Common use of Processing of Company Personal Data Clause in Contracts

Processing of Company Personal Data. 3.1 Vendor and each Vendor Affiliate shall: 3.1.1 comply with all applicable Data Protection Laws in the Processing of Company Personal Data; and 3.1.2 not Process Company Personal Data other than on the relevant Company Group Member’s documented instructions unless Processing is required by Applicable Laws to which the relevant Contracted Processor is subject, in which case Vendor or the relevant Vendor Affiliate shall to the extent permitted by Applicable Laws inform the relevant Company Group Member of that legal requirement before the relevant Processing of that Personal Data. 3.2 Each Company Group Member: 3.2.1 instructs Vendor and each Vendor Affiliate (and authorises Vendor and each Vendor Affiliate to instruct each Subprocessor) to: 3.2.1.1 Process Company Personal Data; and 3.2.1.2 in particular, transfer Company Personal Data to any country or territory, as reasonably necessary for the provision of the Services and consistent with the Principal Agreement; and 3.2.2 warrants and represents that it is and will at all relevant times remain duly and effectively authorised to give the instruction set out in section 3.2.1 on behalf of each relevant Company Affiliate. 3.3 Annex 1 to this Addendum sets out certain information regarding the Contracted Processors' Processing of the Company Personal Data as required by article 28(3) of the GDPR (and, possibly, equivalent requirements of other Data Protection Laws). Company may make reasonable amendments to Annex 1 by written notice to Vendor from time to time as Company reasonably considers necessary to meet those requirements. Nothing in Annex 1 (including as amended pursuant to this section 3.3) confers any right or imposes any obligation on any party to this Addendum. 3.4 It is hereby clarified and implied for the purposes of this Data Protection Addendum, that the Company has obtained sufficient authorization and written consent from its Data Subjects for the Personal Data provided to the Vendor or entered into Vendor’s systems/software, SaaS etc. It is further clarified that the Company also acts as a single point of contact and is solely responsible for obtaining any relevant authorizations, consents and permissions for the processing of Personal Data in accordance with this Addendum to use Vendor as a Processor.

Processing of Company Personal Data. 3.1 Vendor and each Vendor Affiliate shall: 3.1.1 comply with all applicable Data Protection Laws in the Processing of Company Personal Data; and 3.1.2 not Process Company Personal Data other than on the relevant Company Group Member’s documented instructions pursuant to the Company Group Member’s specified business purpose unless Processing is required by Applicable Laws to which the relevant Contracted Processor is subject, in which case Vendor or the relevant Vendor Affiliate shall to the extent permitted by Applicable Laws inform the relevant Company Group Member of that legal requirement before the relevant Processing of that Personal Data. Without limiting the foregoing, Vendor shall not sell, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate orally, in writing, or by electronic or other means, any Company Personal Data to another business or a third party for monetary or other valuable consideration. 3.2 Vendor and each Vendor Affiliate hereby certifies that it understands its contractual restrictions under Section 3.1 and shall comply with them. 3.3 Each Company Group Member: 3.2.1 3.3.1 instructs Vendor and each Vendor Affiliate (and authorises Vendor and each Vendor Affiliate to instruct each Subprocessor) to: 3.2.1.1 3.3.1.1 Process Company Personal Data; and 3.2.1.2 3.3.1.2 in particular, transfer Company Personal Data to any country or territory, as reasonably necessary for the provision of the Services and consistent with the Principal Agreement; and 3.2.2 3.3.2 warrants and represents that it is and will at all relevant times remain duly and effectively authorised to give the instruction set out in section 3.2.1 on behalf of each relevant Company Affiliate. 3.3 3.4 Annex 1 to this Addendum sets out certain information regarding the Contracted Processors' Processing of the Company Personal Data as required by article 28(3) of the GDPR (and, possibly, equivalent requirements of other Data Protection Laws). Company may make reasonable amendments to Annex 1 by written notice to Vendor from time to time as Company reasonably considers necessary to meet those requirements. Nothing in Annex 1 (including as amended pursuant to this section 3.3) confers any right or imposes any obligation on any party to this Addendum. 3.4 It is hereby clarified 3.5 Company acknowledges and implied for the purposes of this Data Protection Addendumagrees that Vendor does not require or "pull" any specific data from Company, that Company controls which data, and content, is input through the use of the Vendor’s services and which data is sent and to whom such data is sent, and that Vendor has no obligation to monitor the content of any data. Company has obtained sufficient authorization shall be responsible for procuring any necessary consents and written consent from its Data Subjects for making any notifications under applicable law with respect to the provision of Company Personal Data provided to the Vendor or entered into Vendor’s systems/software, SaaS etc. It is further clarified that the Company also acts as a single point of contact and is solely responsible for obtaining any relevant authorizations, consents and permissions for the processing of such Company Personal Data in accordance by Vendor. 3.6 Company acknowledges and agrees that (a) Vendor’s system is not intended to transmit Sensitive Data (as hereinafter defined), or health-related or financial-related information (including nonpublic information collected by financial institutions subject to regulations specific to the conduct of financial services), and (b) that Vendor shall have no obligations with this Addendum respect to use Vendor as a Processorprivacy regulations for data other than Standard Personal Information. Company agrees that it shall not, under any circumstances, transmit any Sensitive Data to or through Vendor’s services.

Processing of Company Personal Data. 3.1 4.1 Vendor and each Vendor Affiliate shall:shall:‌ 3.1.1 4.1.1 comply with all applicable requirements of the Data Protection Laws in the Processing of Company Personal Data; and 3.1.2 4.1.2 not Process access or use Company Personal Data except as necessary to maintain or provide the Services for which the Principal Agreement was signed, or as necessary to comply with Applicable Laws. 4.1.3 not Process, Company Personal Data other than on the relevant Company Group Member’s documented written instructions unless Processing is required by Applicable Laws to which the relevant Contracted Processor is subject, in which case Vendor or the relevant Vendor Affiliate shall to the extent permitted by Applicable Laws inform the relevant Company Group Member of that legal requirement before the relevant Processing of that Personal Data, 4.2 Company is entitled to terminate this Addendum and the Principal Agreement if Vendor declines to follow instructions requested by Customer that are outside the scope of, or changed from, those give or agreed to be given in this Addendum. 3.2 4.3 Each Company Group Member: 3.2.1 4.3.1 instructs Vendor and each Vendor Affiliate (and authorises Vendor and each Vendor Affiliate to instruct each Subprocessor) to:to:‌ 3.2.1.1 4.3.1.1 Process Company Personal DataData in accordance with this Addendum and the Principal Agreement; and 3.2.1.2 in particular4.3.1.2 subject to section 10 of this Addendum, transfer Company Personal Data to any country or territory, as reasonably necessary for the provision of the Services and consistent with the Principal Agreement; and 3.2.2 4.3.2 warrants and represents that it is and will at all relevant times remain duly and effectively authorised to give the instruction set out in section 3.2.1 4.3.1 on behalf of each relevant Company Affiliate. 3.3 4.4 Annex 1 to this Addendum sets out certain information regarding the Contracted Processors' Processing of the Company Personal Data as required by article 28(3) of the GDPR (and, possibly, equivalent requirements of other Data Protection Laws). Company may make reasonable amendments to Annex 1 by written notice to Vendor from time to time as Company reasonably considers necessary to meet those requirements. Nothing in Annex 1 (including as amended pursuant to this section 3.34.3) confers any right or imposes any obligation on any party to this Addendum. 3.4 It is hereby clarified and implied for the purposes of this Data Protection Addendum, that the Company has obtained sufficient authorization and written consent from its Data Subjects for the Personal Data provided to the Vendor or entered into Vendor’s systems/software, SaaS etc. It is further clarified that the Company also acts as a single point of contact and is solely responsible for obtaining any relevant authorizations, consents and permissions for the processing of Personal Data in accordance with this Addendum to use Vendor as a Processor.

Processing of Company Personal Data. 3.1 Vendor and each Vendor Affiliate shall‌ 2.1 The Company warrants to OnSolve that: 3.1.1 comply 2.1.1 it has all necessary rights to authorise OnSolve to process Company Personal Data in accordance with all applicable this Agreement and the Data Protection Laws in the Processing Laws; and 2.1.2 its instructions to OnSolve relating to processing of Company Personal Data; and 3.1.2 Data will not Process Company Personal put OnSolve in breach of Data other than on the relevant Company Group Member’s documented instructions unless Processing is required by Applicable Laws to which the relevant Contracted Processor is subject, in which case Vendor or the relevant Vendor Affiliate shall to the extent permitted by Applicable Laws inform the relevant Company Group Member of that legal requirement before the relevant Processing of that Personal DataProtection Laws. 3.2 Each Company Group Member: 3.2.1 instructs Vendor and each Vendor Affiliate (and authorises Vendor and each Vendor Affiliate to instruct each Subprocessor) to: 3.2.1.1 Process Company Personal Data; and 3.2.1.2 in particular, transfer Company Personal Data to any country or territory, as reasonably necessary for the provision of the Services and consistent with the Principal Agreement; and 3.2.2 warrants and represents that it is and will at all relevant times remain duly and effectively authorised to give the instruction set out in section 3.2.1 on behalf of each relevant Company Affiliate. 3.3 Annex 2.2 Schedule 1 to this Addendum sets out certain information regarding the Contracted Processors' Processing of the Company Personal Data instructions, as required by article 28(3) of the GDPR (and, possibly, and the UK GDPR and equivalent requirements of other Data Protection Laws). Company may make reasonable amendments to Annex 1 by written notice to Vendor from time to time as Company reasonably considers necessary to meet those requirements. Nothing in Annex Schedule 1 (including as amended pursuant to this section 3.32.3) confers any right or imposes any obligation on any party to this Addendum. 3.4 It 2.3 OnSolve shall: 2.3.1 comply with all applicable Data Protection Laws in the Processing of Company Personal Data; 2.3.2 provide the same level of privacy protection to Personal Data as required of the Company under all applicable Data Protection Laws; 2.3.3 not further collect, sell, use, retain, disclose or otherwise Process Company Personal Data other than on the Company’s documented instructions pursuant to the Company’s specified business purpose, unless Processing is hereby clarified required by applicable laws to which the relevant Contracted Processor is subject, in which case OnSolve shall, to the extent permitted by applicable laws, inform the Company of that legal requirement before the relevant Processing of that Personal Data; 2.3.4 not sell Personal Data on behalf of the Company when a Data Subject has opted-out of the sale of their Personal Information with the Company under applicable Data Protection Laws, regardless of the instruction of the Company; 2.3.5 not sell, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate orally, in writing, or by electronic or other means, any Company Personal Data outside of the business relationship between OnSolve and implied the Company and in no event to another business or a third party for monetary or other valuable consideration unless expressly permitted by Data Protection Laws; 2.3.6 not Process any Personal Data for the purposes of this cross-contextual behavioral advertising, as that term is defined and interpreted under Data Protection AddendumLaws; 2.3.7 not combine Company Personal Data with Personal Data it receives from or on behalf of another person or persons, or that it collects from its own interactions; and 2.3.8 notify the Company has obtained sufficient authorization within five business days if it makes the determination that it can no longer meet its obligations under applicable Data Protection Laws or this Addendum. 2.4 OnSolve hereby certifies that it understands its contractual restrictions under Section 2.3 and written consent from its shall comply with them. 2.5 Each Party shall be individually responsible for complying with the obligations imposed on it by Data Subjects Protection Laws. Neither Party shall be liable for the Personal other Party’s failure to comply with Data provided to the Vendor or entered into Vendor’s systems/software, SaaS etc. It is further clarified that the Company also acts as a single point of contact and is solely responsible for obtaining any relevant authorizations, consents and permissions for the processing of Personal Data in accordance with this Addendum to use Vendor as a ProcessorProtection Laws.

Processing of Company Personal Data. 3.1 3.1. Each Contracted Vendor and each Vendor Affiliate shall: 3.1.1 3.1.1. comply with all applicable Data Protection Applicable Laws in the Processing of Company Personal Data; 3.1.2. if required by GDPR Article 30, maintain a record of all Processing activities carried out on Company Personal Data; and 3.1.2 not 3.1.3. only Process Company Personal Data other than on as instructed by the relevant Company Group Member’s documented instructions , unless such Processing is required by Applicable Laws to which the relevant Contracted Processor is subject, in which case the Contracted Vendor or the relevant Vendor Affiliate shall to the extent permitted by Applicable Laws inform the relevant Company Group Member of that legal requirement (to the extent permitted by the Applicable Laws) before the relevant Processing of that Company Personal Data, or unless such instruction is, in the Contracted Vendor’s good faith belief, violative of Applicable Laws, in which case the Contracted Vendor will immediately notify Company that it is unable to comply with said instruction. 3.2 3.2. Each Company Group MemberMember hereby: 3.2.1 3.2.1. instructs Vendor Contracted Vendor, only as necessary to provide, and each Vendor Affiliate (and authorises Vendor and each Vendor Affiliate to instruct each Subprocessor) to:in furtherance of, the Services, to:‌ 3.2.1.1 3.2.1.1. Process Company Personal Data; and 3.2.1.2 in particular, 3.2.1.2. transfer Company Personal Data to any country or territory, as reasonably necessary for the provision of the Services provided that, if necessary, an Appropriate Safeguard is in place before any such transfer takes place; 3.2.2. agrees that it shall, at all times relevant to this Agreement, comply with all Applicable Laws; 3.2.3. represents and consistent with the Principal Agreement; and 3.2.2 warrants and represents that it is and will at all relevant times remain duly and effectively authorised authorized to give the instruction set out in section Section 3.2.1 on behalf of each relevant Company Affiliate; and 3.2.4. represents and warrants that it will determine an appropriate legal basis, or bases, for the Processing of Company Personal Data which is necessary to perform the Services, and will upon request by Vendor provide proof of the legal basis/bases for processing, as well as compliance with Applicable Laws. 3.3 Annex 1 3.3. Pursuant to this Addendum sets out certain information regarding GDPR Article 28(3), Company agrees that the Contracted Processors' Processing descriptions of i) the subject matter, duration, nature and purpose of Processing, ii) the types of Company Personal Data to be Processed, and iii) the categories of Data Subjects within the Company Personal Data to be Processed under this Agreement, are sufficiently specified in the Contracted Vendor’s technical documentation as required received by article 28(3) of the GDPR (andCompany and within Annex 1, possibly, equivalent requirements of other Data Protection Laws)attached to this Agreement. Company will notify the Contracted Vendor with respect to any revisions to such descriptions that may be required regarding the Company Personal Data. Upon written notice to Company, the Vendor may make reasonable amendments revisions to Annex 1 by written notice to Vendor such descriptions from time to time as Company reasonably considers necessary in order to meet those requirements. Nothing in Annex 1 (including as amended pursuant to this section 3.3) confers any right or imposes any obligation on any party to this Addendummaintain compliance with Applicable Laws. 3.4 It is hereby clarified and implied for the purposes of this Data Protection Addendum, that the Company has obtained sufficient authorization and written consent from its Data Subjects for the Personal Data provided to the Vendor or entered into Vendor’s systems/software, SaaS etc. It is further clarified that the Company also acts as a single point of contact and is solely responsible for obtaining any relevant authorizations, consents and permissions for the processing of Personal Data in accordance with this Addendum to use Vendor as a Processor.