Obligations of the Processor. The Processor agrees to:
4.1 Process the personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the Processor is subject; in such a case, the processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
4.2 Take into account the nature of the processing, and to assist the Controller through appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the Regulation. In addition, the Processor shall:
4.2.1 Promptly notify the Controller if it receives a request from a Data Subject under any Data Protection Legislation in respect of Controller Personal Data; and
4.2.2 Ensure that the Processor does not respond to that request except on the documented instructions of Controller or as required by Data Protection Legislation to which the Processor is subject, in which case the Processor shall, to the extent permitted by Data Protection Legislation, inform the Controller of that legal requirement before the Processor responds to the request.
4.3 Take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, and the Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
4.4 Take account in assessing the appropriate level of security the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
4.5 Have in place appropriate technical and organisational security measures, reviewed and approved by the Controller, to protect the personal data provided or made available by the Controller to the Processor in the context of this agreement, as required under the Data Protection Legislation. Further details, including the minimum standard of security protection, are set out in Appendix 1 of this agreement.
4.6 For the avoidance of doubt, nothing within this agreement relieves the Processor of its own direct responsibilities and liabilities under the GDPR.
Appears in 2 contracts
Sources: Data Sharing Agreement, Data Sharing Agreement
Obligations of the Processor. The Processor agrees to:
4.1 Process the personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the Processor is subject; in such a case, the processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
4.2 Take into account the nature of the processing, and to assist the Controller through appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the Data Protection Legislation. In addition the Processor shall:
4.2.1 Promptly notify the Controller if it receives a request from a Data Subject under any Data Protection Legislation in respect of Controller Personal Data; and
4.2.2 Ensure that the Processor does not respond to that request except on the documented instructions of Controller or as required by Data Protection Legislation to which the Processor is subject, in which case the Processor shall, to the extent permitted by Data Protection Legislation, inform the Controller of that legal requirement before the Processor responds to the request.
4.3 Take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, and the Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
4.4 Take account in assessing the appropriate level of security the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
4.5 Have in place appropriate technical and organisational security measures, reviewed and approved by the Controller, to protect the personal data provided or made available by the Controller to the Processor in the context of this agreement, as required under the Data Protection Legislation. Further details, including the minimum standard of security protection, are set out in Appendix 1 of this agreement.
4.6 For the avoidance of doubt, nothing within this agreement relieves the Processor of its own direct responsibilities and liabilities under the UK GDPR.
4.7 Within 30 days following the completion of the service the Processor shall destroy all such data unless the Processor is prohibited from doing so by any applicable law.
Appears in 1 contract
Sources: Data Processing Agreement
Obligations of the Processor. In fulfilling its obligations under the Data Protection Law, the Terms and Conditions and this DPA, the Processor shall:
Only process Personal Data in so far as it is absolutely necessary for the purpose of performance of the Services and only on the documented instructions of the Controller. The Processor shall not process Personal Data for any other purposes, as well as not process any data inferred from Personal Data.
Implement all appropriate technical and organizational measures, necessary to ensure that the Processing undertaken pursuant to this DPA meets the requirements laid down by the GDPR, providing the best possible level of security appropriate to the particular risks in question and take all measures as required by Article 32 of the GDPR. When assessing the appropriate level of security, the Processor shall take into consideration the risks that are present in processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data Processed.
Ensure the protection of the rights of the Data Subject as listed in chapter III of the GDPR.
Make available to the Controller all information necessary to demonstrate its compliance with its obligations under the GDPR and this DPA, including to allow for and contribute to audits and inspections conducted by the Controller or any other auditor as mandated by the Controller. For the avoidance of doubt, the right to conduct audits and/or inspections shall also include a right of the Controller, including its auditors, to access the Processor's premises, software, documentation and employees as may be reasonably required to carry out such audit and/or inspection.
Inform the Controller if, in its opinion, the instructions of the Controller infringe the GDPR or any other Data Protection Law.
Maintain a record of the Processing being undertaken on behalf of the Controller in accordance with Article 30 of the GDPR, a copy of which shall be made available to a Supervisory Authority and the Controller on request.
Appoint a data protection officer, where required.
Allow the Controller the right to: Access the Personal Data processed on its behalf at any time; Extract and/or download the Personal Data processed on its behalf at any time; Request the deletion and/or rectification of Personal Data processed on its behalf at any time; and Request implementation of its retention periods applicable to Personal Data processed hereunder, in accordance with the retention policy of the Controller which may be provided to the Processor from time to time.
Not engage another processor (a “Subprocessor”) without the prior specific written authorization of the Controller. Where such authorization is given, the Processor shall ensure that the Subprocessor is bound by the same obligations set out in this DPA, including but not limited to providing sufficient guarantees to implement appropriate technical and organisational measures that meet the requirements laid down by the GDPR. For the avoidance of doubt, the Processor shall remain fully liable to the Controller for the performance of the Subprocessor’s obligations and any failure thereof.
Not transfer Personal Data to a country outside of the EU/EEA without the prior written authorization of the Controller, unless required to do so by Union or Member State law to which the Processor is subject. In such a case, the Processor shall inform the Controller of such requirement prior to Processing, unless doing so is prohibited on important grounds of public interest.
Subject to the foregoing Clause 3.1.10, where Personal Data processed under this DPA is transferred to a country outside the EU/EEA, the Processor shall: ensure that such transfer is carried out in full compliance with the GDPR, notably with the Chapter V thereof; ensure that the Personal Data is adequately protected; ensure that the transfer is carried out on a basis of valid transfer mechanism, which shall be notified to the Company in advance; and be obliged to provide the Controller with all information and assistance necessary, in particular, in order to assess the adequacy of the level of protection afforded to Personal Data in the country of import and assist the Controller in any assessment carried out to this end, should SCCs be selected as a transfer mechanism.
At the discretion of the Controller, promptly, and in any event within fifteen (15) business days, delete or return all Personal Data to the Controller following the termination or expiration of the agreement between the Parties, as well as delete all existing copies, as well as procuring the deletion of any copies held by Subprocessors, unless Union or Member State law requires storage of the Personal Data. The Processor shall provide written certification to the Controller that it has fully complied with this clause. For the avoidance of doubt, following the termination of this DPA, the Processor shall not Process Personal Data, save for their storage until their return or deletion pursuant to the foregoing.
Ensure that all Personal Data is kept accurate and complete and shall not make any changes to such Personal Data except as instructed by the Controller.
Appears in 1 contract
Sources: Data Processing Agreement
Obligations of the Processor. The Processor shall process the Controller’s Data only on behalf of the Controller and solely for the purposes specified by the Controller. In particular, the Processor shall:
a. Process the Controller’s Data only in accordance with (i) this DPA; (ii) the instructions regarding processing of Controller’s Data provided by the Controller; and (iii) Applicable Data Protection Law. If the Processor, in order to comply with Applicable Data Protection Law, is obliged to deviate from the provisions of this DPA and/or the Controller’s instructions, the Processor shall, without undue delay and before further processing of the Controller’s Data, inform the Controller of such mandatory requirements, unless providing such information violates mandatory law.
b. Implement such technical, physical, administrative and organisational security measures as required by Article 32 GDPR and appropriate to the risk that the processing of the Controller’s Data may impose on the rights and freedoms of data subjects. In assessing the appropriate security levels, and taking appropriate measures, the Processor shall ensure that account is taken in particular of the risks for accidental or unlawful destruction, loss or alteration and of the risks of unauthorised disclosure of, or unauthorised access to, the Controller’s Data as well as of the risk of personal data breaches.
c. Ensure that individuals authorised to process Controller’s Data have committed to confidentiality or are under an appropriate statutory confidentiality obligation.
d. Ensure that individuals processing Controller’s Data have undergone relevant training in relation to the processing of the Controller’s Data.
e. Assist the Controller by ensuring that the Controller’s obligations under Applicable Data Protection Law and the DPA are complied with, for example, but not limited to regarding the performance of data protection impact assessments or audits performed by competent supervisory authorities.
f. Assist the Controller by implementing appropriate technical and organisational measures to comply with Controller’s obligations in relation to data subjects’ requests to exercise their rights under Articles 12-23
Appears in 1 contract
Sources: Data Processing Agreement
Obligations of the Processor.
4.1 The Processing is described in detail in Appendix A. The Processor undertakes only to process personal data necessary for the performance of its obligations under the Main Agreement, this DPA or according to the specific and documented instructions provided by the Controller in Appendix A and in connection with the conclusion of the Main Agreement, which have been approved by the Processor. The Processor may also process personal data in connection with the provision of additional services which from time to time may be ordered by the Controller and added under the Main Agreement.
4.2 Upon receipt of written instructions from the Controller regarding the Processing, such as provided for in Appendix A or additional written instructions, the Processor must, within a reasonable period of time, take appropriate measures to ensure that the Processing is carried out in accordance with the instructions. The Processor is not responsible for any ambiguities in such instructions and is not required to take any actions beyond what is expressly requested by the Controller.
4.3 The Processor undertakes to ensure that any natural person acting under the authority of the Processor and who has access to personal data, is informed of the content of this DPA and only performs the Processing in accordance with this DPA and the Controller’s documented instructions.
4.4 The Processor agrees, to a reasonable extent: to assist the Controller with appropriate technical and organisational measures for the fulfilment of the Controller’s obligation to respond to requests from data subjects regarding access to and rectification or erasure of personal data.
4.5 The Processor shall, without undue delay, notify the Controller after becoming aware of a personal data breach involving personal data provided within the scope of the Main Agreement. The Processor shall assist the Controller to a reasonable extent by providing information necessary for the fulfilment of the Controller’s obligation to notify the relevant supervisory authority of a personal data breach and, when applicable, the Controller’s obligation to communicate the personal data breach to the affected data subjects.
4.6 The Processor shall, to a reasonable extent, assist the Controller: (i) in connection with any data protection impact assessments and prior consultations carried out by the Controller; and (ii) in any investigation carried out by the relevant supervisory authority regarding a personal data breach involving personal data provided within the scope of the Main Agreement.
4.7 The Processor is entitled to reasonable compensation from the Controller for any additional costs and expense incurred in connection with measures taken or services performed in relation to the obligations set out in sections 4.4 to 4.6.
Appears in 1 contract
Sources: Data Processing Agreement
Obligations of the Processor. When processing the data uploaded, stored and used by the Client within the Services, OVH is acting as Processor under the Controller’s instruction as provided under the Agreement, or in writing by the Client. The Processor undertakes to:
a) process the Personal Data uploaded, stored and used by the Client within the Services only as necessary to provide the Services, subject to the Data Controller’s written instructions,
b) neither access nor use the Controller’s data for any purposes other than as needed to carry out the Services (and, in particular, in relation to Incident management purposes), and notably not process any Controller Personal Data for the purposes of data mining, profiling or direct marketing activities as defined in the General Data Protection Regulation,
c) set up the organizational and security measures described in this article to ensure the confidentiality and integrity of the personal data controlled and used by the Client within the Service, and particularly to prevent unauthorized or unlawful processing, accidental loss or destruction of or damage to such data,
d) ensure that Processor’s employees authorized to process personal data under the Agreement are subject to a confidentiality obligation and receive a necessary appropriate training concerning the protection of personal data,
e) inform the Controller, if in its opinion and given the information at its disposal, a Controller’s instruction infringes the GDPR or other Union or Member State data protection provisions.
f) in case of request received from a competent judicial or legal authority and relating to Controller’s data, the Processor undertakes to inform the Controller, unless prohibited by applicable law or authority’s injunction, and to limit the communication of data to what the authority has expressly requested,
g) comply with any other obligation provided under this DPA. The Processor undertakes to establish:
(a) physical security measures intended to prevent access by unauthorized persons to the Infrastructure where the Client data is stored,
(b) identity and access checks using an authentication system as well as a password policy,
(c) an access management system which limits access to the premises to those persons which need to access them in the course of their duties and within their scope of responsibility,
(d) security personnel responsible for monitoring the physical security of the Supplier premises,
(e) a system that physically and logically isolates clients from each other,
(f) user and administrator authentication processes as well as measures to protect access to administration functions,
(g) an access management system for support and maintenance operations that operates on the principles of least privilege and need-to-know, and
(h) processes and measures to trace all actions performed on its information system.
Appears in 1 contract
Sources: Data Processing Agreement
Obligations of the Processor. The Processor agrees to:
4.1 Process the personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the Processor is subject; in such a case, the processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
4.2 Take into account the nature of the processing, and to assist the Controller through appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the Data Protection Legislation. In addition the Processor shall:
4.2.1 Promptly notify the Controller if it receives a request from a Data Subject under any Data Protection Legislation in respect of Controller Personal Data; and
4.2.2 Ensure that the Processor does not respond to that request except on the documented instructions of Controller or as required by Data Protection Legislation to which the Processor is subject, in which case the Processor shall, to the extent permitted by Data Protection Legislation, inform the Controller of that legal requirement before the Processor responds to the request.
4.3 Take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, and the Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
4.4 Take account in assessing the appropriate level of security the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
4.5 Have in place appropriate technical and organisational security measures, reviewed and approved by the Controller, to protect the personal data provided or made available by the Controller to the Processor in the context of this agreement, as required under the Data Protection Legislation. Further details, including the minimum standard of security protection, are set out in Appendix 1 of this agreement.
4.6 For the avoidance of doubt, nothing within this agreement relieves the Processor of its own direct responsibilities and liabilities under the UK GDPR.
Appears in 1 contract
Sources: Data Processing Agreement
Obligations of the Processor. The Processor agrees towill:
4.1 (a) Process the personal data only Personal Data exclusively in accordance with the instructions of the Controller and on behalf of the Controller; these instructions are given in the Service Agreement, this DPA and otherwise in a documented form as mentioned in Article 2 above. This obligation to follow the instructions of the Controller also applies to the transfer of the Personal Data to a Third Country or an International Organization;
(b) Inform the Controller immediately if the Processor cannot comply with instructions from the Controller for any reason;
(c) ensure that persons authorized by the Processor to Process the Personal Data for the Controller, including commit to observe secrecy or that appropriate confidentiality is imposed on those persons and that the persons who have access to the Personal Data, will Process that Personal Data in accordance with regard the instructions of the Controller;
(d) implement the Technical and Organizational Security Measures that meet the requirements of the Applicable Data Protection Act as further specified in Annex 2 before Processing the Personal Data, and ensure that he provides sufficient guarantees to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the Processor is subject; in such a case, the processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.with respect to those Technical and Organizational Security Measures;
(e) Assist the Controller by means of appropriate Technical and Organizational Measures, to the extent feasible, for the fulfilment of the obligation of the Controller to respond to requests for exercising the rights of Data Subjects regarding information, access, rectification and deletion, limitation of processing, notification, data transferability, objection and automated decision-making; insofar as these achievable Technical and Organizational Measures require changes or adjustments to the Technical and Organizational Measures as listed in Annex 2, the Processor will inform the Controller of the costs of implementing such additional or altered Technical and Organizational Measures. As soon as the Controller has confirmed that these costs are for his account, the Processor will implement these additional or altered Technical and Organizational Measures to assist the Controller in responding to requests from Data Subjects;
(f) make all information available to the Controller that is required to demonstrate compliance with the obligations set out in this DPA and in Art 28 GDPR, and make inspections possible, including inspections by the Controller or another inspector mandated by the Controller, and contribute to them. The Controller is aware that inspections in person and on location can significantly disrupt the business activities of the Processor and may cost a lot of time and money. The Controller may therefore only carry out an inspection in person and on location if the Controller reimburses the Processor for the costs incurred by the Processor as a result of the disruption of the business activities;
(g) Inform the Controller without undue delay:
i. of any legally binding request for the provision of the Personal Data by a law enforcement agency, unless this notification is otherwise prohibited, such as a criminal law prohibition to preserve the confidentiality of a law enforcement investigation;
ii. of complaints and requests received directly from the data subjects (such as complaints and requests for access, rectification, removal, limitation of processing, data transferability, objection to processing of data, automated decision-making) without going into that request, unless he is otherwise authorized to do so;
iii. if the Processor is required by EU legislation or the law of a Member State that applies to the Processor to process the Personal Data outside the scope of the assignment of the Controller, before carrying out such processing outside that framework, unless such EU legislation or legislation of that Member State forbids such information for important public interest reasons; that notification must state the legal requirement under that EU legislation or the legislation of the Member State;
iv. if, in the opinion of the Processor, an instruction is in conflict with the Applicable Data Protection Act; when providing this notification, the Processor is not obliged to follow the instructions, unless and until the Controller has confirmed or modified them; and
v. as soon as the Processor becomes aware of an Infringement in connection with Personal Data at the Processor, at the latest within 24 hours after discovery. In the event of such an Infringement in connection with Personal Data, the Processor will, at the written request of the Controller, assist with the obligation of the Controller pursuant to the Applicable Data Protection Act to inform the Data Subjects and the Supervisory Authorities respectively, and document the Infringement in connection with Personal Data. Contact details regarding the report are recorded in the CRM/ERP package of the Processor. Contacts are specified in Annex 1;
(h) Assist the Controller with a Data Protection Impact Assessment as required by Article 35 of the GDPR relating to the Services provided or made available by the Processor to the Controller and the Personal Data processed by the Processor for the Controller.
(i) deal with all questions from the Controller with regard to its Processing of the Personal Data to be processed (for example by enabling the Controller to respond in a timely manner to complaints or requests from the Data Subjects) and comply with the advice of the Supervisory Authority regarding the Processing of the transmitted data;
(j) insofar as the Processor is obliged and requested to rectify, delete and/or block any Personal Data processed on the basis of this DPA, do so without delay. If and insofar as Personal Data can not be deleted on the basis of legal requirements relating to data retention, the Processor must, instead of deleting the relevant Personal Data, restrict the further Processing and/or the further use of Personal Data, or remove the associated identity from the Personal Data.
Appears in 1 contract
Sources: Data Processing Agreement