Personal Data Breach. 6.1 The Provider will promptly and in any event without undue delay notify the Customer in writing if it becomes aware of:
(a) the loss, unintended destruction or damage, corruption, or unusability of part or all of the Personal Data. The Provider will restore such Personal Data at its own expense as soon as possible.
(b) any accidental, unauthorised or unlawful processing of the Personal Data; or
(c) any Personal Data Breach.
6.2 Where the Provider becomes aware of (a), (b) and/or (c) above, it will, without undue delay, also provide the Customer with the following written information:
(a) description of the nature of (a), (b) and/or (c), including the categories of in-scope Personal Data and approximate number of both Data Subjects and the Personal Data records concerned;
(b) the likely consequences; and
(c) a description of the measures taken or proposed to be taken to address (a), (b) and/or (c), including measures to mitigate its possible adverse effects.
6.3 Immediately following any accidental, unauthorised or unlawful Personal Data processing or Personal Data Breach, the parties will co-ordinate with each other to investigate the matter. Further, the Provider will reasonably co-operate with the Customer at no additional cost to the Customer, in the Customer's handling of the matter, including but not limited to:
(a) assisting with any investigation;
(b) providing the Customer with physical access to any facilities and operations affected;
(c) facilitating interviews with the Provider's employees, former employees and others involved in the matter including, but not limited to, its officers and directors;
(d) making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by the Customer; and
(e) taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or accidental, unauthorised or unlawful Personal Data processing.
6.4 The Provider will not inform any third-party of any accidental, unauthorised or unlawful processing of all or part of the Personal Data and/or a Personal Data Breach without first obtaining the Customer's written consent, except when required to do so by domestic law.
6.5 The Provider agrees that the Customer has the sole right to determine:
(a) whether to provide notice of the accidental, unauthorised or unlawful processing and/or the Personal Data Breach to any Data Subjects, the Commissioner, other in-scope regulators, law enforcement agencies or others, as required by law or regulation or in the Customer's discretion, including the contents and delivery method of the notice; and
(b) whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.
6.6 The Provider will cover all reasonable expenses associated with the performance of the obligations under clause 6.1 to clause 6.3 unless the matter arose from the Customer's specific written instructions, negligence, wilful default or breach of this Agreement, in which case the Customer will cover all reasonable expenses.
6.7 The Provider will also reimburse the Customer for actual reasonable expenses that the Customer incurs when responding to an incident of accidental, unauthorised or unlawful processing and/or a Personal Data Breach to the extent that the Provider caused such, including all costs of notice and any remedy as set out in Clause 6.5.
Appears in 3 contracts
Sources: Data Processing Agreement, Data Processing Agreement, Data Processing Agreement
Personal Data Breach. 6.1 The Provider 5.1 Processor will promptly and in any event without undue delay notify the Customer in writing Controller if any Personal Data is lost or destroyed or becomes damaged, corrupted, or unusable. Processor will restore such Personal Data at its own expense.
5.2 Processor will immediately and without undue delay notify Controller if it becomes aware of:
(a) the loss, unintended destruction or damage, corruption, or unusability of part or all of the Personal Data. The Provider will restore such Personal Data at its own expense as soon as possible.
(b) any accidental, unauthorised or unlawful processing of the Personal Data; or
(cb) any Personal Data Breach.
6.2 5.3 Where the Provider Processor becomes aware of (a), ) and/or (b) and/or (c) aboveof clause 5.2, it willshall, without undue delay, also provide the Customer Controller with the following written information:
(a) description of the causes and nature of (a), (b) and/or (cb), including the categories of in-scope Personal Data and approximate number of both Data Subjects and the Personal Data records concerned;
(b) the likely consequences; and
(c) a description of the measures taken or proposed to be taken to address (a), (b) and/or (cb), including measures to mitigate its possible adverse effects.
6.3 5.4 Immediately following any accidental, unauthorised or unlawful Personal Data processing or Personal Data Breach, the parties will co-ordinate coordinate with each other to investigate the matter. Further, the Provider Processor will reasonably co-operate cooperate with the Customer at no additional cost to the Customer, Controller in the CustomerController's handling of the matter, including but not limited toincluding:
(a) assisting with any investigation;
(b) providing the Customer Controller with physical access to any facilities and operations affected;
(c) facilitating interviews with the ProviderProcessor's employees, former employees and others involved in the matter including, but not limited to, its officers and directorsmatter;
(d) making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by the CustomerController; and
(e) taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or accidental, unauthorised or unlawful Personal Data processing.
6.4 The Provider 5.5 Processor will not inform any third-third party of any accidental, unauthorised or unlawful processing of all or part of the Personal Data and/or a Personal Data Breach without first obtaining the CustomerController's prior written consent, except when required to do so by domestic law.
6.5 The Provider 5.6 Processor agrees that the Customer Controller has the sole right to determine:
(a) whether to provide notice of the accidental, unauthorised or unlawful processing and/or the Personal Data Breach to any Data Subjects, the Commissionersupervisory authorities, other in-scope regulators, law enforcement agencies or others, as required by law or regulation or in the CustomerController's discretion, including the contents and delivery method of the notice; and
(b) whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.
6.6 The Provider 5.7 Processor will cover all reasonable expenses associated with the performance of the obligations under clause 6.1 to 5.2 and clause 6.3 5.4 unless the matter arose from the CustomerController's specific written instructions, negligence, wilful default or breach of this Agreement, in which case the Customer Controller will cover all reasonable expenses.
6.7 The Provider will also reimburse the Customer for actual reasonable expenses that the Customer incurs when responding to an incident of accidental, unauthorised or unlawful processing and/or a Personal Data Breach to the extent that the Provider caused such, including all costs of notice and any remedy as set out in Clause 6.5.
Appears in 3 contracts
Sources: Data Processing Agreement, Data Processing Agreement, Data Processing Agreement
Personal Data Breach. 6.1 The Provider Supplier will promptly and in any event without undue delay notify the Customer in writing Buyer if any Personal Data is lost or destroyed or becomes damaged, corrupted, or unusable. The Supplier will restore such Personal Data at its own expense.
6.2 The Supplier will [immediately OR within [NUMBER] hours] and without undue delay notify the Buyer if it becomes aware of:
(a) the loss, unintended destruction or damage, corruption, or unusability of part or all of the Personal Data. The Provider will restore such Personal Data at its own expense as soon as possible.
(b) any accidental, unauthorised or unlawful processing of the Personal Data; or
(cb) any Personal Data Breach.
6.2 6.3 Where the Provider Supplier becomes aware of (a), (b) and/or (cb) above, it willshall, without undue delay, also provide the Customer Buyer with the following written information:
(a) description of the nature of (a), (b) and/or (cb), including the categories of in-scope Personal Data and approximate number of both Data Subjects and the Personal Data records concerned;
(b) the likely consequences; and
(c) a description of the measures taken or proposed to be taken to address (a), (b) and/or (cb), including measures to mitigate its possible adverse effects.
6.3 6.4 Immediately following any accidental, unauthorised or unlawful Personal Data processing or Personal Data Breach, the parties will co-ordinate with each other to investigate the matter. Further, the Provider The Supplier will reasonably co-co- operate with the Customer at no additional cost to the Customer, Buyer in the CustomerBuyer's handling of the matter, including but not limited toincluding:
(a) assisting with any investigation;
(b) providing the Customer Buyer with physical access to any facilities and operations affected;
(c) facilitating interviews with the ProviderSupplier's employees, former employees and others involved in the matter including, but not limited to, its officers and directorsmatter;
(d) making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by the CustomerBuyer; and
(e) taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or accidental, unauthorised or unlawful Personal Data processing.
6.4 6.5 The Provider Supplier will not inform any third-third party of any accidental, unauthorised or unlawful processing of all or part of the Personal Data and/or a Personal Data Breach without first obtaining the CustomerBuyer's prior written consent, except when required to do so by domestic law.
6.5 6.6 The Provider Supplier agrees that the Customer Buyer has the sole right to determine:
(a) whether to provide notice of the accidental, unauthorised or unlawful processing and/or the Personal Data Breach to any Data Subjects, the Commissionersupervisory authorities, other in-scope regulators, law enforcement agencies or others, as required by law or regulation or in the CustomerBuyer's discretion, including the contents and delivery method of the notice; and
(b) whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.
6.6 6.7 The Provider Supplier will cover all reasonable expenses associated with the performance of the obligations under clause 6.1 to clause 6.3 Clause 6.2 and Clause 6.4 unless the matter arose from the CustomerBuyer's specific written instructions, negligence, wilful default or breach of this Agreement, in which case the Customer Buyer will cover all reasonable expenses.
6.7 6.8 The Provider Supplier will also reimburse the Customer Buyer for actual reasonable expenses that the Customer Buyer incurs when responding to an incident of accidental, unauthorised or unlawful processing and/or a Personal Data Breach to the extent that the Provider Supplier caused suchsuch a Personal Data Breach, including all costs of notice and any remedy as set out in Clause 6.56.6.
Appears in 2 contracts
Sources: Contract for Services, Contract for Services
Personal Data Breach. 6.1 The Provider 5.1 Nuclei will promptly and in any event without undue delay notify the Customer in writing if any Personal Data is lost or destroyed or becomes damaged, corrupted, or unusable. Nuclei will restore such Personal Data at its own expense.
5.2 Nuclei will promptly and without undue delay notify the Customer if it becomes aware of:
(a) the loss, unintended destruction or damage, corruption, or unusability of part or all of the Personal Data. The Provider will restore such Personal Data at its own expense as soon as possible.
(b) any accidental, unauthorised unauthorized or unlawful processing of the Personal Data; or
(cb) any Personal Data Breach.
6.2 5.3 Where the Provider Nuclei becomes aware of (a), (b) and/or (cb) above, it willshall, without undue delay, also provide the Customer with the following written information:
(a) description of the nature of (a), (b) and/or (cb), including the categories of in-scope Personal Data and approximate number of both Data Subjects and the Personal Data records concerned;
(b) the likely consequences; and
(c) a description of the measures taken taken, or proposed to be taken to address (a), (b) and/or (cb), including measures to mitigate its possible adverse effects.
6.3 5.4 Immediately following any accidental, unauthorised unauthorized or unlawful Personal Data processing or Personal Data Breach, the parties will co-ordinate with each other to investigate the matter. Further, the Provider Nuclei will reasonably co-operate with the Customer at no additional cost to the Customer, in the Customer's handling of the matter, including but not limited toincluding:
(a) assisting with any investigation;
(b) providing the Customer with physical access to any facilities and operations affected;
(c) facilitating interviews with the Provider's ▇▇▇▇▇▇’s employees, former employees and others involved in the matter including, but not limited to, its officers and directorsmatter;
(d) making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by the Customer; and
(e) taking reasonable and prompt steps to mitigate the effects and to minimise minimize any damage resulting from the Personal Data Breach or accidental, unauthorised or unlawful Personal Data processing.
6.4 The Provider 5.5 Nuclei will not inform any third-third party of any accidental, unauthorised or unlawful processing of all or part of the Personal Data and/or a Personal Data Breach without first obtaining the Customer's prior written consent, except when required to do so by domestic law.
6.5 The Provider 5.6 ▇▇▇▇▇▇ agrees that the Customer has the sole right to determine:
(a) whether to provide notice of the accidental, unauthorised or unlawful processing and/or the Personal Data Breach to any Data Subjects, the Commissionersupervisory authorities, other in-scope regulators, law enforcement agencies or others, as required by law or regulation or in the Customer's discretion, including the contents and delivery method of the notice; and
(b) whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.
6.6 5.7 The Provider Customer will cover all reasonable expenses associated with the performance of the obligations under clause 6.1 to 5.2 and clause 6.3 unless the matter arose from the Customer's specific written instructions, negligence, wilful default or breach of this Agreement, in which case the Customer will cover all reasonable expenses5.4.
6.7 5.8 The Provider Customer will also reimburse the Customer Nuclei for actual reasonable expenses that the Customer Nuclei incurs when responding to an incident of accidental, unauthorised or unlawful processing and/or a Personal Data Breach to the extent that the Provider Customer caused suchsuch a Personal Data Breach, including all costs of notice and any remedy as set out in Clause 6.5clause.
Appears in 2 contracts
Personal Data Breach. 6.1 The Provider will immediately or within 72 hours and in any event without undue delay notify the Customer in writing if it becomes aware of:
(a) the loss, unintended destruction or damage, corruption, or unusability of part or all of the Personal Data. The Provider will restore such Personal Data at its own expense as soon as possible.
(b) any accidental, unauthorized or unlawful processing of the Personal Data; or
(c) any Personal Data Breach.
6.2 Where the Provider becomes aware of (a), (b) and/or (c) above, it shall, without undue delay, also provide the Customer with the following written information:
(a) description of the nature of (a), (b) and/or (c), including the categories of in-scope Personal Data and approximate number of both Data Subjects and the Personal Data records concerned;
(b) the likely consequences; and
(c) a description of the measures taken or proposed to be taken to address (a), (b) and/or (c), including measures to mitigate its possible adverse effects.
6.3 Immediately following any accidental, unauthorized or unlawful Personal Data processing or Personal Data Breach, the parties will co-ordinate with each other to investigate the matter. Further, the Provider will reasonably co-operate with the Customer at no additional cost to the Customer, in the Customer's handling of the matter, including but not limited to:
(a) assisting with any investigation;
(b) providing the Customer with physical access to any facilities and operations affected;
(c) facilitating interviews with the Provider's employees, former employees and others involved in the matter including, but not limited to, its officers and directors;
(d) making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by the Customer; and
(e) taking reasonable and prompt steps to mitigate the effects and to minimize any damage resulting from the Personal Data Breach or accidental, unauthorized or unlawful Personal Data processing.
6.4 The Provider will not inform any third party of any accidental, unauthorized or unlawful processing of all or part of the Personal Data and/or a Personal Data Breach without first obtaining the Customer's written consent, except when required to do so by domestic law.
6.5 The Provider agrees that the Customer has the sole right to determine:
(a) whether to provide notice of the accidental, unauthorized or unlawful processing and/or the Personal Data Breach to any Data Subjects, the Commissioner, other in-scope regulators, law enforcement agencies or others, as required by law or regulation or in the Customer's discretion, including the contents and delivery method of the notice; and
(b) whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.
6.6 The Provider will cover all reasonable expenses associated with the performance of the obligations under clause 6.1 to Clause 6.3 unless the matter arose from the Customer's specific written instructions, negligence, willful default or breach of this Agreement, in which case the Customer will cover all reasonable expenses.
6.7 The Provider will also reimburse the Customer for actual reasonable expenses that the Customer incurs when responding to an incident of accidental, unauthorized or unlawful processing and/or a Personal Data Breach to the extent that the Provider caused such, including all costs of notice and any remedy as set out in clause 6.5.
Appears in 2 contracts
Sources: Data Processing Agreement, Data Processing Agreement
Personal Data Breach. 6.1 The Provider will immediately notify Chemonics in writing if it becomes aware of:
(a) the loss, unintended destruction or damage, corruption, or unusability of part or all of the Chemonics Personal Data. The Provider will restore such Chemonics Personal Data at its own expense as soon as possible.
(b) any accidental, unauthorised or unlawful processing of the Chemonics Personal Data; or
(c) any personal data breach.
6.2 Where the Provider becomes aware of (a), (b) and/or (c) above, it will, without undue delay, also provide Chemonics with the following written information:
(a) description of the nature of (a), (b) and/or (c), including the categories of in-scope Chemonics Personal Data and approximate number of both data subjects and the Chemonics Personal Data records concerned;
(b) the likely consequences; and
(c) a description of the measures taken or proposed to be taken to address (a), (b) and/or (c), including measures to mitigate its possible adverse effects.
6.3 Immediately following any accidental, unauthorised or unlawful Chemonics Personal Data processing or personal data breach, the parties will co-ordinate with each other to investigate the matter. Further, the Provider will reasonably co-operate with Chemonics at no additional cost to Chemonics, in Chemonics’ handling of the matter, including but not limited to:
(a) assisting with any investigation;
(b) providing Chemonics with physical access to any facilities and operations affected;
(c) facilitating interviews with the Provider's employees, former employees and others involved in the matter including, but not limited to, its officers and directors;
(d) making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by Chemonics; and
(e) taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the personal data breach or accidental, unauthorised or unlawful Chemonics Personal Data processing.
6.4 The Provider will not inform any third-party of any accidental, unauthorised or unlawful processing of all or part of the Chemonics Personal Data and/or a personal data breach without first obtaining Chemonics’ written consent, except when required to do so by domestic law.
6.5 The Provider agrees that Chemonics has the sole right to determine:
(a) whether to provide notice of the accidental, unauthorised or unlawful processing and/or the personal data breach to any data subjects, the Commissioner, other in-scope regulators, law enforcement agencies or others, as required by law or regulation or in Chemonics’ discretion, including the contents and delivery method of the notice; and
(b) whether to offer any type of remedy to affected data subjects, including the nature and extent of such remedy.
6.6 The Provider will cover all reasonable expenses associated with the performance of the obligations under clause 6.1 to clause 6.3 unless the matter arose from Chemonics’ specific written instructions, negligence, wilful default or breach of this DPA, in which case Chemonics will cover all reasonable expenses.
6.7 The Provider will also reimburse Chemonics for all expenses that Chemonics incurs when responding to an incident of accidental, unauthorised or unlawful processing and/or a personal data breach to the extent that the Provider caused such, including all costs of notice and any remedy as set out in clause 6.5.
Appears in 1 contract
Sources: Data Processing Agreement
Personal Data Breach. 6.1 The Provider will immediately and in any event without undue delay notify the Customer in writing if it becomes aware of:
(a) the loss, unintended destruction or damage, corruption, or unusability of any Personal Data Breach involving part or all of the Personal Data. The Provider will restore such Personal Data at its own expense as soon as possible.
(b) any accidental, unauthorised or unlawful processing of the Personal Data; or
(c) any Personal Data Breach.
6.2 Where the Provider becomes aware of a Personal Data Breach, it will, without undue delay, also provide the Customer with the following written information:
(a) description of the nature of the breach, including the categories of in-scope Personal Data and approximate number of both Data Subjects and the Personal Data records concerned;
(b) the likely consequences; and
(c) a description of the measures taken or proposed to be taken to address the breach, including measures to mitigate its possible adverse effects.
6.3 Immediately following any accidental, unauthorised or unlawful Personal Data processing or Personal Data Breach, the parties will co-ordinate with each other to investigate the matter. Further, the Provider will reasonably co-operate with the Customer at no additional cost to the Customer, in the Customer's handling of the matter, including but not limited to:
(a) assisting with any investigation;
(b) providing the Customer with physical access to any facilities and operations affected;
(c) facilitating interviews with the Provider's employees, former employees and others involved in the matter including, but not limited to, its officers and directors;
(d) making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by the Customer; and
(e) taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or accidental, unauthorised or unlawful Personal Data processing.
6.4 The Provider will not inform any third-party of any accidental, unauthorised or unlawful processing of all or part of the Personal Data and/or a Personal Data Breach without first obtaining the Customer's written consent, except when required to do so by domestic or EU law.
6.5 The Provider agrees that the Customer has the sole right to determine:
(a) whether to provide notice of the accidental, unauthorised or unlawful processing and/or the Personal Data Breach to any Data Subjects, the Commissioner, other in-scope regulators, law enforcement agencies or others, as required by law or regulation or in the Customer's discretion, including the contents and delivery method of the notice; and
(b) whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.
6.6 The Provider will cover all reasonable expenses associated with the performance of the obligations under clause 6.1 to clause 6.3 unless the matter arose from the Customer's specific written instructions, negligence, wilful default or breach of this Agreement, in which case the Customer will cover all reasonable expenses.
6.7 The Provider will also reimburse the Customer for actual reasonable expenses that the Customer incurs when responding to an incident of accidental, unauthorised or unlawful processing and/or a Personal Data Breach to the extent that the Provider caused such, including all costs of notice and any remedy as set out in Clause 6.5.
Appears in 1 contract
Sources: Data Processing Agreement
Personal Data Breach. 6.1 The Provider 5.1 Kura will promptly and in any event without undue delay notify the Customer in writing if it becomes aware of:of:
(a) the loss, unintended destruction or damage, corruption, or unusability of part or all of the Personal Data. The Provider will restore such Personal Data at its own expense as soon as possible.
(b) any accidental, unauthorised or unlawful processing of the Personal Data; or
(c) any Personal Data Breach.
6.2 5.2 Where the Provider Kura becomes aware of (a), (b) and/or (c) above, it will, without undue delay, also provide the Customer with the following written information:
(a) description of the nature of (a), (b) and/or (c), including the categories of in-in- scope Personal Data and approximate number of both Data Subjects and the Personal Data records concerned;
(b) the likely consequences; and
(c) a description of the measures taken or proposed to be taken to address (a), (b) and/or (c), including measures to mitigate its possible adverse effects.
6.3 5.3 Immediately following any accidental, unauthorised or unlawful Personal Data processing or Personal Data Breach, the parties will co-ordinate with each other to investigate the matter. Further, the Provider Kura will reasonably co-operate with the Customer at no additional cost to the Customer, in the Customer's handling of the matter, including but not limited to:to:
(a) assisting with any investigation;
(b) providing the Customer with physical access to any facilities and operations affected;
(cb) facilitating interviews with the Provider▇▇▇▇'s employees, former employees and others involved in the matter including, but not limited to, its officers and directors;
(dc) making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by the Customer; and
(ed) taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or accidental, unauthorised or unlawful Personal Data processing.
6.4 The Provider will not inform any third-party of any accidental, unauthorised or unlawful processing of all or part of the Personal Data and/or a Personal Data Breach without first obtaining the Customer's written consent, except when required to do so by domestic law.
6.5 The Provider agrees that the Customer has the sole right to determine:
(a) whether to provide notice of the accidental, unauthorised or unlawful processing and/or the Personal Data Breach to any Data Subjects, the Commissioner, other in-scope regulators, law enforcement agencies or others, as required by law or regulation or in the Customer's discretion, including the contents and delivery method of the notice; and
(b) whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.
6.6 The Provider 5.4 Kura will cover all reasonable expenses associated with the performance of the obligations under clause 6.1 5.1 to clause 6.3 5.3 unless the matter arose from or in connection with the Customer's specific written instructions, negligence, wilful default or breach of this Agreement, in which case the Customer will cover all reasonable expenses.
6.7 The Provider will also reimburse the Customer for actual reasonable expenses that the Customer incurs when responding to an incident of accidental, unauthorised or unlawful processing and/or a Personal Data Breach to the extent that the Provider caused such, including all costs of notice and any remedy as set out in Clause 6.5.
Appears in 1 contract
Sources: Personal Data Processing Agreement
Personal Data Breach. 6.1 The Provider [PROCESSOR] will promptly and in any event without undue delay notify the Customer in writing [CONTROLLER] if any Personal Data is lost or destroyed or becomes damaged, corrupted, or unusable. [PROCESSOR] will restore such Personal Data at its own expense.
6.2 [PROCESSOR] will as soon as reasonably practicable notify [CONTROLLER] if it becomes aware of:
(a) the loss, unintended destruction or damage, corruption, or unusability of part or all of the Personal Data. The Provider will restore such Personal Data at its own expense as soon as possible.
(b) any accidental, unauthorised or unlawful processing of the Personal Data; or
(cb) any Personal Data Breach.
6.2 6.3 Where the Provider [PROCESSOR] becomes aware of (a), (b) and/or (cb) above, it willshall, without undue delay, also provide the Customer [CONTROLLER] with the following written information:
(a) description of the nature of (a), (b) and/or (cb), including the categories of in-scope Personal Data and approximate number of both Data Subjects and the Personal Data records concerned;
(b) the likely consequences; and
(c) a description of the measures taken taken, or proposed to be taken to address (a), (b) and/or (cb), including measures to mitigate its possible adverse effects.
6.3 6.4 Immediately following any accidental, unauthorised or unlawful Personal Data processing or Personal Data Breach, the parties will co-ordinate with each other to investigate the matter. Further, the Provider [PROCESSOR] will reasonably co-operate with the Customer at no additional cost to the Customer, [CONTROLLER] in the Customer's [CONTROLLER]’s handling of the matter, including but not limited toincluding:
(a) assisting with any investigation;
(b) providing the Customer [CONTROLLER] with physical access to any facilities and operations affected;
(c) facilitating interviews with the Provider's [PROCESSOR]’s employees, former employees and others involved in the matter including, but not limited to, its officers and directorsmatter;
(d) making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by the Customer[CONTROLLER]; and
(e) taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or accidental, unauthorised or unlawful Personal Data processing.
6.4 The Provider 6.5 [PROCESSOR] will not inform any third party of any accidental, unauthorised or unlawful processing of all or part of the Personal Data and/or a Personal Data Breach without first obtaining the Customer's [CONTROLLER]’s prior written consent, except when required to do so by domestic law.
6.5 The Provider 6.6 [PROCESSOR] agrees that the Customer [CONTROLLER] has the sole right to determine:
(a) whether to provide notice of the accidental, unauthorised or unlawful processing and/or the Personal Data Breach to any Data Subjects, the Commissionersupervisory authorities, other in-scope regulators, law enforcement agencies or others, as required by law or regulation or in the Customer's [CONTROLLER]’s discretion, including the contents and delivery method of the notice; and
(b) whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.
6.6 The Provider 6.7 [PROCESSOR] will cover all reasonable expenses associated with the performance of the obligations under clause 6.1 to 6.2 and clause 6.3 6.4 unless the matter arose from the Customer's [CONTROLLER]’s specific written instructions, negligence, wilful default or breach of this Agreement, in which case the Customer [CONTROLLER] will cover all reasonable expenses.
6.7 The Provider 6.8 [PROCESSOR] will also reimburse the Customer [CONTROLLER] for actual reasonable expenses that the Customer [CONTROLLER] incurs when responding to an incident of accidental, unauthorised or unlawful processing and/or a Personal Data Breach to the extent that the Provider [PROCESSOR] caused suchsuch a Personal Data Breach, including all costs of notice and any remedy as set out in Clause 6.5clause 6.6.
Appears in 1 contract
Sources: Personal Data Processing Agreement
Personal Data Breach. 6.1 The Provider will promptly and in any event without undue delay notify the Customer in writing if it becomes aware of:
(a) the loss, unintended destruction or damage, corruption, or unusability of part or all of the Personal Data. The Provider will restore such Personal Data at its own expense as soon as possible.
(b) any accidental, unauthorised or unlawful processing of the Personal Data; or
(c) any Personal Data Breach.
6.2 Where the Provider becomes aware of (a), (b) and/or (c) above, it will, without undue delay, also provide the Customer with the following written information:
(a) description of the nature of (a), (b) and/or (c), including the categories of in-scope Personal Data and approximate number of both Data Subjects and the Personal Data records concerned;
(b) the likely consequences; and
(c) a description of the measures taken or proposed to be taken to address (a), (b) and/or (c), including measures to mitigate its possible adverse effects.
6.3 Immediately following any accidental, unauthorised or unlawful Personal Data processing or Personal Data Breach, the parties will co-ordinate with each other to investigate the matter. Further, the Provider will reasonably co-operate with the Customer at no additional cost to the Customer, in the Customer's handling of the matter, including but not limited to:
(a) assisting with any investigation;
(b) providing the Customer with physical access to any facilities and operations affected;
(c) facilitating interviews with the Provider's employees, former employees and others involved in the matter including, but not limited to, its officers and directors;
(d) making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by the Customer; and
(e) taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or accidental, unauthorised or unlawful Personal Data processing.
6.4 The Provider will not inform any third-party of any accidental, unauthorised or unlawful processing of all or part of the Personal Data and/or a Personal Data Breach without first obtaining the Customer's written consent, except when required to do so by domestic law.
6.5 The Provider agrees that the Customer has the sole right to determine:
(a) whether to provide notice of the accidental, unauthorised or unlawful processing and/or the Personal Data Breach to any Data Subjects, the Commissioner, other in-scope regulators, law enforcement agencies or others, as required by law or regulation or in the Customer's discretion, including the contents and delivery method of the notice; and
(b) whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.
6.6 The Provider will cover all reasonable expenses associated with the performance of the obligations under clause 6.1 46.1 to clause 6.3 46.3 unless the matter arose from the Customer's specific written instructions, negligence, wilful default or breach of this Agreement, in which case the Customer will cover all reasonable expenses.
6.7 . The Provider will also reimburse the Customer for actual reasonable expenses that the Customer incurs when responding to an incident of accidental, unauthorised or unlawful processing and/or a Personal Data Breach to the extent that the Provider caused such, including all costs of notice and any remedy as set out in Clause 6.556.5. The Provider (and any subcontractor) must not transfer or otherwise process the Personal Data outside the UK or, the EEA without obtaining the Customer's prior written consent. Other than those subcontractors as set out in ANNEX A, the Provider may not authorise any other third-party or subcontractor to process the Personal Data unless the Customer is provided with an opportunity to object to the appointment of each subcontractor within 14 days after the Provider supplies the Customer with full details regarding such subcontractor Those subcontractors approved as at the commencement of this Agreement are as set out in 10ANNEX A. The Provider must list all approved subcontractors in Annex A and include any subcontractor's name and location and the contact information for the person responsible for privacy and data protection compliance. Where the subcontractor fails to fulfil its obligations under the written agreement with the Provider which contains terms substantially the same as those set out in this Agreement, the Provider remains fully liable to the Customer for the subcontractor's performance of its agreement obligations. The Parties agree that the Provider will be deemed by them to control legally any Personal Data controlled practically by or in the possession of its subcontractors. On the Customer's written request, the Provider will audit a subcontractor's compliance with its obligations regarding the Personal Data and provide the Customer with the audit results. 
The Provider must, at no additional cost to the Customer, take such technical and organisational measures as may be appropriate, and promptly provide such information to the Customer as the Customer may reasonably require, to enable the Customer to comply with: the rights of Data Subjects under the Data Protection Legislation, including, but not limited to, subject access rights, the rights to rectify, port and erase personal data, object to the processing and automated processing of personal data, and restrict the processing of personal data; and information or assessment notices served on the Customer by the Commissioner under the Data Protection Legislation. The Provider must notify the Customer immediately in writing if it receives any complaint, notice or communication that relates directly or indirectly to the processing of the Personal Data or to either party's compliance with the Data Protection Legislation. The Provider must notify the Customer within 3 working days if it receives a request from a Data Subject for access to their Personal Data or to exercise any of their other rights under the Data Protection Legislation. The Provider will give the Customer, at no additional cost to the Customer, its full co-operation and assistance in responding to any complaint, notice, communication or Data Subject request. The Provider must not disclose the Personal Data to any Data Subject or to a third-party other than in accordance with the Customer's written instructions, or as required by domestic law. This Agreement will remain in full force and effect so long as: the Master Agreement remains in effect; or the Provider retains any of the Personal Data related to the Master Agreement in its possession or control (Term). Any provision of this Agreement that expressly or by implication should come into or continue in force on or after termination of the Master Agreement in order to protect the Personal Data will remain in full force and effect. 
The Provider's failure to comply with the terms of this Agreement is a material breach of the Master Agreement. In such event, the Customer may terminate the Master Agreement OR any part of the Master Agreement involving the processing of the Personal Data effective immediately on written notice to the Provider without further liability or obligation of the Customer. If a change in any Data Protection Legislation prevents either party from fulfilling all or part of its Master Agreement obligations, the parties may agree to suspend the processing of the Personal Data until that processing complies with the new requirements. If the parties are unable to bring the Personal Data processing into compliance with the Data Protection Legislation within 30 days, either party may terminate the Master Agreement on not less than 30 working days on written notice to the other party. At the Customer's request, the Provider will give the Customer, or a third-party nominated in writing by the Customer, a copy of or access to all or part of the Personal Data in its possession or control in the format and on the media reasonably specified by the Customer. On termination of the Master Agreement for any reason or expiry of its term, if requested to do so the Provider will securely delete or destroy or, if directed in writing by the Customer, return and not retain, all or any of the Personal Data related to this Agreement in its possession or control. If any law, regulation, or government or regulatory body requires the Provider to retain any documents, materials or Personal Data that the Provider would otherwise be required to return or destroy, it will notify the Customer in writing of that retention requirement, giving details of the documents, materials or Personal Data that it must retain, the legal basis for such retention, and establishing a specific timeline for deletion or destruction once the retention requirement ends. 
The Provider will certify in writing to the Customer that it has deleted or destroyed the Personal Data within 30 days after it completes the deletion or destruction.
Appears in 1 contract
Sources: Data Processing Agreement
Personal Data Breach. 6.1 The Provider will promptly within 24 hours and in any event without undue delay notify the Customer in writing if it becomes aware of:
(a) the loss, unintended destruction or damage, corruption, or unusability of part or all of the Personal Data. The Provider will restore such Personal Data at its own expense as soon as possible.
(b) any accidental, unauthorised or unlawful processing of the Personal Data; or
(c) any Personal Data Breach.
6.2 Where the Provider becomes aware of (a), (b) and/or (c) above, it will, without undue delay, also provide the Customer with the following written information:
(a) description of the nature of (a), (b) and/or (c), including the categories of in-scope Personal Data and approximate number of both Data Subjects and the Personal Data records concerned;
(b) the likely consequences; and
(c) a description of the measures taken or proposed to be taken to address (a), (b) and/or (c), including measures to mitigate its possible adverse effects.
6.3 Immediately following any accidental, unauthorised or unlawful Personal Data processing or Personal Data Breach, the parties will co-ordinate with each other to investigate the matter. Further, the Provider will reasonably co-operate with the Customer at no additional cost to the Customer, in the Customer's handling of the matter, including but not limited to:
(a) assisting with any investigation;
(b) providing the Customer with physical access to any facilities and operations affected;
(c) facilitating interviews with the Provider's employees, former employees and others involved in the matter including, but not limited to, its officers and directors;
(d) making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by the Customer; and
(e) taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or accidental, unauthorised or unlawful Personal Data processing.
6.4 The Provider will not inform any third-party of any accidental, unauthorised or unlawful processing of all or part of the Personal Data and/or a Personal Data Breach without first obtaining the Customer's written consent, except when required to do so by domestic law.
6.5 The Provider agrees that the Customer has the sole right to determine:
(a) whether to provide notice of the accidental, unauthorised or unlawful processing and/or the Personal Data Breach to any Data Subjects, the Commissioner, other in-scope regulators, law enforcement agencies or others, as required by law or regulation or in the Customer's discretion, including the contents and delivery method of the notice; and
(b) whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.
6.6 The Provider will cover all reasonable expenses associated with the performance of the obligations under clause 6.1 to clause 6.3 unless the matter arose from the Customer's specific written instructions, negligence, wilful default or breach of this Agreement, in which case the Customer will cover all reasonable expenses.
6.7 The Provider will also reimburse the Customer for actual reasonable expenses that the Customer incurs when responding to an incident of accidental, unauthorised or unlawful processing and/or a Personal Data Breach to the extent that the Provider caused such, including all costs of notice and any remedy as set out in Clause 6.5.
Appears in 1 contract
Sources: Data Processing Agreement
Personal Data Breach. 6.1 The Provider will promptly and in any event without undue delay notify the Customer in writing if it becomes aware of:
(a) the loss, unintended destruction or damage, corruption, or unusability of part or all of the Personal Data. The Provider will restore such Personal Data at its own expense as soon as possible.
(b) any accidental, unauthorised or unlawful processing of the Personal Data; or
(c) any Personal Data Breach.
6.2 Where the Provider becomes aware of (a), (b) and/or (c) above, it will, without undue delay, also provide the Customer with the following written information:
(a) description of the nature of (a), (b) and/or (c), including the categories of in-scope Personal Data and approximate number of both Data Subjects and the Personal Data records concerned;
(b) the likely consequences; and
(c) a description of the measures taken or proposed to be taken to address (a), (b) and/or (c), including measures to mitigate its possible adverse effects.
6.3 Immediately following any accidental, unauthorised or unlawful Personal Data processing or Personal Data Breach, the parties will co-ordinate with each other to investigate the matter. Further, the Provider will reasonably co-operate with the Customer at no additional cost to the Customer, in the Customer's handling of the matter, including but not limited to:
(a) assisting with any investigation;
(b) providing the Customer with physical access to any facilities and operations affected;
(c) facilitating interviews with the Provider's employees, former employees and others involved in the matter including, but not limited to, its officers and directors;
(d) making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by the Customer; and
(e) taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or accidental, unauthorised or unlawful Personal Data processing.
6.4 The Provider will not inform any third-party of any accidental, unauthorised or unlawful processing of all or part of the Personal Data and/or a Personal Data Breach without first obtaining the Customer's written consent, except when required to do so by domestic law.
6.5 The Provider agrees that the Customer has the sole right to determine:
(a) whether to provide notice of the accidental, unauthorised or unlawful processing and/or the Personal Data Breach to any Data Subjects, the Commissioner, other in-scope regulators, law enforcement agencies or others, as required by law or regulation or in the Customer's discretion, including the contents and delivery method of the notice; and
(b) whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.
6.6 The Provider will cover all reasonable expenses associated with the performance of the obligations under clause 6.1 46.1 to clause 6.3 46.3 unless the matter arose from the Customer's specific written instructions, negligence, wilful default or breach of this Agreement, in which case the Customer will cover all reasonable expenses.
6.7 The Provider will also reimburse the Customer for actual reasonable expenses that the Customer incurs when responding to an incident of accidental, unauthorised or unlawful processing and/or a Personal Data Breach to the extent that the Provider caused such, including all costs of notice and any remedy as set out in Clause 6.556.5. The Provider (and any subcontractor) must not transfer or otherwise process the Personal Data outside the UK or, the EEA without obtaining the Customer's prior written consent.
Appears in 1 contract
Sources: Data Processing Agreement
Personal Data Breach. 6.1 The Provider will promptly immediately and in any event without undue delay notify the Customer in writing Chemonics if it becomes aware of:
(a) the loss, unintended destruction or damage, corruption, or unusability of part or all of the Authority Personal Data. The Provider will restore such Authority Personal Data at its own expense as soon as possible.;
(b) any accidental, unauthorised or unlawful processing of the Authority Personal Data; or
(c) any Personal Data Breachpersonal data breach.
6.2 Where the Provider becomes aware of (a), (b) and/or (c) above, it willshall, without undue delay, also provide the Customer Chemonics with the following written information:
(a) description of the nature of (a), (b) and/or (c), including the categories of in-scope Authority Personal Data and approximate number of both Data Subjects data subjects and the Authority Personal Data records concerned;
(b) the likely consequences; and
(c) a description of the measures taken or proposed to be taken to address (a), (b) and/or (c), including measures to mitigate its possible adverse effects.
6.3 Immediately following any accidental, unauthorised or unlawful Authority Personal Data processing or Personal Data Breachpersonal data breach, the parties will co-ordinate with each other to investigate the matter. Further, the Provider will reasonably co-operate with Chemonics and/or the Customer Authority at no additional cost to the CustomerChemonics, in the Customer's Chemonics’ handling of the matter, including but not limited to:
(a) assisting with any investigation;
(b) providing Chemonics and/or the Customer Authority with physical access to any facilities and operations affected;
(c) facilitating interviews with the Provider's employees, former employees and others involved in the matter including, but not limited to, its officers and directors;
(d) making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by Chemonics and/or the CustomerAuthority; and
(e) taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach personal data breach or accidental, unauthorised or unlawful Authority Personal Data processing.
6.4 The Provider will not inform any third party of any accidental, unauthorised or unlawful processing of all or part of the Authority Personal Data and/or a Personal Data Breach personal data breach without first obtaining the Customer's Chemonics’ written consent, except when required to do so by domestic law.
6.5 The Provider agrees that Chemonics and/or the Customer has Authority have the sole right to determine:
(a) whether to provide notice of the accidental, unauthorised or unlawful processing and/or the Personal Data Breach personal data breach to any Data Subjectsdata subjects, the Commissioner, other in-scope regulators, law enforcement agencies or others, as required by law or regulation or in Chemonics’ and/or the Customer's Authority’s discretion, including the contents and delivery method of the notice; and
(b) whether to offer any type of remedy to affected Data Subjectsdata subjects, including the nature and extent of such remedy.
6.6 The Provider will cover all reasonable expenses associated with the performance of the obligations under clause 6.1 to clause 6.3 unless the matter arose from Chemonics’ and/or the CustomerAuthority's specific written instructions, negligence, wilful default or breach of this AgreementDSPA, in which case the Customer Chemonics will cover all reasonable expenses.
6.7 The Provider will also reimburse the Customer Chemonics for actual reasonable all expenses that Chemonics and/or the Customer Authority incurs when responding to an incident of accidental, unauthorised or unlawful processing and/or a Personal Data Breach personal data breach to the extent that the Provider caused such, including all costs of notice and any remedy as set out in Clause clause 6.5.
Appears in 1 contract
Sources: Data Sub Processing Agreement
Personal Data Breach. 6.1 The Provider will promptly immediately and in any event without undue delay notify the Customer in writing if it becomes aware of:
(a) the loss, unintended destruction or damage, corruption, or unusability of part or all of the Personal Data. The Provider will restore such Personal Data at its own expense as soon as possible.
(b) any accidental, unauthorised or unlawful processing of the Personal Data; or
(c) any Personal Data Breach.
6.2 Where the Provider becomes aware of (a), (b) and/or (c) above, it shall, without undue delay, also provide the Customer with the following written information:
(a) description of the nature of (a), (b) and/or (c), including the categories of in-scope Personal Data and approximate number of both Data Subjects and the Personal Data records concerned;
(b) the likely consequences; and
(c) a description of the measures taken or proposed to be taken to address (a), (b) and/or (c), including measures to mitigate its possible adverse effects.
6.3 Immediately following any accidental, unauthorised or unlawful Personal Data processing or Personal Data Breach, the parties will co-ordinate with each other to investigate the matter. Further, the Provider will reasonably co-operate with the Customer at no additional cost to the Customer, in the Customer's handling of the matter, including but not limited to:
(a) assisting with any investigation;
(b) providing the Customer with physical access to any facilities and operations affected;
(c) facilitating interviews with the Provider's employees, former employees and others involved in the matter including, but not limited to, its officers and directors;
(d) making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by the Customer; and
(e) taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or accidental, unauthorised or unlawful Personal Data processing.
6.4 The Provider will not inform any third party of any accidental, unauthorised or unlawful processing of all or part of the Personal Data and/or a Personal Data Breach without first obtaining the Customer's written consent, except when required to do so by domestic law.
6.5 The Provider agrees that the Customer has the sole right to determine:
(a) whether to provide notice of the accidental, unauthorised or unlawful processing and/or the Personal Data Breach to any Data Subjects, the Commissioner, other in-scope regulators, law enforcement agencies or others, as required by law or regulation or in the Customer's discretion, including the contents and delivery method of the notice; and
(b) whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.
6.6 The Provider will cover all reasonable expenses associated with the performance of the obligations under clause 6.1 46.1 to clause 6.3 46.3 unless the matter arose from the Customer's specific written instructions, negligence, wilful default or breach of this Agreement, in which case the Customer will cover all reasonable expenses.
6.7 . The Provider will also reimburse the Customer for actual reasonable expenses that the Customer incurs when responding to an incident of accidental, unauthorised or unlawful processing and/or a Personal Data Breach to the extent that the Provider caused such, including all costs of notice and any remedy as set out in Clause clause 6.5. The Provider (and any subcontractor) must not transfer or otherwise process the Personal Data outside the EEA without obtaining the Customer's prior written consent. Where such consent is granted, the Provider may only process, or permit the processing, of the Personal Data outside the EEA under the following conditions: the Provider is processing the Personal Data in a territory which is subject to adequacy regulations under the Data Protection Legislation that the territory provides adequate protection for the privacy rights of individuals. The Provider must identify in 12ANNEX A the territory that is subject to such adequacy regulations; or the Provider participates in a valid cross-border transfer mechanism under the Data Protection Legislation, so that the Provider (and, where appropriate, the Customer) can ensure that appropriate safeguards are in place to ensure an adequate level of protection with respect to the privacy rights of individuals as required by Article 46 of the UK GDPR and EU GDPR. The Provider must identify in 12ANNEX A the transfer mechanism that enables the parties to comply with these cross-border data transfer provisions and the Provider must immediately inform the Customer of any change to that status; or the transfer otherwise complies with the Data Protection Legislation for the reasons set out in 12ANNEX A. 
If any Personal Data transfer between the Customer and the Provider requires execution of SCCs in order to comply with the Data Protection Legislation (where the Customer is the entity exporting Personal Data to the Provider outside the EEA), the parties will complete all relevant details in, and execute, the SCCs contained in 12, and take all other actions required to legitimise the transfer. If the Customer consents to appointment by the Provider of a subcontractor located outside the EEA in compliance with the provisions of clause 8, then the Customer authorises the Provider to enter into SCCs contained in Annex B with the subcontractor in the Customer’s name and on its behalf. The Provider will make the executed SCCs available to the Customer on request.
Appears in 1 contract
Sources: Personal Data Processing Agreement
Personal Data Breach. 6.1 The Provider CloudRock will promptly within twenty-four hours and in any event without undue delay notify the Customer in writing Client if it becomes aware of:
(a) the loss, unintended destruction or damage, corruption, or unusability of part or all of the Personal Data. The Provider CloudRock will restore such Personal Data at its own expense as soon as possible.;
(b) any accidental, unauthorised or unlawful processing of the Personal Data; or
(c) any Personal Data Breach.
6.2 Where the Provider CloudRock becomes aware of (a), (b) and/or (c) above, it willshall, without undue delay, also provide the Customer Client with the following written information:
(a) description of the nature of (a), (b) and/or (c), including the categories of in-scope Personal Data and approximate number of both Data Subjects and the Personal Data records concerned;
(b) the likely consequences; and
(c) a description of the measures taken or proposed to be taken to address (a), (b) and/or (c), including measures to mitigate its possible adverse effects.
6.3 Immediately following any accidental, unauthorised or unlawful Personal Data processing or Personal Data Breach, the parties will co-ordinate with each other to investigate the matter. Further, the Provider CloudRock will reasonably co-operate with the Customer at no additional cost to the Customer, Client in the CustomerClient's handling of the matter, including but not limited to:
(a) assisting with any investigation;
(b) providing the Customer Client with physical access to any facilities and operations affected;
(c) facilitating interviews with the ProviderCloudRock's employees, former employees and others involved in the matter including, but not limited to, its officers and directors;
(d) making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by the CustomerClient; and
(e) taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or accidental, unauthorised or unlawful Personal Data processing.
6.4 The Provider CloudRock will not inform any third party of any accidental, unauthorised or unlawful processing of all or part of the Personal Data and/or a Personal Data Breach without first obtaining the CustomerClient's written consent, except when required to do so by domestic law.
6.5 The Provider CloudRock agrees that the Customer Client has the sole right to determine:
(a) whether to provide notice of the accidental, unauthorised or unlawful processing and/or the Personal Data Breach to any Data Subjects, the Commissioner, other in-scope regulators, law enforcement agencies or others, as required by law or regulation or in the CustomerClient's discretion, including the contents and delivery method of the notice; and
(b) whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.
6.6 The Provider CloudRock will cover all reasonable expenses associated with the performance of the obligations under clause 6.1 to clause 6.3 inclusive unless the matter arose from the CustomerClient's specific written instructions, negligence, wilful default default, breach of this Schedule or breach of this Agreementthe Data Protection Legislation, in which case the Customer Client will cover all reasonable expenses.
6.7 The Provider will also reimburse the Customer for actual reasonable expenses that the Customer incurs when responding to an incident of accidental, unauthorised or unlawful processing and/or a Personal Data Breach to the extent that the Provider caused such, including all costs of notice and any remedy as set out in Clause 6.5.
Appears in 1 contract
Personal Data Breach. 6.1 The Provider Emspace will promptly, and in any event without undue delay within 48 hours, notify the Customer in writing if it becomes aware of:
(a) the loss, unintended destruction or damage, corruption, or unusability un-useability of part or all of the Personal Data. The Provider Emspace will restore as soon as possible such Personal Data at its own expense as soon as possible.expense;
(b) any accidental, unauthorised or unlawful processing of the Personal Data; or
(c) any Personal Data Breach.
6.2 Where the Provider Emspace becomes aware of (a), (b) and/or (c) above, it will, without undue delay, also provide the Customer with the following written information:
(a) description of the nature of (a), (b) and/or (c), including the categories of in-scope Personal Data and approximate number of both Data Subjects and the Personal Data records concerned;
(b) the likely consequences; and
(c) a description of the measures taken or proposed to be taken to address (a), (b) and/or (c), including measures to mitigate its possible adverse effects.
6.3 Immediately after the Customer has been notified pursuant to clause 6.1, following any accidental, unauthorised or unlawful Personal Data processing or Personal Data Breach, the parties will co-ordinate with each other to investigate the matter. Further, the Provider Emspace will reasonably co-operate with the Customer at no additional cost to the Customer, in the Customer's handling of the matter, including but not limited to:
(a) assisting with any investigation;
(b) providing the Customer with physical access to any facilities and operations affected;
(c) facilitating interviews with the Provider's Emspace’s employees, former employees and others involved in the matter including, but not limited to, its officers and directors;
(d) making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by the Customer; and
(e) taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or accidental, unauthorised or unlawful Personal Data processing.
6.4 The Provider Emspace will not inform any third-party of any accidental, unauthorised or unlawful processing of all or part of the Personal Data and/or a Personal Data Breach without first obtaining the Customer's written consent, except when required to do so by domestic or EU law.
6.5 The Provider Emspace agrees that the Customer has the sole right to determine:
(a) determine whether to provide notice of the accidental, unauthorised or unlawful processing and/or the Personal Data Breach to any Data Subjects, the Commissioner, other in-scope regulators, law enforcement agencies or others, as required by law or regulation or in the Customer's discretion, including the contents and delivery method of the notice; and
(b) whether to . The Customer shall not offer any type of remedy to affected Data SubjectsSubjects without the prior written approval of Emspace, including the nature and extent of such remedyapproval not to be unreasonably withheld or delayed.
6.6 The Provider Customer will cover all reasonable expenses and time costs associated with the performance of the Emspace’s obligations under clause clauses 6.1 to clause 6.3 inclusive unless the matter arose from the Customer's specific written instructions, Emspace’s negligence, wilful default or breach of this Agreement, in which case the Customer Emspace will cover all reasonable expensesof its expenses and time costs.
6.7 The Provider Emspace will also reimburse the Customer for actual reasonable expenses that the Customer incurs when responding to an incident of accidental, unauthorised or unlawful processing and/or a Personal Data Breach to the extent that the Provider Emspace caused such an incident and/or Personal Data Breach, including all costs of notice and any remedy as set out in clause 6.5.
Appears in 1 contract
Sources: Data Processing Agreement
Personal Data Breach. 6.1 The Provider If MSite becomes aware of a Personal Data Breach or other security incident affecting or relating to Customer Data, MSite will promptly and in any event without undue delay promptly: (a) notify the Customer in writing if it becomes aware of:
(a) the loss, unintended destruction or damage, corruption, or unusability of part or all of the Personal Data. The Provider will restore such Personal Data at its own expense as soon as possible.
Security Breach; (b) any accidental, unauthorised or unlawful processing of investigate the Personal DataData Breach and provide the Customer with information about the Personal Data Breach; or
and (c) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Personal Data Breach. MSite’s obligation to report or respond to any Personal Data Breach under this Clause is not and will not be construed as an acknowledgement by MSite of any fault or liability with respect to the Personal Data Breach.
6.2 Where the Provider becomes aware of (a), (b) and/or (c) above, it will, without undue delay, also provide the Customer with the following written information:
(a) description of the nature of (a), (b) and/or (c), including the categories of in-scope Personal Data and approximate number of both Data Subjects and the Personal Data records concerned;
(b) the likely consequences; and
(c) a description of the measures taken or proposed to be taken to address (a), (b) and/or (c), including measures to mitigate its possible adverse effects.
6.3 Immediately following any accidental, unauthorised or unlawful Personal Data processing or Personal Data Breach, the parties Parties will co-ordinate coordinate with each other to investigate the matter. Further, the Provider MSite will reasonably co-operate cooperate with the Customer at no additional cost and MSite shall be compensated for any costs and time incurred in relation to the Customerassistance provided, in the Customer's handling of the matter, including but not limited to:
(a) 6.2.1 assisting with any investigation;
(b) 6.2.2 providing the Customer with physical access to any facilities and operations affected;
(c) 6.2.3 facilitating interviews with the ProviderMSite's employees, former employees and others involved in the matter including, but not limited to, its officers and directors;
(d) 6.2.4 making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by the Customer; and
(e) 6.2.5 taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Customer Data Breach or accidental, unauthorised or unlawful Personal Customer Data processing.
6.4 The Provider 6.3 Notification(s) of Personal Data Breaches, if any, will not inform any third-party of any accidental, unauthorised be delivered to one or unlawful processing of all or part more of the Personal Data and/or a Personal Data Breach without first obtaining Customer’s business, technical or administrative contacts by any means MSite selects, including via email. It is the Customer's written consent, except when required ’s sole responsibility to do so by domestic lawensure it maintains accurate contact information on MSite’s support systems at all times.
6.5 The Provider agrees that the Customer has the sole right to determine:
(a) whether to provide notice of the accidental, unauthorised or unlawful processing and/or the Personal Data Breach to any Data Subjects, the Commissioner, other in-scope regulators, law enforcement agencies or others, as required by law or regulation or in the Customer's discretion, including the contents and delivery method of the notice; and
(b) whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.
6.6 The Provider will cover all reasonable expenses associated with the performance of the obligations under clause 6.1 to clause 6.3 unless the matter arose from the Customer's specific written instructions, negligence, wilful default or breach of this Agreement, in which case the Customer will cover all reasonable expenses.
6.7 The Provider will also reimburse the Customer for actual reasonable expenses that the Customer incurs when responding to an incident of accidental, unauthorised or unlawful processing and/or a Personal Data Breach to the extent that the Provider caused such, including all costs of notice and any remedy as set out in Clause 6.5.
Appears in 1 contract
Sources: Data Protection Agreement
Personal Data Breach. 6.1 9.11.1 The Provider Supplier will promptly immediately and in any event without undue delay notify the Customer in writing if it becomes aware of:
(a) the loss, unintended destruction or damage, corruption, or unusability of part or all of the Personal Data. The Provider Supplier will restore such Personal Data at its own expense as soon as possible.
(b) any accidental, unauthorised or unlawful processing of the Personal Data; or
(c) any Personal Data Breach.
6.2 9.11.2 Where the Provider Supplier becomes aware of (a), (b) and/or (c) above, it willshall, without undue delay, also provide the Customer with the following written information:
(a) description of the nature of (a), (b) and/or (c), including the categories of in-scope Personal Data and approximate number of both Data Subjects and the Personal Data records concerned;
(b) the likely consequences; and
(c) a description of the measures taken or proposed to be taken to address (a), (b) and/or (c), including measures to mitigate its possible adverse effects.
6.3 9.11.3 Immediately following any accidental, unauthorised or unlawful Personal Data processing or Personal Data Breach, the parties will co-ordinate with each other to investigate the matter. Further, the Provider Supplier will reasonably co-operate with the Customer at no additional cost to the Customer, in the Customer's handling of the matter, including but not limited to:
(a) assisting with any investigation;
(b) providing the Customer with physical access to any facilities and operations affected;
(c) facilitating interviews with the ProviderSupplier's employees, former employees and others involved in the matter including, but not limited to, its officers and directors;
(d) making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by the Customer; and
(e) taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or accidental, unauthorised or unlawful Personal Data processing.
6.4 9.11.4 The Provider Supplier will not inform any third party of any accidental, unauthorised or unlawful processing of all or part of the Personal Data and/or a Personal Data Breach without first obtaining the Customer's written consent, except when required to do so by domestic law.
6.5 9.11.5 The Provider Supplier agrees that the Customer has the sole right to determine:
(a) whether to provide notice of the accidental, unauthorised or unlawful processing and/or the Personal Data Breach to any Data Subjects, the Commissioner, other in-scope regulators, law enforcement agencies or others, as required by law or regulation or in the Customer's discretion, including the contents and delivery method of the notice; and
(b) whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.
6.6 9.11.6 The Provider Supplier will cover all reasonable expenses associated with the performance of the obligations under clause 6.1 9.11.11.1 to clause 6.3 9.11.11.3 unless the matter arose from the Customer's specific written instructions, negligence, wilful default or breach of this Agreement, in which case the Customer will cover all reasonable expenses.
6.7 9.11.7 The Provider Supplier will also reimburse the Customer for actual reasonable expenses that the Customer incurs when responding to an incident of accidental, unauthorised or unlawful processing and/or a Personal Data Breach to the extent that the Provider Supplier caused such, including all costs of notice and any remedy as set out in Clause 6.5clause 9.11.5.
Appears in 1 contract
Personal Data Breach. 6.1 The Provider will promptly within 24 hours from discovery and in any event without undue delay notify the Customer in writing if it becomes aware of:
(a) the loss, unintended destruction or damage, corruption, or unusability of part or all of the Personal Data. The Provider will restore such Personal Data at its own expense as soon as possible.
(b) any accidental, unauthorized or unlawful processing of the Personal Data; or
(c) any Personal Data Breach.
6.2 Where the Provider becomes aware of any situation occurring in clause 6.1 (a), (b) and/or (c) above, it willshall, without undue delay, also provide the Customer with the following written information:
(a) description of the nature of (a), (b) and/or (c), including the categories of in-scope Personal Data and approximate number of both Data Subjects and the Personal Data records concerned;
(b) the likely consequences; and
(c) a description of the measures taken or proposed to be taken to address situations (a), (b) and/or (c), including measures to mitigate its possible adverse effects.
6.3 Immediately following any accidental, unauthorized or unlawful Personal Data processing or Personal Data Breach, the parties will co-ordinate with each other to investigate the matter. Further, the Provider will reasonably co-operate with the Customer at no additional cost to the Customer, in the Customer's handling of the matter, including but not limited to:
(a) assisting with any investigation;
(b) providing the Customer with physical access to any facilities and operations affected;
(c) facilitating interviews with the Provider's employees, former employees and others involved in the matter including, but not limited to, its officers and directors;
(d) making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by the Customer; and
(e) taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or accidental, unauthorized or unlawful Personal Data processing.
6.4 The Provider will not inform any third party of any accidental, unauthorized, or unlawful processing of all or part of the Personal Data and/or a Personal Data Breach without first obtaining the Customer's written consent, except when required to do so by domestic applicable law.
6.5 The Provider agrees that the Customer has the sole right to determine:
(a) whether to provide notice of the accidental, unauthorized or unlawful processing and/or the Personal Data Breach to any Data Subjects, the Commissioner, other in-scope regulators, law enforcement agencies or others, as required by law or regulation or in the Customer's discretion, including the contents and delivery method of the notice; and
(b) whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.
6.6 The Provider will cover all reasonable expenses associated with the performance of the obligations under clause 6.1 to clause 6.3 unless the matter arose directly from the Customer's specific written instructions, negligence, wilful default or breach of this Agreement, in which case the Customer will cover all reasonable proven expenses.
6.7 The Provider will also reimburse the Customer for actual reasonable expenses that the Customer incurs when responding to an incident of accidental, unauthorized or unlawful processing and/or a Personal Data Breach to the extent that the Provider caused such an incident, including all costs of notice and any remedy as set out in clause 6.5.
Appears in 1 contract
Sources: Personal Data Processing Agreement
Personal Data Breach. 6.1 The Provider TripStax will promptly within 48 hours and in any event without undue delay notify the Customer in writing if it becomes aware of:
(a) the loss, unintended destruction or damage, corruption, or unusability un-usability of part or all of the Personal Data. The Provider TripStax will restore such Personal Data at its own expense as soon as possible.
(b) any accidental, unauthorised or unlawful processing of the Personal Data; or
(c) any Personal Data Breach.
6.2 Where the Provider TripStax becomes aware of (a), (b) and/or (c) above, it will, without undue delay, also provide the Customer with the following written information:
(a) description of the nature of (a), (b) and/or (c), including the categories of in-scope Personal Data and approximate number of both Data Subjects and the Personal Data records concerned;
(b) the likely consequences; and
(c) a description of the measures taken or proposed to be taken to address (a), (b) and/or (c), including measures to mitigate its possible adverse effects.
6.3 Immediately following any accidental, unauthorised or unlawful Personal Data processing or Personal Data Breach, the parties will co-ordinate with each other to investigate the matter. Further, the Provider TripStax will reasonably co-operate with the Customer at no additional cost to the CustomerCustomer (if the Data Breach is caused by TripStax), in the Customer's handling of the matter, including but not limited to:
(a) assisting with any investigation;
(b) providing the Customer with physical access to any facilities and operations affected;
(c) facilitating interviews with the Provider's TripStax employees, former employees and others involved in the matter including, but not limited to, its officers and directors;
(d) making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by the Customer; and
(e) taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or accidental, unauthorised or unlawful Personal Data processing.
6.4 The Provider TripStax will not inform any third-party of any accidental, unauthorised or unlawful processing of all or part of the Personal Data and/or a Personal Data Breach without first obtaining the Customer's written consent, except when required to do so by domestic or EU law.
6.5 The Provider TripStax agrees that the Customer has the sole right to determine:
(a) whether to provide notice of the accidental, unauthorised or unlawful processing and/or the Personal Data Breach to any Data Subjects, the Commissioner, other in-scope regulators, law enforcement agencies or others, as required by law or regulation or in the Customer's discretion, including the contents and delivery method of the notice; and
(b) whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.
6.6 The Provider TripStax will cover all reasonable expenses associated with the performance of the its obligations under clause 6.1 to clause 6.3 unless the matter arose from the Customer's specific written instructions, negligence, wilful default or breach of this Agreement, in which case the Customer will cover all reasonable expensesexpenses including those incurred by TripStax.
6.7 The Provider will also reimburse the Customer for actual reasonable expenses that the Customer incurs when responding to an incident of accidental, unauthorised or unlawful processing and/or a Personal Data Breach to the extent that the Provider caused such, including all costs of notice and any remedy as set out in Clause 6.5.
Appears in 1 contract
Sources: Data Processing Agreement
Personal Data Breach. 6.1 The Provider 6.1. Plentific will promptly and without undue delay and in any event within 72 hours notify the Customer if any Personal Data is lost or destroyed or becomes damaged, corrupted, or unusable.
6.2. Plentific will without undue delay notify the Customer in writing if it becomes aware of:
(a) the loss, unintended destruction or damage, corruption, or unusability of part or all of the Personal Data. The Provider will restore such Personal Data at its own expense as soon as possible.
(b) any accidental, unauthorised or unlawful processing of the Personal Data; or
(cb) any Personal Data Breach.
6.2 6.3. Where the Provider Plentific becomes aware of (a), (b) and/or (cb) above, it willshall, without undue delay, also provide the Customer with the following written information:
(a) description of the nature of (a), (ban occurrence falling within the provisions of clause 6.2(a) and/or (cb), including the categories of in-scope Personal Data and approximate number of both Data Subjects data subjects and the Personal Data records concerned;
(b) the likely consequences; and
(c) a description of the measures taken or proposed to be taken to address (a), (bthe occurrence falling within the provisions of clause 6.2(a) and/or (cb), including measures to mitigate its possible adverse effects.
6.3 6.4. Immediately following any accidental, unauthorised or unlawful Personal Data processing or Personal Data Breach, the parties will co-ordinate with each other to investigate the matter. Further, the Provider Plentific will reasonably co-operate with the Customer at no additional cost to the Customer, in the Customer's handling of the matter, including but not limited toincluding:
(a) assisting with any investigation;
(b) providing the Customer with physical access to any facilities and operations affected;
(c) facilitating interviews with the ProviderPlentific's employees, former employees and others involved in the matter including, but not limited to, its officers and directorsmatter;
(d) making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by the Customer; and
(e) taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or accidental, unauthorised or unlawful Personal Data processing.
6.4 The Provider 6.5. Plentific will not inform any third party of any accidental, unauthorised or unlawful processing of all or part of the Personal Data and/or a Personal Data Breach without first obtaining the Customer's prior written consent, except when required to do so by domestic law.
6.5 The Provider 6.6. ▇▇▇▇▇▇▇▇▇ agrees that the Customer has the sole right to determine:
(a) 6.6.1. whether to provide notice of the accidental, unauthorised or unlawful processing and/or the Personal Data Breach to any Data Subjects, the Commissionersupervisory authorities, other in-scope regulators, law enforcement agencies or others, as required by law or regulation or in the Customer's discretion, including the contents and delivery method of the notice; and
(b) 6.6.2. whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.
6.6 The Provider will cover all reasonable expenses associated with the performance of the obligations under clause 6.1 to clause 6.3 unless the matter arose from the Customer's specific written instructions, negligence, wilful default or breach of this Agreement, in which case the Customer will cover all reasonable expenses.
6.7 The Provider will also reimburse the Customer for actual reasonable expenses that the Customer incurs when responding to an incident of accidental, unauthorised or unlawful processing and/or a Personal Data Breach to the extent that the Provider caused such, including all costs of notice and any remedy as set out in Clause 6.5.
Appears in 1 contract
Sources: Terms and Conditions
Personal Data Breach. 6.1 The Provider Processor will promptly immediately and in any event without undue delay notify the Customer Controller in writing if it becomes aware of:
(a) the loss, unintended destruction or damage, corruption, or unusability of part or all of the Personal Data. The Provider will restore such Personal Data at its own expense as soon as possible.
(b) any accidental, unauthorised or unlawful processing of the Personal Data; or
(c) any Personal Data Breach.
6.2 Where the Provider Processor becomes aware of (a), (b) and/or (c) above, it will, without undue delay, also provide the Customer Controller with the following written information:
(a) description of the nature of (a), (b) and/or (c), including the categories of in-scope Personal Data and approximate number of both Data Subjects and the Personal Data records concerned;
(b) the likely consequences; and
(c) a description of the measures taken or proposed to be taken to address (a), (b) and/or (c), including measures to mitigate its possible adverse effects.
6.3 Immediately following any accidental, unauthorised or unlawful Personal Data processing or Personal Data Breach, the parties will co-ordinate with each other to investigate the matter. Further, the Provider Processor will reasonably co-operate with the Customer at no additional cost to the Customer, Controller in the Customer's Controller’s handling of the matter, including but not limited to:
(a) assisting with any investigation;
(b) providing the Customer with physical access to any facilities and operations affected;
(c) facilitating interviews with the Provider's Processor’s employees, former employees and others involved in the matter including, but not limited to, its officers and directors;
(dc) making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by the CustomerController; and
(ed) taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or accidental, unauthorised or unlawful Personal Data processing.
6.4 The Provider Processor will not inform any third-party (including the Supervisory Authority) of any accidental, unauthorised or unlawful processing of all or part of the Personal Data and/or a Personal Data Breach without first obtaining the Customer's Controller’s written consent, except when required to do so by domestic or EU law.
6.5 The Provider Processor agrees that the Customer Controller has the sole right to determine:
(a) whether to provide notice of the accidental, unauthorised or unlawful processing and/or the Personal Data Breach to any Data Subjects, the CommissionerSupervisory Authority, other in-scope regulators, law enforcement agencies or others, as required by law or regulation or in the Customer's Controller’s discretion, including the contents and delivery method of the notice; and
(b) whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.
6.6 The Provider Processor will cover all reasonable expenses associated with the performance of the obligations under clause 6.1 to clause 6.3 unless the matter arose from the Customer's specific Controller’s specific written instructions, negligence, wilful default or breach of this Agreement, in which case the Customer Controller will cover all reasonable expenses.
6.7 The Provider Processor will also reimburse the Customer Controller for actual reasonable expenses that the Customer Controller incurs when responding to an incident of accidental, unauthorised or unlawful processing and/or a Personal Data Breach to the extent that the Provider Processor caused such, including all costs of notice and any remedy as set out in Clause 6.5.
Appears in 1 contract
Sources: Data Processing Agreement (Dpa)
Personal Data Breach. 6.1 The Provider will promptly immediately and in any event without undue delay notify the Customer in writing to the registration email address if it becomes aware of:
(a) the loss, unintended destruction or damage, corruption, or unusability of part or all of the Personal Data. The Provider will restore such Personal Data at its own expense as soon as possible.
(b) any accidental, unauthorised or unlawful processing of the Personal Data; or
(c) any Personal Data Breach.
6.2 Where the Provider becomes aware of (a), (b) and/or (c) above, it will, without undue delay, also provide the Customer with the following written information:
(a) description of the nature of (a), (b) and/or (c), including the categories of in-scope Personal Data and approximate number of both Data Subjects and the Personal Data records concerned;
(b) the likely consequences; and
(c) a description of the measures taken or proposed to be taken to address (a), (b) and/or (c), including measures to mitigate its possible adverse effects.
6.3 Immediately following any accidental, unauthorised or unlawful Personal Data processing or Personal Data Breach, the parties will co-ordinate with each other to investigate the matter. Further, the Provider will reasonably co-operate with the Customer at no additional cost to the Customer, in the Customer's handling of the matter, including but not limited to:
(a) assisting with any investigation;
(b) providing the Customer with physical access to any facilities and operations affected;
(c) facilitating interviews with the Provider's employees, former employees and others involved in the matter including, but not limited to, its officers and directors;
(d) making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by the Customer; and
(e) taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or accidental, unauthorised or unlawful Personal Data processing.
6.4 The Provider will not inform any third-party of any accidental, unauthorised or unlawful processing of all or part of the Personal Data and/or a Personal Data Breach without first obtaining the Customer's written consent, except when required to do so by domestic or EU law.
6.5 The Provider agrees that the Customer has the sole right to determine:
(a) whether to provide notice of the accidental, unauthorised or unlawful processing and/or the Personal Data Breach to any Data Subjects, the CommissionerSupervisory authority, other in-scope regulators, law enforcement agencies or others, as required by law or regulation or in the Customer's discretion, including the contents and delivery method of the notice; and
(b) whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.
6.6 The Provider will cover all reasonable expenses associated with the performance of the obligations under clause 6.1 to clause 6.3 unless the matter arose from the Customer's specific written instructions, negligence, wilful default or breach of this Agreement, in which case the Customer will cover all reasonable expenses.
6.7 The Provider will also reimburse the Customer for actual reasonable expenses that the Customer incurs when responding to an incident of accidental, unauthorised or unlawful processing and/or a Personal Data Breach to the extent that the Provider caused such, including all costs of notice and any remedy as set out in Clause 6.5.
Appears in 1 contract
Sources: Data Processing Agreement