sufficient to fulfil its responsibilities under Clause clause III (which may include insurance coverage). (g) Upon reasonable request of the data exporter, it will submit its data processing facilities, data files and documentation needed for processing to reviewing, auditing and/or certifying by the data exporter (or any independent or impartial inspection agents or auditors, selected by the data exporter and not reasonably objected to by the data importer) to ascertain compliance with the warranties and undertakings in these clauses, with reasonable notice and during regular business hours. The request will be subject to any necessary consent or approval from a regulatory or supervisory authority within the country of the data importer, which consent or approval the data importer will attempt to obtain in a timely fashion. (h) It will process the personal data, at its option, in accordance with: i. the data protection laws of the country in which the data exporter is established, or ii. the relevant provisions1 of any Commission decision pursuant to Article 25(6) of Directive 95/46/EC, where the data importer complies with the relevant provisions of such an authorisation or decision and is based in a country to which such an authorisation or decision pertains, but is not covered by such authorisation or decision for the purposes of the transfer(s) of the personal data2, or iii. the data processing principles set forth in Annex A A. Data importer to this Exhibit 1.indicate which option it selects: (i) Initials of data importer ; (i) It will not disclose or transfer the personal data to a third party data controller located outside the European Economic Area ("EEA") without the prior written consent of unless it notifies the data exporter about the transfer and (i) i. the third party data controller processes the personal data in accordance with a Commission decision finding that a third country provides adequate protection, or (ii) . the third party data controller becomes a signatory to these clauses or another data transfer agreement approved by a competent authority in the EU, or (iii) . data subjects have been given the opportunity to object, after having been informed of the purposes of the transfer, the categories of recipients and the fact that the countries to which data is exported may have different data protection standards, or or 1 “Relevant provisions” means those provisions of any authorisation or decision except for the enforcement provisions of any authorisation or decision (iv) with regard to onward transfers of sensitive data, data subjects have given their unambiguous consent to the onward transferwhich shall be governed by these clauses).

OBLIGATIONS OF THE DATA IMPORTER. The data importer warrants and undertakes that: (a) It will have in place appropriate technical and organizational organisational measures to protect the personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized unauthorised disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected. (b) To the extent the data exporter consents to the data importer transferring the personal data to, or providing access to the personal data to, a third party, it It will have in place procedures so that any third party it authorizes authorises to have access to the personal data, including processors, will respect and maintain the confidentiality and security of the personal data. Any person acting under the authority of the data importer, including a data processor, shall be obligated to process the personal data only on instructions from the data importer. This provision does not apply to persons authorized authorised or required by law or regulation to have access to the personal data. (c) It has no reason to believe, at the time of entering into these clauses, in the existence of any local laws that would have a substantial adverse effect on the guarantees provided for under these clauses, and it will inform the data exporter (which will pass such notification on to the authority where required) if it becomes aware of any such laws. (d) It will process the personal data for purposes described in Annex B to this Exhibit 1B, and has the legal authority to give the warranties and fulfil the undertakings set out in these clauses. (e) It will identify to the data exporter a contact point within its organization authorized organisation authorised to respond to enquiries concerning processing of the personal data, and will cooperate in good faith with the data exporter, the data subject and the authority concerning all such enquiries within a reasonable time. In case of legal dissolution of the data exporter, or if the parties have so agreed, the data importer will assume responsibility for compliance with the provisions of clause I(e). (f) At the request of the data exporter, it will provide the data exporter with evidence of financial resources sufficient to fulfil its responsibilities under Clause clause III (which may include insurance coverage). (g) Upon reasonable request of the data exporter, it will submit its data processing facilities, data files and documentation needed for processing to reviewing, auditing and/or certifying by the data exporter (or any independent or impartial inspection agents or auditors, selected by the data exporter and not reasonably objected to by the data importer) to ascertain compliance with the warranties and undertakings in these clauses, with reasonable notice and during regular business hours. The request will be subject to any necessary consent or approval from a regulatory or supervisory authority within the country of the data importer, which consent or approval the data importer will attempt to obtain in a timely fashion. (h) It will process the personal data, at its option, in accordance with: (i) the data protection laws of the country in which the data exporter is established, or (ii) the relevant provisions1 of any Commission decision pursuant to Article 25(6) of Directive 95/46/EC, where the data importer complies with the relevant provisions of such an authorisation or decision and is based in a country to which such an authorisation or decision pertains, but is not covered by such authorisation or decision for the purposes of the transfer(s) of the personal data2, or (iii) the data processing principles set forth in Annex A A. Data importer to this Exhibit 1.indicate which option it selects: Initials of data importer: (i) It will not disclose or transfer the personal data to a third party data controller located outside the European Economic Area ("EEA") without the prior written consent of unless it notifies the data exporter about the transfer and (i) the third party data controller processes the personal data in accordance with a Commission decision finding that a third country provides adequate protection, or (ii) the third party data controller becomes a signatory to these clauses or another data transfer agreement approved by a competent authority in the EU, or (iii) data subjects have been given the opportunity to object, after having been informed of the purposes of the transfer, the categories of recipients and the fact that the countries to which data is exported may have different data protection standards, or (iv) with regard to onward transfers of sensitive data, data subjects have given their unambiguous consent to the onward transfer.

OBLIGATIONS OF THE DATA IMPORTER. (1) The data importer Data Importer warrants and undertakes that:– (a) It it will have in place appropriate technical and organizational organisational measures to protect the personal data Personal Data against unauthorised or unlawful processing and against accidental loss or unlawful destruction or accidental loss, alteration, unauthorized disclosure or accessdamage, and which provide a level of security appropriate to the risk represented by the processing Processing and the nature of the data Data to be protected.; (b) To the extent the data exporter consents to the data importer transferring the personal data to, or providing access to the personal data to, a third party, it will have in place procedures so that any third party Third Party it authorizes authorises to have access to the personal dataPersonal Data, including processorsData Processors, will respect and maintain the confidentiality and security of the personal dataPersonal Data. Any person acting under the authority of the data importerData Importer, including a data processorData Processor, shall be obligated to process Process the personal data Personal Data only on instructions from the data importerData Importer. This provision does not apply to persons authorized authorised or required by law or regulation the Regulations to have access to the personal data.Personal Data; (c) It it has no reason to believe, at the time of entering into these clauses, believe in the existence of any local non‐Abu Dhabi Global Market laws that would have a substantial adverse effect on the guarantees provided for under enforceability of these clausesClauses, and it will promptly inform the data exporter Data Exporter (which will pass such notification on to the authority Registrar where required) if it becomes aware of any such laws.laws or any changes in such laws which have such a substantial adverse effect; (d) It it will process Process the personal data Personal Data for purposes described in Annex B to this Exhibit 1B, and has the legal authority to give the warranties and fulfil the undertakings set out in these clauses.Clauses; (e) It it will identify to the data exporter Data Exporter a contact point within its organization authorized organisation authorised to respond to enquiries concerning processing Processing of the personal dataPersonal Data, and will cooperate in good faith with the data exporterData Exporter, the data subject Data Subject and the authority Registrar concerning all such enquiries within a reasonable time. In case of legal dissolution of the data exporter, or if the parties have so agreed, the data importer will assume responsibility for compliance with the provisions of clause I(e).; (f) At at the request of the data exporterData Exporter, it will provide the data exporter Data Exporter with evidence of financial resources sufficient to fulfil its responsibilities under Clause III 4 (which may include insurance coverage).; (g) Upon upon reasonable request of the data exporterData Exporter, it will submit its data processing Data Processing facilities, data Data files and documentation needed for processing Processing to reviewing, auditing and/or certifying by the data exporter Data Exporter (or any independent or impartial inspection agents or auditors, selected by the data exporter Data Exporter and not reasonably objected to by the data importerData Importer) to ascertain compliance with the warranties and undertakings in these clausesClauses, with reasonable notice and during regular business hours. The request will be subject to any necessary consent or approval from a regulatory or supervisory authority within the country of the data importerData Importer, which consent or approval the data importer Data Importer will attempt to obtain in a timely fashion.; (h) It it will process Process the personal dataPersonal Data, at its option, in accordance with with– (i) the data processing Regulations, or (ii) the Data Processing principles set forth in Annex A A, Data Importer to this Exhibit 1.indicate which option it selects: ……………………… Initials of Data Importer ; and (i) It it will promptly notify the Data Exporter about– (i) any legally binding request for disclosure of the Personal Data by a law enforcement authority unless otherwise prohibited, such as a prohibition under the criminal law of any jurisdiction outside the Abu Dhabi Global Market to preserve the confidentiality of a law enforcement investigation; (ii) any accidental or unauthorised access; and (iii) any request received directly from the Data Subjects without responding to that request, unless it has been otherwise authorised to do so. (2) The Data Importer warrants and undertakes that it will not disclose or transfer the personal data Personal Data to a third party data controller located outside the European Economic Area ("EEA") without Abu Dhabi Global Market unless it notifies the prior written consent of Data Exporter about the data exporter transfer and– (i) the third party data controller processes the personal data Personal Data in accordance with the laws of a Commission decision finding jurisdiction outside the Abu Dhabi Global Market that a third country provides has been designated under the Regulations or by the Registrar as providing adequate protection, orprotection for Personal Data; (ii) the third party data controller becomes a signatory to these clauses Clauses or another data transfer agreement approved by a competent authority in the EU, orRegistrar; (iii) data subjects Data Subjects have been given the opportunity to object, after having been informed of the purposes of the transfer, the categories of recipients and the fact that the countries jurisdictions to which data Data is exported may have different data protection standards, ; or (iv) with regard to onward transfers of sensitive dataSensitive Personal Data, data subjects Data Subjects have given their unambiguous consent to the onward transfer.

OBLIGATIONS OF THE DATA IMPORTER. The data importer warrants and undertakes that: (a) It will have in place appropriate technical and organizational organisational measures to protect the personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized unauthorised disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected. (b) To the extent the data exporter consents to the data importer transferring the personal data to, or providing access to the personal data to, a third party, it It will have in place procedures so that any third party it authorizes authorises to have access to the personal data, including processors, will respect and maintain the confidentiality and security of the personal data. Any person acting under the authority of the data importer, including a data processor, shall be obligated to process the personal data only on instructions from the data importer. This provision does not apply to persons authorized authorised or required by law or regulation to have access to the personal data. (c) It has no reason to believe, at the time of entering into these clauses, in the existence of any local laws that would have a substantial adverse effect on the guarantees provided for under these clauses, and it will inform the data exporter (which will pass such notification on to the authority where required) if it becomes aware of any such laws. (d) It will process the personal data for purposes described in Annex B to this Exhibit 1B, and has the legal authority to give the warranties and fulfil the undertakings set out in these clauses. (e) It will identify to the data exporter a contact point within its organization authorized organisation authorised to respond to enquiries concerning processing of the personal data, and will cooperate in good faith with the data exporter, the data subject and the authority concerning all such enquiries within a reasonable time. In case of legal dissolution of the data exporter, or if the parties have so agreed, the data importer will assume responsibility for compliance with the provisions of clause I(eClause 1(e). (f) At the request of the data exporter, it will provide the data exporter with evidence of financial resources sufficient to fulfil its responsibilities under Clause III (which may include insurance coverage).under (g) Upon reasonable request of the data exporter, it will submit its data processing facilities, data files and documentation needed for processing to reviewing, auditing and/or certifying by the data exporter (or any independent or impartial inspection agents or auditors, selected by the data exporter and not reasonably objected to by the data importer) to ascertain compliance with the warranties and undertakings in these clauses, with reasonable notice and during regular business hours. The request will be subject to any necessary consent or approval from a regulatory or supervisory authority within the country of the data importer, which consent or approval the data importer will attempt to obtain in a timely fashion. (h) It will process the personal data, at its option, in accordance with: (i) the data protection laws of the country in which the data exporter is established, or (ii) the relevant provisions of any Commission decision pursuant to Article 25(6) of Directive 95/46/EC, where the data importer complies with the relevant provisions of such an authorisation or decision and is based in a country to which such an authorisation or decision pertains, but is not covered by such authorisation or decision for the purposes of the transfer(s) of the personal data, or (iii) the data processing principles set forth in Annex A to this Exhibit 1.A. (i) The data protection laws of the country in which the data exporter is established. Initials of data importer: (i) It will not disclose or transfer the personal data to a third party data controller located outside the European Economic Area ("EEA") without the prior written consent of unless it notifies the data exporter about the transfer and (i) the third party data controller processes the personal data in accordance with a Commission decision finding that a third country provides adequate protection, or (ii) the third party data controller becomes a signatory to these clauses or another data transfer agreement approved by a competent authority in the EU, or (iii) data subjects have been given the opportunity to object, after having been informed of the purposes of the transfer, the categories of recipients and the fact that the countries to which data is exported may have different data protection standards, or (iv) with regard to onward transfers of sensitive data, data subjects have given their unambiguous consent to the onward transfer.

OBLIGATIONS OF THE DATA IMPORTER. The data importer warrants and undertakes that: (a) It will have in place appropriate technical and organizational organisational measures to protect the personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized unauthorised disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected. (b) To the extent the data exporter consents to the data importer transferring the personal data to, or providing access to the personal data to, a third party, it It will have in place procedures so that any third party it authorizes authorises to have access to the personal data, including processors, will respect and maintain the confidentiality and security of the personal data. Any person acting under the authority of the data importer, including a data processor, shall be obligated to process the personal data only on instructions from the data importer. This provision does not apply to persons authorized authorised or required by law or regulation to have access to the personal data. (c) It has no reason to believe, at the time of entering into these clauses, in the existence of any local laws that would have a substantial adverse effect on the guarantees provided for under these clauses, and it will inform the data exporter (which will pass such notification on to the authority where required) if it becomes aware of any such laws. (d) It will process the personal data for purposes described in Annex B to this Exhibit 1B, and has the legal authority to give the warranties and fulfil the undertakings set out in these clauses. (e) It will identify to the data exporter a contact point within its organization authorized organisation authorised to respond to enquiries concerning processing of the personal data, and will cooperate in good faith with the data exporter, the data subject and the authority concerning all such enquiries within a reasonable time. In case of legal dissolution of the data exporter, or if the parties have so agreed, the data importer will assume responsibility for compliance with the provisions of clause I(e). (f) At the request of the data exporter, it will provide the data exporter with evidence of financial resources sufficient to fulfil its responsibilities under Clause clause III (which may include insurance coverage). (g) Upon reasonable request of the data exporter, it will submit its data processing facilities, data files and documentation needed for processing to reviewing, auditing and/or certifying by the data exporter (or any independent or impartial inspection agents or auditors, selected by the data exporter and not reasonably objected to by the data importer) to ascertain compliance with the warranties and undertakings in these clauses, with reasonable notice and during regular business hours. The request will be subject to any necessary consent or approval from a regulatory or supervisory authority within the country of the data importer, which consent or approval the data importer will attempt to obtain in a timely fashion. (h) It will process the personal data, at its option, in accordance with the data processing principles set forth in Annex A to this Exhibit 1. (i) It will not disclose or transfer the personal data to a third party data controller located outside the European Economic Area ("EEA") without the prior written consent of the data exporter andwith: (i) the third party data controller processes protection laws of the personal country in which the data in accordance with a exporter is established, or (ii)the relevant provisions of any Commission decision finding that pursuant to Article 25(6) of Directive 95/46/EC, where the data importer complies with the relevant provisions of such an authorisation or decision and is based in a third country provides adequate protectionto which such an authorisation or decision pertains, or (ii) the third party data controller becomes a signatory to these clauses but is not covered by such authorisation or another data transfer agreement approved by a competent authority in the EU, or (iii) data subjects have been given the opportunity to object, after having been informed of decision for the purposes of the transfer, transfer(s) of the categories of recipients and the fact that the countries to which data is exported may have different data protection standardspersonal data, or (iv) with regard to onward transfers of sensitive data, data subjects have given their unambiguous consent to the onward transfer.

OBLIGATIONS OF THE DATA IMPORTER. The data importer warrants and undertakes that: (a) It will have in place appropriate technical and organizational organisational measures to protect the personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized unauthorised disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected. (b) To the extent the data exporter consents to the data importer transferring the personal data to, or providing access to the personal data to, a third party, it It will have in place procedures so that any third party it authorizes authorises to have access to the personal data, including processors, will respect and maintain the confidentiality and security of the personal data. Any person acting under the authority of the data importer, including a data processor, shall be obligated to process the personal data only on instructions from the data importer. This provision does not apply to persons authorized authorised or required by law or regulation to have access to the personal data. (c) It has no reason to believe, at the time of entering into these clauses, in the existence of any local laws that would have a substantial adverse effect on the guarantees provided for under these clauses, and it will inform the data exporter (which will pass such notification on to the authority where required) if it becomes aware of any such laws. (d) It will process the personal data for purposes described in Annex B to this Exhibit 1the Annex, and has the legal authority to give the warranties and fulfil the undertakings set out in these clauses. (e) It will identify to the data exporter a contact point within its organization authorized organisation authorised to respond to enquiries concerning processing of the personal data, and will cooperate in good faith with the data exporter, the data subject and the authority concerning all such enquiries within a reasonable time. In case of legal dissolution of the data exporter, or if the parties have so agreed, the data importer will assume responsibility for compliance with the provisions of clause I(e1(e). (f) At the request of the data exporter, it will provide the data exporter with evidence of financial resources sufficient to fulfil its responsibilities under Clause III clause 3 (which may include insurance coverage). (g) Upon reasonable request of the data exporter, it will submit its data processing facilities, data files and documentation needed for processing to reviewing, auditing and/or certifying by the data exporter (or any independent or impartial inspection agents or auditors, selected by the data exporter and not reasonably objected to by the data importer) to ascertain compliance with the warranties and undertakings in these clauses, with reasonable notice and during regular business hours. The request will be subject to any necessary consent or approval from a regulatory or supervisory authority within the country of the data importer, which consent or approval the data importer will attempt to obtain in a timely fashion. (h) It will process the personal data, at its option, data in accordance with the data processing principles set forth protection laws and regulation of its own country being a country located in Annex A to this Exhibit 1the EEA or a country where the European Commission has found that the country’s data protection regime provides adequate protection. (i) It will not disclose or transfer the personal data to a third party data controller located outside the European Economic Area ("EEA") without the prior written consent of unless it notifies the data exporter about the transfer and (i) the third party data controller processes the personal data in accordance with a Commission decision finding that a third country provides adequate protection, or (ii) the third party data controller becomes a signatory to these clauses or another data transfer agreement approved by a competent authority in the EU, or (iii) data subjects have been given the opportunity to object, after having been informed of the purposes of the transfer, the categories of recipients and the fact that the countries to which data is exported may have different data protection standards, or (iv) with regard to onward transfers of sensitive data, data subjects have given their unambiguous consent to the onward transfer.

OBLIGATIONS OF THE DATA IMPORTER. The data importer Data Importer warrants and undertakes that: (a) It will have in place appropriate technical and organizational measures to protect provide a standard of protection, that is comparable to the protection required by the PDPA and any requirements set out in any advisory or other guidelines issued from time to time by the PDPC, to the personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected. (b) To the extent the data exporter consents to the data importer transferring the personal data to, or providing access to the personal data to, a third party, it It will have in place procedures so that any third party it authorizes to have access to the personal data, including processors, will respect and maintain the confidentiality and security of the personal data. Any person acting under the authority of the data importerData Importer, including a data processor, processor shall be obligated to process the personal data only on instructions from the data importerData Importer. This provision does not apply to persons authorized or required by law or regulation to have access to the personal data. (c) It has no reason to believe, at the time of entering into these clauses, in the existence of any local laws that would have a substantial adverse effect on the guarantees provided for under these clauses, and it will inform the data exporter (which will pass such notification on to the authority where required) Data Exporter if it becomes aware of any such laws. (d) It will process the personal data for purposes described in Annex B to this Exhibit 1D, and has the legal authority to give the warranties and fulfil fulfill the undertakings set out in these clauses. (e) It will identify to the data exporter Data Exporter a contact point within its organization authorized to respond to enquiries concerning processing of the personal data, and will cooperate in good faith with the data exporterData Exporter, the data subject Data Subject and the authority concerning all such enquiries within a reasonable time. In case of legal dissolution of the data exporterData Exporter, or if the parties have so agreed, the data importer Data Importer will assume responsibility for compliance with the provisions of clause I(e). (f) At the request of the data exporterData Exporter, it will provide the data exporter Data Exporter with evidence of financial resources sufficient to fulfil fulfill its responsibilities under Clause clause III (which may include insurance coverage). (g) Upon reasonable request of the data exporter, it will submit its data processing facilities, data files and documentation needed for processing to reviewing, auditing and/or certifying by the data exporter (or any independent or impartial inspection agents or auditors, selected by the data exporter and not reasonably objected to by the data importer) to ascertain compliance with the warranties and undertakings in these clauses, with reasonable notice and during regular business hours. The request will be subject to any necessary consent or approval from a regulatory or supervisory authority within the country of the data importer, which consent or approval the data importer will attempt to obtain in a timely fashion. (h) It will process the personal data, at its option, in accordance with the data processing principles set forth in Annex A to this Exhibit 1. (i) It will not disclose or transfer the personal data to a third party data controller located outside the European Economic Area ("EEA") without the prior written consent of the data exporter and (i) the third party data controller processes the personal data in accordance with a Commission decision finding that a third country provides adequate protection, or (ii) the third party data controller becomes a signatory to these clauses or another data transfer agreement approved by a competent authority in the EU, or (iii) data subjects have been given the opportunity to object, after having been informed of the purposes of the transfer, the categories of recipients and the fact that the countries to which data is exported may have different data protection standards, or (iv) with regard to onward transfers of sensitive data, data subjects have given their unambiguous consent to the onward transfer.

OBLIGATIONS OF THE DATA IMPORTER. The data importer warrants and undertakes that: (a) It will have in place appropriate technical and organizational organisational measures to protect the personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized unauthorised disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected. (b) To the extent the data exporter consents to the data importer transferring the personal data to, or providing access to the personal data to, a third party, it It will have in place procedures so that any third party it authorizes authorises to have access to the personal data, including processors, will respect and maintain the confidentiality and security of the personal data. Any person acting under the authority of the data importer, including a data processor, shall be obligated to process the personal data only on instructions from the data importer. This provision does not apply to persons authorized authorised or required by law or regulation to have access to the personal data. (c) It has no reason to believe, at the time of entering into these clausesthe Agreement, in the existence of any local laws that would have a substantial adverse effect on the guarantees provided for under these clausesthe Agreement, and it will inform the data exporter (which will pass such notification on to the authority where required) if it becomes aware of any such laws. (d) It will process the personal data only for purposes described in Annex B to this Exhibit 1B, and has the legal authority to give the warranties and fulfil the undertakings set out in these clausesthe Agreement. (e) It will identify to the data exporter a contact point within its organization authorized organisation authorised to respond to enquiries concerning processing of the personal data, and will cooperate in good faith with the data exporter, the data subject and the authority concerning all such enquiries within a reasonable time. In case of legal dissolution of the data exporter, or if the parties Parties have so agreed, the data importer will assume responsibility for compliance with the provisions of clause I(e). (f) At the request of the data exporter, it will provide the data exporter with evidence of financial resources sufficient to fulfil its responsibilities under Clause clause III (which may include insurance coverage). (g) Upon reasonable request of the data exporter, it will submit its data processing facilities, data files and documentation needed for processing to reviewing, auditing and/or certifying by the data exporter (or any independent or impartial inspection agents or auditors, selected by the data exporter and not reasonably objected to by the data importer) to ascertain compliance with the warranties and undertakings in these clauses, with reasonable notice and during regular business hours. The request will be subject to any necessary consent or approval from a regulatory or supervisory authority within the country of the data importer, which consent or approval the data importer will attempt to obtain in a timely fashion. (h) It will process the personal data, at its option, data in accordance with with: i. the data processing principles set forth in Annex A to this Exhibit 1.A. Initials of data importer: ZZZ, Executive Director (i) It will not disclose or transfer the personal data to a third party data controller located outside the European Economic Area ("EEA") without the prior written consent of unless it notifies the data exporter about the transfer and (i) i. the third party data controller processes the personal data in accordance with a Commission decision finding that a third country provides adequate protection, or (ii) . the third party data controller becomes a signatory to these clauses the Agreement or another data transfer agreement approved by a competent authority in the EU, or (iii) . data subjects have been given the opportunity to object, after having been informed of the purposes of the transfer, the categories of recipients and the fact that the countries to which data is exported may have different data protection standards, or (iv) . with regard to onward transfers of sensitive data, data subjects have given their unambiguous consent to the onward transfer.

OBLIGATIONS OF THE DATA IMPORTER. The data importer warrants and undertakes that: (a) 2.1 It will have in place appropriate technical and organizational organisational measures to protect the personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized unauthorised disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected. (b) To the extent the data exporter consents to the data importer transferring the personal data to, or providing access to the personal data to, a third party, it 2.2 It will have in place procedures so that any third party it authorizes authorises to have access to the personal data, including processors, will respect and maintain the confidentiality and security of the personal data. Any person acting under the authority of the data importer, including a data processor, shall be obligated to process the personal data only on instructions from the data importer. This provision does not apply to persons authorized authorised or required by law or regulation to have access to the personal data. (c) 2.3 It has no reason to believe, at the time of entering into these clauses, in the existence of any local laws that would have a substantial adverse effect on the guarantees provided for under these clauses, and it will inform the data exporter (which will pass such notification on to the authority where required) if it becomes aware of any such laws. (d) 2.4 It will process the personal data for purposes described in Annex B to this Exhibit 1B, and has the legal authority to give the warranties and fulfil the undertakings set out in these clauses. (e) 2.5 It will identify to the data exporter a contact point within its organization authorized organisation authorised to respond to enquiries concerning processing of the personal data, and will cooperate in good faith with the data exporter, the data subject and the authority concerning all such enquiries within a reasonable time. In case of legal dissolution of the data exporter, or if the parties have so agreed, the data importer will assume responsibility for compliance with the provisions of clause I(e)1.5. (f) 2.6 At the request of the data exporter, it will provide the data exporter with evidence of financial resources sufficient to fulfil its responsibilities under Clause clause III (which may include insurance coverage). (g) 2.7 Upon reasonable request of the data exporter, it will submit its data processing facilities, data files and documentation needed for processing to reviewing, auditing and/or certifying by the data exporter (or any independent or impartial inspection agents or auditors, selected by the data exporter and not reasonably objected to by the data importer) to ascertain compliance with the warranties and undertakings in these clauses, with reasonable notice and during regular business hours. The request will be subject to any necessary consent or approval from a regulatory or supervisory authority within the country of the data importer, which consent or approval the data importer will attempt to obtain in a timely fashion. (h) 2.8 It will process the personal data, at its option, in accordance with: 2.8.1. the data protection laws of the country in which the data exporter is established; or 2.8.2. the relevant provisions of any Commission decision pursuant to Article 25(6) of Directive 95/46/EC, where the data importer complies with the relevant provisions of such an authorisation or decision and is based in a country to which such an authorisation or decision pertains, but is not covered by such authorisation or decision for the purposes of the transfer(s) of the personal data; or 2.8.3. the data processing principles set forth in Annex A A. Data importer to this Exhibit 1.indicate which option it selects: Initials of data importer: (i) 2.9 It will not disclose or transfer the personal data to a third party data controller located outside the European Economic Area ("EEA") without the prior written consent of unless it notifies the data exporter about the transfer and (i) 2.9.1. the third party data controller processes the personal data in accordance with a Commission decision finding that a third country provides adequate protection, ; or (ii) 2.9.2. the third party data controller becomes a signatory to these clauses or another data transfer agreement approved by a competent authority in the EU, ; or (iii) 2.9.3. data subjects have been given the opportunity to object, after having been informed of the purposes of the transfer, the categories of recipients and the fact that the countries to which data is exported may have different data protection standards, ; or (iv) 2.9.4. with regard to onward transfers of sensitive data, data subjects have given their unambiguous consent to the onward transfer.

OBLIGATIONS OF THE DATA IMPORTER. The data importer Data Importer warrants and undertakes that: (a) It will have in place appropriate technical and organizational measures to protect provide a standard of protection, which is comparable to the protection required by the PDPA and any requirements set out in any advisory or other guidelines issued from time to time by the PDPC, to the personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected. (b) To the extent the data exporter consents to the data importer transferring the personal data to, or providing access to the personal data to, a third party, it It will have in place procedures so that any third party it authorizes to have access to the personal data, including processors, will respect and maintain the confidentiality and security of the personal data. Any person acting under the authority of the data importerData Importer, including a data processor, processor shall be obligated to process the personal data only on instructions from the data importerData Importer. This provision does not apply to persons authorized or required by law or regulation to have access to the personal data. (c) It has no reason to believe, at the time of entering into these clauses, in the existence of any local laws that would have a substantial adverse effect on the guarantees provided for under these clauses, and it will inform the data exporter (which will pass such notification on to the authority where required) Data Exporter if it becomes aware of any such laws. (d) It will process the personal data for purposes described in Annex B to this Exhibit 1B, and has the legal authority to give the warranties and fulfil fulfill the undertakings set out in these clauses. (e) It will identify to the data exporter Data Exporter a contact point within its organization authorized to respond to enquiries concerning processing of the personal data, and will cooperate in good faith with the data exporterData Exporter, the data subject Data Subject and the authority concerning all such enquiries within a reasonable time. In case of legal dissolution of the data exporterData Exporter, or if the parties have so agreed, the data importer Data Importer will assume responsibility for compliance with the provisions of clause I(e). (f) At the request of the data exporterData Exporter, it will provide the data exporter Data Exporter with evidence of financial resources sufficient to fulfil fulfill its responsibilities under Clause clause III (which may include insurance coverage). (g) Upon reasonable request of the data exporterData Exporter, it will submit its data processing facilities, data files and documentation needed for processing to reviewing, auditing and/or and /or certifying by the data exporter Data Exporter (or any independent or impartial inspection agents or auditors, selected by the data exporter Data Exporter and not reasonably objected to by the data importerData Importer) to ascertain compliance with the warranties and undertakings in these clauses, with reasonable notice and during regular business hours. The request will be subject to any necessary consent or approval from a regulatory or supervisory authority within the country of the data importerData Importer, which consent or approval the data importer Data Importer will attempt to obtain in a timely fashion. (h) It will process the personal data, at its option, in accordance with with: (i) The data protection laws of Singapore, and the relevant regulations, provisions or other requirements issued by PDPC; and (ii) The data processing principles set forth in Annex A to this Exhibit 1.A. (i) It will not disclose or transfer the personal data to a third third-party data controller organization located outside the European Economic Area ("EEA") without the Singapore unless with prior written consent of the data exporter Data Exporter on the transfer and (i1) the third The third-party data controller organization processes the personal data in accordance with a Commission decision requirements prescribed under PDPA finding that the third-party organization provides a third country provides adequate protection, orstandard of protection to personal data so transferred that is comparable to the protection under PDPA; (ii2) the third party data controller becomes a signatory to these clauses or another data transfer agreement approved by a competent authority in the EU, or (iii) data Data subjects have been given the opportunity to object, after having been informed of the purposes of the transfer, the categories of recipients and the fact that the countries to which data is exported may have different data protection standards, or (iv) with regard to onward transfers of sensitive data, data subjects have given their unambiguous consent to the onward transfer.

OBLIGATIONS OF THE DATA IMPORTER. The data importer warrants and undertakes that: (a) It will have in place appropriate technical and organizational measures to protect the personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected. (b) To the extent the data exporter consents to the data importer transferring the personal data to, or providing access to the personal data to, a third party, it It will have in place procedures so that any third party it authorizes to have access to the personal data, including processors, will respect and maintain the confidentiality and security of the personal data. Any person acting under the authority of the data importer, including a data processor, shall be obligated to process the personal data only on instructions from the data importer. This provision does not apply to persons authorized or required by law or regulation to have access to the personal data. (c) It has no reason to believe, at the time of entering into these clauses, in the existence of any local laws that would have a substantial adverse effect on the guarantees provided for under these clauses, and it will inform the data exporter (which will pass such notification on to the authority where required) if it becomes aware of any such laws. (d) It will process the personal data for purposes described in Annex B to this Exhibit 1B, and has the legal authority to give the warranties and fulfil fulfill the undertakings set out in these clauses. (e) It will identify to the data exporter a contact point within its organization organisation authorized to respond to enquiries inquiries concerning processing of the personal data, and will cooperate in good faith with the data exporter, the data subject and the authority concerning all such enquiries inquiries within a reasonable time. In case of legal dissolution of the data exporter, or if the parties have so agreed, the data importer will assume responsibility for compliance with the provisions of clause I(e). (f) At the request of the data exporter, it will provide the data exporter with evidence of financial resources sufficient to fulfil fulfill its responsibilities under Clause clause III (which may include insurance coverage). (g) Upon reasonable request of the data exporter, it will submit its data processing facilities, data files and documentation needed for processing to reviewing, auditing and/or certifying by the data exporter (or any independent or impartial inspection agents or auditors, selected by the data exporter and not reasonably objected to by the data importer) to ascertain compliance with the warranties and undertakings in these clauses, with reasonable notice and during regular business hours. The request will be subject to any necessary consent or approval from a regulatory or supervisory authority within the country of the data importer, which consent or approval the data importer will attempt to obtain in a timely fashion. (h) It will process the personal data, at its option, in accordance with: i. the data protection laws of the country in which the data exporter is established, or ii. the relevant provisions1 of any Commission decision pursuant to Article 25(6) of Directive 95/46/EC, where the data importer complies with the relevant provisions of such an authorization or decision and is based in a country to which such an authorization or decision pertains, but is not covered by such authorization or decision for the purposes of the transfer(s) of the personal data2, or iii. the data processing principles set forth in Annex A A. Data importer to this Exhibit 1indicate which option it selects: Clause iii. (i) It will not disclose or transfer the personal data to a third party data controller located outside the European Economic Area ("EEA") without the prior written consent of unless it notifies the data exporter about the transfer and (i) i. the third party data controller processes the personal data in accordance with a Commission decision finding that a third country provides adequate protection, or (ii) . the third party data controller becomes a signatory to these clauses or another data transfer agreement approved by a competent authority in the EU, or (iii) . data subjects have been given the opportunity to object, after having been informed of the purposes of the transfer, the categories of recipients and the fact that the countries to which data is exported may have different data protection standards, or (iv) . with regard to onward transfers of sensitive data, data subjects have given their unambiguous consent to the onward transfer.

OBLIGATIONS OF THE DATA IMPORTER. The data importer Data Importer undertakes and warrants and undertakes that: (a) It 2.1 it will have in place appropriate technical and organizational organisational measures to protect the personal data Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized unauthorised disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected.; (b) To the extent the data exporter consents to the data importer transferring the personal data to, or providing access to the personal data to, a third party, 2.2 it will have in place procedures so that any third party it authorizes authorises to have access to the personal data, Personal Data including processors, Processors and Sub-Processors will respect and maintain the confidentiality and security of the personal dataPersonal Data. Any person acting under the authority of the data importerData Importer, including a data processorData Processor or Sub-Processor, shall be obligated to process the personal data Personal Data only on instructions from the data importerData Importer. This provision does not apply to persons authorized authorised or required by law or regulation to have access to the personal dataPersonal Data. (c) It 2.3 it has no reason to believe, at the time of entering into these clausesStandard Clauses, in the existence of any local laws that would have a substantial adverse effect on the guarantees provided for under these clauses, and it will inform the data exporter Data Exporter (which will pass such notification on to the authority Authority, where required) if it becomes aware of any such laws. (d) It 2.4 it will process the personal data Personal Data for the purposes described in Annex B to this Exhibit 1Annexure C, and has the legal authority to give the warranties and fulfil the undertakings set out in these clauses. (e) It 2.5 it will identify to the data exporter Data Exporter a contact point within its organization authorized organisation authorised to respond to enquiries concerning processing of the personal data, Personal Data and will cooperate in good faith with the data exporterData Exporter, the data subject Data Subject and the authority Authority concerning all such enquiries within a reasonable time. In case of legal dissolution of the data exporterData Exporter, or if the parties Parties have so agreed, the data importer Data Importer will assume responsibility for compliance with the provisions of clause I(e)this Agreement. (f) At 2.6 at the request of the data exporterData Exporter, it will provide the data exporter Data Exporter with evidence of financial resources sufficient to fulfil its responsibilities under Clause III (clause 3, which may include insurance coverage). (g) Upon 2.7 upon reasonable request of the data exporterData Exporter, it will submit its data processing facilities, data files and documentation needed for processing to reviewing, auditing and/or certifying by the data exporter Data Exporter (or any independent or impartial inspection agents or auditors, selected by the data exporter Data Exporter and not reasonably objected to by the data importerData Importer) to ascertain compliance with the warranties and undertakings in these clauses, with reasonable notice and during regular business hours. The request will be subject to any necessary consent or approval from a regulatory or supervisory authority within the country of the data importerData Importer, which consent or approval the data importer Data Importer will attempt to obtain in a timely fashion. (h) It 2.8 it will process the personal dataPersonal Data, at its option, in accordance with the data processing principles set forth in Annex A to this Exhibit 1.C, as adjusted for each jurisdiction in which the Personal Data is Processed. USA South America United Kingdom Europe Australia Asia Pacific South Africa Middle East (the initials set out above are provided by the signatory on behalf of all of the Data Importers in the relevant region/country) (i) It 2.9 it will not disclose or transfer the personal data Personal Data to a third party data controller Data Controller located outside the European Economic Area ("EEA") without the prior written consent of the data exporter jurisdiction in which it is located unless it notifies the original Data Exporter about the transfer and (i) the third party data controller processes the personal data in accordance with a Commission decision finding that a third country provides adequate protection, or (ii) the third party data controller becomes a signatory to these clauses or another data transfer agreement approved by a competent authority in the EU, or (iii) data subjects have been given the opportunity to object, after having been informed of the purposes of the transfer, the categories of recipients and the fact that the countries to which data is exported may have different data protection standards, or (iv) with regard to onward transfers of sensitive data, data subjects have given their unambiguous consent to the onward transfer.

OBLIGATIONS OF THE DATA IMPORTER. The data importer warrants and undertakes that: (a) It will have in place appropriate technical and organizational organisational measures to protect the personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized unauthorised disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected. (b) To the extent the data exporter consents to the data importer transferring the personal data to, or providing access to the personal data to, a third party, it It will have in place procedures so that any third party it authorizes authorises to have access to the personal data, including processors, will respect and maintain the confidentiality and security of the personal data. Any person acting under the authority of the data importer, including a data processor, shall be obligated to process the personal data only on instructions from the data importer. This provision does not apply to persons authorized authorised or required by law or regulation to have access to the personal data. (c) It has no reason to believe, at the time of entering into these clauses, in the existence of any local laws that would have a substantial adverse effect on the guarantees provided for under these clauses, and it will inform the data exporter (which will pass such notification on to the authority where required) if it becomes aware of any such laws. (d) It will process the personal data for purposes described in Annex B to this Exhibit 1B, and has the legal authority to give the warranties and fulfil the undertakings set out in these clauses. (e) It will identify to the data exporter a contact point within its organization authorized organisation authorised to respond to enquiries concerning processing of the personal data, and will cooperate in good faith with the data exporter, the data subject and the authority concerning all such enquiries within a reasonable time. In case of legal dissolution of the data exporter, or if the parties have so agreed, the data importer will assume responsibility for compliance with the provisions of clause I(eClause 2(e). (f) At the request of the data exporter, it will provide the data exporter with evidence of financial resources sufficient to fulfil its responsibilities under Clause III (which 4(which may include insurance coverage). (g) Upon reasonable request of the data exporter, it will submit its data processing facilities, data files and documentation needed for processing to reviewing, auditing and/or certifying by the data exporter (or any independent or impartial inspection agents or auditors, selected by the data exporter and not reasonably objected to by the data importer) to ascertain compliance with the warranties and undertakings in these clauses, with reasonable notice and during regular business hours. The request will be subject to any necessary consent or approval from a regulatory or supervisory authority within the country of the data importer, which consent or approval the data importer will attempt to obtain in a timely fashion. (h) It will process the personal data, at its option, in accordance with the data processing principles set forth in Annex A to this Exhibit 1.A. (i) It will not disclose or transfer the personal data to a third party data controller located outside the European Economic Area ("EEA") without the prior written consent of unless it notifies the data exporter about the transfer and: (i) the third party data controller processes the personal data in accordance with a Commission decision finding that a third country provides adequate protection, or (ii) the third party data controller becomes a signatory to these clauses or another data transfer agreement approved by a competent authority in the EU, or (iii) data subjects have been given the opportunity to object, after having been informed of the purposes of the transfer, the categories of recipients and the fact that the countries to which data is exported may have different data protection standards, or (iv) with regard to onward transfers of sensitive data, data subjects have given their unambiguous consent to the onward transfer.

OBLIGATIONS OF THE DATA IMPORTER. (1) The data importer Data Importer warrants and undertakes that:– (a) It it will have in place appropriate technical and organizational organisational measures to protect the personal data Personal Data against unauthorised or unlawful processing and against accidental loss or unlawful destruction or accidental loss, alteration, unauthorized disclosure or accessdamage, and which provide a level of security appropriate to the risk represented by the processing Processing and the nature of the data Data to be protected.; (b) To the extent the data exporter consents to the data importer transferring the personal data to, or providing access to the personal data to, a third party, it will have in place procedures so that any third party Third Party it authorizes authorises to have access to the personal dataPersonal Data, including processorsData Processors, will respect and maintain the confidentiality and security of the personal dataPersonal Data. Any person acting under the authority of the data importerData Importer, including a data processorData Processor, shall be obligated to process Process the personal data Personal Data only on instructions from the data importerData Importer. This provision does not apply to persons authorized authorised or required by law or regulation the Regulations to have access to the personal data.Personal Data; (c) It it has no reason to believe, at the time of entering into these clauses, believe in the existence of any local non-Abu Dhabi Global Market laws that would have a substantial adverse effect on the guarantees provided for under enforceability of these clausesClauses, and it will promptly inform the data exporter Data Exporter (which will pass such notification on to the authority Registrar where required) if it becomes aware of any such laws.laws or any changes in such laws which have such a substantial adverse effect; (d) It it will process Process the personal data Personal Data for purposes described in Annex B to this Exhibit 1B, and has the legal authority to give the warranties and fulfil the undertakings set out in these clauses.Clauses; (e) It it will identify to the data exporter Data Exporter a contact point within its organization authorized organisation authorised to respond to enquiries concerning processing Processing of the personal dataPersonal Data, and will cooperate in good faith with the data exporterData Exporter, the data subject Data Subject and the authority Registrar concerning all such enquiries within a reasonable time. In case of legal dissolution of the data exporter, or if the parties have so agreed, the data importer will assume responsibility for compliance with the provisions of clause I(e).; (f) At at the request of the data exporterData Exporter, it will provide the data exporter Data Exporter with evidence of financial resources sufficient to fulfil its responsibilities under Clause III 4 (which may include insurance coverage).; (g) Upon upon reasonable request of the data exporterData Exporter, it will submit its data processing Data Processing facilities, data Data files and documentation needed for processing Processing to reviewing, auditing and/or certifying by the data exporter Data Exporter (or any independent or impartial inspection agents or auditors, selected by the data exporter Data Exporter and not reasonably objected to by the data importerData Importer) to ascertain compliance with the warranties and undertakings in these clausesClauses, with reasonable notice and during regular business hours. The request will be subject to any necessary consent or approval from a regulatory or supervisory authority within the country of the data importerData Importer, which consent or approval the data importer Data Importer will attempt to obtain in a timely fashion.; (h) It it will process Process the personal dataPersonal Data, at its option, in accordance with with– (i) the data processing Regulations, or (ii) the Data Processing principles set forth in Annex A A, Data Importer to this Exhibit 1.indicate which option it selects: (ii) Initials of Data Importer: CGSH; and (i) It it will promptly notify the Data Exporter about– (i) any legally binding request for disclosure of the Personal Data by a law enforcement authority unless otherwise prohibited, such as a prohibition under the criminal law of any jurisdiction outside the Abu Dhabi Global Market to preserve the confidentiality of a law enforcement investigation; (ii) any accidental or unauthorised access; and (iii) any request received directly from the Data Subjects without responding to that request, unless it has been otherwise authorised to do so. (2) The Data Importer warrants and undertakes that it will not disclose or transfer the personal data Personal Data to a third party data controller located outside the European Economic Area ("EEA") without Abu Dhabi Global Market unless it notifies the prior written consent of Data Exporter about the data exporter transfer and– (i) the third party data controller processes the personal data Personal Data in accordance with the laws of a Commission decision finding jurisdiction outside the Abu Dhabi Global Market that a third country provides has been designated under the Regulations or by the Registrar as providing adequate protection, orprotection for Personal Data; (ii) the third party data controller becomes a signatory to these clauses Clauses or another data transfer agreement approved by a competent authority in the EU, orRegistrar; (iii) data subjects Data Subjects have been given the opportunity to object, after having been informed of the purposes of the transfer, the categories of recipients and the fact that the countries jurisdictions to which data Data is exported may have different data protection standards, orstandards;or (iv) with regard to onward transfers of sensitive dataSensitive Personal Data, data subjects Data Subjects have given their unambiguous consent to the onward transfer.

OBLIGATIONS OF THE DATA IMPORTER. The data importer Data Importer warrants and undertakes that: (a) It will have in place appropriate technical and organizational organisational measures to protect the personal data Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized unauthorised disclosure or access, and which provide a level of security appropriate to the risk represented by the processing Processing and the nature of the data to be protected. (b) To the extent the data exporter consents to the data importer transferring the personal data to, or providing access to the personal data to, a third party, it It will have in place procedures so that any third party it authorizes authorises to have access to the personal dataPersonal Data, including processorsProcessors, will respect and maintain the confidentiality and security of the personal dataPersonal Data. Any person acting under the authority of the data importerData Importer, including a data processorProcessor, shall be obligated to process Process the personal data Personal Data only on instructions from the data importerData Importer. This provision does not apply to persons authorized authorised or required by law or regulation to have access to the personal dataPersonal Data. (c) It has no reason to believe, at the time of entering into these clauses, in the existence of any local laws that would have a substantial adverse effect on the guarantees provided for under these clauses, and it will inform the data exporter Data Exporter (which will pass such notification on to the authority authority, where required) if it becomes aware of any such laws. (d) It will process Process the personal data Personal Data for purposes described in Annex B to this Exhibit 1B, and has the legal authority to give the warranties and fulfil the undertakings set out in these clauses. (e) It will identify to the data exporter Data Exporter a contact point within its organization authorized organisation authorised to respond to enquiries concerning processing Processing of the personal dataPersonal Data, and will cooperate in good faith with the data exporterData Exporter, the data subject Data Subject and the authority concerning all such enquiries within a reasonable time. In case of legal dissolution of the data exporterData Exporter, or if the parties have so agreed, the data importer Data Importer will assume responsibility for compliance with the provisions of clause I(e). (f) At the request of the data exporterData Exporter, it will provide the data exporter Data Exporter with evidence of financial resources sufficient to fulfil its responsibilities under Clause clause III (which may include insurance coverage). (g) Upon reasonable request of the data exporterData Exporter, it will submit its data processing Processing facilities, data files and documentation needed for processing Processing to reviewing, auditing and/or certifying by the data exporter Data Exporter (or any independent or impartial inspection agents or auditors, selected by the data exporter Data Exporter and not reasonably objected to by the data importerData Importer) to ascertain compliance with the warranties and undertakings in these clauses, with reasonable notice and during regular business hours. The request will be subject to any necessary consent or approval from a regulatory or supervisory authority Supervisory Authority within the country of the data importerData Importer, which consent or approval the data importer Data Importer will attempt to obtain in a timely fashion. (h) It will process Process the personal dataPersonal Data, at its option, in accordance with the data processing Processing principles set forth in Annex A to this Exhibit 1.A. (i) It will not disclose or transfer the personal data Personal Data to a third party data controller Controller located outside the European Economic Area ("EEA") without (or such other country or territory as may be specified by Applicable Data Protection Law) unless it notifies the prior written consent of Data Exporter about the data exporter transfer and: (i) i. the third party data controller processes Controller Processes the personal data Personal Data in accordance with a Commission decision finding that a third country provides adequate protection, or (ii) . the third party data controller Controller becomes a signatory to these clauses or another data transfer agreement approved by a competent authority in the EU, or (iii) data subjects . Data Subjects have been given the opportunity to object, after having been informed of the purposes of the transfer, to the categories of recipients and the fact that the countries to which data is exported may have different data protection standards, or (iv) . with regard to onward transfers of sensitive data, data subjects Data Subjects have given their unambiguous consent to the onward transfer.

OBLIGATIONS OF THE DATA IMPORTER. The data importer warrants and undertakes that: (a) It will have in place appropriate technical and organizational organisational measures to protect the personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized unauthorised disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected. (b) To the extent the data exporter consents to the data importer transferring the personal data to, or providing access to the personal data to, a third party, it It will have in place procedures so that any third party it authorizes authorises to have access to the personal data, including processors, will respect and maintain the confidentiality and security of the personal data. Any person acting under the authority of the data importer, including a data processor, shall be obligated to process the personal data only on instructions from the data importer. This provision does not apply to persons authorized authorised or required by law or regulation to have access to the personal data. (c) It has no reason to believe, at the time of entering into these clauses, in the existence of any local laws that would have a substantial adverse effect on the guarantees provided for under these clauses, and it will inform the data exporter (which will pass such notification on to the authority where required) if it becomes aware of any such laws. (d) It will process the personal data for purposes described in Annex B to this Exhibit 1B, and has the legal authority to give the warranties and fulfil the undertakings set out in these clauses. (e) It will identify to the data exporter a contact point within its organization authorized organisation authorised to respond to enquiries concerning processing of the personal data, and will cooperate in good faith with the data exporter, the data subject and the authority concerning all such enquiries within a reasonable time. In case of legal dissolution of the data exporter, or if the parties have so agreed, the data importer will assume responsibility for compliance with the provisions of clause I(e). (f) At the request of the data exporter, it will provide the data exporter with evidence of financial resources sufficient to fulfil its responsibilities under Clause clause III (which may include insurance coverage). (g) Upon reasonable request of the data exporter, it will submit its data processing facilities, data files and documentation needed for processing to reviewing, auditing and/or certifying by the data exporter (or any independent or impartial inspection agents or auditors, selected by the data exporter and not reasonably objected to by the data importer) to ascertain compliance with the warranties and undertakings in these clauses, with reasonable notice and during regular business hours. The request will be subject to any necessary consent or approval from a regulatory or supervisory authority within the country of the data importer, which consent or approval the data importer will attempt to obtain in a timely fashion. (h) It will process the personal data, at its option, in accordance with: (i) the data protection laws of the country in which the data exporter is established, or (ii) the relevant provision of any Commission decision pursuant to Article 25(6) of Directive 95/46/EC, where the data importer complies with the relevant provisions of such an authorisation or decision and is based in a country to which such an authorisation or decision pertains, but is not covered by such authorisation or decision for the purposes of the transfer(s) of the personal data, or (iii) the data processing principles set forth in Annex A A. Data importer to this Exhibit 1.indicate which option it selects: Initials of data importer:_; (i) It will not disclose or transfer the personal data to a third party data controller located outside the European Economic Area ("EEA") without the prior written consent of unless it notifies the data exporter about the transfer and (i) the third party data controller processes the personal data in accordance with a Commission decision finding that a third country provides adequate protection, or (ii) the third party data controller becomes a signatory to these clauses or another data transfer agreement approved by a competent authority in the EU, or (iii) data subjects have been given the opportunity to object, after having been informed of the purposes of the transfer, the categories of recipients and the fact that the countries to which data is exported may have different data protection standards, or (iv) with regard to onward transfers of sensitive data, data subjects have given their unambiguous consent to the onward transfer.