Common use of Processor’s Obligations Clause in Contracts

Processor’s Obligations. The Data Processor shall ensure that in relation to the Personal Data disclosed to it by, or otherwise obtained from the Data Controller, it shall: a) fully comply with the documented instructions if provided by the Data Controller and not Process the Personal Data for any purpose other than to perform the Service. If it fails to comply, the Data Processor agrees to promptly inform the Data Controller of such inability; b) immediately inform the Data Controller, if it believes that any instruction from the Data Controller infringes applicable data protection legislation; c) take appropriate technical and organisational measures against any unauthorised or unlawful Processing, and to evaluate at regular intervals the adequacy of such security measures, amending these measures, if necessary, in order to fully comply with the prerequisites provided by the GDPR and applicable national data protection legislation; d) ensure that access, inspection, provision and other forms of Processing shall take place only in accordance with the need-to-know principle, meaning that the information shall be provided only to those persons who require such information for their work in relation to the performance of the Service; e) not disclose the Personal Data to any person other than to its personnel as necessary to perform obligations under this Agreement and ensure that such personnel is subject to statutory or contractual confidentiality obligations; f) promptly notify the Data Controller about any legally binding request for disclosure, unless such notification is prohibited by law; g) immediately notify the Data Controller about any accidental or unauthorized access or unlawful Processing or other Personal Data breach; h) create and maintain a record of its processing activities in relation to this Agreement and to disclose it to the Data Controller and relevant Supervisory Authority, if required; i) deal promptly and properly with all reasonable queries from the Data Controller regarding the Processing and performance of the Service; j) make available to the Data Controller all information necessary to demonstrate compliance with the applicable data protection legislation and if needed, submit its data processing facilities and/or information to audit; k) assist the Data Controller, if required, with the Data Controller’s obligations under applicable data protection legislation regarding fulfilment of rights of Data Subjects; l) immediately fulfil the request by the Data Controller for erasure or any other different Processing of Personal Data.

Processor’s Obligations. The 3.1. In view of its obligations under the Data Protection Laws, the Data Processor shall ensure shall: 3.1.1. Act only upon the strict instructions of the Data Controller and not process any personal data that in relation to the Personal Data disclosed may be transferred to it byby the Data Controller except as may be necessary for the performance of any service or task provided by the Data Processor to/for the Data Controller and, or otherwise obtained in particular, to process the said personal data only on documented instructions from the Data Controller, it shall: a) fully comply including with the documented instructions if provided regard to transfers of personal data to a third country or an international organisation, unless required to do so by the Data Controller and not Process the Personal Data for any purpose other than to perform the ServiceEU or Maltese law. If it fails to complyIn such a case, the Data Processor agrees to promptly shall inform the Data Controller of that legal requirement before processing, unless that law prohibits such inabilityinformation on important grounds of public interest; b) immediately inform 3.1.2. Ensure that persons authorised to process the personal data (including but not limited to the Data Controller, if it believes that any instruction from the Data Controller infringes applicable data protection legislationProcessor’s employees) have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; c) take 3.1.3. Implement appropriate technical and organisational measures to protect any personal data that may be processed on behalf of the Data Controller (if any) against any unauthorised accidental destruction or loss or unlawful Processingforms of processing thereby providing the best possible level of security appropriate to the particular risks in question and take any other such measures as required by the Data Processor’s direct obligations as a data processor in terms of Article 32 of the GDPR; 3.1.4. Not engage another data processor without prior specific or general written authorisation of the Data Controller. In the case of general written authorisation, and the Data Processor shall inform the Data Controller of any intended changes concerning the addition or replacement of other processors, thereby giving the Data Controller the opportunity to evaluate at regular intervals object to such changes. Where the adequacy Data Processor engages another processor for carrying out specific processing activities on behalf of such security measuresthe Data Controller (as authorised by the Data Controller), amending these measures, if necessarythe same data protection obligations as set out in this DPA shall be imposed on that other processor or sub-processor by way of a contract or other legal act under EU or Maltese law, in order particular providing sufficient guarantees to fully comply with implement appropriate technical and organisational measures in such a manner that the prerequisites provided by processing will meet the GDPR and applicable national requirements of the GDPR. Where that other processor or sub-processor fails to fulfil its data protection legislation; d) ensure that accessobligations, inspection, provision and other forms of Processing the Data Processor shall take place only in accordance with remain fully liable to the need-to-know principle, meaning that the information shall be provided only to those persons who require such information Data Controller for their work in relation to the performance of the Servicethat other processor or sub-processor's obligations. A list of sub-processors currently employed by Data Processor can be found in “Annex A”; e) not disclose 3.1.5. Assist the Personal Data Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Data Controller’s obligation to any person other than respond to its personnel as necessary to perform obligations under this Agreement and ensure that such personnel is subject to statutory or contractual confidentiality obligationsrequests for exercising the data subject's rights laid down in Chapter III of the GDPR, taking into account the nature of the processing; f3.1.6. Assist the Data Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR (security obligations, notification of personal data breach to the supervisory authority obligation, communication of a personal data breach to the data subject obligation, data protection impact assessment obligation and prior consultation with the supervisory authority obligation) promptly taking into account the nature of processing and the information available to the Data Processor; 3.1.7. In any case, notify the Data Controller about any legally binding request for disclosure, unless such notification is prohibited by law; g) immediately notify the Data Controller about any accidental or unauthorized access or unlawful Processing or other Personal Data without undue delay after becoming aware of a personal data breach; h) create and maintain a record 3.1.8. At the choice of its processing activities in relation to this Agreement and to disclose it the Data Controller, delete or return all the personal data to the Data Controller after the end of the provision of services relating to processing, and relevant Supervisory Authority, if requireddelete existing copies unless EU or Maltese law requires storage of the personal data; i) deal promptly and properly with all reasonable queries from the Data Controller regarding the Processing and performance of the Service; j) make 3.1.9. Make available to the Data Controller all information necessary to demonstrate compliance with the obligations laid down in this Clause 2 and in the applicable data protection legislation law(s) and if neededallow for and contribute to audits, submit its data processing facilities and/or information to audit; k) assist the Data Controllerincluding inspections, if required, with the Data Controller’s obligations under applicable data protection legislation regarding fulfilment of rights of Data Subjects; l) immediately fulfil the request conducted by the Data Controller for erasure or any another auditor mandated by the Data Controller. In this regard, the Data Processor shall immediately inform the Data Controller if, in its opinion, an instruction in connection with point (h) of the first subparagraph of Article 28 of the GDPR infringes the GDPR or other different Processing EU or Maltese data protection provisions; 3.1.10. Take all such measures necessary to ensure that processing will meet the requirements of Personal Datathe GDPR and ensure the protection of the rights of data subjects.

Processor’s Obligations. ‌ 2.1 The Data data Processor shall ensure that in relation undertakes to : (a) process the Personal Data disclosed to it by, or otherwise obtained only on documented instructions from the Data data Controller, it shall:including with regard to Personal Data Transfers to a Third Country or an international organisation, unless required to do so by any applicable local law to which the data Processor is subject; in such a case, the data Processor shall inform the data Controller of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest. The data Processor shall immediately inform the data Controller if, in its opinion, an instruction infringes the GDPR or other applicable local data protection provisions; a(b) fully comply with the documented instructions if provided by the Data Controller and not Process ensure that persons authorised to process the Personal Data for any purpose other than have committed themselves to perform the Service. If it fails to comply, the Data Processor agrees to promptly inform the Data Controller confidentiality or are under an appropriate statutory obligation of such inabilityconfidentiality; b) immediately inform the Data Controller, if it believes that any instruction from the Data Controller infringes applicable data protection legislation; (c) take all measures required pursuant to Article 3 of the DPA; (d) respect the conditions referred to in Article 5 of this DPA for engaging a sub-processor; (e) taking into account the nature of the Processing, assist the data Controller by appropriate technical and organisational measures against any unauthorised or unlawful Processing, and to evaluate at regular intervals the adequacy of such security measures, amending these measuresinsofar as this is possible, if necessary, for the fulfilment of the Controller's obligation to respond to requests for exercising the Data Subject's rights laid down in order to fully comply the GDPR; (f) assist the data Controller in ensuring compliance with the prerequisites provided by obligations pursuant to Articles 3 and 4 of the GDPR DPA taking into account the nature of Processing and applicable national data protection legislationthe information available to the Processor (including but not limited for privacy impact assessment) ; d(g) ensure that access, inspection, provision and other forms of Processing shall take place only in accordance with at the need-to-know principle, meaning that the information shall be provided only to those persons who require such information for their work in relation to the performance choice of the Service; e) not disclose data Controller, delete or return all the Personal Data to the data Controller after the end of the provision of Services relating to Processing, and deletes existing copies unless any person other than to its personnel as necessary to perform obligations under this Agreement and ensure that such personnel is subject to statutory or contractual confidentiality obligationsapplicable local law requires storage of the Personal Data; f) promptly notify the Data Controller about any legally binding request for disclosure, unless such notification is prohibited by law; g) immediately notify the Data Controller about any accidental or unauthorized access or unlawful Processing or other Personal Data breach; (h) create and maintain a record of its processing activities in relation to this Agreement and to disclose it to the Data Controller and relevant Supervisory Authority, if required; i) deal promptly and properly with all reasonable queries from the Data Controller regarding the Processing and performance of the Service; j) make available to the Data data Controller all information necessary to demonstrate compliance with the applicable data protection legislation obligations laid down in this DPA and if neededallow for and contribute to audits, submit its data processing facilities and/or information to audit; k) assist the Data Controllerincluding inspections, if required, with the Data Controller’s obligations under applicable data protection legislation regarding fulfilment of rights of Data Subjects; l) immediately fulfil the request conducted by the data Controller or another auditor mandated by the data Controller. 2.2 The data Processor shall communicate the data Controller the name and contact details of its Data Controller for erasure or Protection Officer if any other different Processing in accordance with article 37 of Personal Datathe GDPR.

Processor’s Obligations. 5.1. The Data Processor shall ensure that in relation to fulfill all the Personal Data disclosed to it byobligations set forth by the Agreement and this DAP, or otherwise obtained from the Data Controllerand, specifically, it shall: a(i) fully follow the instructions of the Data Controller based on the functionality of the Platform and carry out only the processing activities on Personal Data agreed with the Data Controller and indicated by the latter, and strictly necessary to execute the Agreement and the DAP; (ii) comply with the documented instructions if provided given by the Data Controller related to safety regulations and not Process with the Privacy Law, following the measures adopted by the Data Controller. (iii) request the Data Controller authorization if, in order to execute the Agreement, the Processor needs to carry out Processing activities on Personal Data other than those strictly related to the object of the Agreement; (iv) taking into account the nature, object, context, purpose of the Processing, as well as the possible risk for the rights and freedoms of the Data Subject, adopt the appropriate technical and organizational measures to ensure a level of security adequate to the risk and, in any case, the integrity, accuracy of the Personal Data for any purpose other than processed and the lawfulness of the Processing; (v) Grant to perform the Service. If it fails to comply, the Data Processor agrees to promptly inform the Data Controller the possibility of such inabilitycomplying with requests to exercise the rights of the Data Subject, including, by way of example, the right of access to their Personal Data, the right to rectification, the right to erasure (or right to be forgotten), the right to restriction of processing, the right to data portability, the right to object, the right not to be subject to decisions based on an automated decision-making process. In particular, the Processor will be required to take the necessary technical and organizational measures to allow the timely transmission to the Controller of the aforementioned requests; b(vi) immediately inform Ensure that the personnel who will carry out the processing activities are adequately trained in the protection of personal data and bound by confidentiality obligations with regard to the processing of Personal Data of the Controller; (vii) on the basis of the information at its disposal and following receipt of a written request by the Data Controller, if it believes that any instruction from assist the Data Controller infringes applicable data protection legislation; c) take appropriate latter in fulfilling its obligations under the Privacy Law, with particular reference to the implementation of technical and organisational measures against any unauthorised or unlawful Processing, and to evaluate at regular intervals the adequacy of such security organizational measures, amending these measures, if necessary, in order to fully comply with the prerequisites provided by the GDPR and applicable national data protection legislation; d) ensure that access, inspection, provision and other forms of Processing shall take place only in accordance with the need-to-know principle, meaning that the information shall be provided only to those persons who require such information for their work in relation to the performance of the Servicenecessary activities following a Data Breach, and the performance of a data protection impact assessment; e) not disclose the Personal Data to any person other than to its personnel as necessary to perform obligations under this Agreement and ensure that such personnel is subject to statutory or contractual confidentiality obligations; f) promptly notify the Data Controller about any legally binding request for disclosure, unless such notification is prohibited by law; g) immediately notify the Data Controller about any accidental or unauthorized access or unlawful Processing or other Personal Data breach; h) create and maintain a record of its processing activities in relation to this Agreement and to disclose it to the Data Controller and relevant Supervisory Authority, if required; i) deal promptly and properly with all reasonable queries from the Data Controller regarding the Processing and performance of the Service; j(viii) make available to the Data Controller all the information necessary required in order to demonstrate the compliance with its obligations pursuant to the applicable data protection legislation and if needed, submit its data processing facilities and/or information to auditPrivacy Law; k(ix) assist the Data ControllerController in carrying out the audit activities, if required, with the Data Controller’s obligations under applicable data protection legislation regarding fulfilment of rights of Data Subjects; l) immediately fulfil the request including any inspections carried out by the Data Controller for erasure or any other different Processing of Personal Dataand/or another subject appointed by the Data Controller.

Processor’s Obligations. 5.1. The Data Processor shall ensure that in relation to fulfill all the Personal Data disclosed to it byobligations set forth by the Agreement and this DAP, or otherwise obtained from the Data Controllerand, specifically, it shall: a(i) fully follow the instructions of the Data Controller based on the functionality of the Platform and carry out only the processing activities on Personal Data agreed with the Data Controller and indicated by the latter, and strictly necessary to execute the Agreement and the DAP; (ii) comply with the documented instructions if provided given by the Data Controller related to safety regulations and not Process with the Privacy Law, following the measures adopted by the Data Controller. (iii) request the Data Controller authorization if, in order to execute the Agreement, the Processor needs to carry out Processing activities on Personal Data other than those strictly related to the object of the Agreement; (iv) taking into account the nature, object, context, purpose of the Processing, as well as the possible risk for the rights and freedoms of the Data Subject, adopt the appropriate technical and organizational measures to ensure a level of security adequate to the risk and, in any case, the integrity, accuracy of the Personal Data for any purpose other than processed and the lawfulness of the Processing; (v) ▇▇▇▇▇ to perform the Service. If it fails to comply, the Data Processor agrees to promptly inform the Data Controller the possibility of such inabilitycomplying with requests to exercise the rights of the Data Subject, including, by way of example, the right of access to their Personal Data, the right to rectification, the right to erasure (or right to be forgotten), the right to restriction of processing, the right to data portability, the right to object, the right not to be subject to decisions based on an automated decision-making process. In particular, the Processor will be required to take the necessary technical and organizational measures to allow the timely transmission to the Controller of the aforementioned requests; b(vi) immediately inform Ensure that the personnel who will carry out the processing activities are adequately trained in the protection of personal data and bound by confidentiality obligations with regard to the processing of Personal Data of the Controller; (vii) on the basis of the information at its disposal and following receipt of a written request by the Data Controller, if it believes that any instruction from assist the Data Controller infringes applicable data protection legislation; c) take appropriate latter in fulfilling its obligations under the Privacy Law, with particular reference to the implementation of technical and organisational measures against any unauthorised or unlawful Processing, and to evaluate at regular intervals the adequacy of such security organizational measures, amending these measures, if necessary, in order to fully comply with the prerequisites provided by the GDPR and applicable national data protection legislation; d) ensure that access, inspection, provision and other forms of Processing shall take place only in accordance with the need-to-know principle, meaning that the information shall be provided only to those persons who require such information for their work in relation to the performance of the Servicenecessary activities following a Data Breach, and the performance of a data protection impact assessment; e) not disclose the Personal Data to any person other than to its personnel as necessary to perform obligations under this Agreement and ensure that such personnel is subject to statutory or contractual confidentiality obligations; f) promptly notify the Data Controller about any legally binding request for disclosure, unless such notification is prohibited by law; g) immediately notify the Data Controller about any accidental or unauthorized access or unlawful Processing or other Personal Data breach; h) create and maintain a record of its processing activities in relation to this Agreement and to disclose it to the Data Controller and relevant Supervisory Authority, if required; i) deal promptly and properly with all reasonable queries from the Data Controller regarding the Processing and performance of the Service; j(viii) make available to the Data Controller all the information necessary required in order to demonstrate the compliance with its obligations pursuant to the applicable data protection legislation and if needed, submit its data processing facilities and/or information to auditPrivacy Law; k(ix) assist the Data ControllerController in carrying out the audit activities, if required, with the Data Controller’s obligations under applicable data protection legislation regarding fulfilment of rights of Data Subjects; l) immediately fulfil the request including any inspections carried out by the Data Controller for erasure or any other different Processing of Personal Dataand/or another subject appointed by the Data Controller.

Processor’s Obligations. 9.1. The Data Processor shall ensure that in relation to the Personal Data disclosed to it by, or otherwise obtained from the Data Controller, it shall: a) fully comply with the Process User’s Data only on documented instructions if provided by from the Data Controller and not Process the Personal Data for any purpose other than to perform the Service. If it fails to comply, the Data Processor agrees to promptly inform the Data Controller of such inabilityUser; b) immediately inform Ensure that persons authorized to Process User’s Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. The Processor shall regularly train those persons to whom it grants access to User’s Data on IT security and privacy law compliance. The undertaking to data secrecy shall continue after the Data Controller, if it believes that any instruction from the Data Controller infringes applicable data protection legislationtermination of this Agreement; c) take Implement appropriate technical and organisational organizational security measures against any unauthorised or unlawful Processing, and to evaluate at regular intervals the adequacy ensure a level of such security measures, amending these measures, if necessary, in order appropriate to fully comply with the prerequisites provided by the GDPR and applicable national data protection legislationUser’s Data; d) ensure Ensure that access, inspection, provision and other forms any natural person acting under the authority of Processing shall take place only in accordance with the need-to-know principle, meaning that the information shall be provided only to those persons Processor who require such information for their work in relation has access to the performance of Personal Data does not process them except on instructions from the ServiceUser; e) not disclose Assist the Personal Data to any person other than to its personnel as necessary to perform User in compliance with User’s obligations under this Agreement and ensure that such personnel is subject Art. 32 to statutory or contractual confidentiality obligations36 of the GDPR; f) promptly notify the Data Controller about any legally binding request for disclosure, unless such notification is prohibited by law; g) immediately notify the Data Controller about any accidental or unauthorized access or unlawful Processing or other Personal Data breach; h) create and maintain a record of its processing activities in relation to this Agreement and to disclose it to the Data Controller and relevant Supervisory Authority, if required; i) deal promptly and properly with all reasonable queries from the Data Controller regarding the Processing and performance of the Service; j) make Make available to the Data Controller User all information necessary to demonstrate compliance with Processor’s obligations under the Agreement, the Data Protection Law, and allow for and contribute to audits, including inspections, conducted by the User or another auditor mandated by the User; g) Appoint a data protection officer if it is legally obliged to do so or, if it is not obliged to do so, a contact person for data protection issues; h) Provide the User, upon request in writing, with the name and contact details of its data protection officer or the contact person for data protection issues; i) Monitor the Processing by way of regular reviews concerning the performance of and compliance with this Agreement, the Terms, and the applicable data protection legislation and if neededData Protection Law; j) At User’s written request, submit its data processing facilities reasonably support the User in dealing with requests from individual Data Subjects and/or information a supervisory authority with respect to auditthe Processing of Personal Data hereunder; k) assist Assist the User with the implementation of appropriate technical and organizational measures in order to respond to applications by the Data ControllerSubjects for the exercise of their rights (in particular, if required, with Art. 13 to 23 of the Data Controller’s obligations under applicable data protection legislation regarding fulfilment of rights of Data SubjectsGDPR); l) immediately fulfil Provide at minimum the request by information set out in Art. 33(3) of the GDPR in the case of a Personal Data breach; m) Communicate information to the Data Controller for erasure or Subjects after a Personal Data breach, in particular pursuant to Art. 34 of the GDPR; and n) Conduct prior (i.e. before the start of the processing) data protection impact assessments pursuant to Art. 35 of the GDPR and, if necessary, consult with a supervisory authority pursuant to Art. 36 of the GDPR. 9.2. The Processor commits to observe any and all other different Processing duties that are imposed to the Processor pursuant to Art. 28 of Personal Datathe GDPR. 9.3. The Processor shall collaborate with User’s data protection officer to generate the records of processing activities, pursuant to Art. 30 of the GDPR, and provide all the necessary details to the User.

Processor’s Obligations. The Processor shall: Process User’s Data only on documented instructions from the User; Ensure that persons authorised to Process User’s Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. The Processor shall regularly train those persons to whom it grants access to User’s Data on IT security and privacy law compliance. The undertaking to data secrecy shall continue after the termination of this Agreement; Implement appropriate technical and organisational security measures to ensure a level of security appropriate to User’s Data; Ensure that in relation any natural person acting under the authority of the Processor who has access to the Personal Data disclosed to it by, or otherwise obtained does not process them except on instructions from the Data Controller, it shall: a) fully comply User; Assist the User in compliance with the documented instructions if provided by the Data Controller and not Process the Personal Data for any purpose other than User’s obligations under Art. 32 to perform the Service. If it fails to comply, the Data Processor agrees to promptly inform the Data Controller of such inability; b) immediately inform the Data Controller, if it believes that any instruction from the Data Controller infringes applicable data protection legislation; c) take appropriate technical and organisational measures against any unauthorised or unlawful Processing, and to evaluate at regular intervals the adequacy of such security measures, amending these measures, if necessary, in order to fully comply with the prerequisites provided by the GDPR and applicable national data protection legislation; d) ensure that access, inspection, provision and other forms of Processing shall take place only in accordance with the need-to-know principle, meaning that the information shall be provided only to those persons who require such information for their work in relation to the performance 36 of the Service; e) not disclose the Personal Data to any person other than to its personnel as necessary to perform obligations under this Agreement and ensure that such personnel is subject to statutory or contractual confidentiality obligations; f) promptly notify the Data Controller about any legally binding request for disclosure, unless such notification is prohibited by law; g) immediately notify the Data Controller about any accidental or unauthorized access or unlawful Processing or other Personal Data breach; h) create and maintain a record of its processing activities in relation to this Agreement and to disclose it to the Data Controller and relevant Supervisory Authority, if required; i) deal promptly and properly with all reasonable queries from the Data Controller regarding the Processing and performance of the Service; j) make GDPR; Make available to the Data Controller User all information necessary to demonstrate compliance with Processor’s obligations under the applicable Agreement, the Data Protection Law, and allow for and contribute to audits, including inspections, conducted by the User or another auditor mandated by the User; Appoint a data protection legislation and officer if needed, submit its data processing facilities and/or information it is legally obliged to audit; k) assist the Data Controllerdo so or, if requiredit is not obliged to do so, a contact person for data protection issues; Provide the User, upon request in writing, with the Data Controller’s obligations under applicable name and contact details of its data protection legislation regarding fulfilment officer or the contact person for data protection issues; Monitor the Processing by way of rights regular reviews concerning the performance of and compliance with this Agreement, the Terms, and the applicable Data Subjects; l) immediately fulfil Protection Law; At User’s written request, reasonably support the request User in dealing with requests from individual Data Subjects and/or a supervisory authority with respect to the Processing of Personal Data hereunder; Assist the User with the implementation of appropriate technical and organisational measures in order to respond to applications by the Data Controller Subjects for erasure or the exercise of their rights (in particular, Art. 13 to 23 of the GDPR); Provide at minimum the information set out in Art. 33(3) of the GDPR in the case of a Personal Data breach; Communicate information to the Data Subjects after a Personal Data breach, in particular pursuant to Art. 34 of the GDPR; and Conduct prior (i.e. before the start of the processing) data protection impact assessments pursuant to Art. 35 of the GDPR and, if necessary, consult with a supervisory authority pursuant to Art. 36 of the GDPR. The Processor commits to observe any and all other different Processing duties that are imposed to the Processor pursuant to Art. 28 of Personal Datathe GDPR. The Processor shall collaborate with User’s data protection officer to generate the records of processing activities, pursuant to Art. 30 of the GDPR, and provide all the necessary details to the User.