Common use of Processing of Personal Information Clause in Contracts

Processing of Personal Information. 9.1 This paragraph 9 of the Information Security Terms comprises requirements in relation to the processing of any “personal information” (as defined in the Data Protection Act 1998) which is subject to any law or regulation implementing European Union Directive 95/46/EC, where this is applicable. ▇▇▇▇▇▇ and Subscriber agree that the Services are not anticipated to involve any processing of personal information, but acknowledge that if any personal information is ever processed in the course of providing the Services, this paragraph 9 shall apply. 9.2 Where Subscriber is obliged by law or regulations, or the rules of a regulatory authority to which Subscriber is subject, Markit shall disclose the results of the security assessments referred to in these Information Security Terms to a regulator (including national data protection authorities) Markit hereby consents to such disclosure. 9.3 Markit shall ensure that: (a) only authorised Markit employees with job-related needs access any personal information in the course of providing goods and services under the Agreement (and such personal information cannot be read, copied, modified or removed without authorisation, either in the course of processing or use or after storage); (b) such access is only given to such authorised staff to the extent necessary for the performance of their duties; (c) an up-to-date list is kept of such authorised staff and their level of authorised access (and authorisation credentials are checked at least on an annual basis); (d) personal information collected for different purposes can be processed separately; and (e) a documented procedure is put in place to control access by authorised users under which each user is provided with a particular identification code that cannot be assigned to any other user at any time, while passwords: (i) are at least eight characters long (or less, but only if the password is as long as the maximum number of characters 
allowed by the electronic device involved), (ii) do not contain any clear reference to the user, and (iii) are changed after the first access and periodically, at least every six (6) months, or disenabled if they are not used for six (6) months or if the means necessary to access personal information are lost (and in each case, if the user has access to Sensitive Personal Data the six (6) month period is reduced to three months). Such passwords shall be kept secret/confidential and not shared or otherwise disclosed whilst still valid. 9.4 Markit shall ensure that the identification and verification of authorised users is implemented in such a way that the risk of an error occurring is minimised, and impose industry-standard limits designed to prevent attempts to obtain unauthorised access. 9.5 Markit shall ensure that such authorised employees are provided with mandatory policies governing their access to such personal information, such mandatory policies to be regularly updated. 9.6 Markit shall ensure that personal information cannot be read, copied, modified or removed without authorisation during electronic transmission or transport, and that it is possible to check and establish to which bodies personal information is to be transferred by means of data transmission facilities. 9.7 Markit shall keep a register of any incident which may affect the security of such personal information, such register to be made available to Subscriber upon request. For each security incident registered, the register must include the following information: (a) the time at which the incident occurred; (b) the person reporting it; (c) to whom it was reported; (d) the consequences thereof; and (e) the procedures put in place to recover any personal information (indicating the person who undertook the process, the information recovered and, if appropriate, which data items had to be input manually as part of the recovery process). 
9.8 Markit shall not implement any data recovery procedures in relation to personal information unless it has obtained written authorisation from Subscriber. 9.9 Markit shall ensure files containing personal information which are handled manually shall comply with appropriate security measures, and, will be subject to the following measures: (a) adequate archiving of the media or documents containing personal information (so that document conservation, location and information look-up is guaranteed and privacy rights of individuals are preserved); (b) storing devices incorporate mechanisms which make its opening difficult; (c) appropriate protection of media or documents containing personal information is effected prior and consequent to its archiving so that unauthorised access is prevented at all times; (d) cabinets or other storing elements shall have access doors with a key or equivalent device; (e) copies of documents will solely be done under the control of authorised staff; (f) discarded copies shall be destroyed; and (g) access or manipulation of such files will be impeded during their transportation. 9.10 Markit shall ensure that, if applicable, any Markit employee is authorised to access personal information in the course of providing the Services and that it can be checked and established whether and by whom personal information has been input into ▇▇▇▇▇▇’s data processing systems, modified or removed. 9.11 Markit shall ensure that, if any personal information is to be processed in the coming year, a security measures document is created or updated by 1 March in such year, identifying the relevant personal information file and data treatment and specifying: (a) the security measures to be implemented with regard to the provision of Services; (b) an analysis of the risks run in the data processing; (c) the data recovery procedures; and (d) the training programs aimed at the employees who process the personal information. 
9.12 Markit shall ensure that the use of portable devices storing personal information are previously authorised by Subscriber and in any case the applicable security measures are applied. 9.13 Markit shall ensure temporary files have a level of security appropriate to the type of personal information contained therein. All temporary files must be erased once they are no longer necessary for the purposes for which they were created. 9.14 Security measures required for access to personal information via communications networks or when processing personal information outside the premises where the personal information is located (e.g. via remote access) must have a security level equivalent to that applying to local access. 9.15 Where the Services involve processing of personal information, Markit shall perform backups of all systems, applications, and data used to provide such Services at least weekly. 9.16 The back up and data recovery procedures must guarantee the reconstruction of any personal or confidential information involved to the state they were in at the time they were lost or destroyed. 9.17 The back up and data recovery procedures described in this paragraph 9, to the extent applicable, must include a regular testing schedule.

Appears in 1 contract

Sources: Rpa Standard Terms and Conditions

Processing of Personal Information. 9.1 This paragraph 9 of the Information Security Terms comprises requirements in relation to the processing of any “personal information” (as defined in the Data Protection Act 1998) which is subject to any law or regulation implementing European Union Directive 95/46/EC, where this is applicable. ▇▇▇▇▇▇ and Subscriber agree that the Services are not anticipated to involve any processing of personal information, but acknowledge that if any personal information is ever processed in the course of providing the Services, this paragraph 9 shall apply. 9.2 Where Subscriber is obliged by law or regulations, or the rules of a regulatory authority to which Subscriber is subject, Markit shall disclose the results of the security assessments referred to in these Information Security Terms to a regulator (including national data protection authorities) Markit hereby consents to such disclosure. 9.3 Markit shall ensure that: (a) only authorised Markit employees with job-related needs access any personal information in the course of providing goods and services under the Agreement (and such personal information cannot be read, copied, modified or removed without authorisation, either in the course of processing or use or after storage); (b) such access is only given to such authorised staff to the extent necessary for the performance of their duties; (c) an up-to-date list is kept of such authorised staff and their level of authorised access (and authorisation credentials are checked at least on an annual basis); (d) personal information collected for different purposes can be processed separately; and (e) a documented procedure is put in place to control access by authorised users under which each user is provided with a particular identification code that cannot be assigned to any other user at any time, while passwords: (i) are at least eight characters long (or less, but only if the password is as long as the maximum number 
of characters allowed by the electronic device involved), (ii) do not contain any clear reference to the user, and (iii) are changed after the first access and periodically, at least every six (6) months, or disenabled if they are not used for six (6) months or if the means necessary to access personal information are lost (and in each case, if the user has access to Sensitive Personal Data the six (6) month period is reduced to three months). Such passwords shall be kept secret/confidential and not shared or otherwise disclosed whilst still valid. 9.4 Markit shall ensure that the identification and verification of authorised users is implemented in such a way that the risk of an error occurring is minimised, and impose industry-standard limits designed to prevent attempts to obtain unauthorised access. 9.5 Markit shall ensure that such authorised employees are provided with mandatory policies governing their access to such personal information, such mandatory policies to be regularly updated. 9.6 Markit shall ensure that personal information cannot be read, copied, modified or removed without authorisation during electronic transmission or transport, and that it is possible to check and establish to which bodies personal information is to be transferred by means of data transmission facilities. 9.7 Markit shall keep a register of any incident which may affect the security of such personal information, such register to be made available to Subscriber upon request. For each security incident registered, the register must include the following information: (a) the time at which the incident occurred; (b) the person reporting it; (c) to whom it was reported; (d) the consequences thereof; and (e) the procedures put in place to recover any personal information (indicating the person who undertook the process, the information recovered and, if appropriate, which data items had to be input manually as part of the recovery process). 
9.8 Markit shall not implement any data recovery procedures in relation to personal information unless it has obtained written authorisation from Subscriber. 9.9 Markit shall ensure files containing personal information which are handled manually shall comply with appropriate security measures, and, will be subject to the following measures: (a) adequate archiving of the media or documents containing personal information (so that document conservation, location and information look-up is guaranteed and privacy rights of individuals are preserved); (b) storing devices incorporate mechanisms which make its opening difficult; (c) appropriate protection of media or documents containing personal information is effected prior and consequent to its archiving so that unauthorised access is prevented at all times; (d) cabinets or other storing elements shall have access doors with a key or equivalent device; (e) copies of documents will solely be done under the control of authorised staff; (f) discarded copies shall be destroyed; and (g) access or manipulation of such files will be impeded during their transportation. 9.10 Markit shall ensure that, if applicable, any Markit employee is authorised to access personal information in the course of providing the Services and that it can be checked and established whether and by whom personal information has been input into ▇▇▇▇▇▇’s data processing systems, modified or removed. 
9.11 Markit shall ensure that, if any personal information is to be processed in the coming year, a security measures document is created or updated by 1 March in such year, identifying the relevant personal information file and data treatment and specifying: (a) the security measures to be implemented with regard to the provision of Services; (b) an analysis of the risks run in the data processing; (c) the data recovery procedures; and (d) the training programs aimed at the employees who process the personal information. 9.12 Markit shall ensure that the use of portable devices storing personal information are previously authorised by Subscriber and in any case the applicable security measures are applied. 9.13 Markit shall ensure temporary files have a level of security appropriate to the type of personal information contained therein. All temporary files must be erased once they are no longer necessary for the purposes for which they were created. 9.14 Security measures required for access to personal information via communications networks or when processing personal information outside the premises where the personal information is located (e.g. via remote access) must have a security level equivalent to that applying to local access. 9.15 Where the Services involve processing of personal information, Markit shall perform backups of all systems, applications, and data used to provide such Services at least weekly. 9.16 The back up and data recovery procedures must guarantee the reconstruction of any personal or confidential information involved to the state they were in at the time they were lost or destroyed. 9.17 The back up and data recovery procedures described in this paragraph 9, to the extent applicable, must include a regular testing schedule.

Appears in 1 contract

Sources: Terms and Conditions

Processing of Personal Information. 9.1 This paragraph 9 of the Information Security Terms comprises requirements in relation to the processing of any “personal information” (as defined in the Data Protection Act 1998) which is subject to any law or regulation implementing European Union Directive 95/46/EC, where this is applicable. MSFA and Customer agree that the Services are not anticipated to involve any processing of personal information, but acknowledge that if any personal information is ever processed in the course of providing the Services, this paragraph 9 shall apply. 9.2 Where Customer is obliged by law or regulations, or the rules of a regulatory authority to which Customer is subject, MSFA shall disclose the results of the security assessments referred to in these Information Security Terms to a regulator (including national data protection authorities) MSFA hereby consents to such disclosure. 9.3 MSFA shall ensure that: (a) only authorised MSFA employees with job-related needs access any personal information in the course of providing goods and services under the Agreement (and such personal information cannot be read, copied, modified or removed without authorisation, either in the course of processing or use or after storage); (b) such access is only given to such authorised staff to the extent necessary for the performance of their duties; (c) an up-to-date list is kept of such authorised staff and their level of authorised access (and authorisation credentials are checked at least on an annual basis); (d) personal information collected for different purposes can be processed separately; and (e) a documented procedure is put in place to control access by authorised users under which each user is provided with a particular identification code that cannot be assigned to any other user at any time, while passwords: (i) are at least eight characters long (or less, but only if the 
password is as long as the maximum number of characters allowed by the electronic device involved), (ii) do not contain any clear reference to the user, and (iii) are changed after the first access and periodically, at least every six (6) months, or disenabled if they are not used for six (6) months or if the means necessary to access personal information are lost (and in each case, if the user has access to Sensitive Personal Data the six (6) month period is reduced to three months). Such passwords shall be kept secret/confidential and not shared or otherwise disclosed whilst still valid. 9.4 MSFA shall ensure that the identification and verification of authorised users is implemented in such a way that the risk of an error occurring is minimised, and impose industry-standard limits designed to prevent attempts to obtain unauthorised access. 9.5 MSFA shall ensure that such authorised employees are provided with mandatory policies governing their access to such personal information, such mandatory policies to be regularly updated. 9.6 MSFA shall ensure that personal information cannot be read, copied, modified or removed without authorisation during electronic transmission or transport, and that it is possible to check and establish to which bodies personal information is to be transferred by means of data transmission facilities. 9.7 MSFA shall keep a register of any incident which may affect the security of such personal information, such register to be made available to Customer upon request. 
For each security incident registered, the register must include the following information: (a) the time at which the incident occurred; (b) the person reporting it; (c) to whom it was reported; (d) the consequences thereof; and (e) the procedures put in place to recover any personal information (indicating the person who undertook the process, the information recovered and, if appropriate, which data items had to be input manually as part of the recovery process). 9.8 MSFA shall not implement any data recovery procedures in relation to personal information unless it has obtained written authorisation from Customer. 9.9 MSFA shall ensure files containing personal information which are handled manually shall comply with appropriate security measures, and, will be subject to the following measures: (a) adequate archiving of the media or documents containing personal information (so that document conservation, location and information look-up is guaranteed and privacy rights of individuals are preserved); (b) storing devices incorporate mechanisms which make its opening difficult; (c) appropriate protection of media or documents containing personal information is effected prior and consequent to its archiving so that unauthorised access is prevented at all times; (d) cabinets or other storing elements shall have access doors with a key or equivalent device; (e) copies of documents will solely be done under the control of authorised staff; (f) discarded copies shall be destroyed; and (g) access or manipulation of such files will be impeded during their transportation. 9.10 MSFA shall ensure that, if applicable, any MSFA employee is authorised to access personal information in the course of providing the Services and that it can be checked and established whether and by whom personal information has been input into MSFA’s data processing systems, modified or removed. 
9.11 MSFA shall ensure that, if any personal information is to be processed in the coming year, a security measures document is created or updated by 1 March in such year, identifying the relevant personal information file and data treatment and specifying: (a) the security measures to be implemented with regard to the provision of Services; (b) an analysis of the risks run in the data processing; (c) the data recovery procedures; and (d) the training programs aimed at the employees who process the personal information. 9.12 MSFA shall ensure that the use of portable devices storing personal information are previously authorised by Customer and in any case the applicable security measures are applied. 9.13 MSFA shall ensure temporary files have a level of security appropriate to the type of personal information contained therein. All temporary files must be erased once they are no longer necessary for the purposes for which they were created. 9.14 Security measures required for access to personal information via communications networks or when processing personal information outside the premises where the personal information is located (e.g. via remote access) must have a security level equivalent to that applying to local access. 9.15 Where the Services involve processing of personal information, MSFA shall perform backups of all systems, applications, and data used to provide such Services at least weekly. 9.16 The back up and data recovery procedures must guarantee the reconstruction of any personal or confidential information involved to the state they were in at the time they were lost or destroyed. 9.17 The back up and data recovery procedures described in this paragraph 9, to the extent applicable, must include a regular testing schedule.

Appears in 1 contract

Sources: Standard Terms and Conditions

Processing of Personal Information. 9.1 This paragraph 9 of the Information Security Terms comprises requirements in relation to the processing of any “personal information” (as defined in the Data Protection Act 1998) which is subject to any law or regulation implementing European Union Directive 95/46/EC, where this is applicable. IHS Markit and Customer agree that the Services are not anticipated to involve any processing of personal information, but acknowledge that if any personal information is ever processed in the course of providing the Services, this paragraph 9 shall apply. 9.2 Where Customer is obliged by law or regulations, or the rules of a regulatory authority to which Customer is subject, IHS Markit shall disclose the results of the security assessments referred to in these Information Security Terms to a regulator (including national data protection authorities) IHS Markit hereby consents to such disclosure. 9.3 IHS Markit shall ensure that: (a) only authorised IHS Markit employees with job-related needs access any personal information in the course of providing goods and services under the Agreement (and such personal information cannot be read, copied, modified or removed without authorisation, either in the course of processing or use or after storage); (b) such access is only given to such authorised staff to the extent necessary for the performance of their duties; (c) an up-to-date list is kept of such authorised staff and their level of authorised access (and authorisation credentials are checked at least on an annual basis); (d) personal information collected for different purposes can be processed separately; and (e) a documented procedure is put in place to control access by authorised users under which each user is provided with a particular identification code that cannot be assigned to any other user at any time, while passwords: (i) are at least eight characters long (or less, 
but only if the password is as long as the maximum number of characters allowed by the electronic device involved), (ii) do not contain any clear reference to the user, and (iii) are changed after the first access and periodically, at least every six (6) months, or disenabled if they are not used for six (6) months or if the means necessary to access personal information are lost (and in each case, if the user has access to Sensitive Personal Data the six (6) month period is reduced to three months). Such passwords shall be kept secret/confidential and not shared or otherwise disclosed whilst still valid. 9.4 IHS Markit shall ensure that the identification and verification of authorised users is implemented in such a way that the risk of an error occurring is minimised, and impose industry-standard limits designed to prevent attempts to obtain unauthorised access. 9.5 IHS Markit shall ensure that such authorised employees are provided with mandatory policies governing their access to such personal information, such mandatory policies to be regularly updated. 9.6 IHS Markit shall ensure that personal information cannot be read, copied, modified or removed without authorisation during electronic transmission or transport, and that it is possible to check and establish to which bodies personal information is to be transferred by means of data transmission facilities. 9.7 IHS Markit shall keep a register of any incident which may affect the security of such personal information, such register to be made available to Customer upon request. 
For each security incident registered, the register must include the following information: (a) the time at which the incident occurred; (b) the person reporting it; (c) to whom it was reported; (d) the consequences thereof; and (e) the procedures put in place to recover any personal information (indicating the person who undertook the process, the information recovered and, if appropriate, which data items had to be input manually as part of the recovery process). 9.8 IHS Markit shall not implement any data recovery procedures in relation to personal information unless it has obtained written authorisation from Customer. 9.9 IHS Markit shall ensure files containing personal information which are handled manually shall comply with appropriate security measures, and, will be subject to the following measures: (a) adequate archiving of the media or documents containing personal information (so that document conservation, location and information look-up is guaranteed and privacy rights of individuals are preserved); (b) storing devices incorporate mechanisms which make its opening difficult; (c) appropriate protection of media or documents containing personal information is effected prior and consequent to its archiving so that unauthorised access is prevented at all times; (d) cabinets or other storing elements shall have access doors with a key or equivalent device; (e) copies of documents will solely be done under the control of authorised staff; (f) discarded copies shall be destroyed; and (g) access or manipulation of such files will be impeded during their transportation. 9.10 IHS Markit shall ensure that, if applicable, any IHS Markit employee is authorised to access personal information in the course of providing the Services and that it can be checked and established whether and by whom personal information has been input into IHS Markit’s data processing systems, modified or removed. 
9.11 IHS Markit shall ensure that, if any personal information is to be processed in the coming year, a security measures document is created or updated by 1 March in such year, identifying the relevant personal information file and data treatment and specifying: (a) the security measures to be implemented with regard to the provision of Services; (b) an analysis of the risks run in the data processing; (c) the data recovery procedures; and (d) the training programs aimed at the employees who process the personal information. 9.12 IHS Markit shall ensure that the use of portable devices storing personal information are previously authorised by Customer and in any case the applicable security measures are applied. 9.13 IHS Markit shall ensure temporary files have a level of security appropriate to the type of personal information contained therein. All temporary files must be erased once they are no longer necessary for the purposes for which they were created. 9.14 Security measures required for access to personal information via communications networks or when processing personal information outside the premises where the personal information is located (e.g. via remote access) must have a security level equivalent to that applying to local access. 9.15 Where the Services involve processing of personal information, IHS Markit shall perform backups of all systems, applications, and data used to provide such Services at least weekly. 9.16 The back up and data recovery procedures must guarantee the reconstruction of any personal or confidential information involved to the state they were in at the time they were lost or destroyed. 9.17 The back up and data recovery procedures described in this paragraph 9, to the extent applicable, must include a regular testing schedule.

Appears in 1 contract

Sources: Standard Terms and Conditions