Common use of Personal Data Breach Clause in Contracts

Personal Data Breach. 11.1 The Data Controller acknowledge and agree that the Data Processor shall not be deemed responsible for Personal Data Breach not imputable to the Data Processor’s negligence. 11.2 If the Data Processor becomes aware of a Personal Data Breach, it will: a) take appropriate actions to contain and mitigate such Personal Data Breach, including notifying the Data Controller, without undue delay, to enable the Data Controller to expeditiously implement its response program. Notwithstanding the above, the Data Processor reserves the right to determine the measures it will take to comply with Applicable Data Protection Laws or to protect its rights and interests; b) cooperate with the Data Controller to investigate: the nature, the categories and approximate number of Data Subjects concerned, the categories and approximate number of Personal Data records concerned and the likely consequences of any such Personal Data Breach in a manner which is commensurate with its seriousness and its overall impact on the Data Controller and the delivery of the Service under this DPA; c) where Applicable Data Protection Laws require notification to relevant Supervisory Authorities and impacted Data Subjects of such a Personal Data Breach, and as it relates to the Client Personal Data, defer to and take instructions from Data Controller, as Data Controller has the sole right to determine the measures that it will take to comply with Applicable Data Protection Laws or remediate any risk, including without limitation: i. whether notice is to be provided to any individuals, regulators, law enforcement agencies, consumer reporting agencies, or others as required Applicable Data Protection Laws, or in Data Controller's discretion; and ii. the contents of such notice, whether any type of remediation may be offered to affected Client Data Subjects, and the nature and extent of any such remediation.

Personal Data Breach. 11.1 The Data Controller acknowledge acknowledges and agree accepts that the Data Processor Sub-contractor shall not be deemed responsible held liable for Personal Data Breach Breaches that are not imputable attributable to the Data ProcessorSub-contractor’s negligence. 11.2 . If the Data Processor Sub-contractor of the data becomes aware of a Personal Data Breach, it will: a) he shall do as follows: ○ take the appropriate actions measures to contain limit and mitigate such Personal Data Breach, including in particular, by notifying the Data ControllerController as soon as possible, without undue delaybut under no circumstances more than twenty-four (24) hours after the Sub-contractor has become aware of this Personal Data Breach, to enable the Data Controller to expeditiously implement its response program. Notwithstanding the above, the Data Processor reserves the right to determine the measures it will take to comply with Applicable Data Protection Laws or to protect its rights and interests; b) promptly setup his program accordingly; ○ cooperate with the Data Controller to investigatedefine the following: the naturetype, the categories and approximate number of Data Subjects concernedSubjects, the categories and the approximate number of registrations of Personal Data records concerned made and the likely potential consequences of any such Personal Data Breach in a manner which is commensurate with order for the latter to be proportionate to its seriousness gravity and its overall global impact on the Data Controller and the delivery of service provision herein; When the Service under this DPA; c) where Applicable Personal Data Protection Laws require Regulations and/or any applicable regulation requires a notification to relevant the competent Supervisory Authorities and impacted the Data Subjects of such a Personal Data Breachinvolved, and insofar as it relates to the Client latter concerns the Data Controller’s Personal Data, the Sub-contractor shall defer to the latter and take the instructions from Data Controller, as the Data Controller has the sole right who, in its official capacity, is exclusively entitled to determine define the measures that it will take to be taken to comply with Applicable the Personal Data Protection Laws Regulations or remediate to remedy any risk, including without limitation: i. whether notice is to including, but not exhaustively: ○ if a notification must be provided to any individualsperson, regulatorsRegulatory body or statutory application body, law enforcement agenciesconsumption information agency or other, consumer reporting agenciessuch as required by the Personal Data Regulations, or others as required Applicable Data Protection Laws, or in at the Data Controller's ’s discretion; and ii. and ○ the contents content of such noticethis notification, whether any type of remediation if corrective measures may be offered to affected Client the Data Subjects, ’ relevant Data Controller and the nature type and extent of any such remediationthese corrective measures.

Personal Data Breach. 11.1 The Data Controller Client acknowledge and agree that the Data Processor Register shall not be deemed responsible for Personal Data Breach not imputable to the Data ProcessorRegister’s negligence. 11.2 If the Data Processor Register becomes aware of a Personal Data Breach, it will: a) take appropriate actions to contain and mitigate such Personal Data Breach, including notifying the Data ControllerClient, without undue delay, to enable the Data Controller Client to expeditiously implement its response program. Notwithstanding the above, the Data Processor Register reserves the right to determine the measures it will take to comply with Applicable Data Protection Laws or to protect its rights and interests; b) cooperate with the Data Controller Client to investigate: the nature, the categories and approximate number of Data Subjects concerned, the categories and approximate number of Personal Data records concerned and the likely consequences of any such Personal Data Breach in a manner which is commensurate with its seriousness and its overall impact on the Data Controller Client and the delivery of the Service under this DPA; c) where Applicable Data Protection Laws require notification to relevant Supervisory Authorities and impacted Data Subjects of such a Personal Data Breach, and as it relates to the Client Personal Data, defer to and take instructions from Data ControllerClient, as Data Controller Client has the sole right to determine the measures that it will take to comply with Applicable Data Protection Laws or remediate any risk, including without limitation: i. whether notice is to be provided to any individuals, regulators, law enforcement agencies, consumer reporting agencies, or others as required Applicable Data Protection Laws, or in Data ControllerClient's discretion; and ii. the contents of such notice, whether any type of remediation may be offered to affected Client Data Subjects, and the nature and extent of any such remediation.

Personal Data Breach. 11.1 The Data Controller acknowledge Client acknowledges and agree agrees that the Data Processor Swizzonic shall not be deemed responsible for Personal Data Breach not imputable to the Data ProcessorSwizzonic’s negligence. 11.2 If the Data Processor Swizzonic becomes aware of a Personal Data Breach, it will: a) take appropriate actions to contain and mitigate such Personal Data Breach, including notifying the Data ControllerClient, without undue delay, to enable the Data Controller Client to expeditiously implement its response program. Notwithstanding the above, the Data Processor Swizzonic reserves the right to determine the measures it will take to comply with Applicable Data Protection Laws or to protect its rights and interests; b) cooperate with the Data Controller Client to investigate: the nature, the categories and approximate number of Data Subjects concerned, the categories and approximate number of Personal Data records concerned and the likely consequences of any such Personal Data Breach in a manner which is commensurate with its seriousness and its overall impact on the Data Controller Client and the delivery of the Service under this DPA; c) where Applicable Data Protection Laws require notification to relevant Supervisory Authorities and impacted Data Subjects of such a Personal Data Breach, and as it relates to the Client Personal Data, defer to and take instructions from Data ControllerClient, as Data Controller has the sole right to determine the measures that it will take to comply with Applicable Data Protection Laws or remediate any risk, including without limitation: i. whether notice is to be provided to any individuals, regulators, law enforcement agencies, consumer reporting agencies, or others as required Applicable Data Protection Laws, or in Data ControllerClient's discretion; and ii. the contents of such notice, whether any type of remediation may be offered to affected Client Data Subjects, and the nature and extent of any such remediation.

Personal Data Breach. 11.1 The Data Controller acknowledge Client acknowledges and agree agrees that the Data Processor Register shall not be deemed responsible for Personal Data Breach not imputable to the Data ProcessorRegister’s negligence. 11.2 If the Data Processor Register becomes aware of a Personal Data Breach, it will: a) take appropriate actions to contain and mitigate such Personal Data Breach, including notifying the Data ControllerClient, without undue delay, to enable the Data Controller Client to expeditiously implement its response program. Notwithstanding the above, the Data Processor Register reserves the right to determine the measures it will take to comply with Applicable Data Protection Laws or to protect its rights and interests; b) cooperate with the Data Controller Client to investigate: the nature, the categories and approximate number of Data Subjects concerned, the categories and approximate number of Personal Data records concerned and the likely consequences of any such Personal Data Breach in a manner which is commensurate with its seriousness and its overall impact on the Data Controller Client and the delivery of the Service under this DPA; c) where Applicable Data Protection Laws require notification to relevant Supervisory Authorities and impacted Data Subjects of such a Personal Data Breach, and as it relates to the Client Personal Data, defer to and take instructions from Data ControllerClient, as Data Controller has the sole right to determine the measures that it will take to comply with Applicable Data Protection Laws or remediate any risk, including without limitation: i. whether notice is to be provided to any individuals, regulators, law enforcement agencies, consumer reporting agencies, or others as required Applicable Data Protection Laws, or in Data ControllerClient's discretion; and ii. the contents of such notice, whether any type of remediation may be offered to affected Client Data Subjects, and the nature and extent of any such remediation.

Personal Data Breach. 11.1 The Data Controller Client acknowledge and agree that the Data Processor Swizzonic shall not be deemed responsible for Personal Data Breach not imputable to the Data ProcessorSwizzonic’s negligence. 11.2 If the Data Processor Swizzonic becomes aware of a Personal Data Breach, it will: a) take appropriate actions to contain and mitigate such Personal Data Breach, including notifying the Data ControllerClient, without undue delay, to enable the Data Controller Client to expeditiously implement its response program. Notwithstanding the above, the Data Processor Swizzonic reserves the right to determine the measures it will take to comply with Applicable Data Protection Laws or to protect its rights and interests; b) cooperate with the Data Controller Client to investigate: the nature, the categories and approximate number of Data Subjects concerned, the categories and approximate number of Personal Data records concerned and the likely consequences of any such Personal Data Breach in a manner which is commensurate with its seriousness and its overall impact on the Data Controller Client and the delivery of the Service under this DPA; c) where Applicable Data Protection Laws require notification to relevant Supervisory Authorities and impacted Data Subjects of such a Personal Data Breach, and as it relates to the Client Personal Data, defer to and take instructions from Data ControllerClient, as Data Controller Client has the sole right to determine the measures that it will take to comply with Applicable Data Protection Laws or remediate any risk, including without limitation: i. whether notice is to be provided to any individuals, regulators, law enforcement agencies, consumer reporting agencies, or others as required Applicable Data Protection Laws, or in Data ControllerClient's discretion; and ii. the contents of such notice, whether any type of remediation may be offered to affected Client Data Subjects, and the nature and extent of any such remediation.

Personal Data Breach. 11.1 The Data Controller acknowledge and agree that the Data Processor 9.1 Supplier shall not be deemed responsible for notify Customer without undue delay upon Supplier becoming aware of a Personal Data Breach not imputable affecting Customer Personal Data. Supplier shall provide Customer with information reasonably necessary to allow Customer to comply with notification obligations under Applicable Data Protection Laws. The notification, at a minimum, shall include: (i) the types of Customer Personal Data Processor’s negligencethat were or are reasonably believed to be the subject of the Personal Data Breach; (ii) the date or estimated date of the Personal Data Breach; (iii) a general description of the Personal Data Breach; (iv) the approximate number of impacted Data Subjects; (v) the likely consequences of the Personal Data Breach; and (vi) the steps Supplier has taken to remediate the Personal Data Breach. 11.2 If 9.2 In the Data Processor becomes aware event of a Personal Data Breach, Supplier is not authorized to notify a data protection or other authority of the Data Subjects concerned or any other third parties unless Supplier is required to do so under Applicable Data Protection Laws. In such event, Supplier shall, to the extent permitted under Applicable Data Protection Laws, liaise and coordinate with Customer prior to making a notification. 9.3 If it will: a) take appropriate actions to contain and mitigate such is determined that Supplier or a Sub-Processor is responsible for the Personal Data Breach, including notifying Supplier shall review the Data Controllerapplicable technical and organizational measures and, without undue delayif needed, make appropriate changes to enable the Data Controller to expeditiously implement its response program. Notwithstanding the above, the Data Processor reserves the right to determine the measures it will take to comply with Applicable Data Protection Laws or to protect its rights and interests; b) cooperate with the Data Controller to investigate: the nature, the categories and approximate number of Data Subjects concerned, the categories and approximate number of Personal Data records concerned and the likely consequences of any prevent such Personal Data Breach from occurring in a manner which is commensurate with its seriousness and its overall impact on the Data Controller and the delivery of the Service under this DPA; c) where Applicable Data Protection Laws require notification to relevant Supervisory Authorities and impacted Data Subjects of such a Personal Data Breachfuture. Further, and as it relates to the Client Personal Data, defer to and take instructions from Data Controller, as Data Controller has Supplier agrees that Customer shall have the sole right to determine the measures that it will take to comply with Applicable Data Protection Laws or remediate any risk, including without limitation: i. determine: (i) whether notice of the Personal Data Breach is to be provided to any individualsData Subjects, regulators, law enforcement agencies, consumer reporting agencies, or others as required by law (including Applicable Data Protection Laws, or in Data Controller's discretion); and and (ii. ) the contents of such notice, whether any type of remediation may be offered to affected Client Data Subjects, and the nature and extent of any such remediation.

Personal Data Breach. 11.1 The Data Controller acknowledge and agree (a) If HotDeskPlus becomes aware, or believes or suspects, that the Data Processor shall not be deemed responsible for a Personal Data Breach not imputable has or may have occurred in relation to any Relevant Data, HotDeskPlus must: (i) immediately notify the Data Processor’s negligence. 11.2 If Customer in writing and provide the Data Processor becomes aware of a Customer with all known details relating to that actual or suspected Personal Data Breach, it will:; a(ii) take appropriate actions cooperate and comply with all reasonable directions of the Customer in relation to contain and mitigate such that actual or suspected Personal Data Breach, including notifying ; (iii) promptly take all reasonable steps to rectify or remedy that actual or suspected Personal Data Breach where possible; and (iv) cooperate with the Data Controller, without undue delay, to enable Customer in: (A) the Data Controller to expeditiously implement its response program. Notwithstanding resolution of any complaint alleging a breach of the above, the Data Processor reserves the right to determine the measures it will take to comply with Applicable Data Protection Laws or to protect its rights and interestsregarding the Relevant Data; b(B) cooperate with assisting the Data Controller Customer to investigate: meet their obligation under clause 11(b) of this Addendum to notify the nature, occurrence of the categories and approximate number of Data Subjects concerned, the categories and approximate number of Personal Data records concerned and the likely consequences of any such Personal Data Breach in that affects or relates to Relevant Data to the Supervisory Authority and to affected Data Subjects, but only where the Customer determines that such a manner which is commensurate with its seriousness and its overall impact on the Data Controller and the delivery of the Service under this DPA; c) where notification would be required by Applicable Data Protection Laws require notification Laws; and (C) any investigation by the Customer or the Supervisory Authority or other competent data privacy authorities relating to relevant Supervisory Authorities and impacted Data Subjects of such a the Personal Data Breach, and as it Breach that affects or relates to Relevant Data. (b) If the Client Customer determines that notification of the Personal Data, defer to and take instructions from Data Controller, as Data Controller has the sole right to determine the measures that it will take to comply with Applicable Data Protection Laws or remediate any risk, including without limitation: i. whether notice is to Breach would be provided to any individuals, regulators, law enforcement agencies, consumer reporting agencies, or others as required by Applicable Data Protection Laws, or the Customer will prepare a proposed statement in accordance with Applicable Data Controller's discretion; and ii. Protection Laws, obtain HotDeskPlus' written approval to that statement and the contents method of notification for issuing such notice, whether any type of remediation may be offered statement to affected Client Data Subjects, Subjects and the nature Supervisory Authority, and, when such written approval is received, issue the statement to affected individuals and extent the Supervisory Authority on behalf of any such remediationitself and HotDeskPlus.

Personal Data Breach. 11.1 The 11.1. Data Controller acknowledge acknowledges and agree agrees that the Data Processor shall will not be deemed held responsible for any Personal Data Breach Breaches which are not imputable to the Data Processor’s negligencenegligence or wilful misconduct. 11.2 11.2. If the Data Processor becomes aware of a Personal Data Breach, it will: a) take appropriate actions to contain and mitigate such the Personal Data Breach, including notifying Data Controller as soon as possible, but in no event later than forty-eight (48) hours after Data Processor becomes aware of the Personal Data ControllerBreach, without undue delay, in order to enable the Data Controller to expeditiously implement its response programprogramme. Notwithstanding the above, the Data Processor reserves the right to determine the measures it will take to comply with the Applicable Data Protection Laws or to protect its own rights and interests; b) cooperate with the Data Controller to investigate: investigate the nature, categories and approximate number of affected Data Subjects, the categories and approximate number of Data Subjects concerned, the categories and approximate number of affected Personal Data records concerned and the likely consequences of any such the Personal Data Breach Breach, in a manner which is commensurate with its seriousness and its overall impact on the Data Controller and the delivery provision of the Service under this DPA; c) where the Applicable Data Protection Laws require notification that the Personal Data Breach be notified to relevant Supervisory Authorities and impacted affected Data Subjects of such a Personal Data Breach, and as it relates to the Client Personal DataSubjects, defer to and take instructions from Data Controller, as to the extent in which Client Personal Data is involved in the Personal Data Breach –Data Controller has the sole right is exclusively entitled to determine the measures that it will take to be taken in order to comply with the Applicable Data Protection Laws or to remediate any risk, including including, without limitation: i. whether notice is to be provided to any individuals, regulators, law enforcement agencies, consumer reporting agencies, or others others, as may be required by the Applicable Data Protection Laws, or in at Data Controller's discretion; and ii. the contents of such notice, whether any type of remediation may be offered to affected Client Data SubjectsSubjects under the Client’s responsibility, and the nature and extent of any such remediation.

Personal Data Breach. 11.1 6.1 The Data Controller acknowledge and agree that Processor will, without undue delay, notify the Data Processor shall not be deemed responsible for Customer if any Personal Data Breach not imputable to the is lost or destroyed or becomes damaged, corrupted, or unusable. The Processor will restore such Personal Data Processor’s negligenceat its own expense. 11.2 If 6.2 The Processor will within 12 hours and without undue delay notify the Customer if it becomes aware of any Personal Data Breach.‌ 6.3 Where the Processor becomes aware of a Personal Data Breach, it will: a) take appropriate actions to contain and mitigate such Personal Data Breach, including notifying the Data Controllershall, without undue delay, to enable also provide the Data Controller to expeditiously implement its response program. Notwithstanding the above, the Data Processor reserves the right to determine the measures it will take to comply with Applicable Data Protection Laws or to protect its rights and interests; b) cooperate Customer with the Data Controller to investigate: following information: (a) description of the naturenature of (a) and/or (b), including the categories and approximate number of both Data Subjects concerned, the categories and approximate number of Personal Data records concerned and concerned; (b) the likely consequences consequences; and (c) description of the measures taken, or proposed to be taken to address (a) and/or (b), including measures to mitigate its possible adverse effects. 6.4 Immediately following any such unauthorised or unlawful Personal Data processing or Personal Data Breach, the parties will co-ordinate with each other to investigate the matter. The Processor will reasonably co-operate with the Customer in the Customer's handling of the matter, including:‌ (a) assisting with any investigation; (b) providing the Customer with physical access to any facilities and operations affected; (c) facilitating interviews with the Processor's employees, former employees and others involved in the matter; (d) making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by the Customer; and (e) taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach in a manner which is commensurate with its seriousness and its overall impact on or unlawful Personal Data processing. 6.5 The Processor will not inform any third party of any Personal Data Breach without first obtaining the Data Controller and Customer's prior written consent, except when required to do so by law. 6.6 The Processor agrees that the delivery Customer has the sole right to determine:‌ (a) whether to provide notice of the Service Personal Data Breach to any Data Subjects, supervisory authorities, regulators, law enforcement agencies or others, as required by law or regulation or in the Customer's discretion, including the contents and delivery method of the notice; and (b) whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy. 6.7 The Processor will cover all reasonable expenses associated with the performance of the obligations under clause 6.2 and clause 6.4 unless the matter arose from the Customer's specific instructions, negligence, wilful default or breach of this DPA;Agreement, in which case the Customer will cover all reasonable expenses. c) where Applicable 6.8 The Processor will also reimburse the Customer for actual reasonable expenses that the Customer incurs when responding to a Personal Data Protection Laws require notification Breach to relevant Supervisory Authorities and impacted Data Subjects of the extent that the Processor caused such a Personal Data Breach, including all costs of notice and any remedy as it relates to the Client Personal Data, defer to and take instructions from Data Controller, as Data Controller has the sole right to determine the measures that it will take to comply with Applicable Data Protection Laws or remediate any risk, including without limitation: i. whether notice is to be provided to any individuals, regulators, law enforcement agencies, consumer reporting agencies, or others as required Applicable Data Protection Laws, or set out in Data Controller's discretion; and ii. the contents of such notice, whether any type of remediation may be offered to affected Client Data Subjects, and the nature and extent of any such remediationclause 6.6.

Personal Data Breach. 11.1 The Data Controller acknowledge and agree that the Data Processor shall not be deemed responsible for 6.1. In respect of any Personal Data Breach not imputable or any suspected Personal Data Breach which is related to the Data Processor’s negligence.terms of this Agreement, the Provider shall: 11.2 If (a) notify Keyloop without undue delay and provide Keyloop with such details as it reasonably requires, including: i. a description of the Data Processor becomes aware nature of a the Personal Data Breach, it will: a) take appropriate actions to contain and mitigate such Breach or suspected Personal Data Breach, including notifying the categories and approximate numbers of Data ControllerSubjects and Personal Data records concerned; ii. the likely consequences of the Personal Data Breach or suspected Personal Data Breach; iii. a description of the measures taken or proposed to be taken to address the Personal Data Breach, including measures to mitigate its possible adverse effects. Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay. (b) restore any lost, to enable the destroyed, damaged, corrupted or unusable Personal Data Controller to expeditiously implement at its response programown expense as soon as possible. 6.2. Notwithstanding the aboveImmediately following any Personal Data Breach, the Data Processor reserves Parties shall co-ordinate with each other to investigate the right matter. The Provider shall reasonably co-operate with Keyloop (including the End Customer where applicable), in Keyloop’s handling of the matter, including but not limited to, where necessary: (a) assisting with the investigation and obtaining information required by Supervisory Authorities; (b) providing Keyloop with physical access to determine any facilities and operations affected; (c) facilitating interviews with the measures it will take Provider’s employees, former employees and others involved in the matter, including its officers and directors; (d) making available all relevant records, logs, files, data reporting and other materials required to comply with Applicable all Data Protection Laws or as otherwise reasonably required by Keyloop; and (e) taking reasonable and prompt steps to protect its rights mitigate the effects and interests; b) cooperate with to minimise any damage resulting from the Data Controller to investigate: the nature, the categories and approximate number of Data Subjects concerned, the categories and approximate number of Personal Data records concerned and the likely consequences Breach. 6.3. The Provider will not inform any third-party (including any Data Subject) of any such Personal Data Breach in a manner which is commensurate with its seriousness and its overall impact on the Data Controller and the delivery of the Service without first obtaining Keyloop's written consent except where required to do so under this DPA; c) where Applicable Data Protection Laws require notification to relevant Supervisory Authorities and impacted Data Subjects of such a Personal Data Breach, and as it relates to the Client Personal Data, defer to and take instructions from Data Controller, as Data Controller has the sole right to determine the measures that it will take to comply with Applicable any applicable Data Protection Laws or remediate any risk, including without limitation: i. where required to inform its advisors engaged with respect to the investigation or remediation of the Personal Data Breach or to inform its insurers. The Provider agrees that Keyloop (or the End Customer where applicable) has the sole responsibility for determining whether and how notice of the Personal Data Breach is to be provided to any individualsData Subjects or any Supervisory Authority, regulators, law enforcement agencies, consumer reporting agencies, or others as required Applicable Data Protection Laws, or in Data Controller's discretion; and ii. including the contents and delivery of such notice, whether any type of remediation may be offered to affected Client Data Subjects, and the nature and extent of any such remediation.

Personal Data Breach. 11.1 The Data Controller acknowledge and agree that the Data Processor shall not be deemed responsible for Personal Data Breach not imputable to the Data Processor’s negligence. 11.2 If the Data Processor becomes aware of a Personal Data Breach, it will: a) take appropriate actions to contain and mitigate such Personal Data Breach, including notifying the Data Controller, Controller without undue delay, to enable the Data Controller to expeditiously implement its response program. Notwithstanding the above, the Data Processor reserves the right to determine the measures it will take to comply with Applicable Data Protection Laws or to protect its rights and interests; b) cooperate with the Data Controller to investigate: the nature, the categories and approximate number of Data Subjects concerned, the categories and approximate number of Personal Data records concerned and the likely consequences of any such Personal Data Breach in a manner which is commensurate with its seriousness and its overall impact on the Data Controller and the delivery of the Service under this DPA; c) where Applicable Data Protection Laws require notification to relevant Supervisory Authorities and impacted Data Subjects of such a Personal Data Breach, and as it relates to the Client Personal Data, defer to and take instructions from Data Controller, as Data Controller has the sole right to determine the measures that it will take to comply with Applicable Data Protection Laws or remediate any risk, including without limitation: i. whether notice is to be provided to any individuals, regulators, law enforcement agencies, consumer reporting agencies, or others as required Applicable Data Protection Laws, or in Data Controller's discretion; and ii. the contents of such notice, whether any type of remediation may be offered to affected Client Data Subjects, and the nature and extent of any such remediation.

Personal Data Breach. 11.1 The Data Controller acknowledge and agree that In the case of a personal data breach (incident) the Data Processor processor shall not be deemed responsible for Personal Data Breach not imputable to the Data Processor’s negligence. 11.2 If the Data Processor becomes aware of a Personal Data Breach, it will: a) take appropriate actions to contain and mitigate such Personal Data Breach, including notifying the Data Controller, without undue delay, not later than 24 hours after having become aware of it, notify the personal data breach to enable the Data Controller controller whether or not it is likely result in a high risk to expeditiously implement its response program. Notwithstanding the above, the Data Processor reserves the right to determine the measures it will take to comply with Applicable Data Protection Laws or to protect its rights and interests; b) cooperate with freedoms of natural persons. The Data processor’s notification of a personal data breach shall at least include the Data Controller to investigatefollowing information: the naturecontact details of the data protection officer or other contact person who can provide more information; brief description of the incident, including the expected consequences of the personal data breach for persons; description of the personal data affected, including, where possible, the categories and approximate number of relevant personal data records; description of the measures taken or proposed by the Data Subjects concernedprocessor to eliminate the security breach of personal data, including, where appropriate, measures to mitigate its potential negative consequences. Upon instruction from the Data controller the Data processor must promptly resolve the problem and prevent further damage, as well as mitigate the consequences of the personal data breach (incident) and take remedial actions to prevent similar incidents. The Data processor shall document all personal data breaches, suspected breaches, including the facts related to the personal data breach, its effects and the remedial actions taken. On request from the Data controller, the categories Data processor shall provide these documents to the Data controller. The Data processor shall also provide all possible assistance to the Data controller which is necessary to properly inform the data subjects of the personal data breach. Data protection impact assessment and approximate number prior consultation. The Data processor undertakes to provide the Data controller with the required assistance when carrying out a data protection impact assessment of the data processing operations, including the provision of any technical and other available information necessary for such assessment on the carried out or planned processing and consultations on these matters. When the Data controller consults the supervisory authority pursuant to Article 36 of the GDPR, the Data processor shall provide any available information required for consultation. The Data Processor shall comply with the requirements set forth in Articles 28(2) and 28(4) of Regulation (EU) 2016/679 in order to engage another data processor (hereinafter referred to as the “Sub-processor”). The Data controller authorises the Data processor to engage the Sub-processor(s) named in Annex No. 1 “Personal data processing instructions” hereto. Prior to engaging a new Sub-processor or replacing the existing Sub-processor the Data records concerned processor shall inform the Data controller in writing (by email ▇▇▇@▇▇▇.▇▇) and shall provide the Sub-processor’s contact details and other information related to the data processing activities as may be requested by the Data controller. If the Data controller disagrees with engaging of the new Subprocessor, it shall be entitled to unilaterally, without suffering any additional losses, to terminate the Main Agreement. The Data processor undertakes to use only Sub-processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the Data protection laws and ensure the protection of the data subjects rights. Where the Data processor uses the Sub-processor for carrying out specific processing activities, the Data processor undertakes to ensure that the same or more stringent requirements than those set out in this Agreement shall be imposed by way of a written contract between the Data processor and the likely consequences Subprocessor. Upon request from the Data controller the Data processor shall submit copies of these contracts. Prior to processing, the data processor shall inform the Sub-processor of the identity and contact details of the Data Controller for which the sub-processor processes personal data. Upon request of the Data Controller, a copy of the contract with a sub-processor and subsequent amendments thereto, shall be provided to the Data Controller, thus, enabling the Data Controller to ensure that the sub-processor was subject to the same data protection obligations as laid down by the Agreement. The Data Processor shall notify the Data Controller of any such Personal failure by the sub-processor to fulfil its obligations under that contract or other legal act binding on sub-processor. The Data Breach in a manner Processor is not obliged to provide the provisions of the data processing agreement on the business-related issues which is commensurate with its seriousness and its overall do not have an impact on the terms and conditions of the legal protection of personal data of the contract concluded with the sub-processor. The Data Processor shall agree on a third-party beneficiary clause with a sub-processor (if any) providing that in case of bankruptcy of the primary Data Processor, the Data Controller shall be entitled to enforce the data processing agreement directly against the sub-processor engaged by the primary Data Processor and/or issue direct instructions on processing, for example, instruct the sub-processor to delete or return personal data. The data processor shall be responsible for requiring that the sub-processor at least complies with the obligations to which the data processor is subject pursuant to the Agreement and the GDPR. If the sub-processor fails to fulfil the personal data protection obligations, the primary Data Processor with which/whom data processing agreement is concluded shall remain fully liable towards the Data Controller for fulfilment of the sub-processor’s obligations. This shall not affect the data subjects’ rights provided for in Regulation (EU) 2016/679, in particular, the rights provided for in Articles 79 and 82 of Regulation (EU) 2016/679 in respect of the Data Controller and the delivery Data Processor including the rights in respect of the Service under this DPA; c) sub-processors. The Data controller shall be entitled to request the Data processor to audit the Subprocessor used by it or provide confirmation that such audit has been performed or, where Applicable available, obtains or assists the Data Protection Laws require notification controller in obtaining a third-party audit report on the operations of the used Subprocessor in order to relevant Supervisory Authorities and impacted ensure compliance with the requirements of the Data Subjects of such a Personal Data Breach, and as it relates to the Client Personal Data, defer to and take instructions from Data Controller, as Data Controller has the sole right to determine the measures that it will take to comply with Applicable Data Protection Laws or remediate any risk, including without limitation: i. whether notice is to be provided to any individuals, regulators, law enforcement agencies, consumer reporting agencies, or others as required Applicable Data Protection Laws, or in Data Controller's discretion; and ii. the contents of such notice, whether any type of remediation may be offered to affected Client Data Subjects, and the nature and extent of any such remediationprotections laws.