Common use of Processing of Controller Personal Data Clause in Contracts

Processing of Controller Personal Data. 2.1. The Parties acknowledge and agree that with regard to the Processing of Controller Personal Data, (i) the customer is the Controller, (ii) Eloops is the Processor, and (iii) Processor or Processor Affiliates may engage Sub Processors pursuant to the requirements set forth in Section 5 below. 2.2. Processor shall not Process Controller Personal Data other than on the Controller’s documented reasonable and customary instructions as specified in the Agreement or in this DPA, unless such Processing is required by applicable laws to which the Processor is subject or as strictly necessary for the provision of Processor's service and product under the Agreement (together the "Services"). 2.3. Controller instructs Processor (and authorizes Processor to instruct each Sub Processor) to (i) Process Controller Personal Data; and (ii) in particular, transfer Controller Personal Data to any country or territory, all as reasonably necessary for the provision of the Services and consistent with Section 2.5 below, with the Agreement and this DPA and in accordance with Applicable Laws. 2.4. Furthermore, Controller warrants and represents that it is and will remain duly and effectively authorized to give the instructions set out in Section 2.1 and any additional instructions as provided pursuant to the Agreement and this DPA and/or in connection with the performance thereof, on behalf of itself and each relevant Controller Affiliate, at all relevant times and at least for as long as the Agreement and this DPA are in effect and for any additional period during which Processor is lawfully processing the Controller Personal Data. 2.5. Controller hereby sets forth the details of the Processing of Controller Personal Data, as required by article 28(3) of the GDPR in Annex 1 (Details of Processing of Controller Personal Data) hereto. 2.6. Controller Personal Data may be transferred from the EU Member States, EEA member countries, and the United Kingdom (collectively, "EEA"), (i) to countries that offer adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of the EEA, the European Union, Member States or the European Commission, without any further safeguard being necessary; (ii) to the United States, solely for Processing by Processor or Sub Processor on its behalf which has self-certified and comply with the EU-US and Swiss-US Privacy Shield Frameworks, as administered by the US Department of Commerce, to the extent permitted under Applicable Laws; (iii) to any country that does not offer an adequate level of data protection, or offers a mechanism such as the aforesaid Privacy Shield, if the Parties hereto have executed the standard data protection clauses adopted by the relevant data protection authorities of the EEA, the European Union, Member States or the European Commission, or complied with any of the other mechanisms provided for in the GDPR or any other Applicable Laws for transferring Personal Data to such other countries. 2.7. Without derogating from the provisions of the Agreement and this DPA, Controller (and not Processor) shall be exclusively liable for any excess Controller Personal Data provided or otherwise made available to Processor or any Sub Processor in the course of providing Processor's Services under the Agreement or under this DPA. Processor's obligations under the Agreement or under this DPA shall not apply to any such excess Controller Personal Data.

Processing of Controller Personal Data. 2.1. The Parties acknowledge and agree that with regard to the Processing of Controller Personal Data, (i) the customer is the Controller, (ii) Eloops is the Processor, and (iii) Processor or Processor Affiliates may engage Sub Processors pursuant to the requirements set forth in Section 5 below. 2.2. o Processor shall not Process Controller Personal Data other than on the Controller’s documented reasonable behalf and customary at Controller’s instructions as specified in the Services Agreement or and in this DPA, unless including without limitation with regard to transfers of Controller Personal Data to a third country or international organization. For the avoidance of doubt, Processor may use aggregated and/or anonymized data (“Aggregate Data”) for purpose of providing benchmarks and for improving the Services, as defined below, including the algorithms and models used by the Services. Any other Processing shall be permitted only in the event that such Processing is required by applicable laws any Data Protection Laws to which the Processor is subject or as strictly necessary for the provision subject. In such event, Processor shall, unless prohibited by such Data Protection Laws on important grounds of Processor's service and product under the Agreement (together the "Services"). 2.3public interest, inform Controller of that requirement before engaging in such Processing. ▪ Controller instructs Processor (and authorizes Processor to instruct each Sub Processor) to (i) to Process Controller Personal DataData for the provision of the services, as detailed in the Services Agreement (“Services”) and as otherwise set forth in the Services Agreement and in this DPA, and/or as otherwise directed by Controller; and (ii) in particular, to transfer Controller Personal Data to any country or territory, all territory as reasonably necessary for the provision of the Services and consistent with Section 2.5 below, with the Agreement and this DPA and in accordance with Applicable Laws. 2.4Law. Furthermore, o Controller warrants and represents that it is and will remain duly and effectively authorized to give the instructions set out in Section 2.1 and any additional instructions as provided pursuant to the Agreement and this DPA and/or in connection with the performance thereof, on behalf of itself and each relevant Controller Affiliate, at all relevant times and at least for as long as the Agreement and this DPA are in effect and for any additional period during which Processor is lawfully processing the Controller Personal Data. 2.5. Controller hereby sets forth the details of the Processing of Controller Personal Data, as required by article Article 28(3) of the GDPR are set forth in Annex Annexure 1 (Details of Processing of Controller Personal Data) ), attached hereto. 2.6. o To the extent that the Processor Processes Controller Personal Data may be transferred from the EU Member States, EEA member countries, and the United Kingdom (collectively, "EEA"), (i) to in countries that offer adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities outside of the EEA, the European Union, Member States or the European Commission, without any further safeguard being necessary; (ii) to the United States, solely for Processing by Processor or Sub Processor on its behalf which has self-certified and comply with the EU-US and Swiss-US Privacy Shield Frameworks, as administered by the US Department of Commerce, to the extent permitted under Applicable Laws; (iii) to any country Economic Area that does do not offer provide an adequate level of data protection, or offers a mechanism such as the aforesaid Privacy Shield, if the Parties hereto have executed the standard data protection clauses adopted determined by the relevant data protection authorities of European Commission or other adequate authority as determined by the EEAEU, the European Union, Member States or the European Commission, or complied with any of the other mechanisms provided for Standard Contractual Clauses shall apply in the GDPR or any other Applicable Laws for transferring Personal Data to such other countriesform set out in Annexure 3, which are incorporated into and form a part of this Agreement. 2.7. Without derogating from the provisions of the Agreement and this DPA, Controller (and not Processor) shall be exclusively liable for any excess Controller Personal Data provided or otherwise made available to Processor or any Sub Processor in the course of providing Processor's Services under the Agreement or under this DPA. Processor's obligations under the Agreement or under this DPA shall not apply to any such excess Controller Personal Data.

Processing of Controller Personal Data. 2.1. The Parties acknowledge and agree that with regard to the Processing of Controller Personal Data, (i) the customer is the Controller, (ii) Eloops is the Processor, and (iii) Processor or Processor Affiliates may engage Sub Processors pursuant to the requirements set forth in Section 5 below. 2.23.1. Processor shall not Process Controller Personal Data other than on the Controller’s documented reasonable 's behalf and customary at Controller's instructions as specified in the Agreement or and in this DPA, unless including without limitation with regard to transfers of Controller Personal Data to a third country or international organization. Any other Processing shall be permitted only in the event that such Processing is required by applicable laws any Data Protection Laws to which the Processor is subject or as strictly necessary for the provision subject. In such event, Processor shall, unless prohibited by such Data Protection Laws on important grounds of Processor's service and product under the Agreement (together the "Services")public interest, inform Controller of that requirement before engaging in such Processing. 2.33.2. Controller instructs Processor (and authorizes Processor to instruct each Sub Processor) to (i) to Process Controller Personal DataData for the provision of the services, as detailed in the Agreement ("Services") and as otherwise set forth in the Agreement and in this DPA, and/or as otherwise directed by Controller; and (ii) in particular, to transfer Controller Personal Data to any country or territory, all territory as reasonably necessary for the provision of the Services and consistent with Section 2.5 below, with the Agreement and this DPA and in accordance with Applicable LawsLaw. 2.4. Furthermore, Controller warrants and represents that it is and will remain duly and effectively authorized to give the instructions set out in Section 2.1 and any additional instructions as provided pursuant to the Agreement and this DPA and/or in connection with the performance thereof, on behalf of itself and each relevant Controller Affiliate, at all relevant times and at least for as long as the Agreement and this DPA are in effect and for any additional period during which Processor is lawfully processing the Controller Personal Data. 2.53.3. Controller hereby sets forth the details of the Processing of Controller Personal Data, as required by article Article 28(3) of the GDPR in Annex Schedule 1 (Details of Processing of Controller Personal Data) ), attached hereto. 2.63.4. Controller To the extent that the Processor Processes Personal Data may be transferred from the EU Member States, EEA member countries, and the United Kingdom (collectively, "EEA"), (i) to in countries that offer adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities outside of the EEA, the European Union, Member States or the European Commission, without any further safeguard being necessary; (ii) to the United States, solely for Processing by Processor or Sub Processor on its behalf which has self-certified and comply with the EU-US and Swiss-US Privacy Shield Frameworks, as administered by the US Department of Commerce, to the extent permitted under Applicable Laws; (iii) to any country Economic Area that does do not offer provide an adequate level of data protection, or offers a mechanism such as the aforesaid Privacy Shield, if the Parties hereto have executed the standard data protection clauses adopted determined by the relevant data protection authorities European Commission or other adequate authority as determined by the EU, the Standard Contractual Clauses shall apply and shall be incorporated herein upon execution of this DPA by the parties. Annexes 1 and 2, attached hereto, shall apply as Annexes 1 and 2 of the EEAStandard Contractual Clauses. The Standard Contractual Clauses are modular, containing numerous sections that each pertain to a specific type of entity or transfer. For the European Unionpurposes of this DPA and any transfers of data to third countries pursuant hereto, Member States or only the European Commission, or complied with any modular sections pertaining to module two (Controller to Processor) of the other mechanisms provided for Standard Contractual Clauses shall apply, in the GDPR or any other Applicable Laws for transferring Personal Data addition to such other countriesall general sections therein. 2.7. Without derogating from the provisions of the Agreement and this DPA, Controller (and not Processor) shall be exclusively liable for any excess Controller Personal Data provided or otherwise made available to Processor or any Sub Processor in the course of providing Processor's Services under the Agreement or under this DPA. Processor's obligations under the Agreement or under this DPA shall not apply to any such excess Controller Personal Data.