Common use of Processing of Personal Data Clause in Contracts

Processing of Personal Data. 1. The Data Processor and any person acting under its authority (e.g. personnel, Sub-processors and persons acting under the Sub-processor’s authority) undertake to only process Personal Data in accordance with documented instructions communicated by the Data Controller (Appendix 1). The Data Processor shall only process Personal Data to the extent necessary to fulfill its obligations under this DPA or Applicable Data Protection Legislation. 2. If the services are altered during the term of the Agreement and such altered services involve new or amended processing of Personal Data, or if the Data Controller’s instructions are otherwise changed or updated, the parties shall ensure that Appendix 1 is updated as appropriate before or at the latest in connection with the commencement of such processing or change. 3. When processing Personal Data under this DPA, the Data Processor shall comply with any and all Applicable Data Protection Legislation and applicable recommendations by competent Data Protection Authorities or other competent authorities and shall keep itself updated on and comply with any changes in such legislation and/or recommendations. The Data Processor shall accept to make any changes and amendments to this DPA that are required under Applicable Data Protection Legislation. 4. The Data Processor shall assist the Data Controller in fulfilling its legal obligations under Applicable Data Protection Legislation, including but not limited to the Data Controller’s obligation to comply with the rights of data subjects and in ensuring compliance with the Data Controller’s obligations relating to the security of processing (Art. 32 GDPR), the notification of a Personal Data Breach (Art 33, 34 GDPR) and the Data Protection Impact Assessment and the prior consultation (Art 35, 36 GDPR), obligation to respond to requests for exercising the data subject's rights to information regarding the processing of its Personal Data. The Data Processor shall not carry out any act, or omit any act, that would cause the Data Controller to be in breach of Applicable Data Protection Legislation. 5. The Data Processor shall immediately inform the Data Controller of a request, complaint, message, or any other communication received from a competent authority or any other third party regarding the processing of Personal Data covered by this DPA. The Data Processor may not in any way act on behalf of or as a representative of the Data Controller and may not, without prior instructions from the Data Controller, transfer or in any other way disclose Personal Data or any other information relating to the processing of Personal Data to any third party, unless the Data Processor is required to do so by law. The Data Processor shall assist the Data Controller in an appropriate manner to enable him to respond to such a request, complaint, message or other communication in accordance with Applicable Data Protection Legislation. In particular, the Data Processor shall not publish any submissions, notifications, communications, announcements or press releases in the event of a breach of data protection as defined in section 6.3. In the event the Data Processor, according to applicable laws and regulations, is required to disclose Personal Data that the Data Processor processes on behalf of the Data Controller, the Data Processor shall be obliged to inform the Data Controller thereof immediately, unless prohibited by law.

Processing of Personal Data. 1. The Data Processor and any person acting under its authority (e.g. personnel, Sub-Sub- processors and persons acting under the Sub-Sub- processor’s authority) undertake to only process Personal Data in accordance with documented instructions communicated by the Data Controller (Appendix 1). The Data Processor shall only process Personal Data to the extent necessary to fulfill its obligations under this DPA or Applicable Data Protection Legislation. 2. If the services are altered during the term of the Agreement and such altered services involve new or amended processing of Personal Data, or if the Data Controller’s instructions are otherwise changed or updated, the parties shall ensure that Appendix 1 is updated as appropriate before or at the latest in connection with the commencement of such processing or change. 3. When processing Personal Data under this DPA, the Data Processor shall comply with any and all Applicable Data Protection Legislation and applicable recommendations by competent Data Protection Authorities or other competent authorities and shall keep itself updated on and comply with any changes in such legislation and/or recommendations. The Data Processor shall accept to make any changes and amendments to this DPA that are required under Applicable Data Protection Legislation. 4. The Data Processor shall assist the Data Controller in fulfilling its legal obligations under Applicable Data Protection Legislation, including but not limited to the Data Controller’s obligation to comply with the rights of data subjects and in ensuring compliance with the Data Controller’s obligations relating to the security of processing (Art. 32 GDPR), the notification of a Personal Data Breach (Art 33, 34 GDPR) and the Data Protection Impact Assessment and the prior consultation (Art 35, 36 GDPR), obligation to respond to requests for exercising the data subject's rights to information regarding the processing of its Personal Data. The Data Processor shall not carry out any act, or omit any act, that would cause the Data Controller to be in breach of Applicable Data Protection Legislation. 5. The Data Processor shall immediately inform the Data Controller of a request, complaint, message, or any other communication received from a competent authority or any other third party regarding the processing of Personal Data covered by this DPA. The Data Processor may not in any way act on behalf of or as a representative of the Data Controller and may not, without prior instructions from the Data Controller, transfer or in any other way disclose Personal Data or any other information relating to the processing of Personal Data to any third party, unless the Data Processor is required to do so by law. The Data Processor shall assist the Data Controller in an appropriate manner to enable him to respond to such a request, complaint, message or other communication in accordance with Applicable Data Protection Legislation. In particular, the Data Processor shall not publish any submissions, notifications, communications, announcements or press releases in the event of a breach of data protection as defined in section 6.3. In the event the Data Processor, according to applicable laws and regulations, is required to disclose Personal Data that the Data Processor processes on behalf of the Data Controller, the Data Processor shall be obliged to inform the Data Controller thereof immediately, unless prohibited by law.

Processing of Personal Data. 1. 4.1 The Personal Data to which the Personal Data Processor and any person acting under its authority (e.g. personnel, Sub-processors and persons acting under the Sub-processor’s authority) undertake to has access may only process Personal Data be processed in accordance with documented instructions communicated by the Data Controller (Appendix 1). The Data this Processor shall only process Personal Data to the extent necessary to fulfill its obligations under this DPA or Applicable Data Protection Legislation. 2. If the services are altered during the term of the Agreement and such altered services involve new or amended processing of the applicable data-protection regulations, as well as the Personal Data, or if the Data Controller’s documented instructions are otherwise changed or updated, the parties shall ensure that Appendix 1 is updated as appropriate before or applying at the latest in connection with the commencement of such processing or changeany given time (see Annexe 1). 3. When processing 4.2 The Personal Data under this DPA, the Data Processor shall comply with any and all Applicable Data Protection Legislation and applicable recommendations by competent Data Protection Authorities or other competent authorities and shall keep itself updated on and comply with any changes in such legislation and/or recommendations. The Data Processor shall accept to make any changes and amendments to this DPA that are required under Applicable Data Protection Legislation. 4. The Data Processor shall assist the Data Controller in fulfilling its legal obligations under Applicable Data Protection Legislation, including but not limited to the Data Controller’s obligation to comply with the rights of data subjects and in ensuring compliance with the Data Controller’s obligations relating to the security of processing (Art. 32 GDPR), the notification of a Personal Data Breach (Art 33, 34 GDPR) and the Data Protection Impact Assessment and the prior consultation (Art 35, 36 GDPR), obligation to respond to requests for exercising the data subject's rights to information regarding the processing of its Personal Data. The Data Processor shall not carry out any act, or omit any act, that would cause the Data Controller to be in breach of Applicable Data Protection Legislation. 5. The Data Processor shall immediately inform notify the Personal Data Controller if the Personal Data Processor considers that an instruction issued by the Personal Data Controller is in breach of applicable data-protection regulations. 4.3 The Personal Data Processor shall without undue delay but no later than thirty (30) days as from the request on the part of the Personal Data Controller give the latter access to Personal Data in the possession of the Personal Data Processor, and shall carry out the requested amendment, deletion, limitation or transfer of such Personal Data, unless this is incompatible with mandatory legislation. If the Personal Data Controller has deleted data or instructed the Personal Data Processor with regard to deletion, the latter shall undertake the requisite measures to ensure the deleted Personal Data cannot be restored. 4.4 The Personal Data Processor shall always and without any special request from the Personal Data Controller undertake the measures referred to in 4.3 if this follows from the instructions in Annexe 1. 4.5 The Personal Data Processor shall maintain a request, complaint, message, or any other communication received from a competent authority or any other third party regarding the processing written register of all Processing of Personal Data covered by this DPA. The Data Processor may not in any way act carried out on behalf of the Personal Data Controller, and at the express request of the Personal Data Controller or the relevant supervisory authority shall submit a legible register extract that as a representative minimum includes details of: a) the name and contact details of the Personal Data Processor and, where applicable, the Personal Data Processor's representative, the data-protection officer and, where appropriate, the hiring of a Sub-processor; b) the processing carried out by the Personal Data Processor on behalf of the Personal Data Controller and may noton behalf of any other personal data controller, without prior instructions from the type of Personal Data Controllerand, where appropriate, the specific categories of Personal Data processed; c) where appropriate, transfer or in any other way disclose Personal Data or any other information relating to the processing of Personal Data to any a third partycountry, unless the Data Processor third country where data is required processed and the appropriate safeguards undertaken, and d) a general description of the technical and organisational measures undertaken to do so by law. The Data Processor shall assist the Data Controller in maintain an appropriate manner to enable him to respond to such a request, complaint, message or other communication in accordance with Applicable Data Protection Legislation. In particular, the Data Processor shall not publish any submissions, notifications, communications, announcements or press releases in the event level of a breach of data protection as defined in section 6.3. In the event the Data Processor, according to applicable laws and regulations, is required to disclose Personal Data that the Data Processor processes on behalf of the Data Controller, the Data Processor shall be obliged to inform the Data Controller thereof immediately, unless prohibited by law.protection;

Processing of Personal Data. ‌ 1. The Data Processor and any person acting under its authority (e.g. personnel, Sub-processors and persons acting under All personal data contained in the Sub-processor’s authority) undertake to only process Personal Data grant agreement shall be processed in accordance with documented instructions communicated Regulation (EC) No 45/2001 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by the Data institutions and bodies of the Union and on the free movement of such data. Such data shall be processed by the Controller (Appendix 1). The Data Processor shall only process Personal Data solely in connection with the implementation and follow-up of the grant agreement and the evaluation and impact assessment of activities of [the Union] [Euratom], including the use and dissemination of foreground, without prejudice to the extent necessary possibility of passing the data to fulfill its obligations under the bodies in charge of a monitoring or inspection task in accordance with [Euratom and European Union] [European Community and European Union] legislation and this DPA or Applicable Data Protection Legislationgrant agreement. 2. If Beneficiaries may, on written request, gain access to their personal data and correct any information that is inaccurate or incomplete. They should address any questions regarding the services are altered during the term of the Agreement and such altered services involve new or amended processing of Personal Data, or if their personal data to the Data Controller’s instructions are otherwise changed or updated, . Beneficiaries may lodge a complaint against the parties shall ensure that Appendix 1 is updated as appropriate before or at the latest in connection processing of their personal data with the commencement of such processing or changeEuropean Data Protection Supervisor at any time. 3. When processing Personal Data under For the purposes of this DPAgrant agreement, the Data Processor Controller identified in Article 8.4 shall comply be the contact for the Commission.‌ Part B FINANCIAL PROVISIONS SECTION 1 – GENERAL FINANCIAL PROVISIONS‌ II.14. Eligible costs of the project‌ 1. Costs incurred for the implementation of the project shall meet the following conditions in order to be considered eligible: a) they must be actual; b) they must be incurred by the beneficiary; c) they must be incurred during the duration of the project, with any the exception of costs incurred in relation to final reports and all Applicable Data Protection Legislation reports corresponding to the last period as well as certificates on the financial statements when requested at the last period and applicable recommendations by competent Data Protection Authorities final reviews if applicable, which may be incurred during the period of up to 60 days after the end of the project or other competent authorities the date of termination whichever is earlier; d) they must be determined in accordance with the usual accounting and shall keep itself updated on management principles and comply with any changes in such legislation and/or recommendationspractices of the beneficiary. The Data Processor accounting procedures used in the recording of costs and receipts shall accept respect the accounting rules of the State in which the beneficiary is established. The beneficiary’s internal accounting and auditing procedures must permit direct reconciliation of the costs and receipts declared in respect of the project with the corresponding financial statements and supporting documents; e) they must be used for the sole purpose of achieving the objectives of the project and its expected results, in a manner consistent with the principles of economy, efficiency and effectiveness; f) they must be recorded in the accounts of the beneficiary; in the case of any contribution from third parties, they must be recorded in the accounts of the third parties; g) they must be indicated in the estimated overall budget in Annex I. Notwithstanding point a) of the first subparagraph, beneficiaries may opt to make any changes and amendments declare average personnel costs if the following cumulative criteria are fulfilled: (a) The average personnel cost methodology shall be the one declared by the beneficiary as its usual cost accounting practice; as such it shall be consistently applied to this DPA that are required under Applicable Data Protection Legislationall the participations of the beneficiary in the Framework Programmes. 4. (b) The Data Processor methodology shall assist be based on the Data Controller actual personnel costs of the beneficiary as registered in fulfilling its legal obligations statutory accounts, without estimated or budgeted elements; (c) The methodology shall exclude from the average personnel rates any ineligible cost item as referred to in paragraph 3 and any costs claimed under Applicable Data Protection Legislation, including but not limited other costs categories in order to avoid double funding of the same costs; (d) The number of productive hours used to calculate the average hourly rates shall correspond to the Data Controller’s obligation usual management practice of the beneficiary provided that it reflects the actual working standards of the beneficiary, in compliance with applicable national legislation, collective labour agreements and contracts and that it is based on auditable data. Beneficiaries may submit a certified methodology for approval by the Commission on the basis of the criteria referred to in points (a) to (d) of the second subparagraph. Such a certificate shall be issued in accordance with the provisions laid down in Article II.4 and the relevant part of Form E in Annex VII, unless it has already been submitted for a previous grant agreement under the Seventh Framework Programme and the methodology certified has not changed. Average personnel costs charged on the basis of methodologies which comply with the rights criteria referred to in points (a) to (d) of data subjects the second subparagraph shall be deemed not to differ significantly from actual costs. SME owners who do not receive a salary and other natural persons who do not receive a salary shall charge as personnel costs a flat rate based on the ones used in ensuring compliance the People Specific Programme for researchers with full social security coverage, adopted by Council Decision No 2006/973/EC8, and specified in the Data Controller’s obligations relating annual Work Programme of the year of the publication of the call to which the proposal has been submitted9. The value of the personal work of those SME owners and natural persons shall be based on a flat rate to be determined by multiplying the hours worked in the project by the hourly rate to be calculated as follows: {Annual living allowance corresponding to the security appropriate research category published in the 'People' Work Programme of processing (Art. 32 GDPR), the notification year of a Personal Data Breach (Art 33, 34 GDPR) and the Data Protection Impact Assessment and publication of the prior consultation (Art 35, 36 GDPR), obligation call to respond which the proposal has been submitted / standard number of annual productive hours} multiplied by {country correction coefficient published in the 'People' Work programme of the year of the publication of the call /100} The standard number of productive hours is equal to requests for exercising the data subject's rights to information regarding the processing of its Personal Data1 575. The Data Processor total number of hours claimed for European Union projects in a year cannot be higher than the standard number of productive hours per SME owner/natural person. The value of the personal work shall not carry out any act, or omit any act, that would cause be considered as a direct eligible cost of the Data Controller to be in breach of Applicable Data Protection Legislationproject. 52. Costs incurred by third parties in relation to resources they make available free of charge to a beneficiary, can be declared by the beneficiary provided they meet the conditions established in paragraphs 1 and 3, mutatis mutandis and are claimed in conformity with Article II. 3. The Data Processor following costs shall immediately inform the Data Controller of a request, complaint, message, or any other communication received from a competent authority or any other third party regarding the processing of Personal Data covered by this DPA. The Data Processor be considered as non-eligible and may not in any way act on behalf of or as a representative of the Data Controller and may not, without prior instructions from the Data Controller, transfer or in any other way disclose Personal Data or any other information relating be charged to the processing of Personal Data to any third party, unless the Data Processor is required to do so by law. The Data Processor shall assist the Data Controller in an appropriate manner to enable him to respond to such a request, complaint, message or other communication in accordance with Applicable Data Protection Legislation. In particular, the Data Processor shall not publish any submissions, notifications, communications, announcements or press releases in the event of a breach of data protection as defined in section 6.3. In the event the Data Processor, according to applicable laws and regulations, is required to disclose Personal Data that the Data Processor processes on behalf of the Data Controller, the Data Processor shall be obliged to inform the Data Controller thereof immediately, unless prohibited by law.the

Processing of Personal Data. 1. The Data Processor and any person acting under its authority (e.g. personnel, Sub-processors and persons acting under the Sub-processor’s authority) undertake to only process Personal Data in accordance with documented instructions communicated by the Data Controller (Appendix 1). The Data Processor shall only process Personal Data to the extent necessary to fulfill its obligations under this DPA or Applicable Data Protection Legislation. 2. If the services are altered during the term of the Agreement and such altered services involve new or amended processing of Personal Data, or if the Data Controller’s instructions are otherwise changed or updated, the parties shall ensure that Appendix 1 is updated as appropriate before or at the latest in connection with the commencement of such processing or change. 3. When processing Personal Data under this DPA, the Data Processor shall comply with any and all Applicable Data Protection Legislation and applicable recommendations by competent Data Protection Authorities or other competent authorities and shall keep itself updated on and comply with any changes in such legislation and/or recommendations. The Data Processor shall accept to make any changes and amendments to this DPA that are required under Applicable Data Protection Legislation. 4. The Data Processor shall assist the Data Controller in fulfilling its legal obligations under Applicable Data Protection Legislation, including but not limited to the Data Controller’s obligation to comply with the rights of data subjects and in ensuring compliance with the Data Controller’s obligations relating to the security of processing (Art. 32 GDPR), the notification of a Personal Data Breach (Art 33, 34 GDPR) and the Data Protection Impact Assessment and the prior consultation (Art 35, 36 GDPR), obligation to respond to requests for exercising the data subject's rights to information regarding the processing of its Personal Data. The Data Processor shall not carry out any act, or omit any act, that would cause the Data Controller to be in breach of Applicable Data Protection Legislation. 5. The Data Processor shall immediately inform the Data Controller of a request, complaint, message, or any other communication received from a competent authority or any other third party regarding the processing of Personal Data covered by this DPA. The Data Processor may not in any way act on behalf of or as a representative of the Data Controller and may not, without prior instructions from the Data Controller, transfer or in any other way disclose Personal Data or any other information relating to the processing of Personal Data to any third party, unless the Data Processor is required to do so by law. The Data Processor shall assist the Data Controller in an appropriate manner to enable him it to respond to such a request, complaint, message or other communication in accordance with Applicable Data Protection Legislation. In particular, the Data Processor shall not publish any submissions, notifications, communications, announcements or press releases in the event of a breach of data protection as defined in section 6.3. In the event the Data Processor, according to applicable laws and regulations, is required to disclose Personal Data that the Data Processor processes on behalf of the Data Controller, the Data Processor shall be obliged to inform the Data Controller thereof immediately, unless prohibited by law.

Processing of Personal Data. 1. The Data Processor and any person acting under its authority (e.g. personnel, Sub-processors and persons acting under the Sub-processor’s authority) undertake 3.1 WSP undertakes to only process Process Personal Data in accordance with documented instructions communicated from time to time by the Data Controller (Appendix 1)CUSTOMER. The Data Processor shall only process Personal Data to CUSTOMER acknowledges that WSP is dependent on CUSTOMER’s Microsoft Azure instance for the extent necessary to fulfill performance of its obligations under the Agreement including any Processing by WSP of CUSTOMER Personal Data. The CUSTOMER’s initial instructions to WSP regarding the subject-matter of the Processing, the nature and purpose of the Processing, the type of Personal Data and categories of Data Subjects are set forth in this DPA or Applicable Data Protection Legislation. 2and in Exhibit 1. If the services are altered during the term of the Agreement and such altered services involve new or amended processing of Personal Data, or if the Data Controller’s instructions are otherwise changed or updated, the parties shall ensure that Appendix 1 is updated as appropriate before or at the latest in connection with the commencement of such processing or change. 3. When processing Personal Data under this DPA, the Data Processor shall comply with any and all Applicable Data Protection Legislation and applicable recommendations by competent Data Protection Authorities or other competent authorities and shall keep itself updated on and comply with any changes in such legislation and/or recommendations. The Data Processor shall accept to make any changes and amendments to this DPA that are required under Applicable Data Protection Legislation. 4. The Data Processor WSP shall assist the Data Controller CUSTOMER, either as a Processor or as a Controller, in fulfilling its legal obligations under Applicable Data Protection Legislation, including . This may include but is not limited to the Data ControllerCUSTOMER’s obligation to comply assist with the rights of data subjects and in ensuring compliance with the Data Controller’s obligations relating to the security of processing (Art. 32 GDPR), the notification of a Personal Data Breach (Art 33, 34 GDPR) and the Data Protection Impact Assessment and the prior consultation (Art 35, 36 GDPR), obligation to and/or respond to requests for exercising the data subjectData Subject's rights such as right of access, right to information regarding rectification, right to erasure, right to restriction of processing, right to data portability and right to object, as well as the processing CUSTOMER’s obligation to ensure a level of its security appropriate to the risk and to perform a data protection impact assessment. Secure erasure of data is based on the Azure policy of erasing data. This is part of the retention policy of Azure Log Analytics. 3.2 WSP shall immediately inform the CUSTOMER if WSP does not have sufficient instructions for how to Process Personal Data. The Data Processor shall not carry out any actin a particular situation or if instructions provided under this DPA, or omit any actin WSP’s reasonable opinion, that would cause the Data Controller to be in breach of violates Applicable Data Protection Legislation. 5. The 3.3 If Data Processor shall immediately inform the Subjects, Data Controller of a request, complaint, message, Protection Authorities or any other communication received competent third parties request information from a competent authority or any other third party WSP regarding the processing of Personal Data covered by this DPA, WSP shall refer such request to the CUSTOMER. The Data Processor WSP may not in any way act on behalf of or as a representative of the Data Controller CUSTOMER and may not, without prior instructions from the Data ControllerCUSTOMER, transfer or in any other way disclose Personal Data or any other information relating to the processing Processing of Personal Data to any third party, unless the Data Processor is required to do so by law. The Data Processor shall assist the Data Controller in an appropriate manner to enable him to respond to such a request, complaint, message or other communication in accordance with Applicable Data Protection Legislation. In particular, the Data Processor shall not publish any submissions, notifications, communications, announcements or press releases in the event of a breach of data protection as defined in section 6.3. In the event the Data ProcessorWSP, according to applicable laws and regulations, is required to disclose Personal Data that the Data Processor processes WSP Processes on behalf of the Data ControllerCUSTOMER, the Data Processor shall be obliged to WSP shall, unless legally prevented, inform the Data Controller CUSTOMER thereof immediately, unless prohibited by lawimmediately and shall request confidentiality in conjunction with the disclosure of requested information.

Processing of Personal Data. 12.1. For the purposes of this DPA and Processor's processing of Controller Data in connection with the performance of its obligations under the Principal Agreements, Processor (and each Sub-Processor) shall be a processor/service provider and shall not act as a controller/third party. NNA acts as a data controller/business and shall be solely responsible for determining the purposes for which and the manner in which Controller Data are processed. Controller Data is and at all times shall remain the sole property of NNA. Processor shall not possess or assert any lien or other right against or to the Controller Data. Processor agrees not to permit any of Processor Personnel to access or use any Controller Data except in furtherance of its obligations under the Principal Agreements. 2.2. Information on the data processed by Processor under this DPA, including the subject-matter, duration, nature and purpose of the processing, type of Personal Data and categories of Data Subjects as well as the retention period(s) for the Personal Data is set out in Appendix 2 (Data Processing Information). To the extent the Personal Data processed by Processor changes (whether by expanding or narrowing in scope) under the Principal Agreements, the Parties acknowledge and agree that Appendix 2 must be updated accordingly to comply with Data Protection Law. NNA will have the right, in its sole discretion, to prepare an amended Appendix 2 and notify Processor in writing. The Data amended Appendix 2 will take effect on the date thirty (30) days after its notification to Processor, unless Processor notifies NNA prior to this date that it refuses to accept the amended Appendix 2, in which case: (a) the amendment will not take effect, and (b) NNA will have the right to terminate the Principal Agreements (subject to Section 9.1.1) by written notice to Processor with immediate effect, in NNA’s sole discretion, with effect from any person acting under its authority future date specified in the notice. Such termination shall be without prejudice to any accrued rights and liabilities of the Parties, provided that no termination fees, expenses or other compensation will be payable by NNA in connection with such termination and Processor shall refund NNA within thirty (e.g. personnel, Sub-processors and persons acting under 30) days of termination any fees prepaid by NNA to Processor in respect of the Sub-processor’s authority) undertake to only process Personal Data in accordance with documented instructions communicated by the Data Controller (Appendix 1)period following termination. 2.3. The Data Processor shall only process Personal Data in compliance with Data Protection Law, and in accordance with this DPA, the Principal Agreements and NNA's other written instructions, unless required to do otherwise by Applicable Law to which Processor is subject (in which case, Processor shall inform NNA of such legal requirement before processing, if permitted by such Applicable Law), and including any instructions to cease or terminate processing of Controller Data. 2.4. Notwithstanding anything to the extent necessary contrary in the Principal Agreements, Processor shall not: 2.4.1. Sell or share Controller Data; 2.4.2. Retain, use, or disclose Personal Data for any purpose other than as permitted under Appendix 2, except as required by Applicable Law; 2.4.3. Retain, use, or disclose Personal Data outside the direct business relationship between NNA and Processor; or 2.4.4. Combine Controller Data that Processor receives from, or on behalf of, NNA with Controller Data that it receives from, or on behalf of, another person or persons, or collects from its own interaction with a Data Subject, except to fulfill its obligations under this DPA or Applicable Data Protection Legislationperform the business purpose specified in the Principal Agreements. 22.5. If the services are altered during the term Processor shall maintain an accurate, up-to-date written log of the Agreement and such altered services involve new or amended all processing of Personal Data, Data performed on NNA's behalf which shall distinguish between accesses due to regular business operations and accesses due to orders or if requests for access. The written log shall include the following information: (a) the categories of recipients to whom Personal Data Controller’s instructions are otherwise changed have been or updated, will be disclosed; and (b) a description of the parties shall ensure that Appendix 1 is updated as appropriate before or at the latest technical and organizational security measures referred to in connection with the commencement this DPA. Processor will provide NNA a copy of such processing or changelog upon NNA's request. 32.6. When processing Personal Data Processor certifies that it understands the restrictions set forth in this Section 2 and, without limiting any of its other obligations under this DPA, the Data Processor shall comply with any these restrictions. Controller may monitor Processor’s compliance with this DPA through reviews, audits or regular assessments at least once per year. 2.7. NNA shall have the right to take reasonable and all Applicable appropriate steps to help ensure that Processor uses the Personal Data in a manner consistent with Data Protection Legislation Law. Upon notice, NNA shall take reasonable and applicable recommendations by competent Data Protection Authorities or other competent authorities appropriate steps to stop and shall keep itself updated on and comply with any changes in such legislation and/or recommendations. The Data Processor shall accept to make any changes and amendments to this DPA that are required under Applicable Data Protection Legislation. 4. The Data Processor shall assist the Data Controller in fulfilling its legal obligations under Applicable Data Protection Legislation, including but not limited to the Data Controller’s obligation to comply with the rights remediate unauthorized use of data subjects and in ensuring compliance with the Data Controller’s obligations relating to the security of processing (Art. 32 GDPR), the notification of a Personal Data Breach (Art 33, 34 GDPR) and the Data Protection Impact Assessment and the prior consultation (Art 35, 36 GDPR), obligation to respond to requests for exercising the data subject's rights to information regarding the processing of its Personal Data. The Data Processor shall not carry out any act, or omit any act, that would cause the Data Controller to be in breach of Applicable Data Protection Legislation. 5. The Data Processor shall immediately inform the Data Controller of a request, complaint, message, or any other communication received from a competent authority or any other third party regarding the processing of Personal Data covered by this DPA. The Data Processor may not in any way act on behalf of or as a representative of the Data Controller and may not, without prior instructions from the Data Controller, transfer or in any other way disclose Personal Data or any other information relating to the processing of Personal Data to any third party, unless the Data Processor is required to do so by law. The Data Processor shall assist the Data Controller in an appropriate manner to enable him to respond to such a request, complaint, message or other communication in accordance with Applicable Data Protection Legislation. In particular, the Data Processor shall not publish any submissions, notifications, communications, announcements or press releases in the event of a breach of data protection as defined in section 6.3. In the event the Data Processor, according to applicable laws and regulations, is required to disclose Personal Data that the Data Processor processes on behalf of the Data Controller, the Data Processor shall be obliged to inform the Data Controller thereof immediately, unless prohibited by law.

Processing of Personal Data. 15.1. The Processor guarantees that it has implemented and will continue to implement within the term of this DPA the appropriate technical and organizational measures in such a manner that its Processing of Personal Data under this DPA will meet the requirements of Applicable Data Protection Law and ensure the protection of the rights of the Data Subject. 5.2. The Processor and any person acting under its authority (e.g. personnel, Sub-processors and persons acting under the Sub-processor’s authority) undertake undertakes to only process Process Personal Data in accordance with documented instructions communicated from time to time by the Controller, unless required to do so pursuant to the Applicable Data Controller (Appendix 1)Protection Law. The Data Processor shall only process at any time be able to document the specific instructions from the Controller. The Controller guarantees that it is entitled to Process the Personal Data under Applicable Data Protection Law before providing Personal Data to the extent necessary Processor. The Controller hereby confirms that it is solely responsible for determining the purposes and means of processing Personal Data by the Processor. The Controller’s initial instructions to fulfill its obligations under this DPA or Applicable Data Protection Legislation. 2. If the services are altered during Processor regarding the term subject-matter and duration of the Agreement processing, the nature and such altered services involve new or amended processing purpose of the Processing, the type of Personal Data, or if and categories of data subjects are set forth in the Data Controller’s instructions are otherwise changed or updated, Section 4. of the parties shall ensure that Appendix 1 is updated as appropriate before or at the latest in connection with the commencement of such processing or changeDPA. 35.3. When The Processor shall, when processing Personal Data under this DPA, the Data Processor shall comply with any and all Applicable Data Protection Legislation Law and applicable recommendations by competent Data Protection Authorities the Supervisory Authority or other competent authorities and shall keep itself updated on and comply with any changes in such legislation and/or recommendationsauthorities. The Data Processor shall accept to make any changes and amendments to this DPA that are required under Applicable Data Protection LegislationLaw. 45.4. The Data Processor shall assist the Data Controller in fulfilling its legal obligations under Applicable Data Protection LegislationLaw, including including, but not limited to to, the Data Controller’s obligation to comply with the rights of data subjects and in ensuring compliance with the Data Controller’s obligations relating to the security of processing (Art. 32 GDPR), the notification of a Personal Data Breach (Art 33, 34 GDPR) and the Data Protection Impact Assessment and the prior consultation (Art 35, 36 GDPR), obligation to respond to requests for exercising the data subjectData Subject's rights to request information regarding the processing of its (register extracts) and for Personal DataData to be corrected, blocked or erased. 5.5. The Data Processor shall not carry out any act, or omit any act, that would cause the Data Controller to be in breach of Applicable Data Protection Legislation. 5. The Data Processor shall immediately inform the Controller if the Processor does not have an instruction for how to process Personal Data Controller of in a requestsituation or if any instruction provided under this DPA or otherwise infringes Applicable Data Protection Law. 5.6. If Data Subjects, complaint, message, or any other communication received from a competent authority authorities or any other third party parties request information from the Processor regarding the processing Processing of Personal Data covered by this DPA, the Processor shall refer such request to the Controller. The Data Processor may not in any way act on behalf of or as a representative of the Data Controller and Controller. 5.7. The Processor may not, without prior instructions from the Data Controller, transfer transfer, or in any other way way, disclose Personal Data or any other information relating to the processing Processing of Personal Data to any third party, unless the Data Processor is required to do so by law. The Data Processor shall assist the Data Controller in an appropriate manner to enable him to respond to such a request, complaint, message or other communication in accordance with Applicable Data Protection Legislation. In particular, the Data Processor shall not publish any submissions, notifications, communications, announcements or press releases in the event of a breach of data protection as defined in section 6.3. In the event that the Data Processor, according to applicable laws and regulationsApplicable Data Protection Law, is required to disclose Personal Data that the Data Processor processes Processes on behalf of the Data Controller, the Data Processor shall be obliged to inform the Data Controller thereof immediatelyimmediately and request confidentiality in conjunction with the disclosure of requested information. 5.8. Upon the Controller’s reasonable request, unless prohibited and in accordance with the change management procedure set forth in the respective Agreement (if applicable), the Processor shall implement additional reasonable technical and organizational security measures and adjustments to the processing activities. The Controller shall notify the Processor of any adjustments to the Controller’s instructions concerning security and the processing of Personal Data, without undue delay, for the Processor to enable the necessary amendments to procedures to be implemented. 5.9. The Processor undertakes to make available to the Controller all information and provide all assistance necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including on-site inspections, conducted by lawthe Controller or another auditor mandated by the Controller.

Processing of Personal Data. 1. 2.1 The Data parties agree that Agency and/or Customer is the Controller and IgnitionOne is a Processor and any person acting that the subject matter and details of the processing of such Personal Data are described in the SOW attached to the Platform Agreement. IgnitionOne shall keep a record of all Processing activities with respect to Customer’s Personal Data as required under its authority (e.g. personnel, Sub-processors and persons acting GDPR. 2.2 Each party will comply with the obligations applicable to it under the Sub-processor’s authority) undertake Privacy Laws and Regulations with respect to only process the Processing of Personal Data. Agency shall, in its use or receipt of the Services, Process Personal Data in accordance with documented the requirements of the Privacy Laws and Regulations and Agency will ensure that its instructions communicated by for the Data Controller (Appendix 1). The Data Processor shall only process Processing of Personal Data shall comply with the Privacy Laws and Regulations. If IgnitionOne believes or becomes aware that any of Agency’s instructions conflicts with any Privacy Laws and Regulations, IgnitionOne shall inform Agency. As between the parties, Agency shall have sole responsibility for determining the legal basis for processing of Personal Data and (to the extent legally required) obtain all consents from Data Subjects necessary to fulfill its obligations under this DPA or Applicable for collection and Processing of Personal Data Protection Legislationin the scope of the Services. 22.3 The objective of Processing of Personal Data by IgnitionOne is to perform the Services. If During the services are altered during the term Term, IgnitionOne shall only Process Personal Data on behalf of and in accordance with the Agreement and such altered services involve new or amended processing of Personal Data, or if the Data ControllerAgency’s instructions are otherwise changed or updated, and shall treat Personal Data as Confidential Information. IgnitionOne may Process Personal Data other than on the parties instructions of the Agency if it is mandatory under applicable law to which IgnitionOne is subject. In this situation IgnitionOne shall ensure that Appendix 1 is updated as appropriate before or inform the Agency of such a requirement unless the law prohibits such notice. 3.1 Agency and/or Customer has the responsibility for honoring Data Subject access requests. IgnitionOne shall provide reasonable assistance to the Agency (at the latest Agency's expense) to enable the Agency to respond to: (i) any request from a Data Subject to exercise any of its rights under Privacy Laws and Regulations; and (ii) any other correspondence received from a Data Subject in connection with the commencement processing of the Personal Data. In the event that any such processing request or change. 3. When processing Personal Data under this DPA, the Data Processor shall comply with any and all Applicable Data Protection Legislation and applicable recommendations by competent Data Protection Authorities or other competent authorities and shall keep itself updated on and comply with any changes in such legislation and/or recommendations. The Data Processor shall accept to make any changes and amendments to this DPA that are required under Applicable Data Protection Legislation. 4. The Data Processor shall assist the Data Controller in fulfilling its legal obligations under Applicable Data Protection Legislation, including but not limited correspondence is made directly to the Data Controller’s obligation to comply with the rights of data subjects and in ensuring compliance with the Data Controller’s obligations relating to the security of processing IgnitionOne (Art. 32 GDPRa “Direct Access Request”), IgnitionOne shall promptly inform the notification of a Personal Data Breach (Art 33, 34 GDPR) and the Data Protection Impact Assessment and the prior consultation (Art 35, 36 GDPR), obligation Agency. If Agency fails to respond to requests for exercising a Direct Access Request within 30 days, IgnitionOne reserves the data subject's rights to information regarding the processing of its Personal Data. The Data Processor shall not carry out any act, or omit any act, that would cause the Data Controller to be in breach of Applicable Data Protection Legislation. 5. The Data Processor shall immediately inform the Data Controller of a request, complaint, message, or any other communication received from a competent authority or any other third party regarding the processing of Personal Data covered by this DPA. The Data Processor may not in any way act on behalf of or as a representative of the Data Controller and may not, without prior instructions from the Data Controller, transfer or in any other way disclose Personal Data or any other information relating to the processing of Personal Data to any third party, unless the Data Processor is required to do so by law. The Data Processor shall assist the Data Controller in an appropriate manner to enable him right to respond to such a request, complaint, message or other communication in accordance with Applicable Data Protection Legislation. In particular, the Data Processor shall not publish any submissions, notifications, communications, announcements or press releases in the event of a breach of data protection as defined in section 6.3. In the event the Data Processor, according to applicable laws and regulations, is required to disclose Personal Data that the Data Processor processes on behalf of the Data Controller, the Data Processor shall be obliged to inform the Data Controller thereof immediately, unless prohibited by lawrequest(s).

Processing of Personal Data. 1. The 2.1 Data Processor Processor, and any person acting under its authority (e.g. personnelauthority, Sub-processors and persons acting under will carry out the Sub-processor’s authority) undertake to only process Personal Data Processing activities, including with regard to transfers of Personal Data to a third country or an international organisation, only for the following purposes: (i) to provide the Services during the Term in accordance with the Services Agreement and other reasonable documented instructions communicated provided by the Data Controller, where such instructions are consistent with the terms of the Services Agreement (collectively, the “Instructions”); and (ii) as required under Applicable Law, in which case Data Processor shall, to the extent permitted by Applicable Law, inform Data Controller of such legally required Processing of Personal Data, unless that law prohibits such information on important grounds of public interest. 2.2 Data Controller instructs Data Processor (and authorises Data Processor to instruct each of its Sub-processors) to process the Personal Data, as reasonably necessary for the provision of the Services and in accordance with the Services Agreement and this DPA. Additional Instructions outside the scope of this DPA and the Services Agreement require prior written agreement between Data Controller and Data Processor and will include any additional fees that may be payable by the Data Controller (Appendix 1)to the Data Processor for carrying out such Instructions. 2.3 Data Controller hereby acknowledges that as part of the provision of the Services hereunder, Data Processor may collect, disclose, publish, share and otherwise use fully anonymized, de- identified and de-identifiable data, including statistical data, analytics, trends and other aggregated data which derives from the Personal Data processed by the Data Processor as part of the provision of the Services, all as required for the Data Processor's legitimate purposes, including without limitation in order to provide, maintain, operate and improve the Services and for research purposes. The Data Processor shall only process Personal Data to Controller hereby agrees and acknowledges that such processing activities (including the extent necessary to fulfill its obligations under this DPA or Applicable Data Protection Legislation. 2. If the services are altered during the term of the Agreement anonymization and such altered services involve new or amended processing de-identification of Personal Data, or if ) will not be considered as performed outside the scope of the Instructions provided by the Data Controller’s instructions are otherwise changed Controller hereunder. Data Processor agrees not to use said anonymized data in a form that identifies the Customer or updated, the parties shall ensure that Appendix 1 is updated as appropriate before or at the latest in connection with the commencement of such processing or changeany Data Subject. 3. When processing Personal 2.4 Data Processor will notify Data Controller if Data Processor is of the opinion that a written Instruction received from Data Controller is in violation of Applicable Law and/or in violation of contractual duties under this DPA, the Services Agreement. 2.5 Data Processor shall comply with any and all Applicable Data Protection Legislation and applicable recommendations by competent Data Protection Authorities or other competent authorities and shall keep itself updated on and comply with any changes in such legislation and/or recommendations. The Data Processor shall accept to make any changes and amendments to this DPA that are required under Applicable Data Protection Legislation. 4. The Data Processor shall assist the Data Controller in fulfilling its legal obligations under Applicable Data Protection Legislation, including but not limited to the Data Controller’s obligation to comply with the rights of data subjects and in ensuring compliance with the Data Controller’s obligations relating to the security of processing (Art. 32 GDPR), the notification of a treat Personal Data Breach (Art 33as confidential information and will not disclose, 34 GDPR) and make available or transfer the Data Protection Impact Assessment and the prior consultation (Art 35, 36 GDPR), obligation to respond to requests for exercising the data subject's rights to information regarding the processing of its Personal Data. The Data Processor shall not carry out any act, or omit any act, that would cause the Data Controller to be in breach of Applicable Data Protection Legislation. 5. The Data Processor shall immediately inform the Data Controller of a request, complaint, message, or any other communication received from a competent authority or any other third party regarding the processing of Personal Data covered by this DPA. The Data Processor may not in any way act on behalf of or as a representative of the Data Controller and may not, without prior instructions from the Data Controller, transfer or in any other way disclose Personal Data or any other information relating to the processing of Personal Data to any third party, unless other than as permitted under this DPA. 2.6 Data Controller shall have sole responsibility for the accuracy, quality and legality of the Personal Data and the means by which Data Controller acquired the Personal Data. Data Controller warrants and undertakes that: (i) the Personal Data has been collected, Processed and transferred in accordance with the laws applicable to Data Controller, including, if required by applicable law, that Data Controller has received all required consents from the applicable Data Subjects for the Processing carried out by the Data Processor is required to do so by law. The Data Processor shall assist under this DPA and the Data Controller in an appropriate manner Subjects have been informed that their Personal Data could be transmitted to enable him to respond to such a request, complaint, message or other communication in accordance with Applicable Data Protection Legislation. In particular, third country outside of the Data Processor shall not publish any submissions, notifications, communications, announcements or press releases in the event of a breach of data protection as defined in section 6.3. In the event the EU/EEA; and (ii) it will provide Data Processor, according when so requested, with copies of relevant Data Protection Laws or references to applicable laws them (where relevant, and regulations, not including legal advice) of the country in which Data Controller is required established or which may otherwise be relevant to disclose the Personal Data that the concerned. 2.7 Exhibit 1 of this DPA sets forth certain information regarding Data Processor processes on behalf Processor’s Processing activities of the Data ControllerPersonal Data, as required by Article 28(3) of the Data Processor shall be obliged to inform the Data Controller thereof immediately, unless prohibited by lawGDPR.

Processing of Personal Data. 1. The Data Processor 2.1 With respect to Customer Personal Data, Smartnova and any person acting under its authority Customer hereby agree that (e.g. personnel, Sub-processors i) Customer may act as “Controller” and persons acting Smartnova may act as “Processor” under the Sub-processor’s authorityGDPR or (ii) undertake Customer may act as “Data Exporter” and Smartnova may act as “ Data Importer” as defined under the Standard Contractual Clauses or (iii) Customer as a “Exporter” and Smartnova as an “Importer” under UK GDPR. 2.2 Subject to only process the terms of the Agreement (i) Customer as Controller or Business or Data exporter under Data Protection Laws, hereby appoints Smartnova as Processor or Service Provider or data importer in respect of Processing operations required to be carried out by Smartnova on Customer Personal Data in accordance with documented the terms of the Agreement, (ii) Customer agrees to comply with its obligations as Controller or Business or data exporter under Data Protection Laws and declares that it has been instructed by and obtained the authorization of the relevant Controller or Business or data exporter to enter into this DPA in the name and on behalf of such Controller or Business or data exporter, (iii) Customer is responsible for obtaining all of the necessary authorizations and approvals and all consents and rights necessary under Data Protection Laws to enter, use, provide, store, and Process Customer Data, including Customer Personal Data in the Services to enable Smartnova’s fulfillment of its obligations pursuant to the Agreement. 2.3 Smartnova shall (i) process Customer Personal Data only in accordance with Customer’s lawful instructions communicated by consistent with the terms of the Data Controller Protection Laws and (Appendix 1). The Data Processor shall only process ii) Process all Customer Personal Data to as Processor or Services Provider or data importer under the extent necessary applicable Data Protection Laws to fulfill its obligations under this DPA or Applicable Data Protection Legislation. 2. If the services are altered during the term of the Agreement for or on Customer’s behalf, and such altered services involve new or amended processing of Personal Data, or if the Data Controller’s instructions are otherwise changed or updated, the parties shall ensure that Appendix 1 is updated as appropriate before or at the latest for no other purposes than in connection with the commencement of such processing or change. 3. When processing Personal Data under this DPA, the Data Processor shall comply with any and all Applicable Data Protection Legislation and applicable recommendations by competent Data Protection Authorities or other competent authorities and shall keep itself updated on and comply with any changes in such legislation and/or recommendations. The Data Processor shall accept to make any changes and amendments to this DPA that are required under Applicable Data Protection Legislation. 4. The Data Processor shall assist the Data Controller in fulfilling its legal obligations under Applicable Data Protection Legislation, including but not limited to the Data Controller’s obligation to comply with the rights of data subjects and in ensuring compliance with the Data Controller’s obligations relating to the security of processing (Art. 32 GDPR), the notification of a Personal Data Breach (Art 33, 34 GDPR) and the Data Protection Impact Assessment and the prior consultation (Art 35, 36 GDPR), obligation to respond to requests for exercising the data subject's rights to information regarding the processing of its Personal Data. The Data Processor shall not carry out any act, or omit any act, that would cause the Data Controller to be in breach of Applicable Data Protection Legislation. 5. The Data Processor shall immediately inform the Data Controller of a request, complaint, message, or any other communication received from a competent authority or any other third party regarding the processing of Personal Data covered by this DPA. The Data Processor may not in any way act on behalf of or as a representative of the Data Controller and may not, without prior instructions from the Data Controller, transfer or in any other way disclose Personal Data or any other information relating to the processing of Personal Data to any third partyServices, unless the Data Processor is required to do so by lawData Protection Laws or other applicable data privacy laws to which Smartnova (or Sub-Processor(s)) is subject. The Data Processor In such a case Smartnova shall assist to the extent permitted by the Data Controller Protection Laws inform Customer of that legal requirement before the relevant Processing of the Customer Personal Data. Each party will comply in an appropriate manner to enable him to respond to such a request, complaint, message or other communication in accordance all respects with Applicable the provisions of this DPA and the applicable Data Protection LegislationLaws in any country where the Services are used, provided or delivered. In particularCustomer hereby agrees and understands that the processing of personal data by Smartnova is always triggered by the type of Services, or function for which Customer has registered or activated. Consequently, the Data Processor shall not publish any submissions, notifications, communications, announcements or press releases in the event of a breach of data protection as defined in section 6.3. In the event the Data Processor, according to applicable laws and regulations, is required to disclose Personal Data Parties agree that the Data Processor processes moment when Smartnova initiates the processing of personal data is always understood to be at the express instruction of Customer to do so for and on behalf of the Data Controller, the Data Processor shall be obliged to inform the Data Controller thereof immediately, unless prohibited by lawCustomer.

Processing of Personal Data. 13.1. The Processor processes the Personal Data only on behalf of the Controller and only in the context of performing the Agreement and for purposes that are reasonably related thereto or that are determined upon further consultation. In view of the nature of Rodeo, the Processor and any person acting under its authority (e.g. personnel, Sub-processors and persons acting will process under the Sub-processorAgreement all Personal Data of all categories of Data Subjects that are stored with the use of Rodeo, or that are otherwise provided to the Processor for processing via Rodeo. ▇▇▇▇▇ does not interfere in any way with the nature or content of this information. The Controller is able to add to, edit or delete the processed Data at any time. 3.2. The Processor will follow the Controller’s authority) undertake to only written instructions regarding the Processing and may not process the Personal Data in accordance with documented any other way, unless the Controller has given the Processor prior consent or instructions communicated by the Data Controller (Appendix 1)to do so. 3.3. The Data Processor shall only process Personal Data Controller guarantees that it will comply with applicable legislation and regulations with regard to the extent necessary to fulfill its obligations under this DPA or Applicable Data Protection Legislation. 2. If the services are altered during the term of the Agreement and such altered services involve new or amended processing Processing of Personal Data, or if including any written instructions given to the Processor, and in this respect will comply with the requirements and conditions for the Processing of Personal Data. 3.4. The Controller will ensure and guarantee that the Data Subject will be able to exercise his/her rights in accordance with applicable legislation and regulations. 3.5. Insofar as possible, the Processor will cooperate with the Controller to ensure that the Controller can comply - if applicable within the statutory time limits - with its obligations under the applicable legislation and regulations, including the Controller’s instructions are otherwise changed or updated, the parties shall ensure that Appendix 1 is updated as appropriate before or at the latest in connection with the commencement of such processing or change. 3. When processing Personal Data under this DPA, obligations to respect the Data Processor shall comply with any and all Applicable Data Protection Legislation and applicable recommendations by competent Data Protection Authorities or other competent authorities and shall keep itself updated on and comply with any changes in Subject's rights, such legislation and/or recommendations. The Data Processor shall accept to make any changes and amendments to this DPA that are required under Applicable Data Protection Legislation. 4. The Data Processor shall assist the Data Controller in fulfilling its legal obligations under Applicable Data Protection Legislationas, including but not limited to, a request to view Personal Data or have the Personal Data corrected, supplemented, deleted or blocked or the right to make a valid registered objection; the Processor will further cooperate to ensure that it complies with its own obligations as referred to in Articles 32 to 36 of the GDPR. The Processor reserves the right to charge the costs associated with these efforts to the Controller. 3.6. The Controller hereby grants the Processor permission to engage a Sub-Processor for processing the Personal Data. The Processor must inform the Controller about the Sub-Processors it has engaged. 3.7. Before replacing a Sub-Processor or engaging a new Sub-Processor, the Processor must ensure that the overview on ▇▇▇▇▇://▇▇▇.▇▇▇▇▇.▇▇▇/subverwerkers is updated. The Controller is responsible for regularly checking Sub-Processors on ▇▇▇▇▇://▇▇▇▇▇▇▇▇.▇▇/. If the Controller cannot reasonably agree with the intended change or addition of a certain Sub-Processor, the Controller is permitted to object. The Processor is allowed to propose an alternative within a period of 4 weeks. If the Processor does not offer an alternative, the Controller will be permitted to terminate the Agreement without being obliged to pay compensation to the Processor as a result of termination of the Agreement. 3.8. When the Processor engages a Sub-Processor, the Processor will ensure that the Sub-Processor in any case undertakes to take appropriate technical and organisational measures in relation to the Processing of Personal Data and undertakes to maintain confidentiality. 3.9. The Processor will not provide Personal Data to anyone - with the exception of Sub-Processors - other than the Controller’s obligation , unless at the written request of the Controller, or with the latter's written consent or when this is necessary in order to comply with the rights of data subjects and in ensuring compliance with the Data Controller’s obligations relating to the security of processing (Art. 32 GDPR), the notification of Agreement and/or a Personal Data Breach (Art 33, 34 GDPR) and the Data Protection Impact Assessment and the prior consultation (Art 35, 36 GDPR), obligation to respond to requests for exercising the data subject's rights to information regarding the processing of its Personal Data. The Data Processor shall not carry out any act, or omit any act, that would cause the Data Controller to be in breach of Applicable Data Protection Legislationlegal requirement. 5. The Data Processor shall immediately inform the Data Controller of a request, complaint, message, or any other communication received from a competent authority or any other third party regarding the processing of Personal Data covered by this DPA. The Data Processor may not in any way act on behalf of or as a representative of the Data Controller and may not, without prior instructions from the Data Controller, transfer or in any other way disclose Personal Data or any other information relating to the processing of Personal Data to any third party, unless the Data Processor is required to do so by law. The Data Processor shall assist the Data Controller in an appropriate manner to enable him to respond to such a request, complaint, message or other communication in accordance with Applicable Data Protection Legislation. In particular, the Data Processor shall not publish any submissions, notifications, communications, announcements or press releases in the event of a breach of data protection as defined in section 6.3. In the event the Data Processor, according to applicable laws and regulations, is required to disclose Personal Data that the Data Processor processes on behalf of the Data Controller, the Data Processor shall be obliged to inform the Data Controller thereof immediately, unless prohibited by law.

Processing of Personal Data. 1BY THE EVENT AGENCY, AS DATA PROCESSOR 3.1. When the EVENT AGENCY processes Personal Data on behalf of SERVIER, it acts as Processor and SERVIER as Controller. 3.2. If the EVENT AGENCY considers that any of SERVIER’s instructions constitutes a breach of the Data Privacy Regulations, EVENT AGENCY shall inform SERVIER promptly. 3.3. The Data Processor EVENT AGENCY undertakes to comply and to take all necessary measures to ensure that any person acting under its authority supervision (e.g. personnelincluding its employees and authorized sub-processors) comply with the following commitments: a) to communicate to SERVIER the name and contact details of its Data Protection Officer (DPO), Sub-processors and persons acting under the Sub-processor’s authority) undertake to only process Personal Data if one has been appointed, in accordance with documented instructions communicated the Article 37 of the GDPR, or any other point of contact for all matters related to the data Processing; b) to implement and regularly update all appropriate technical and organizational measures to protect Personal Data, and notably to prevent any distortion, alteration, damage, accidental or unlawful destruction, loss, disclosure and/or any access by the Data Controller (Appendix 1)unauthorised third parties. The Data Processor EVENT AGENCY shall only process comply with all security measures listed in Exhibit B of Appendix 4 (“Security measures”) and/or the Agreement; c) to secure and keep confidential the Personal Data processed under the Agreement, notably with the following obligations (i) Personal Data are disclosed only to persons duly authorized with a need-to-know, (ii) authorised persons are bound by confidentiality obligations and (iii) they receive the extent necessary to fulfill its obligations under this DPA or Applicable Data Protection Legislation. 2. If training regarding the services are altered during the term of the Agreement and such altered services involve new or amended processing protection of Personal Data; d) to maintain, or if in writing, a record of Processing activities on behalf of ▇▇▇▇▇▇▇, as set out in Article 30 of the GDPR; e) to make available to SERVIER all information necessary to demonstrate compliance with its obligations as Processor laid down in the Data Controller’s instructions are otherwise changed Privacy Regulations and allow for and contribute to audits conducted by SERVIER or updatedany auditor mandated by SERVIER, under the parties shall ensure that Appendix 1 is updated as appropriate before or at the latest conditions set out in connection with the commencement of such processing or changeArticle 3.5 below. 3. When processing Personal Data under this DPA, the Data Processor shall comply with any and all Applicable Data Protection Legislation and applicable recommendations by competent Data Protection Authorities or other competent authorities and shall keep itself updated on and comply with any changes in such legislation and/or recommendations3.4. The Data Processor shall accept EVENT AGENCY undertakes to make any changes and amendments to this DPA that are required under Applicable Data Protection Legislation. 4. The Data Processor shall assist the Data Controller in fulfilling its legal obligations under Applicable Data Protection Legislation, including but not limited to the Data Controller’s obligation to comply with the rights of data subjects and SERVIER in ensuring compliance with the Data Controller’s its obligations relating to the security of processing (Art. 32 GDPR), the notification of a Personal Data Breach (Art 33, 34 GDPR) and the Data Protection Impact Assessment and the prior consultation (Art 35, 36 GDPR), obligation to respond to requests for exercising the data subject's rights to information regarding the processing Processing of its Personal Data. The Data Processor shall not carry out any act, or omit any act, that would cause the Data Controller to be in breach of Applicable Data Protection Legislation. 5. The Data Processor shall immediately inform the Data Controller of a request, complaint, message, or any other communication received from a competent authority or any other third party regarding the processing of Personal Data covered by this DPA. The Data Processor may not in any way act on behalf of or as a representative of the Data Controller and may not, without prior instructions from the Data Controller, transfer or in any other way disclose Personal Data or any other information relating to the processing of Personal Data to any third party, unless the Data Processor is required to do so by law. The Data Processor shall assist the Data Controller in an appropriate manner to enable him to respond to such a request, complaint, message or other communication in accordance with Applicable Data Protection Legislation. In particular, the EVENT AGENCY undertakes to: a) Use software solutions, tools, products, applications or services that take account data protection principles of “Privacy-by-design” and “Privacy-by-default”; b) Notify SERVIER, by e-mail or postal mail, any Personal Data Processor Breach within forty-eight (48) hours after becoming aware of it, provide SERVIER with all information available regarding the said breach, and take any measures of remediation to this Personal Data Breach, which the EVENT AGENCY must keep SERVIER informed. This notification shall not publish be accompanied by all relevant documentation in order to enable SERVIER to notify the breach to the competent Supervisory Authority. The notification shall contain in particular: c) Assist and provide SERVIER with all the necessary information for carrying out a Data Protection Impact Assessment (“DPIA”) or within consultation of any submissionsdata protection Supervisory Authority prior to implementation of Personal Data Processing, notificationswhen the Processing is likely to result in a high risk to the rights and freedoms of natural persons; d) Cooperate with any data protection Supervisory Authority; and e) Assist SERVIER, communicationsas far as possible, announcements or press releases in the event management of requests or recourses brought by Data Subjects in exercising their rights. When Data Subjects directly exercise their rights with the EVENT AGENCY, this latter shall send these requests to SERVIER’s Data Protection Officer by e-mail, immediately upon receipt. 3.5. If information provided by the EVENT AGENCY in accordance with this Appendix is insufficient to enable SERVIER to demonstrate that its obligations under the Data Privacy Regulations are complied, SERVIER may carry out an audit itself or by an external auditor, in the premises of the EVENT AGENCY, in order to verify its compliance with the obligations set out by the Data Privacy Regulations and this Appendix, in particular with regard to data security, integrity and confidentiality. 3.6. SERVIER allows the EVENT AGENCY to engage any sub-processor(s) to process the Personal Data. The list of authorized sub-processor(s) engaged within the performance of the Agreement, including their identity, contact details and sub-contracted Processing activities, is set out in Exhibit A to Appendix 4 (“Details of the processing”). The EVENT AGENCY undertakes to inform by email SERVIER of any intended changes concerning the addition or replacement of sub-processors, by indicating the reference of the Agreement. SERVIER may object to such changes and oppose a breach new sub-processor by e-mail within thirty (30) business days from date of data receipt of EVENT AGENCY’s notice. In this case, the CONTRACTOR undertakes to propose an action plan to SERVIER within thirty (30) days. In the absence of an action plan within the required period or if no agreement is reached between the Parties, SERVIER may terminate the Agreement by sending a written notice to the EVENT AGENCY, without any compensation that the EVENT AGENCY could claim in this regard. In any event, the EVENT AGENCY shall bind its sub-processors with Personal Data protection obligations no less stringent than those as defined set out in section 6.3this Appendix, by a written agreement, which shall define sufficient guarantees to implement appropriate technical and organisational measures, in such a manner that Processing will comply with the requirements of the Data Privacy Regulations. Moreover, the EVENT AGENCY shall ensure that its sub-processor(s) process(es) the Personal Data solely for the purpose of the performance of the subcontracted services. The EVENT AGENCY shall remain fully liable to SERVIER for its sub-processors’ acts, omissions and breaches. 3.7. The EVENT AGENCY shall comply with the instructions of SERVIER with regard to Personal Data retention period and, upon at SERVIER’s discretion and request, delete or return all the Personal Data to SERVIER, within the time limit agreed with SERVIER, including any copies that have been made on any medium whatsoever, unless retention is required by law or regulation. 3.8. In the event that the Data Processor, according to applicable laws and regulations, is required to disclose EVENT AGENCY or any of its sub-processors would transfer Personal Data that from a country in the Data Processor processes on behalf European Economic Area to a country outside of the Data ControllerEuropean Economic Area that does not have an adequate level of protection as defined by the European Commission, the Data Processor said transfer shall be obliged subject to inform the signature with the relevant legal entities outside of the European Economic Area, of a contract of transfer based on the European Commission’s Standard Contractual Clauses for data transfers between EU and non-EU countries (the “Standard Contractual Clauses for data transfers”), or any other equivalent alternative mechanism agreed and recognized by the European authorities as an appropriate legal safeguard to secure the transfer of Personal Data Controller thereof immediately, unless prohibited by lawoutside European Economic Area.

Processing of Personal Data. 1. The Data Processor Processing of personal data by the contracting party 2. Processing of personal data by the expert (a) prevent unauthorised people from accessing computer systems that process personal data and any person acting under to the nature, scope, context and purposes of processing, in order to ensure, in particular, as appropriate: (i) unauthorised reading, copying, alteration or removal of storage media; (ii) unauthorised data input, disclosure, alteration or deletion of stored personal data; (iii) unauthorised use of data-processing systems by means of data transmission facilities; (b) ensure that a data-processing system’s authorised users can access only the personal data to which its authority access right refer; (e.g. personnel, Sub-processors and persons acting under the Sub-processor’s authorityc) undertake to only process Personal Data in accordance with documented instructions record which personal data have been communicated by the Data Controller expert, when and to whom; (Appendix 1)d) ensure that personal data being processed on behalf of third parties can be processed only in the manner prescribed by the contracting party; (e) ensure that, during communication of personal data and transport of storage media, the data cannot be read, copied or deleted without authorisation; (f) design its organisational structure in a way that meets data protection requirements. The Data Processor expert shall only process Personal Data notify relevant personal data breaches to the extent necessary to fulfill its obligations under this DPA or Applicable Data Protection Legislation. 2. If the services are altered during the term of the Agreement controller without undue delay and such altered services involve new or amended processing of Personal Data, or if the Data Controller’s instructions are otherwise changed or updated, the parties shall ensure that Appendix 1 is updated as appropriate before or at the latest in connection with within 48 hours after the commencement expert becomes aware of the breach. In such processing or change. 3. When processing Personal Data under this DPAcases, the Data Processor expert shall comply provide the controller with any at least the following information: (a) nature of the personal data breach including where possible, the categories and all Applicable Data Protection Legislation approximate number of data subjects concerned and applicable recommendations by competent Data Protection Authorities the categories and approximate number of personal data records concerned; (b) likely consequences of the breach; (c) measures taken or proposed to be taken to address the breach, including, where appropriate, measures to mitigate its possible adverse effects. The expert shall immediately inform the data controller if, in its opinion, an instruction infringes Regulation (EU) 2018/1725, Regulation (EU) 2016/679, or other competent authorities and shall keep itself updated on and comply with any changes Union or Member State data protection provisions as referred to in such legislation and/or recommendationsthe tender specifications. The Data Processor shall accept to make any changes and amendments to this DPA that are required under Applicable Data Protection Legislation. 4. The Data Processor expert shall assist the Data Controller in fulfilling controller for the fulfilment of its legal obligations pursuant to Article 33 to 41 under Applicable Data Protection Legislation, including but not limited to the Data Controller’s obligation to comply with the rights of data subjects and in ensuring Regulation (EU) 2018/1725 to: (a) ensure compliance with the Data Controller’s its data protection obligations relating to regarding the security of processing (Art. 32 GDPR)the processing, the notification of a Personal Data Breach (Art 33, 34 GDPR) and the confidentiality of electronic communications and directories of users; (b) notify a personal data breach to the European Data Protection Impact Assessment Supervisor; (c) communicate a personal data breach without undue delay to the data subject, where applicable; (d) carry out data protection impact assessments and prior consultations as necessary. The expert shall maintain a record of all data processing operations carried on behalf of the prior consultation (Art 35controller, 36 GDPR)transfers of personal data, obligation to respond security breaches, responses to requests for exercising the rights of people whose personal data subject's rights is processed and requests for access to information regarding the processing of its Personal Datapersonal data by third parties. The Data Processor shall not carry out any act, or omit any act, that would cause the Data Controller contracting authority is subject to be in breach of Applicable Data Protection Legislation. 5. The Data Processor shall immediately inform the Data Controller of a request, complaint, message, or any other communication received from a competent authority or any other third party regarding the processing of Personal Data covered by this DPA. The Data Processor may not in any way act on behalf of or as a representative Protocol 7 of the Data Controller Treaty on the Functioning of the European Union on the privileges and may notimmunities of the European Union, without prior instructions from particularly as regards the Data Controller, transfer or in any other way disclose Personal Data or any other information relating to inviolability of archives (including the processing of Personal Data to any third party, unless the Data Processor is required to do so by law. The Data Processor shall assist the Data Controller in an appropriate manner to enable him to respond to such a request, complaint, message or other communication in accordance with Applicable Data Protection Legislation. In particular, the Data Processor shall not publish any submissions, notifications, communications, announcements or press releases in the event of a breach physical location of data protection and services as defined set out in section 6.3. In the event the Data ProcessorArticle I.9.2) and data security, according to applicable laws and regulations, is required to disclose Personal Data that the Data Processor processes which includes personal data held on behalf of the Data Controllercontracting authority in the premises of the expert. The expert shall notify the contracting authority without delay of any legally binding request for disclosure of the personal data processed on behalf of the contracting authority made by any national public authority, including an authority from a third country. The expert may not give such access without the prior written authorisation of the contracting authority. The duration of processing of personal data by the expert will not exceed the period of seven years starting from the payment of the balance. Upon expiry of this period, the Data Processor expert shall, at the choice of the controller, return, without any undue delay in a commonly agreed format, all personal data processed on behalf of the controller and the copies thereof or shall effectively delete all personal data unless Union or national law requires a longer storage of personal data. For this purposes of this article: (a) the subject matter and purpose of the processing of personal data by the expert is strictly restricted to the implementation of this contract. (b) The localisation of and access to the personal data processed by the expert shall comply with the following : i. the personal data shall only be processed within the territory of the European Union and the European Economic Area and will not leave that territory; ii. the data shall only be held in data centres located with the territory of the European Union and the European Economic Area; iii. no access shall be obliged given to inform such data outside of the Data Controller thereof immediately, unless prohibited by lawEuropean Union and the European Economic Area; iv. the expert may not change the location of data processing without the prior written authorisation of the contracting authority; v. any transfer of personal data under the contract to third countries or international organisations shall fully comply with the requirements laid down in Chapter V of Regulation (EU) 2018/1725 .

Processing of Personal Data. 1. The Data Processor and any person acting under its authority (e.g. personnel, Sub-processors and persons acting under We will Process the Sub-processor’s authority) undertake to only process Personal Data in accordance with your documented instructions communicated and as legally required. 3.1 The Data Controller takes full responsibility to ensure that the Processing of Per- ▇▇▇▇▇ Data and any instructions relating thereto is in compliance with Data Pro- tection Regulations applicable from time to time, including obtaining necessary licenses, permits and approvals for the Processing. The Data Controller is fur- ther responsible for ensuring that there is a valid legal basis under article 6 of the General Data Protection Regulation for the Processing of all Personal Data performed by the Data Controller (Appendix 1). Processor on behalf of the Data Controller. 3.2 The Data Processor shall only process Process Personal Data to the extent necessary to fulfill its obligations under this DPA or Applicable Data Protection Legislation. 2. If the services are altered during the term of the Agreement and such altered services involve new or amended processing of Personal Data, or if in accordance with the Data Controller’s documented instructions are otherwise changed or updatedas set out in Schedule 1, the parties shall ensure that Appendix 1 is updated as appropriate before or at the latest in connection with the commencement including trans- fer of such processing or change. 3. When processing Personal Data to third countries or an international organisation, unless the Data Processor has an obligation under this DPAEU law (including the laws of its member states) to Process Personal Data. In such case, the Data Processor shall comply with any and all Applicable Data Protection Legislation and applicable recommendations by competent Data Protection Authorities or other competent authorities and shall keep itself updated on and comply with any changes in such legislation and/or recommendations. The Data Processor shall accept to make any changes and amendments to this DPA that are required under Applicable Data Protection Legislation. 4. The Data Processor shall assist inform the Data Controller of the legal requirement before the Processing is ini- tiated, provided that this is in fulfilling its legal obligations accordance with applicable laws. 3.3 Schedule 1 of the Data Processing Addendum stipulates the (i) types of Personal Data Processed under Applicable the Data Protection LegislationProcessing Addendum, (ii) categories of Data Subjects that the Personal Data concern, and (iii) nature and purpose for the Processing of Personal Data. 3.4 This Data Processing Addendum, including but not limited to Schedule 1, constitutes the Data Controller’s obligation entire instructions to comply with the rights of data subjects and in ensuring compliance with the Data Controller’s obligations relating to Processor for the security Processing of processing (Art. 32 GDPR), the notification of a Personal Per- ▇▇▇▇▇ Data Breach (Art 33, 34 GDPR) and under the Data Protection Impact Assessment and the prior consultation (Art 35, 36 GDPR), obligation to respond to requests for exercising the data subject's rights to information regarding the processing of its Personal Data. The Data Processor shall not carry out any act, or omit any act, that would cause the Data Controller to be in breach of Applicable Data Protection LegislationProcessing Addendum. 5. 3.5 The Data Processor shall immediately inform the Data Controller if the Data Processor considers that all or part of a request, complaint, message, or any other communication received from a competent authority or any other third party regarding the processing Data Controller’s instructions are in violation of Personal Data covered by this DPAProtection Regulations. The Data Processor may shall not in any way act on behalf of or as a representative of imple- ment such instruction until the Data Controller and may not, without prior instructions from has confirmed that the imple- mentation of the instruction is lawful. 3.6 The Data Controller, transfer or in any other way disclose Processor shall Process the Personal Data or any other information relating for the time necessary in or- der to fulfil its obligations under the processing of Personal Service Terms. 3.7 The Data to any third party, unless Processor shall ensure that persons for whom the Data Processor is required re- sponsible and who Process Personal Data under the Data Processing Addendum have committed themselves to do so by law. The confidentiality or are under an appropriate statu- tory obligation of confidentiality. 3.8 Taking into account the nature of the Processing, the Data Processor shall assist the Data Controller with appropriate technical and organisational measures, in- sofar as this is possible and to a reasonable extent, for the fulfilment of the Data Controller's obligation to respond to requests for exercising the Data Subjects’ rights under the Data Protection Regulations. 3.9 Taking into account the nature of the Processing and the information available to the Data Processor, the Data Processor shall assist the Data Controller in an appropriate manner to enable him to respond to such a request, complaint, message or other communication in accordance en- suring compliance with Applicable Data Protection Legislation. In particular, the Data Processor shall not publish any submissionsController’s obligations pursuant to Data Pro- tection Regulations, notificationsincluding (where applicable) its obligations to (i) implement appropriate technical and organisational measures, communications(ii) notify Personal Data Breaches to the supervisory authority, announcements or press releases in the event (iii) inform Data Subjects of a breach of Personal Data Breaches, (iv) carry out data protection as defined in section 6.3. In impact assessments, and (v) carry out prior consultation with competent supervisory authorities before Processing. 3.10 The Data Processor shall, at the event choice of the Data ProcessorController, according to applicable laws and regulations, is required to disclose delete or return the Personal Data that to the Data Processor processes on behalf Controller at the end of the term of the Data Pro- cessing Addendum, and delete existing copies unless EU law (including the laws of its member states) requires storage of the Personal Data. If requested by the Data Controller, the Data Processor shall be obliged provide written notice confirming the return or deletion of the Personal Data. The Data Processor’s responsibility un- der this Section 3.10 only concerns deletion and return of Personal Data pursu- ant to inform the Data Controller thereof immediately, unless prohibited by lawProtection Regulations.

Processing of Personal Data. 1. 2.1 The Data Processor and any person acting under its authority (e.g. personnel, Sub-processors and persons acting under the Sub-processor’s authority) undertake undertakes to process personal data only process Personal Data in accordance with documented instructions communicated from time to time by the Data Controller (Appendix 1)Controller. The Data Processor shall only process Personal Data Controller's original instructions to the extent necessary to fulfill its obligations Data Processor regarding the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects are set out in this Data Processing Agreement and in Appendix 1. 2.2 When processing personal data under this DPA or Applicable Data Protection Legislation. 2. If the services are altered during the term of the Agreement and such altered services involve new or amended processing of Personal Data, or if the Data Controller’s instructions are otherwise changed or updated, the parties shall ensure that Appendix 1 is updated as appropriate before or at the latest in connection with the commencement of such processing or change. 3. When processing Personal Data under this DPAProcessing Agreement, the Data Processor shall comply with any and all Applicable Data Protection Legislation applicable data protection laws and applicable recommendations by competent Data from the Swedish Authority for Privacy Protection Authorities (IMY) or any other competent authorities and shall keep itself updated on and comply with any changes in such legislation and/or recommendationsauthority. The Data Processor shall accept to make approve any changes and amendments additions to this DPA that are Data Processing Agreement required under Applicable Data Protection Legislationby applicable data protection legislation. 4. 2.3 The Data Processor shall assist the Data Controller in fulfilling its legal obligations under Applicable Data Protection Legislationapplicable data protection legislation, including but not limited to the Data Controller’s 's obligation to comply deal with claims regarding the rights exercise of data subjects and in ensuring compliance with the Data Controller’s obligations relating to the security of processing (Art. 32 GDPR), the notification of a Personal Data Breach (Art 33, 34 GDPR) and the Data Protection Impact Assessment and the prior consultation (Art 35, 36 GDPR), obligation to respond to requests for exercising the data subject's subjects' rights to information regarding about the processing of its Personal Data. The Data Processor shall not carry out any acttheir personal data (data statements) and to have personal data corrected, blocked or omit any act, that would cause the Data Controller to be in breach of Applicable Data Protection Legislationdeleted. 5. 2.4 The Data Processor shall immediately inform notify the Data Controller if an instruction issued pursuant to Section 6 below is in obvious violation of a requestapplicable data protection legislation. 2.5 The Data Processor undertakes not to disclose or otherwise make personal data processed under this Data Processing Agreement available to third parties without the prior written consent of the Data Controller, complaint, messagewith the exception of any sub-processors engaged under this Data Processing Agreement, or any other communication received from pursuant to applicable regulations. 2.6 If a data subject, competent authority or any other third party regarding requests information from the Data Processor about the processing of Personal Data personal data covered by this DPAData Processing Agreement, the Data Processor shall refer such request to the Data Controller, unless applicable regulations stipulate otherwise. The Data Processor may not in any way act on behalf of or as a representative on behalf of the Data Controller as its representative, and may not, without the prior instructions from consent of the Data Controller, transfer or in any otherwise disclose personal data or other way disclose Personal Data or any other information data relating to the processing of Personal Data personal data to any third partyparties, unless applicable regulations stipulate otherwise. If, pursuant to applicable regulations, the Data Processor is required to do so by law. The Data Processor shall assist the Data Controller in an appropriate manner to enable him to respond to such a request, complaint, message or other communication in accordance with Applicable Data Protection Legislation. In particular, the Data Processor shall not publish any submissions, notifications, communications, announcements or press releases in the event of a breach of disclose personal data protection as defined in section 6.3. In the event the Data Processor, according to applicable laws and regulations, is required to disclose Personal Data that the Data Processor processes on behalf of the Data Controller, the Data Processor shall be obliged to inform shall, provided so allowed under applicable regulations, immediately notify the Data Controller thereof immediately, unless prohibited by lawas well as request that any personal data so disclosed shall be kept confidential.

Processing of Personal Data. 1. The Where the Supplier, pursuant to its obligations under this Framework Agreement, undertakes the Processing of Personal Data Processor and any person acting under its authority (e.g. personnelon behalf of the Authority, Sub-processors and persons acting under it must: carry out the Sub-processor’s authority) undertake to only process Processing of the Personal Data in accordance with documented instructions communicated from the Authority and this Framework Agreement (however where the Supplier considers such instructions conflict with Applicable Laws and regulations in any relevant jurisdiction, the matter will be resolved in accordance with the dispute resolution procedure set out in Clause 17); process the Personal Data: that is necessary for the provision of the Authority Services and the Customer and Supplier; and as required by Applicable Law or any Regulatory Body; implement appropriate technical and organisational measures to protect the Personal Data Controller (Appendix 1). The Data Processor shall only process against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure; take reasonable steps to ensure the reliability of any Supplier personnel that have access to the Personal Data; obtain prior written consent from the Authority to transfer the Personal Data to any subcontractor for the extent necessary to fulfill its obligations under this DPA or Applicable Data Protection Legislation. 2. If the services are altered during the term provision of the Agreement and such altered services involve new Authority Services or amended processing of Personal Data, or if the Data Controller’s instructions are otherwise changed or updated, the parties shall Customer Services; ensure that Appendix 1 is updated as appropriate before or at any Supplier personnel required to access the latest in connection with the commencement of such processing or change. 3. When processing Personal Data under this DPA, are informed of the confidential nature of the Personal Data Processor shall comply with any and all Applicable Data Protection Legislation and applicable recommendations by competent Data Protection Authorities or other competent authorities and shall keep itself updated on and comply with any changes in such legislation and/or recommendations. The Data Processor shall accept to make any changes and amendments to this DPA that are required under Applicable Data Protection Legislation. 4. The Data Processor shall assist the Data Controller in fulfilling its legal obligations under Applicable Data Protection Legislation, including but not limited to the Data Controller’s obligation to they comply with the rights of data subjects and obligations in ensuring compliance with this Clause; ensure that the Data Controller’s obligations relating to the security of processing (Art. 32 GDPR)Supplier's personnel do not publish, the notification of a Personal Data Breach (Art 33, 34 GDPR) and the Data Protection Impact Assessment and the prior consultation (Art 35, 36 GDPR), obligation to respond to requests for exercising the data subject's rights to information regarding the processing of its Personal Data. The Data Processor shall not carry out disclose or divulge any act, or omit any act, that would cause the Data Controller to be in breach of Applicable Data Protection Legislation. 5. The Data Processor shall immediately inform the Data Controller of a request, complaint, message, or any other communication received from a competent authority or any other third party regarding the processing of Personal Data covered by this DPA. The Data Processor may not in any way act on behalf of or as a representative of the Data Controller and may not, without prior instructions from the Data Controller, transfer or in any other way disclose Personal Data or any other information relating to the processing of Personal Data to any third party, unless the Data Processor is required directed in writing to do so by law. The the Authority; notify the Authority within five (5) Working Days if it receives: a request from a Data Processor shall assist Subject to have access to the Personal Data (a Data Access Request); or a complaint or a request relating to the Authority’s obligations under the Data Controller Protection Requirements; provide the Authority with full cooperation and assistance for any complaint or request made. This includes: providing the Authority with full details of the complaint or request; complying with a Data Access Request within the relevant timescales set out in an appropriate manner to enable him to respond to such a request, complaint, message or other communication the Data Protection Requirements and in accordance with Applicable the Authority’s instructions; providing the Authority with any Personal Data it holds in relation to a Data Subject within the timescales reasonably required by the Authority; and providing the Authority with any information reasonably requested by the Authority; permit the Authority or its representatives (subject to obtaining reasonable and appropriate confidentiality undertakings), to: inspect and audit, in accordance with Clause 6, the Supplier’s, and those of its agents and subsidiaries, data Processing activities; and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and procure that the Supplier is in full compliance with its obligations under this Framework Agreement; provide a written description of the technical and organisational methods employed by the Supplier for Processing Personal Data within the timescales reasonably required by the Authority; and not undertake the Processing of Personal Data outside the European Economic Area without the prior written consent of the Authority (such consent not to be unreasonably withheld) and, where the Authority consents to a transfer under Clause 19.2.1(e), to comply with: the obligations of a Data Controller under the Eighth Data Protection Legislation. In particular, Principle set out in Schedule 1 of the Data Processor shall not publish Protection Act 1998 by providing an adequate level of protection to any submissions, notifications, communications, announcements or press releases in the event of a breach of data protection as defined in section 6.3. In the event the Data Processor, according to applicable laws and regulations, is required to disclose Personal Data that is transferred; and any reasonable instructions notified to the Data Processor processes on behalf of Supplier by the Data Controller, the Data Processor shall be obliged to inform the Data Controller thereof immediately, unless prohibited by law.Authority. Confidentiality

Processing of Personal Data. 13.1 In the context of performing the Service, the Processor may receive personal data, as defined in article 4.1 of the General Data Protection Regulation (EU 2016/679) (the "GDPR"), processed for purposes determined by the Controller (the "Personal Data"). The Controller is the data controller of the Personal Data by the personal data protection laws applicable from time to time, as well as any other applicable law, regulation, or equivalent ordinance. 3.2 The Processor and any person acting under its authority (e.g. personnel, Sub-processors and persons acting under the Sub-processor’s authority) undertake undertakes to only process the Personal Data by the terms of the Agreement or other written Agreement between the Parties, and only by the Controller's instructions, Appendix 1, as well as with the from time to time applicable data protection legislation and any other applicable law, regulation or equivalent ordinance. The Controller is responsible for ensuring that the Processor does not process any other categories of Personal Data than those listed in Appendix 1 and by the scope stated therein. In case of changes in the documented instructions by the Controller, the Processor is entitled to reasonable compensation. 3.3 In case the Processor lacks the instructions that the Processor considers necessary to perform the tasks that the Processor has acquired from the Controller within the scope of the Service, the Processor shall, without delay, notify the Controller of its position and await such instructions that the Controller deems necessary. 3.4 Access to the Personal Data shall, within the Processor's organization, be limited to those who require it for the performance of the Service and who are obligated to observe secrecy by Agreement or by law. The Processor shall take appropriate technical and organizational measures to protect the Personal Data. Such measures shall provide a level of security appropriate with regard to the available technology and the cost of the measures, taking into account whether there are any specific risks involved with the processing and the level of sensitivity of the Personal Data. Such measures include: – the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services; – the ability to restore the availability of and access to the Personal Data in accordance with documented instructions communicated a timely manner in the event of a physical or technical incident; – the pseudonymization and encryption of the Personal Data when the processing so requires under the applicable law; – a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing, when required under the applicable law; – keeping and updating logs of Personal Data; maintaining a secure IT environment, and establishing and maintaining physical security measures and procedures; and – ensuring procedures to immediately notify the Controller at every attempt at or complete unauthorized access to the data provided by the Data Controller (Appendix 1including destruction or alteration of the Personal Data). 3.5 The Processor undertakes to ensure that relevant personnel comply with this Agreement and the Controller's instructions at all times and that they are kept informed regarding the applicable data protection legislation from time to time. 3.6 The Processor shall, through suitable technical and organizational measures and to the degree it is possible about the nature of the processing, assist the Controller for the Controller to be able to fulfill its obligation to respond to requests from the individual data subjects by the applicable law or regulation. The Data Processor shall only process Personal Data also, in all other aspects, assist the Controller in fulfilling its obligations, taking into account the type of processing and the information available to the Processor regarding – security in connection to the processing; – notification of any personal data breach to the supervisory authority; – communication to the data subject of a personal data breach, and – data protection impact assessment and prior consultation; to the extent necessary that the obligations in (a)-(d) above are required according to fulfill the applicable law or regulation. The Processor shall be entitled to reasonable compensation for its obligations under assistance in accordance with this DPA or Applicable Data Protection LegislationSection 3.6. 2. If the services are altered during the term 3.7 The Processor undertakes to maintain a written record of the Agreement and such altered services involve new or amended processing of Personal Data, or if including the Data Controller’s instructions are otherwise changed or updated, the parties shall ensure that Appendix 1 is updated as appropriate before or at the latest content stated in connection with the commencement of such processing or change. 3. When processing Personal Data under this DPA, the Data Processor shall comply with any and all Applicable Data Protection Legislation and applicable recommendations by competent Data Protection Authorities or other competent authorities and shall keep itself updated on and comply with any changes in such legislation and/or recommendations. The Data Processor shall accept to make any changes and amendments to this DPA that are required under Applicable Data Protection Legislation. 4. The Data Processor shall assist the Data Controller in fulfilling its legal obligations under Applicable Data Protection Legislation, including but not limited to the Data Controller’s obligation to comply with the rights of data subjects and in ensuring compliance with the Data Controller’s obligations relating to the security of processing (Art. 32 GDPR), the notification of a Personal Data Breach (Art 33, 34 GDPR) and the Data Protection Impact Assessment and the prior consultation (Art 35, 36 GDPR), obligation to respond to requests for exercising the data subject's rights to information regarding the processing of its Personal Data. The Data Processor shall not carry out any act, or omit any act, that would cause the Data Controller to be in breach of Applicable Data Protection Legislation. 5. The Data Processor shall immediately inform the Data Controller of a request, complaint, message, or any other communication received from a competent authority or any other third party regarding the processing of Personal Data covered by this DPA. The Data Processor may not in any way act on behalf of or as a representative of the Data Controller and may not, without prior instructions from the Data Controller, transfer or in any other way disclose Personal Data or any other information relating to the processing of Personal Data to any third party, unless the Data Processor is required to do so by law. The Data Processor shall assist the Data Controller in an appropriate manner to enable him to respond to such a request, complaint, message or other communication in accordance with Applicable Data Protection Legislation. In particular, the Data Processor shall not publish any submissions, notifications, communications, announcements or press releases in the event of a breach of data protection as defined in section 6.3. In the event the Data Processor, according to applicable laws and regulations, is required to disclose Personal Data that the Data Processor processes on behalf of the Data Controller, the Data Processor shall be obliged to inform the Data Controller thereof immediately, unless prohibited by law.Article

Processing of Personal Data. 1. The 3.1 Data Processor and any person acting under its authority (e.g. personnel, Sub-processors and persons acting under the Sub-processor’s authority) undertake to only shall process Personal personal data on behalf of Data Controller in accordance with documented instructions communicated by the Data Controller (Appendix 1). The Data Processor shall only process Personal Data to the extent necessary to fulfill its obligations under this DPA or Applicable Data Protection Legislation. 23.2 The personal data to be processed by Data Processor and the categories of data subjects are set out in schedule 1 to this Data Processing Agreement. 3.3 Data Processor may only process the personal data on documented instructions from Data Controller, unless required to do so pursuant to mandatory European Union rules and regulation or mandatory member state law to which Data Processor is subject. If In that case, Data Processor must notify Data Controller of such legal require- ment before the services processing, unless the relevant law prohibits such notification on important grounds of public in- terest. 3.4 Data Processor must ensure that the persons involved in the processing of personal data on behalf of Data Con- troller under the Data Processing Agreement have either committed themselves to confidentiality or are altered subject to a proper statutory duty of confidentiality and that they only process personal data in compliance with the Master Agreement, the Data Processing Agreement and the Data Protection Legislation. 3.5 Data Processor shall take the necessary steps to ensure that any person acting under the authority of Data Pro- cessor, and who has access to the personal data, does not process such personal data except on documented instructions from Data Controller. 3.6 Data Processor shall, upon request from Data Controller, provide access to all necessary information in order for Data Controller to ensure compliance with the obligations laid down in the Data Protection Legislation. 3.7 The Data Processor shall during the term of the Data Processing Agreement and such altered services involve new or amended processing of Personal Data, or if upon requect from Data Control- ler issue an annual audit report on the Data ControllerProcessor’s instructions are otherwise changed or updated, the parties shall ensure that Appendix 1 is updated as appropriate before or at the latest in connection with the commencement of such processing or change. 3. When processing Personal Data under this DPA, IT Security and the Data Processor shall comply with any and all Applicable Data Protection Legislation and applicable recommendations by competent Data Protection Authorities or other competent authorities and shall keep itself updated on and comply with any changes in such legislation and/or recommendations. The bear the costs. 3.8 Furthermore, Data Processor shall accept must allow and contribute to make any changes audits, including inspections, conducted by Data Controller or an auditor authorized by Data Controller, which must be bound to confidentiality, selected by the Da- ta Controller and amendments approved by Data Processor, and, where applicable, in coordination with the supervisory author- ity. Data Processor is entitled to receive separate compensation in this DPA that are required under Applicable regard. 3.9 The audits carried out by Data Controller or an auditor authorized by Data Controller must be proportional with regard to the sensitivity of the personal data processed by Data Processor. 3.10 Data Processor must immediately notify Data Controller if, in Data Processor's opinion, an instruction from Data Controller is contrary to the Data Protection Legislation. 4. The Data Processor shall assist the Data Controller in fulfilling its legal obligations under Applicable Data Protection Legislation, including but not limited to the Data Controller’s obligation to comply with the rights of data subjects and in ensuring compliance with the Data Controller’s obligations relating to the security of processing (Art. 32 GDPR), the notification of a Personal Data Breach (Art 33, 34 GDPR) and the Data Protection Impact Assessment and the prior consultation (Art 35, 36 GDPR), obligation to respond to requests for exercising the data subject's rights to information regarding the processing of its Personal Data. The Data Processor shall not carry out any act, or omit any act, that would cause the Data Controller to be in breach of Applicable Data Protection Legislation. 5. The Data Processor shall immediately inform the Data Controller of a request, complaint, message, or any other communication received from a competent authority or any other third party regarding the processing of Personal Data covered by this DPA. The Data Processor may not in any way act on behalf of or as a representative of the Data Controller and may not, without prior instructions from the Data Controller, transfer or in any other way disclose Personal Data or any other information relating to the processing of Personal Data to any third party, unless the Data Processor is required to do so by law. The Data Processor shall assist the Data Controller in an appropriate manner to enable him to respond to such a request, complaint, message or other communication in accordance with Applicable Data Protection Legislation. In particular, the Data Processor shall not publish any submissions, notifications, communications, announcements or press releases in the event of a breach of data protection as defined in section 6.3. In the event the Data Processor, according to applicable laws and regulations, is required to disclose Personal Data that the Data Processor processes on behalf of the Data Controller, the Data Processor shall be obliged to inform the Data Controller thereof immediately, unless prohibited by law.

Processing of Personal Data. 1. The Where the Supplier, pursuant to its obligations under this Framework Agreement, undertakes the Processing of Personal Data Processor and any person acting under its authority (e.g. personnelon behalf of the Authority, Sub-processors and persons acting under it must: carry out the Sub-processor’s authority) undertake to only process Processing of the Personal Data in accordance with documented instructions communicated from the Authority and this Framework Agreement (however where the Supplier considers such instructions conflict with Applicable Laws and regulations in any relevant jurisdiction, the matter will be resolved in accordance with the dispute resolution procedure set out in Clause 17); process the Personal Data: that is necessary for the provision of the Authority Services and the Customer and Supplier; and as required by Applicable Law or any Regulatory Body; implement appropriate technical and organisational measures to protect the Personal Data Controller (Appendix 1). The Data Processor shall only process against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure; take reasonable steps to ensure the reliability of any Supplier personnel that have access to the Personal Data; obtain prior written consent from the Authority to transfer the Personal Data to any subcontractor for the extent necessary to fulfill its obligations under this DPA or Applicable Data Protection Legislation. 2. If the services are altered during the term provision of the Agreement and such altered services involve new Authority Services or amended processing of Personal Data, or if the Data Controller’s instructions are otherwise changed or updated, the parties shall Customer Services; ensure that Appendix 1 is updated as appropriate before or at any Supplier personnel required to access the latest in connection with the commencement of such processing or change. 3. When processing Personal Data under this DPA, are informed of the confidential nature of the Personal Data Processor shall comply with any and all Applicable Data Protection Legislation and applicable recommendations by competent Data Protection Authorities or other competent authorities and shall keep itself updated on and comply with any changes in such legislation and/or recommendations. The Data Processor shall accept to make any changes and amendments to this DPA that are required under Applicable Data Protection Legislation. 4. The Data Processor shall assist the Data Controller in fulfilling its legal obligations under Applicable Data Protection Legislation, including but not limited to the Data Controller’s obligation to they comply with the rights of data subjects and obligations in ensuring compliance with this Clause; ensure that the Data Controller’s obligations relating to the security of processing (Art. 32 GDPR)Supplier's personnel do not publish, the notification of a Personal Data Breach (Art 33, 34 GDPR) and the Data Protection Impact Assessment and the prior consultation (Art 35, 36 GDPR), obligation to respond to requests for exercising the data subject's rights to information regarding the processing of its Personal Data. The Data Processor shall not carry out disclose or divulge any act, or omit any act, that would cause the Data Controller to be in breach of Applicable Data Protection Legislation. 5. The Data Processor shall immediately inform the Data Controller of a request, complaint, message, or any other communication received from a competent authority or any other third party regarding the processing of Personal Data covered by this DPA. The Data Processor may not in any way act on behalf of or as a representative of the Data Controller and may not, without prior instructions from the Data Controller, transfer or in any other way disclose Personal Data or any other information relating to the processing of Personal Data to any third party, unless the Data Processor is required directed in writing to do so by law. The the Authority; notify the Authority within five (5) Working Days if it receives: a request from a Data Processor shall assist Subject to have access to the Personal Data (a Data Access Request); or a complaint or a request relating to the Authority’s obligations under the Data Controller Protection Requirements; provide the Authority with full cooperation and assistance for any complaint or request made. This includes: providing the Authority with full details of the complaint or request; complying with a Data Access Request within the relevant timescales set out in an appropriate manner to enable him to respond to such a request, complaint, message or other communication the Data Protection Requirements and in accordance with Applicable the Authority’s instructions; providing the Authority with any Personal Data it holds in relation to a Data Subject within the timescales reasonably required by the Authority; and providing the Authority with any information reasonably requested by the Authority; permit the Authority or its representatives (subject to obtaining reasonable and appropriate confidentiality undertakings), to: inspect and audit, in accordance with Clause 6, the Supplier’s, and those of its agents and subsidiaries, data Processing activities; and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and procure that the Supplier is in full compliance with its obligations under this Framework Agreement; provide a written description of the technical and organisational methods employed by the Supplier for Processing Personal Data within the timescales reasonably required by the Authority; and not undertake the Processing of Personal Data outside the European Economic Area without the prior written consent of the Authority (such consent not to be unreasonably withheld) and, where the Authority consents to a transfer under Clause 19.2(e), to comply with: the obligations of a Data Controller under the Eighth Data Protection Legislation. In particular, Principle set out in Schedule 1 of the Data Processor shall not publish Protection Act 1998 by providing an adequate level of protection to any submissions, notifications, communications, announcements or press releases in the event of a breach of data protection as defined in section 6.3. In the event the Data Processor, according to applicable laws and regulations, is required to disclose Personal Data that is transferred; and any reasonable instructions notified to the Data Processor processes on behalf of Supplier by the Data Controller, the Data Processor shall be obliged to inform the Data Controller thereof immediately, unless prohibited by law.Authority. Confidentiality

Processing of Personal Data. 115.1. The parties agree that the Customer is a Controller and that 2Teck is a Processor for the purposes of processing Protected Data Processor pursuant to the Contract. The Customer shall at all times comply with all Data Protection Laws in connection with the processing of Protected Data. The Customer shall ensure all instructions given by it to 2Teck in respect of Protected Data (including the terms of the Contract) shall at all times be in accordance with Data Protection Laws. 15.2. 2Teck shall process Protected Data in compliance with the obligations placed on it under Data Protection Laws and the terms of the Contract. 15.3. The Customer shall indemnify and keep indemnified 2Teck against all losses, claims, damages, liabilities, fines, sanctions, interest, penalties, costs, charges, expenses, compensation paid to Data Subjects, demands and legal and other professional costs (calculated on a full indemnity basis and in each case whether or not arising from any person acting under its authority (e.g. personnelinvestigation by, Sub-processors and persons acting under the Sub-processor’s or imposed by, a supervisory authority) undertake to arising out of or in connection with any breach by the Customer of its obligations under this clause 15. 15.4. 2Teck shall: 15.4.1. Only process (and shall ensure 2Teck Personnel only process Personal process) the Protected Data in accordance with documented schedule 1 and the Contract (and not otherwise unless alternative processing instructions communicated are agreed between the parties in writing) except where otherwise required by applicable law (and shall inform the Customer of that legal requirement before processing, unless applicable law prevents it doing so on important grounds of public interest); and 15.4.2. If 2Teck believes that any instruction received by it from the Customer is likely to infringe the Data Controller Protection Laws it shall promptly inform the Customer and be entitled to cease to provide the relevant Services until the parties have agreed appropriate amended instructions which are not infringing. 15.5. Taking into account the state of technical development and the nature of processing, 2Teck shall implement and maintain the technical and organisational measures set out in Part 3 of schedule 1 to protect the Protected Data against accidental, unauthorised or unlawful destruction, loss, alteration, disclosure or access. 15.6. 2Teck shall: 15.6.1. Not permit any processing of Protected Data by any agent, subcontractor or other third party (Appendix 1)except its or its Sub-Processors’ own employees in the course of their employment that are subject to an enforceable obligation of confidence with regards to the Protected Data) without the written authorisation of the Customer; 15.6.2. Prior to the relevant Sub-Processor carrying out any processing activities in respect of the Protected Data, appoint each Sub-Processor under a written contract containing materially the same obligations as under this clause 15 that is enforceable by 2Teck and ensure each such Sub-Processor complies with all such obligations; 15.6.3. Remain fully liable to the Customer under the Contract for all the acts and omissions of each Sub-Processor as if they were its own; and 15.6.4. Ensure that all persons authorised by 2Teck or any Sub-Processor to process Protected Data are subject to a binding written contractual obligation to keep the Protected Data confidential. 15.7. The Data Processor shall only process Personal Data Customer authorises the appointment of the Sub-Processors as may be notified to the extent necessary Customer from time to fulfill its obligations under this DPA or Applicable Data Protection Legislationtime. 215.8. If the services are altered during the term of the Agreement and such altered services involve new or amended processing of Personal Data, or if the Data Controller’s instructions are otherwise changed or updated, the parties 2Teck shall ensure that Appendix 1 is updated as appropriate before or (at the latest in connection with Customer's cost): 15.8.1. Assist the commencement of such processing or change. 3. When processing Personal Data under this DPA, the Data Processor shall comply with any and all Applicable Data Protection Legislation and applicable recommendations by competent Data Protection Authorities or other competent authorities and shall keep itself updated on and comply with any changes in such legislation and/or recommendations. The Data Processor shall accept to make any changes and amendments to this DPA that are required under Applicable Data Protection Legislation. 4. The Data Processor shall assist the Data Controller in fulfilling its legal obligations under Applicable Data Protection Legislation, including but not limited to the Data Controller’s obligation to comply with the rights of data subjects and Customer in ensuring compliance with the Data ControllerCustomer’s obligations relating pursuant to Articles 32 to 36 of the security GDPR (and any similar obligations under applicable Data Protection Laws) taking into account the nature of the processing and the information available to 2Teck; and 15.8.2. Taking into account the nature of the processing, assist the Customer (Art. 32 GDPRby appropriate technical and organisational measures), insofar as this is possible, for the notification fulfilment of a Personal Data Breach (Art 33, 34 GDPR) and the Data Protection Impact Assessment and the prior consultation (Art 35, 36 GDPR), obligation Customer’s obligations to respond to requests for exercising the data subject's Data Subjects’ rights to information regarding under Chapter III of the processing GDPR (and any similar obligations under applicable Data Protection Laws) in respect of its Personal any Protected Data. 15.9. The Data Processor 2Teck shall not carry out any actprocess and/or transfer, or omit otherwise directly or indirectly disclose, any actProtected Data in or to countries outside the United Kingdom or to any International Organisation without the prior written consent of the Customer. 15.10. 2Teck shall, that would cause the Data Controller to be in breach of Applicable accordance with Data Protection LegislationLaws, make available to the Customer such information that is in its possession or control as is necessary to demonstrate 2Teck's compliance with the obligations placed on it under this clause 15 and to demonstrate compliance with the obligations on each party imposed by Article 28 of the GDPR (and under any equivalent Data Protection Laws equivalent to that Article 28), and allow for and contribute to audits, including inspections, by the Customer (or another auditor mandated by the Customer) for this purpose (subject to a maximum of 1 audit request in any 12 month period under this clause 15.10). 515.11. The Data Processor 2Teck shall immediately inform notify the Data Controller Customer without undue delay and in writing on becoming aware of a request, complaint, message, or any other communication received from a competent authority or any other third party regarding the processing of Personal Data covered by this DPABreach in respect of any Protected Data. 15.12. The Data Processor may not in any way act on behalf of or as a representative On the end of the Data Controller and may not, without prior instructions from provision of the Data Controller, transfer or in any other way disclose Personal Data or any other information Services relating to the processing of Personal Protected Data, at the Customer’s cost and the Customer’s option, 2Teck shall either return all of the Protected Data to any third party, unless the Data Processor is required to do so by law. The Data Processor shall assist the Data Controller in an appropriate manner to enable him to respond to such a request, complaint, message Customer or other communication in accordance with Applicable Data Protection Legislation. In particular, the Data Processor shall not publish any submissions, notifications, communications, announcements or press releases in the event of a breach of data protection as defined in section 6.3. In the event the Data Processor, according to applicable laws and regulations, is required to disclose Personal Data that the Data Processor processes on behalf securely dispose of the Protected Data Controller, (and thereafter promptly delete all existing copies of it) except to the Data Processor extent that any applicable law requires 2Teck to store such Protected Data. This clause 15 shall be obliged to inform survive termination or expiry of the Data Controller thereof immediately, unless prohibited by lawContract.

Processing of Personal Data. 115.1. The parties agree that the Customer is a Controller and that 2Teck is a Processor for the purposes of processing Protected Data Processor pursuant to the Contract. The Customer shall at all times comply with all Data Protection Laws in connection with the processing of Protected Data. The Customer shall ensure all instructions given by it to 2Teck in respect of Protected Data (including the terms of the Contract) shall at all times be in accordance with Data Protection Laws.‌ 15.2. 2Teck shall process Protected Data in compliance with the obligations placed on it under Data Protection Laws and the terms of the Contract. 15.3. The Customer shall indemnify and keep indemnified 2Teck against all losses, claims, damages, liabilities, fines, sanctions, interest, penalties, costs, charges, expenses, compensation paid to Data Subjects, demands and legal and other professional costs (calculated on a full indemnity basis and in each case whether or not arising from any person acting under its authority (e.g. personnelinvestigation by, Sub-processors and persons acting under the Sub-processor’s or imposed by, a supervisory authority) undertake to arising out of or in connection with any breach by the Customer of its obligations under this clause 15. 15.4. 2Teck shall: 15.4.1. Only process (and shall ensure 2Teck Personnel only process Personal process) the Protected Data in accordance with documented schedule 1 and the Contract (and not otherwise unless alternative processing instructions communicated are agreed between the parties in writing) except where otherwise required by applicable law (and shall inform the Customer of that legal requirement before processing, unless applicable law prevents it doing so on important grounds of public interest); and 15.4.2. If 2Teck believes that any instruction received by it from the Customer is likely to infringe the Data Controller Protection Laws it shall promptly inform the Customer and be entitled to cease to provide the relevant Services until the parties have agreed appropriate amended instructions which are not infringing. 15.5. Taking into account the state of technical development and the nature of processing, 2Teck shall implement and maintain the technical and organisational measures set out in Part 3 of schedule 1 to protect the Protected Data against accidental, unauthorised or unlawful destruction, loss, alteration, disclosure or access. 15.6. 2Teck shall: 15.6.1. Not permit any processing of Protected Data by any agent, subcontractor or other third party (Appendix 1)except its or its Sub-Processors’ own employees in the course of their employment that are subject to an enforceable obligation of confidence with regards to the Protected Data) without the written authorisation of the Customer; 15.6.2. Prior to the relevant Sub-Processor carrying out any processing activities in respect of the Protected Data, appoint each Sub-Processor under a written contract containing materially the same obligations as under this clause 15 that is enforceable by 2Teck and ensure each such Sub-Processor complies with all such obligations; 15.6.3. Remain fully liable to the Customer under the Contract for all the acts and omissions of each Sub-Processor as if they were its own; and 15.6.4. Ensure that all persons authorised by 2Teck or any Sub-Processor to process Protected Data are subject to a binding written contractual obligation to keep the Protected Data confidential. 15.7. The Data Processor shall only process Personal Data Customer authorises the appointment of the Sub-Processors as may be notified to the extent necessary Customer from time to fulfill its obligations under this DPA or Applicable Data Protection Legislationtime. 215.8. If the services are altered during the term of the Agreement and such altered services involve new or amended processing of Personal Data, or if the Data Controller’s instructions are otherwise changed or updated, the parties 2Teck shall ensure that Appendix 1 is updated as appropriate before or (at the latest in connection with Customer's cost): 15.8.1. Assist the commencement of such processing or change. 3. When processing Personal Data under this DPA, the Data Processor shall comply with any and all Applicable Data Protection Legislation and applicable recommendations by competent Data Protection Authorities or other competent authorities and shall keep itself updated on and comply with any changes in such legislation and/or recommendations. The Data Processor shall accept to make any changes and amendments to this DPA that are required under Applicable Data Protection Legislation. 4. The Data Processor shall assist the Data Controller in fulfilling its legal obligations under Applicable Data Protection Legislation, including but not limited to the Data Controller’s obligation to comply with the rights of data subjects and Customer in ensuring compliance with the Data ControllerCustomer’s obligations relating pursuant to Articles 32 to 36 of the security GDPR (and any similar obligations under applicable Data Protection Laws) taking into account the nature of the processing and the information available to 2Teck; and 15.8.2. Taking into account the nature of the processing, assist the Customer (Art. 32 GDPRby appropriate technical and organisational measures), insofar as this is possible, for the notification fulfilment of a Personal Data Breach (Art 33, 34 GDPR) and the Data Protection Impact Assessment and the prior consultation (Art 35, 36 GDPR), obligation Customer’s obligations to respond to requests for exercising the data subject's Data Subjects’ rights to information regarding under Chapter III of the processing GDPR (and any similar obligations under applicable Data Protection Laws) in respect of its Personal any Protected Data. 15.9. The Data Processor 2Teck shall not carry out any actprocess and/or transfer, or omit otherwise directly or indirectly disclose, any actProtected Data in or to countries outside the United Kingdom or to any International Organisation without the prior written consent of the Customer. 15.10. 2Teck shall, that would cause the Data Controller to be in breach of Applicable accordance with Data Protection LegislationLaws, make available to the Customer such information that is in its possession or control as is necessary to demonstrate 2Teck's compliance with the obligations placed on it under this clause 15 and to demonstrate compliance with the obligations on each party imposed by Article 28 of the GDPR (and under any equivalent Data Protection Laws equivalent to that Article 28), and allow for and contribute to audits, including inspections, by the Customer (or another auditor mandated by the Customer) for this purpose (subject to a maximum of 1 audit request in any 12 month period under this clause 15.10). 515.11. The Data Processor 2Teck shall immediately inform notify the Data Controller Customer without undue delay and in writing on becoming aware of a request, complaint, message, or any other communication received from a competent authority or any other third party regarding the processing of Personal Data covered by this DPABreach in respect of any Protected Data.‌ 15.12. The Data Processor may not in any way act on behalf of or as a representative On the end of the Data Controller and may not, without prior instructions from provision of the Data Controller, transfer or in any other way disclose Personal Data or any other information Services relating to the processing of Personal Protected Data, at the Customer’s cost and the Customer’s option, 2Teck shall either return all of the Protected Data to any third party, unless the Data Processor is required to do so by law. The Data Processor shall assist the Data Controller in an appropriate manner to enable him to respond to such a request, complaint, message Customer or other communication in accordance with Applicable Data Protection Legislation. In particular, the Data Processor shall not publish any submissions, notifications, communications, announcements or press releases in the event of a breach of data protection as defined in section 6.3. In the event the Data Processor, according to applicable laws and regulations, is required to disclose Personal Data that the Data Processor processes on behalf securely dispose of the Protected Data Controller, (and thereafter promptly delete all existing copies of it) except to the Data Processor extent that any applicable law requires 2Teck to store such Protected Data. This clause 15 shall be obliged to inform survive termination or expiry of the Data Controller thereof immediately, unless prohibited by lawContract.

Processing of Personal Data. 17.1. The To the extent that Personal Data is processed using the Product, the Parties acknowledge that Bynder is a Data Processor and Customer is a Data Controller and each Party shall comply with their respective statutory or regulatory data protection obligations. 7.2. Bynder, as well as its subcontractors, licensors, and hosts, take sufficient and appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to Personal Data, having regard to the state of technological development and cost of implementing any person acting under its authority (e.g. personnelmeasures, Sub-processors to ensure a level of security appropriate to the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction, or damage and persons acting under the Sub-processor’s authority) undertake nature of the Personal Data to only be protected. 7.3. Bynder shall process Personal Data in accordance with documented Customer’s instructions. Should Customer’s instructions communicated by contravene or appear likely to contravene legislation binding Bynder, Bynder will notify Customer and request alternative instructions not in contravention of such legislation. Bynder shall have no liability whatsoever for breaches of Data Protection Legislation that arise as a result of its following Customer’s instructions in implementing and supplying the Product. 7.4. Customer is fully responsible for its Customer Data Controller (Appendix 1)and guarantees to Bynder that the content, use, and/or processing of the Customer Data are not unlawful and do not infringe the rights of any third party. 7.5. The Customer shall ensure that all Personal Data Processor shall only process that it supplies or discloses to Bynder has been obtained fairly and lawfully and that Customer will obtain all necessary consents from Data Subjects and registrations with authorities that are required to permit Bynder to transfer Personal Data to the extent necessary third parties to fulfill fulfil its obligations under this DPA or Applicable Data Protection LegislationAgreement. 27.6. If the services are altered during the term Customer indemnifies Bynder against any claim of the Agreement and such altered services involve new or amended processing of Personal Dataa third party, or if the including Data Controller’s instructions are otherwise changed or updatedSubjects, the parties shall ensure that Appendix 1 is updated as appropriate before or at the latest instituted for whatever reason in connection with its Customer Data or the commencement performance of such processing or changethis Agreement. 37.7. When processing If a third party alleges infringement of its data protection rights, Bynder shall be entitled to take measures it deems necessary to prevent the infringement of a third party’s rights from continuing. 7.8. Bynder shall have no liability whatsoever for the protection of Personal Data under this DPAin the event that Customer uses a Bynder Product to release such Personal Data to unauthorized persons, the Data Processor shall comply with any and all Applicable Data Protection Legislation and applicable recommendations by competent Data Protection Authorities entities, or other competent authorities and shall keep itself updated on and comply with any changes in such legislation and/or recommendations. The Data Processor shall accept to make any changes and amendments to this DPA that are required under Applicable Data Protection Legislationorganisations. 47.9. The Data Processor shall assist the Data Controller in fulfilling its legal obligations under Applicable Subject to applicable Data Protection Legislation, including but not limited if a Data Subject submits a request to the Data Controller’s obligation Customer to comply with the rights find out what of data subjects and in ensuring compliance with the Data Controller’s obligations relating to the security of processing (Art. 32 GDPR), the notification of a their Personal Data Breach (Art 33Customer holds, 34 GDPR) and the Data Protection Impact Assessment and the prior consultation (Art 35, 36 GDPR), obligation and/or to respond to requests for exercising the data subject's rights to information regarding the processing obtain a copy of its their Personal Data. The Data Processor , Bynder shall not carry out any act, or omit any act, that would cause the Data Controller to be in breach of Applicable Data Protection Legislation. 5. The Data Processor shall immediately inform the Data Controller of a request, complaint, message, or any other communication received from a competent authority or any other third party regarding the processing of Personal Data covered by this DPA. The Data Processor may not in any way act on behalf of or as a representative of the Data Controller and may not, without prior instructions from the Data Controller, transfer or in any other way disclose Personal Data or any other information relating to the processing of Personal Data to any third party, unless the Data Processor is required to do so by law. The Data Processor shall assist the Data Controller in an appropriate manner to enable him to respond to such a request, complaint, message or other communication in accordance with Applicable Data Protection Legislation. In particular, the Data Processor shall not publish any submissions, notifications, communications, announcements or press releases in the event of a breach of data protection as defined in section 6.3. In the event the Data Processor, according to applicable laws and regulations, is required to disclose Personal Data that the Data Processor processes on behalf of the Data Controller, the Data Processor shall be obliged to inform the Data Controller thereof immediatelyCustomer, unless prohibited by law, and will cooperate and invoice Customer on a time and material basis for any work conducted in fulfilling such requests. Should Bynder be required by law to supply Personal Data to third parties, Subsection 4.6 shall apply.

Processing of Personal Data. 15.1. The Processor guarantees that it has implemented and will continue to implement within the term of this DPA the appropriate technical and organizational measures in such a manner that its Processing of Personal Data under this DPA will meet the requirements of Applicable Data Protection Law and ensure the protection of the rights of the Data Subject. 5.2. The Processor and any person acting under its authority (e.g. personnel, Sub-processors and persons acting under the Sub-processor’s authority) undertake undertakes to only process Process Personal Data in accordance with documented instructions communicated from time to time by the Controller, unless required to do so pursuant to the Applicable Data Controller (Appendix 1)Protection Law. The Data Processor shall only process at any time be able to document the specific instructions from the Controller. The Controller guarantees that it is entitled to Process the Personal Data under Applicable Data Protection Law before providing Personal Data to the extent necessary Processor. The Controller hereby confirms that it is solely responsible for determining the purposes and means of processing Personal Data by the Processor. The Controller’s initial instructions to fulfill its obligations under this DPA or Applicable the Processor regarding the subject-matter and duration of the processing, the nature and purpose of the Processing, the type of Personal Data Protection Legislationand categories of data subjects are set forth in the Section 4. of the DPA. 25.3. If the services are altered during the term of the Agreement and such altered services involve new or amended processing of Personal DataThe Processor shall, or if the Data Controller’s instructions are otherwise changed or updated, the parties shall ensure that Appendix 1 is updated as appropriate before or at the latest in connection with the commencement of such processing or change. 3. When when processing Personal Data under this DPA, the Data Processor shall comply with any and all Applicable Data Protection Legislation Law and applicable recommendations by competent Data Protection Authorities the Supervisory Authority or other competent authorities and shall keep itself updated on and comply with any changes in such legislation and/or recommendationsauthorities. The Data Processor shall accept to make any changes and amendments to this DPA that are required under Applicable Data Protection LegislationLaw. 45.4. The Data Processor shall assist the Data Controller in fulfilling its legal obligations under Applicable Data Protection LegislationLaw, including but not limited to the Data Controller’s obligation to comply with the rights of data subjects and in ensuring compliance with the Data Controller’s obligations relating to the security of processing (Art. 32 GDPR), the notification of a Personal Data Breach (Art 33, 34 GDPR) and the Data Protection Impact Assessment and the prior consultation (Art 35, 36 GDPR), obligation to respond to requests for exercising the data subjectData Subject's rights to request information regarding the processing of its (register extracts) and for Personal DataData to be corrected, blocked or erased. 5.5. The Data Processor shall not carry out any act, or omit any act, that would cause the Data Controller to be in breach of Applicable Data Protection Legislation. 5. The Data Processor shall immediately inform the Controller if the Processor does not have an instruction for how to process Personal Data Controller of in a requestparticular situation or if any instruction provided under this DPA or otherwise infringes Applicable Data Protection Law. 5.6. If Data Subjects, complaint, message, or any other communication received from a competent authority authorities or any other third party parties request information from the Processor regarding the processing Processing of Personal Data covered by this DPA, the Processor shall refer such request to the Controller. The Data Processor may not in any way act on behalf of or as a representative of the Data Controller and Controller. 5.7. The Processor may not, without prior instructions from the Data Controller, transfer or in any other way disclose Personal Data or any other information relating to the processing Processing of Personal Data to any third party, unless the Data Processor is required to do so by law. The Data Processor shall assist the Data Controller in an appropriate manner to enable him to respond to such a request, complaint, message or other communication in accordance with Applicable Data Protection Legislation. In particular, the Data Processor shall not publish any submissions, notifications, communications, announcements or press releases in the event of a breach of data protection as defined in section 6.3. In the event the Data Processor, according to applicable laws and regulationsApplicable Data Protection Law, is required to disclose Personal Data that the Data Processor processes Processes on behalf of the Data Controller, the Data Processor shall be obliged to inform the Data Controller thereof immediatelyimmediately and request confidentiality in conjunction with the disclosure of requested information. 5.8. Upon the Controller’s reasonable request, unless prohibited and in accordance with the change management procedure set forth in the respective Agreement (if applicable) the Processor shall implement additional reasonable technical and organizational security measures and adjustments to the processing activities. The Controller shall notify the Processor of any adjustments to the Controller’s instructions concerning security and the processing of Personal Data, without undue delay, for the Processor to enable the necessary amendments to procedures to be implemented. 5.9. The Processor undertakes to make available to the Controller all information and provide all assistance necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including on-site inspections, conducted by lawthe Controller or another auditor mandated by the Controller.

Processing of Personal Data. 1The Main Contractor processes the identity, contact and, as the case may be, other personal data as received from the Supplier and relating to the Supplier itself and its own (sub)supplier(s), if any, its staff, employees, agents and other useful contact persons. The Data Processor purposes of this processing are the execution of this Agreement, the management of (sub)suppliers and any person acting under its authority (e.g. personnel, Sub-processors and persons acting under the Sub-processor’s authority) undertake to only process Personal Data in accordance with documented instructions communicated by the Data Controller (Appendix 1)accounting activities. The Data Processor shall only process Personal Data legal grounds are the execution of the Agreement, the observance of legislative and regulatory obligations (such as, for instance, the compulsory electronic attendance registration, the 30bis-notification of works, the attendance list or other obligations in the event of public contracts, etc.) and/or legitimate interests of the Main Contractor. For the electronic attendance registration, the e-ID-data or Limosa number, as the case may be, are also processed. The above-mentioned personal data will be processed according to the extent necessary to fulfill its obligations under this DPA or Applicable provisions of the General Data Protection Legislation. 2Regulation and will only be passed on to processors, addressees and/or third parties insofar as this is necessary for the above-mentioned processing purposes. If The Supplier bears responsibility for the services are altered during correctness and up- to-date nature of the term personal data submitted by it to the Main Contractor and undertakes to strictly observe the provisions of the General Data Protection Regulation vis-à- vis the persons whose personal data it communicates to the Main Contractor and also in connection with all personal data that it might receive from the Main Contractor and its staff, employees and agents. The Supplier confirms that it will solely process the latter personal data within the scope of and with as legal ground the execution of the Agreement and such altered services involve new or amended processing the fulfilment of Personal Data, or if the Data Controller’s instructions are otherwise changed or updated, the parties shall ensure that Appendix 1 is updated as appropriate before or at the latest in connection with the commencement of such processing or change. 3. When processing Personal Data under this DPA, the Data Processor shall comply with any and all Applicable Data Protection Legislation and applicable recommendations by competent Data Protection Authorities or other competent authorities and shall keep itself updated on and comply with any changes in such legislation and/or recommendationsits legal obligations. The Data Processor shall accept Supplier also undertakes to make any changes and amendments to this DPA that are required under Applicable Data Protection Legislation. 4. The Data Processor shall assist impose the Data Controller in fulfilling its legal obligations under Applicable Data Protection Legislation, including but not limited to observance of the Data Controller’s obligation to comply with the rights of data subjects and in ensuring compliance with the Data Controller’s obligations relating to the security of processing (Art. 32 GDPR), the notification of a Personal Data Breach (Art 33, 34 GDPR) and the Data Protection Impact Assessment and the prior consultation (Art 35, 36 GDPR), obligation to respond to requests for exercising the data subject's rights to information regulations regarding the processing of personal data upon its Personal Dataown (sub)supplier(s) and to inform them about their corresponding obligations. Upon potential infringements in connection with personal data (“data breaches”), the Supplier will immediately and, in any case, within 5 hours after having taken cognizance of it, inform the Main Contractor about the nature of the breach, its probable consequences and the measures that are proposed or taken to limit negative consequences, if any. The Data Processor shall not carry out any act, or omit any act, that would cause the Data Controller to be in breach of Applicable Data Protection Legislation. 5. The Data Processor shall immediately inform the Data Controller of a request, complaint, message, or any other communication received from a competent authority or any other third party regarding Supplier confirms having been adequately informed about the processing of Personal Data covered by its personal data and about its rights to access, rectification, deletion and objection. For further explanation on this DPAprocessing and on the rights, the Main Contractor explicitly refers to the Privacy Policy available on the website: ▇▇▇▇://▇▇▇.▇▇▇▇▇▇▇▇.▇▇▇ If the Supplier has any further questions regarding this privacy policy, he can contact the data controller or the data protection officer at ▇▇▇▇▇▇▇@▇▇▇▇▇▇▇▇.▇▇▇. The Data Processor may not in any way act on behalf of or as a representative Supplier confirms having taken cognizance of the Data Controller privacy policy through the website ▇▇▇▇://▇▇▇.▇▇▇▇▇▇▇▇.▇▇▇ and may not, without prior instructions from accepting its content. Whenever the Data Controller, transfer or in any other way disclose Personal Data or any other information relating Supplier fails to observe the relevant legislation on the processing of Personal Data to any third party, unless the Data Processor is required to do so by law. The Data Processor shall assist the Data Controller in an appropriate manner to enable him to respond to such a request, complaint, message or other communication in accordance with Applicable personal data and its applicable “Data Protection Legislation. In particularNotice”, the Data Processor shall not publish any submissions, notifications, communications, announcements or press releases in Main Contractor will be entitled to take the event of a breach of data protection as defined in section 6.3. In necessary measures at the event the Data Processor, according to applicable laws and regulations, is required to disclose Personal Data that the Data Processor processes on behalf expense of the Data Controller, the Data Processor shall be obliged Supplier or to inform the Data Controller thereof immediately, unless prohibited by lawterminate this Agreement with immediate effect without any notice period or severance payment being required.

Processing of Personal Data. 1. 3.1 The Parties acknowledge that for the purposes of the Data Protection Legislation and the delivery of the data processing services for the Programme, each General Practice is the Controller of their primary care personal data and AGEM CSU is the Processor. 3.2 The Data Processor and any person acting under its authority (e.g. personnel, Sub-processors and persons acting under the Sub-processor’s authority) Controllers undertake to only process Personal ensure compliance with Data Protection Legislation in accordance respect of transparency and Privacy Notice obligations in regard to any personal data that the Processor is processing on its behalf. 3.3 The Processor undertakes to comply with documented instructions communicated by the requirements of the NHS Data Security and Protection Toolkit. 3.4 The Data Controllers undertake to ensure compliance with Data Protection Legislation in respect of transparency and Privacy Notice obligations in regard to any personal data that the Processor is processing on their behalf. 3.5 The Processor shall notify the Data Controller (Appendix 1). The Controllers immediately if it considers that any of the Data Processor shall only process Personal Data to Controllers’ instructions infringe the extent necessary to fulfill its obligations under this DPA or Applicable Data Protection Legislation. 23.6 The Processor shall provide all reasonable assistance to the Data Controllers in the preparation of any Data Protection Impact Assessment prior to commencing any processing of personal data. If Such assistance may, at the services are altered during the term discretion of the Agreement Data Controllers, include: 3.6.1 a systematic description of the envisaged processing operations and such altered services involve new or amended the purpose of the processing; 3.6.2 an assessment of the necessity and proportionality of the processing operations in relation to the data processing activities; 3.6.3 an assessment of the risks to the rights and freedoms of natural persons; and 3.6.4 the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data, or . 3.7 The Processor shall provide all reasonable assistance to the Data Controllers if the outcome of the Data Controller’s instructions are otherwise changed or updatedProtection Impact Assessment leads the Data Controllers to consult the Information Commissioner. 3.8 The Processor shall, the parties shall ensure that Appendix 1 is updated as appropriate before or at the latest in relation to any Personal Data processed in connection with its obligations under this Contract: 3.8.1 process that Personal Data only as is necessary to fulfil the commencement of such services as specified in this Contract and in the main Agreement, unless the Processor is required to do otherwise by Law. If it is so required the Processor shall promptly notify the Data Controller before processing or changethe Personal Data unless prohibited by Law. 3. When processing 3.8.2 ensure that it has in place Protective Measures to protect against a Data Loss Event having taken account of the: 3.8.2.1 nature of the data to be protected; 3.8.2.2 harm that might result from a Data Loss Event; 3.8.2.3 state of technological development; and 3.8.2.4 cost of implementing any measures. 3.8.3 ensure that: 3.8.3.1 the Processor Personnel do not process the Personal Data except in accordance with this Contract (including anything specified the Annex) 3.8.3.2 it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they: 3.8.3.2.1 are aware of and comply with the Processor’s duties under this DPAclause; 3.8.3.2.2 are subject to appropriate confidentiality undertakings with the Processor or any Sub-processor that are in writing and are legally enforceable; 3.8.3.2.3 are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in advance and in writing to do so by the Data Controller or as otherwise permitted by this Contract or the main Agreement. 3.8.3.2.4 have undergone adequate training in the use, care, protection and handling of Data that enables them and the Processor shall to comply with any and all Applicable their responsibilities under the Data Protection Legislation and applicable recommendations this Contract. The Processor shall provide the Data Controller with evidence of completion and maintenance of that training within three Working Days of request by competent the Data Controllers. 3.8.4 not transfer Personal Data outside of the EU unless the prior written consent of the Data Controllers has been obtained and the following conditions are fulfilled: 3.8.4.1 the Data Controllers or the Processor has provided appropriate safeguards in relation to the transfer as determined by the Data Controllers; 3.8.4.2 the Data Subject has enforceable rights and effective legal remedies; 3.8.4.3 the Processor complies with its obligations under the Data Protection Authorities or other competent authorities and shall keep itself updated on and comply with Legislation by providing an adequate level of protection to any changes in such legislation and/or recommendations. The Personal Data Processor shall accept that is transferred (or, if it is not so bound, uses its best endeavours to make any changes and amendments to this DPA that are required under Applicable Data Protection Legislation. 4. The Data Processor shall assist the Data Controller in fulfilling meeting its legal obligations under Applicable Data Protection Legislation, including but not limited obligations) and; 3.8.4.4 the Processor complies with any reasonable instructions notified to the Data Controller’s obligation to comply with the rights of data subjects and it in ensuring compliance with the Data Controller’s obligations relating to the security of processing (Art. 32 GDPR), the notification of a Personal Data Breach (Art 33, 34 GDPR) and the Data Protection Impact Assessment and the prior consultation (Art 35, 36 GDPR), obligation to respond to requests for exercising the data subject's rights to information regarding the processing of its Personal Data. The Data Processor shall not carry out any act, or omit any act, that would cause advance by the Data Controller to be in breach of Applicable Data Protection Legislation. 5. The Data Processor shall immediately inform the Data Controller of a request, complaint, message, or any other communication received from a competent authority or any other third party regarding the processing of Personal Data covered by this DPA. The Data Processor may not in any way act on behalf of or as a representative of the Data Controller and may not, without prior instructions from the Data Controller, transfer or in any other way disclose Personal Data or any other information relating with respect to the processing of the Personal Data. 3.8.5 at the written direction of the Data Controllers, delete or return the Personal Data (and any copies of it) to any third party, the Data Controllers on termination of this Contract or the main Agreement unless the Data Processor is required by Law to do so by lawretain the Personal Data. The If the Processor is asked to delete the Personal Data the Processor shall assist provide the Data Controller in an appropriate manner to enable him to respond to such Controllers with evidence that the Personal Data that has been securely deleted within a requestperiod agreed within the written direction of the Data Controllers, complaint, message or other communication in accordance with Applicable Data Protection Legislationthe prevailing minimum NHS standards for secure destruction. In particularAt the time of issue of this Contract, the Data current requirements are contained HS Digital “Destruction and disposal of sensitive data: good practice guidelines” available at: ▇▇▇▇▇://▇▇▇▇▇▇▇.▇▇▇.▇▇/binaries/content/assets/website- assets/services/data-and-cyber-security/policies-and-good-practice- guides/hscic_data_destruction_standard_v3.2.pdf. Paper documents – use of a micro cross cut shredder to a maximum size of 15 mm x 2 mm or via the services of a third party confidential waste company that complies with HMG S5 Infosec DIN Level 4/5 onsite prior to disposal. Electronic data - destroyed or overwritten to current National Cyber Security Centre/CESG standards as defined at ▇▇▇.▇▇▇▇.▇▇▇.▇▇/▇▇▇▇▇/▇▇▇▇▇/▇▇▇. 3.9 Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, but not publish any submissionslimited to, notificationsas appropriate: 3.9.1 the pseudonymisation and encryption of Personal Data; 3.9.2 the de-identification of Personal Data (anonymisation in accordance with the ICO Anonymisation Code of Practice) where the data becomes de-identified. 3.9.3 the ability to ensure the ongoing confidentiality, communicationsintegrity, announcements or press releases availability and resilience of processing systems and services; 3.9.4 the ability to restore the availability and access to Personal Data in a timely manner in the event of a breach physical or technical incident; and 3.9.5 a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of processing. 3.10 The Processor has engaged the services of the following sub-processors: 3.10.1 Secure data protection destruction – Greenworld Electronics Limited, Stoke on Trent 3.10.2 Secure Cloud data storage, infrastructure and support – provided through ANS Group Ltd, who have further engaged the Services of Microsoft. Microsoft is a sub-processor of ANS and provide the Azure Cloud service which will be used as defined a secure storage facility. ANS provide support for setup and maintenance; The Processor has obtained assurance of the sub-processors’ information governance controls (including information security) and has entered into a written agreements with them which give effect to similar terms as set out in section 6.3. In this Contract, such that they apply to the event sub-processors and in respect of which the Data Processor, according Controllers are given the benefits of third party rights to applicable laws and regulations, is required enforce the same. 3.11 Before engaging the services of any additional sub-processor to disclose process any Personal Data that related to this Contract, the Processor must: 3.11.1 notify the Data Processor processes on behalf Controllers in writing of the intended sub-processor and processing; 3.11.2 obtain the written consent of the Data Controller, Controllers; 3.11.3 enter into a written agreement with the sub-processor which gives effect to the terms set out in this Contract such that they apply to the sub-processor and in respect of which the Data Controllers are given the benefits of third party rights to enforce the same; and 3.11.4 provide the Data Controllers with such information regarding the sub- processor as the Data controllers may reasonably require. 3.12 The Processor shall be obliged ensure that the third party's access to inform the Personal Data Controller thereof immediately, unless prohibited by lawterminates automatically on termination of this Contract or the main Agreement for any reason save that the sub-processor may access the Personal Data in order to securely destroy it.

Processing of Personal Data. 1. 3.1 The Data Processor undertakes to comply with applicable Data Privacy Laws and any person acting under its authority (e.g. personnel, Sub-processors and persons acting under the Sub-processor’s authority) undertake to only process Personal Data in accordance with documented instructions communicated recommendations by the Data Controller (Appendix 1). Supervisory Authority or other competent authorities. 3.2 The Data Processor shall undertakes to only process Personal Data to the extent necessary to fulfill fulfil its obligations undertakings under this DPA or Applicable Data Protection Legislation. 2. If the services are altered during the term of the Agreement Main Agreement, and such altered services involve new or amended processing of Personal Data, or if the Data Controller’s instructions are otherwise changed or updated, the parties shall ensure that Appendix 1 is updated as appropriate before or at the latest only in connection with the commencement of such processing or change. 3. When processing Personal Data under this DPA, the Data Processor shall comply with any and all Applicable Data Protection Legislation and applicable recommendations by competent Data Protection Authorities or other competent authorities and shall keep itself updated on and comply with any changes in such legislation and/or recommendations. The Data Processor shall accept to make any changes and amendments to this DPA that are required under Applicable Data Protection Legislation. 4. The Data Processor shall assist the Data Controller in fulfilling its legal obligations under Applicable Data Protection Legislation, including but not limited to the Data Controller’s obligation to comply with the rights of data subjects and in ensuring compliance accordance with the Data Controller’s obligations relating to the security of processing (Art. 32 GDPR)written instructions, the notification of a Personal Data Breach (Art 33, 34 GDPR) and the Data Protection Impact Assessment and the prior consultation (Art 35, 36 GDPR), obligation to respond to requests for exercising the data subject's rights to information regarding the processing of its Personal DataAppendix 1. The Data Processor shall may not carry out any act, or omit any act, that would cause process the Personal Data Controller to be in breach of Applicable Data Protection Legislationfor its own purpose(s). 5. 3.3 The Data Processor shall immediately inform the Data Controller if the Data Processor lacks an instruction on how to process Personal Data in a particular situation or if it believes an instruction provided under this DPA infringes applicable Data Privacy Laws 3.4 If the Data Processor processes Personal Data in addition to or in violation of a requestthe Data Controller’s instructions, complaintdue to being required to do so by Union or Member State law to which the Data Processor is subject, messagethe Data Processor shall inform the Data Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest. 3.5 If Data Subjects, competent authorities, or any other communication received third parties request information from a competent authority or any other third party the Data Processor regarding the processing of Personal Data covered by this DPA. The , the Data Processor may not in any way act on behalf of or as a representative of shall refer such request to the Data Controller as soon as possible and may not, without prior instructions from the Data Controller, transfer or in any other way disclose Personal Data or any other information relating to the processing no later than twenty-four (24) hours after receipt of Personal Data to any third party, unless the Data Processor is required to do so by lawsuch request. The Data Processor shall assist the Data Controller in an appropriate manner to enable him fulfill its obligations to respond to such a requests from Supervisory Authorities and Data Subjects to exercise their rights under Chapter III of the GDPR. 3.6 The Data Processor shall, upon the Data Controller’s request, complaint, message or other communication in accordance assist the Data Controller with Applicable carrying out Data Protection LegislationImpact Assessment(s) where required under applicable Data Privacy Laws. In particularThe Data Processor shall in particular assist with: (i) Describing the nature of the processing, including the Personal Data involved and the processing location; (ii) Identifying and assessing risks to the rights and freedoms of Data Subjects; (iii) Providing information on the technical and organizational measures and safeguards taken or envisaged to address the identified risks in order to ensure the protection of Personal Data processed under this DPA; and (iv) Providing detailed information on any other parties involved in the processing of Personal Data (including information on their part of the process and their location). 3.7 Upon the Data Controller’s request, the Data Processor shall not publish any submissionsassist the Data Controller with carrying out prior consultations with the Supervisory Authority, notifications, communications, announcements or press releases where such consultations are required under applicable Data Privacy Laws. 3.8 The Data Processor shall immediately (and in the event no case later than twenty-four (24) hours) upon becoming aware of a breach of data protection as defined in section 6.3. In the event Personal Data Breach notify the Data ProcessorController in writing thereof, according to applicable laws and regulations, is required to disclose providing a detailed description of the Personal Data that Breach and its effects. If the Data Processor processes on behalf of the Data ControllerController so requests, the Data Processor shall be obliged assist the Data Controller in fulfilling the Data Controller’s obligations under Article 33 of the GDPR, such as: (i) In writing provide the Data Controller with a detailed statement of the nature of the Personal Data Breach in accordance with what is stated in Article 33.3(a) in the GDPR; (ii) In consultation with the Data Controller and at Data Processor’s cost take all reasonable steps necessary to mitigate the consequences of the Personal Data Breach or (if applicable) to protect against a threatened security incident; and (iii) As soon as practicable following the Personal Data Breach, inform the Data Controller thereof immediately, unless prohibited by lawof the remedial action(s) the Data Processor proposes to take to prevent any similar security incident occurring in the future.