Common use of Protection of Personal Data Clause in Contracts

Protection of Personal Data.
25.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that:
a) they process data only for the express purpose for which it was obtained;
b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form;
c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement;
d) they do not disclose personal data of the other Party, other than in terms of this Agreement;
e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use;
f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;
g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access.
25.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.
25.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party. The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 25, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 25 shall mutatis mutandis apply to all authorised third parties who process personal data.
25.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
25.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented.
25.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.

Appears in 75 contracts

Sources: Master Agreement, Master Agreement, Master Agreement

Protection of Personal Data.
19.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that:
a) they process data only for the express purpose for which it was obtained;
b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form;
c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement;
d) they do not disclose personal data of the other Party, other than in terms of this Agreement;
e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use;
f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;
g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access.
19.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.
19.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party. The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 251918.1, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 19 shall mutatis mutandis apply to all authorised third parties who process personal data.
19.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
19.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented.
19.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.

Appears in 21 contracts

Sources: Master Agreement, Master Agreement, Master Agreement

Protection of Personal Data.
26.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that:
a) they process data only for the express purpose for which it was obtained;
b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form;
c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement;
d) they do not disclose personal data of the other Party, other than in terms of this Agreement;
e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use;
f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;
g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access.
26.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.
26.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party. The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 26, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 26 shall mutatis mutandis apply to all authorised third parties who process personal data.
26.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
26.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented.
26.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.

Appears in 20 contracts

Sources: Master Agreement, Master Agreement, Master Agreement

Protection of Personal Data.
19.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that:
a) they process data only for the express purpose for which it was obtained;
b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form;
c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement;
d) they do not disclose personal data of the other Party, other than in terms of this Agreement;
e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use;
f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;
g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access.
19.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.
19.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party. The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 2518.118.1, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 18.1 shall mutatis mutandis apply to all authorised third parties who process personal data.
19.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
19.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented.
19.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.

Appears in 19 contracts

Sources: Master Agreement, Master Agreement, Master Agreement

Protection of Personal Data.
24.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that:
a) they process data only for the express purpose for which it was obtained;
b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form;
c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement;
d) they do not disclose personal data of the other Party, other than in terms of this Agreement;
e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use;
f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;
g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access.
24.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.
24.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party. The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 24, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 24 shall mutatis mutandis apply to all authorised third parties who process personal data.
24.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
24.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented.
24.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.

Appears in 16 contracts

Sources: Master Agreement, Master Agreement, Master Agreement

Protection of Personal Data.
18.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that:
a) they process data only for the express purpose for which it was obtained;
b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form;
c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement;
d) they do not disclose personal data of the other Party, other than in terms of this Agreement;
e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use;
f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement;
g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access.
18.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing.
18.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party. The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 2517.117.1, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 17.1 shall mutatis mutandis apply to all authorised third parties who process personal data.
18.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it.
18.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented.
18.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.

Appears in 11 contracts

Sources: Master Agreement, Master Agreement, Master Agreement

Protection of Personal Data. 25.1 The Parties agree that they may obtain and have access to personal data for Where any Personal Data are Processed in connection with the duration exercise of the Agreement for the fulfilment of the Parties’ rights and obligations contained herein. In performing the obligations as set out in under this Framework Agreement, the Parties shall acknowledge that the Authority is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Authority to perform its obligations under this Framework Agreement; ensure that at all times ensure that: a) they process data only for the express purpose for which it was obtained; b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form; c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement; d) they do not disclose personal data of the other Party, other than in terms of this Agreement; e) they have all reasonable technical and organisational measures has in place to protect all personal data from unauthorised access and/or use; f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement; g) such personal data is protected guard against unauthorised or unlawful processing, Processing of the Personal Data and/or accidental loss, destruction destruction, or damage, alteration, disclosure or access. 25.2 The Parties agree that if personal data will be processed for additional purposes beyond damage to the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing. 
25.3 Should it be necessary for either Party to Personal Data; not disclose or otherwise make available transfer the personal data Personal Data to any third party (including sub-contractors and employees)or Supplier Personnel unless necessary for the provision of the Services and, it may do so only with for any disclosure or transfer of Personal Data to any third party, obtain the prior written permission consent of the Authority (save where such disclosure or transfer is specifically authorised under this Framework Agreement); take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 26.5.2 and Clause 26.2 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority or as otherwise permitted by this Framework Agreement; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Authority within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request), a request to rectify, block or erase any Personal Data or any other Partyrequest, complaint or communication relating to the Authority's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Authority with full cooperation and assistance (within the timescales reasonably required by the Authority) in relation to any complaint, communication or request made (as 
referred to at Clause 26.5.2(e), including by promptly providing: the Authority with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Authority to enable the Authority to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the Authority, on request by the Authority, with any Personal Data it holds in relation to a Data Subject; and if requested by the Authority, provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 26.5.2 and provide to the Authority copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Party requiring such permission Supplier shall require of all such third parties, appropriate written undertakings not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country which is not determined to be providedadequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “Restricted Countries”). 
If, after the Framework Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to anywhere outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a variation to the Authority which, if it is agreed by the Authority, shall be dealt with in accordance with Clause 19.1 (Variation Procedure) and Clauses 26.5.3(b) to 26.5.3(d); the Supplier shall set out in its proposal to the Authority for a Variation, details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the Authority’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with the Authority, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Authority may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Framework Agreement or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Authority on such terms as may be required by the Authority; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Authority and the Supplier relating to the relevant Personal Data transfer, and the Supplier acknowledges that in each case, this may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Authority deems necessary for the purpose of protecting Personal Data.
The Supplier shall use its reasonable endeavours to assist the Authority to comply with any obligations under the DPA and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of the Authority’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.

Appears in 11 contracts

Sources: Framework Agreement, Framework Agreement, Framework Agreement

Protection of Personal Data. 29.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that: a) they process data only for the express purpose for which it was obtained; b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form; c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement; d) they do not disclose personal data of the other Party, other than in terms of this Agreement; e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use; f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement; g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access. 29.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing. 29.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party.
The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 29, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 29 shall mutatis mutandis apply to all authorised third parties who process personal data. 29.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it. 29.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented. 29.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.

Appears in 11 contracts

Sources: Master Agreement, Master Agreement, Master Agreement

Protection of Personal Data. 17.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that: a) they process data only for the express purpose for which it was obtained; b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form; c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement; d) they do not disclose personal data of the other Party, other than in terms of this Agreement; e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use; f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement; g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access. 17.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing. 17.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party.
The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 16.116.1, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 16.1 shall mutatis mutandis apply to all authorised third parties who process personal data. 17.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it. 17.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented. 17.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.

Appears in 6 contracts

Sources: Master Agreement, Master Agreement, Master Agreement

Protection of Personal Data. 28.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that: a) they process data only for the express purpose for which it was obtained; b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form; c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement; d) they do not disclose personal data of the other Party, other than in terms of this Agreement; e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use; f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement; g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access. 28.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing. 28.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party.
The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 28, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 28 shall mutatis mutandis apply to all authorised third parties who process personal data. 28.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it. 28.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented. 28.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.

Appears in 6 contracts

Sources: Master Agreement, Master Agreement, Master Agreement

Protection of Personal Data. 18.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that: a) they process data only for the express purpose for which it was obtained; b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form; c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement; d) they do not disclose personal data of the other Party, other than in terms of this Agreement; e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use; f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement; g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access. 18.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing. 18.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party.
The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 1817.1, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 18 shall mutatis mutandis apply to all authorised third parties who process personal data. 18.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it. 18.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented. 18.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.

Appears in 6 contracts

Sources: Master Agreement, Master Agreement, Master Agreement

Protection of Personal Data. 22.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that: a) they process data only for the express purpose for which it was obtained; b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form; c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement; d) they do not disclose personal data of the other Party, other than in terms of this Agreement; e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use; f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement; g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access. 22.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing. 22.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party.
The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 22, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 22 shall mutatis mutandis apply to all authorised third parties who process personal data. 22.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it. 22.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented. 22.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.

Appears in 5 contracts

Sources: Master Agreement, Master Agreement, Master Agreement

Protection of Personal Data. 31.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that: a) they process data only for the express purpose for which it was obtained; b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form; c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement; d) they do not disclose personal data of the other Party, other than in terms of this Agreement; e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use; f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement; g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access. 31.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing. 31.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party.
The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 31, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 31 shall mutatis mutandis apply to all authorised third parties who process personal data. 31.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it. 31.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented. 31.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.

Appears in 4 contracts

Sources: Master Agreement, Master Agreement, Master Agreement

Protection of Personal Data. 23.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that: a) they process data only for the express purpose for which it was obtained; b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form; c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement; d) they do not disclose personal data of the other Party, other than in terms of this Agreement; e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use; f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement; g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access. 23.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing. 23.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party.
The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 23, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 23 shall mutatis mutandis apply to all authorised third parties who process personal data. 23.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it. 23.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented. 23.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.

Appears in 3 contracts

Sources: Master Agreement, Master Agreement, Master Agreement

Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Framework Agreement, the Parties acknowledge that the Authority is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Authority to perform its obligations under this Framework Agreement; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data; not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Authority (save where such disclosure or transfer is specifically authorised under this Framework Agreement); take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 26.5.2 and Clause 26.2 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority or as otherwise permitted by this Framework Agreement; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Authority within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request), a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the Authority's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Authority with full cooperation and assistance (within the timescales reasonably required by the Authority) in relation to any complaint, communication or request made (as referred to at Clause 26.5.2(e), including by promptly providing: the Authority with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Authority to enable the Authority to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the Authority, on request by the Authority, with any Personal Data it holds in relation to a Data Subject; and if requested by the Authority, provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 26.5.2 and provide to the Authority copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals.
The Supplier shall not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “Restricted Countries”).
If, after the Framework Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to anywhere outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a variation to the Authority which, if it is agreed by the Authority, shall be dealt with in accordance with Clause 18.1 (Variation Procedure) and Clauses 26.5.3(b) to 26.5.3(d); the Supplier shall set out in its proposal to the Authority for a Variation, details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the Authority’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with the Authority, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Authority may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Framework Agreement or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Authority on such terms as may be required by the Authority; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Authority and the Supplier relating to the relevant Personal Data transfer, and the Supplier acknowledges that in each case, this may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Authority deems necessary for the purpose of protecting Personal Data.
The Supplier shall use its reasonable endeavours to assist the Authority to comply with any obligations under the DPA and shall
25.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to not perform its obligations under this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed Framework Agreement in such a manner way as to cause the Authority to breach any of the Authority’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that it cannot the same would be reconstructed a breach of such obligations. The Supplier must comply with the Cyber Essentials requirements set out in paragraph 9 of Part A of Framework Schedule 2 (Services and Key Performance Indicators) and ensure that its Sub-Contractors, where appropriate, comply with those requirements in order to its original form, linking it to any particular individual or organisationdemonstrate compliance with the technical requirements prescribed by Cyber Essentials.

Appears in 3 contracts

Sources: Framework Agreement, Framework Agreement, Framework Agreement

Protection of Personal Data. 27.5.1 Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Framework Agreement, the Parties acknowledge that the Authority is the Data Controller and that the Supplier is the Data Processor. 27.5.2 The Supplier shall: (a) Process the Personal Data only in accordance with instructions from the Authority to perform its obligations under this Framework Agreement; (b) ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data; (c) not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Authority (save where such disclosure or transfer is specifically authorised under this Framework Agreement); (d) take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: (i) are aware of and comply with the Supplier’s duties under this Clause 27.5.2 and Clause 27.2 (Confidentiality); (ii) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority or as otherwise permitted by this Framework Agreement; and (iii) have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); (e) notify the Authority within five (5) Working Days if it receives: (i) from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request), a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the Authority's obligations under the DPA; (ii) any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or (iii) a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; (f) provide the Authority with full cooperation and assistance (within the timescales reasonably required by the Authority) in relation to any complaint, communication or request made (as referred to at Clause 27.5.2(e), including by promptly providing: (i) the Authority with full details and copies of the complaint, communication or request; (ii) where applicable, such assistance as is reasonably requested by the Authority to enable the Authority to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and (iii) the Authority, on request by the Authority, with any Personal Data it holds in relation to a Data Subject; and (g) if requested by the Authority, provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 27.5.2 and provide to the Authority copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. 27.5.3 The Supplier shall not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “Restricted Countries”).
If, after the Framework Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to anywhere outside the European Economic Area, the following provisions shall apply: (a) the Supplier shall propose a variation to the Authority which, if it is agreed by the Authority, shall be dealt with in accordance with Clause 19.1 (Variation Procedure) and Clauses 27.5.3(b) to 27.5.3(d); (b) the Supplier shall set out in its proposal to the Authority for a Variation, details of the following: (i) the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; (ii) the Restricted Countries to which the Personal Data will be transferred and/or Processed; and (iii) any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; (iv) how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the Authority’s compliance with the DPA;

Appears in 3 contracts

Sources: Framework Agreement, Framework Agreement, Framework Agreement

Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Call Off Contract, the Parties acknowledge that the Customer is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Customer to perform its obligations under this Call Off Contract; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data, including the measures as are set out in Clauses 34.1 (Security Requirements) and 34.2 (Protection of Customer Data); not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Customer (save where such disclosure or transfer is specifically authorised under this Call Off Contract) take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 34.6.2 and Clauses 34.1 (Security Requirements), 34.2 (Protection of Customer Data) and 34.3 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer or as otherwise permitted by this Call Off Contract; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Customer within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request) a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the Customer's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Customer with full cooperation and assistance (within the timescales reasonably required by the Customer) in relation to any complaint, communication or request made (as referred to at Clause 34.6.2(e)), including by promptly providing: the Customer with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Customer to enable the Customer to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the Customer, on request by the Customer, with any Personal Data it holds in relation to a Data Subject; and if requested by the Customer, provide a written description of the measures that has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 34.6.2 and provide to the Customer copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Supplier shall not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “Restricted Countries”).
If, after the Call Off Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to any outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a Variation to the Customer which, if it is agreed by the Customer, shall be dealt with in accordance with the Variation Procedure and Clauses 34.6.3(b) to 34.6.3(c); the Supplier shall set out in its proposal to the Customer for a Variation details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the Customer’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with then-current Customer, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Customer may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Call Off Contract or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Customer on such terms as may be required by the Customer; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Customer and the Sub-Contractor relating to the relevant Personal Data transfer, and in each case which the Supplier acknowledges may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Customer deems necessary for the purpose of protecting Personal Data.
The Supplier shall use its reasonable endeavours to assist the Customer to comply with any obligations under the DPA and shall not perform its obligations under this Call Off Contract in such a way as to cause the Customer to breach any of the Customer’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.

Appears in 3 contracts

Sources: Call Off Agreement, Call Off Agreement, Call Off Contract

Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Call Off Contract, the Parties acknowledge that the Customer is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Customer to perform its obligations under this Call Off Contract; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data, including the measures as are set out in Clauses 36.1 (Security Requirements) and 36.2 (Protection of Customer Data); not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Customer (save where such disclosure or transfer is specifically authorised under this Call Off Contract) take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 36.6.2 and Clauses 36.1 (Security Requirements), 36.2 (Protection of Customer Data) and 36.3 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer or as otherwise permitted by this Call Off Contract; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Customer within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request) a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the Customer's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Customer with full cooperation and assistance (within the timescales reasonably required by the Customer) in relation to any complaint, communication or request made (as referred to at Clause 36.6.2(e)), including by promptly providing: the Customer with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Customer to enable the Customer to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the Customer, on request by the Customer, with any Personal Data it holds in relation to a Data Subject; and if requested by the Customer, provide a written description of the measures that has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 36.6.2 and provide to the Customer copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Supplier shall not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area.
The Supplier shall use its reasonable endeavours to assist the Customer to comply with any obligations under the DPA and shall not perform its obligations under this Call Off Contract in such a way as to cause the Customer to breach any of the Customer’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.

Appears in 3 contracts

Sources: Call Off Contract, Call Off Contract, Call Off Contract

Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Framework Agreement, the Parties acknowledge that the Authority is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Authority to perform its obligations under this Framework Agreement; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data; not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Authority (save where such disclosure or transfer is specifically authorised under this Framework Agreement); take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 26.5.2 and Clause 26.2 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority or as otherwise permitted by this Framework Agreement; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Authority within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request), a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the Authority's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Authority with full cooperation and assistance (within the timescales reasonably required by the Authority) in relation to any complaint, communication or request
made (as referred to at Clause 26.5.2(e), including by promptly providing: the Authority with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Authority to enable the Authority to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the Authority, on request by the Authority, with any Personal Data it holds in relation to a Data Subject; and if requested by the Authority, provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 26.5.2 and provide to the Authority copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Party requiring such permission Supplier shall require of all such third parties, appropriate written undertakings not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country which is not determined to be providedadequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “Restricted Countries”). 
If, containing similar terms after the Framework Commencement Date, the Supplier or any Sub-Contractor wishes to that Process and/or transfer any Personal Data in or to anywhere outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a variation to the Authority which, if it is agreed by the Authority, shall be dealt with in accordance with Clause 18.1 (Variation Procedure) and Clauses 26.5.3(b) to 26.5.3(d); the Supplier shall set forth out in this clause 25its proposal to the Authority for a Variation, details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and dealing with that any Sub-Contractors or other third party's obligations parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of its processing of the personal data. Following approval by Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the other PartyAuthority’s compliance with the DPA; in providing and evaluating the Variation, the Party requiring permission agrees that the provisions of this clause 25 shall mutatis mutandis apply to all authorised third parties who process personal data. 25.4 The Parties shall ensure that they have regard to and comply with the Authority, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. 
Where necessary to meet this requirementapprovals processes in connection with, the Parties Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall keep all personal data comply with such other instructions and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it. 25.5 The Parties shall carry out regular assessments such other actions as the Authority may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Framework Agreement or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Authority on such terms as may be required by the Authority; or a data processing agreement with the Supplier on terms which are equivalent to identify all reasonably foreseeable internal those agreed between the Authority and external risks the Supplier relating to the personal data relevant Personal Data transfer, and the Supplier acknowledges that in its possession or each case, this may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under its controlthe DPA) and technical and organisation measures which the Authority deems necessary for the purpose of protecting Personal Data. The Parties Supplier shall implement and maintain appropriate safeguards against use its reasonable endeavours to assist the risks which it identifies Authority to comply with any obligations under the DPA and shall also regularly verify that the safeguards which it has in place has been effectively implemented. 
25.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to not perform its obligations under this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed Framework Agreement in such a manner way as to cause the Authority to breach any of the Authority’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that it cannot the same would be reconstructed to its original form, linking it to any particular individual or organisationa breach of such obligations.

Appears in 3 contracts

Sources: Vehicle Lease and Fleet Management Framework Agreement, Vehicle Lease and Fleet Management Framework Agreement, Postal Goods and Services Framework Agreement

Protection of Personal Data. 27.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that: a) they process data only for the express purpose for which it was obtained; b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form; c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement; d) they do not disclose personal data of the other Party, other than in terms of this Agreement; e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use; f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement; g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access. 27.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing. 27.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party.
The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 27, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 27 shall mutatis mutandis apply to all authorised third parties who process personal data. 27.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it. 27.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented. 27.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.

Appears in 3 contracts

Sources: Master Agreement, Master Agreement, Master Agreement

Protection of Personal Data. 25.1 The Parties agree acknowledge that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that: a) they process data only for the express purpose for which it was obtained; b) once processed for the purposes for which it was obtainedof the Data Protection Legislation, all data will be destroyed the factual activity carried out by each of them in relation to an extent that it cannot be reconstructed to its original form; c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ their respective obligations under this Agreement; dPanel Agreement dictates the classification of each party and shall be stated in Schedule 25. In certain circumstances, a Party may act as “Joint Controller” or a “Controller” or a “Processor”. Each Party, where it is a Controller, shall be responsible for its own compliance with all its obligations under the Data Protection Legislation. Where a Party acts as a Processor in relation to Personal Data where the other Party is Controller, the first Party shall comply and shall procure that any sub-processor complies with the Processor’s obligations in this Panel Agreement to the extent applicable. The only processing that the Processor is authorised to do is listed in Schedule 25 (Processing Personal Data) they do by the Controller and may not disclose personal data be determined by the Service Provider. The Processor shall notify the Controller immediately if it considers that any of the other Party, other than in terms of this Agreement; e) they have Controller's instructions infringe the Data Protection Legislation. 
The Processor shall provide all reasonable technical and organisational measures assistance to the Controller in place the preparation of any Data Protection Impact Assessment prior to protect all personal data from unauthorised access and/or use; f) they have appropriate technical and organisational measures in place to safeguard commencing any processing. Such assistance may, at the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement; g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access. 25.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing. 25.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission discretion of the other Party. The Party requiring such permission shall require of all such third partiesController, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 25, and dealing with that third party's obligations in respect of its processing include: a systematic description of the personal data. Following approval by envisaged processing operations and the other Party, purpose of the Party requiring permission agrees that processing; an assessment of the provisions necessity and proportionality of this clause 25 shall mutatis mutandis apply the processing operations in relation to all authorised third parties who process personal data. 
25.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity Services; an assessment of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it. 25.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its controlrights and freedoms of Data Subjects; and the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. The Parties Processor shall, in relation to any Personal Data processed in connection with its obligations under this Panel Agreement: process that Personal Data only in accordance with Schedule 25 (Processing Personal Data), unless the Processor is required to do otherwise by the requirements of the Panel Agreement or Law. 
If it is so required the Processor shall implement and maintain appropriate safeguards against promptly notify the risks which it identifies and shall also regularly verify Controller before processing the Personal Data unless prohibited by Law; ensure that the safeguards which it has in place Protective Measures which are appropriate to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), having taken account of the: nature of the data to be protected; harm that might result from a Data Loss Event; state of technological development; and cost of implementing any measures; ensure that : the Processor Personnel do not process Personal Data except in accordance with this Panel Agreement (and in particular Schedule 25 (Processing Personal Data)); it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they: are aware of and comply with the Processor’s duties under this Clause; are subject to appropriate confidentiality undertakings with the Processor or any Sub-processor; are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Controller or as otherwise permitted by this Panel Agreement; and have undergone adequate training in the use, care, protection and handling of Personal Data; not transfer Personal Data outside of the EU unless the prior written consent of the Controller has been effectively implemented. 
25.6 The Parties agree that they will promptly return obtained and the following conditions are fulfilled: the Controller or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected Processor has provided appropriate safeguards in relation to this Agreement, subject the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Controller; the Data Subject has enforceable rights and effective legal remedies; the Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any legal retention requirements. This may be Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data; at the request written direction of the other Controller, delete or return Personal Data (and any copies of it) to the Controller on termination of the Panel Agreement unless the a Party and includes circumstances where a person has requested is required by Law to retain the Parties Personal Data. Subject to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original formClause 27.5.7, linking it to any particular individual or organisation.the Processor shall notify the Controller immediately if it:

Appears in 3 contracts

Sources: Panel Agreement, Panel Agreement, Panel Agreement

Protection of Personal Data. 17.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that: a) they process data only for the express purpose for which it was obtained; b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form; c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement; d) they do not disclose personal data of the other Party, other than in terms of this Agreement; e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use; f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement; g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access. 17.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing. 17.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party.
The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 16, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 16.1 shall mutatis mutandis apply to all authorised third parties who process personal data. 17.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it. 17.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented. 17.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.

Appears in 3 contracts

Sources: Master Agreement, Master Agreement, Master Agreement

Protection of Personal Data. 17.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that: a) they process data only for the express purpose for which it was obtained; b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form; c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement; d) they do not disclose personal data of the other Party, other than in terms of this Agreement; e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use; f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement; g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access. 17.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing. 17.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party.
The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 16.116.1, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 16.1 shall mutatis mutandis apply to all authorised third parties who process personal data. 17.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it. 17.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented. 17.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.includes

Appears in 2 contracts

Sources: Master Agreement, Master Agreement

Protection of Personal Data. 23.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that: a) they process data only for the express purpose for which it was obtained; b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form; c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement; d) they do not disclose personal data of the other Party, other than in terms of this Agreement; e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use; f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement; g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access. 23.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing. 23.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party.
The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 24, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 2423 shall mutatis mutandis apply to all authorised third parties who process personal data. 23.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it. 23.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented. 23.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.

Appears in 2 contracts

Sources: Master Agreement, Master Agreement

Protection of Personal Data. 25.1 The Parties agree that they may obtain and have access to personal data for Where any Personal Data are Processed in connection with the duration exercise of the Agreement for the fulfilment of the Parties’ rights and obligations contained herein. In performing the obligations as set out in under this AgreementCall Off Contract, the Parties shall acknowledge that the Customer is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Customer to perform its obligations under this Call Off Contract; ensure that at all times ensure that: a) they process data only for the express purpose for which it was obtained; b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form; c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement; d) they do not disclose personal data of the other Party, other than in terms of this Agreement; e) they have all reasonable technical and organisational measures has in place to protect all personal data from unauthorised access and/or use; f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement; g) such personal data is protected guard against unauthorised or unlawful processing, Processing of the Personal Data and/or accidental loss, destruction destruction, or damagedamage to the Personal Data, alteration, disclosure or access. 
25.2 The Parties agree that if personal data will be processed for additional purposes beyond including the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing. 25.3 Should it be necessary for either Party to measures as are set out in Clauses 34.1 (Security Requirements) and 34.3 (Protection of Customer Data); not disclose or otherwise make available transfer the personal data Personal Data to any third party (including sub-contractors or Supplier Personnel unless necessary for the provision of the Goods and employees)Services and, it may do so only with for any disclosure or transfer of Personal Data to any third party, obtain the prior written permission consent of the Customer (save where such disclosure or transfer is specifically authorised under this Call Off Contract) take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 34.7.2 and Clauses 34.1 (Security Requirements), 34.3 (Protection of Customer Data) and 34.4 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer or as otherwise permitted by this Call Off Contract; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Customer within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request) a request to rectify, block or erase any Personal Data or any other Partyrequest, complaint or communication relating to the Customer's obligations under the DPA; any communication from the 
Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Customer with full cooperation and assistance (within the timescales reasonably required by the Customer) in relation to any complaint, communication or request made (as referred to at Clause 34.7.2(e)), including by promptly providing: the Customer with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Customer to enable the Customer to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the Customer, on request by the Customer, with any Personal Data it holds in relation to a Data Subject; and if requested by the Customer, provide a written description of the measures that has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 34.7.2 and provide to the Customer copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Party requiring such permission Supplier shall require of all such third parties, appropriate written undertakings not Process or cause or permit any Personal Data to be providedtransferred in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together Restricted Countries) without Approval. 
If, containing similar terms after the Call Off Commencement Date, the Supplier or any Sub-Contractor wishes to that Process and/or transfer any Personal Data in or to any outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a Variation to the Customer which, if it is agreed by the Customer, shall be dealt with in accordance with the Variation Procedure and Clauses 34.7.3(b) to 34.7.3(d); the Supplier shall set forth out in this clause 25its proposal to the Customer for a Variation details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries, including the purpose for the transfer; (if applicable) the countries through which the Personal Data will be transited and dealing with that the nature of the transit; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third party's obligations parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of its processing of the personal data. Following approval by Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the other PartyCustomer’s compliance with the DPA; in providing and evaluating the Variation, the Party requiring permission agrees that the provisions of this clause 25 shall mutatis mutandis apply to all authorised third parties who process personal data. 25.4 The Parties shall ensure that they have regard to and comply with then-current Customer, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. 
Where necessary to meet this requirementapprovals processes in connection with, the Parties Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall keep all personal data comply with such other instructions and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it. 25.5 The Parties shall carry out regular assessments such other actions as the Customer may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Call Off Contract or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Customer on such terms as may be required by the Customer; or a data processing agreement with the Supplier on terms which are equivalent to identify all reasonably foreseeable internal those agreed between the Customer and external risks the Sub-Contractor relating to the personal data relevant Personal Data transfer, and in its possession or each case which the Supplier acknowledges may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under its controlthe DPA) and technical and organisation measures which the Customer deems necessary for the purpose of protecting Personal Data. The Parties Supplier shall implement and maintain appropriate safeguards against use its reasonable endeavours to assist the risks which it identifies Customer to comply with any obligations under the DPA and shall also regularly verify that the safeguards which it has in place has been effectively implemented. 
25.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to not perform its obligations under this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed Call Off Contract in such a manner way as to cause the Customer to breach any of the Customer’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that it cannot the same would be reconstructed to its original form, linking it to any particular individual or organisationa breach of such obligations.

Appears in 2 contracts

Sources: Call Off Order Form and Call Off Terms, Call Off Contract

Protection of Personal Data. 25.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that: a) they process data only for the express purpose for which it was obtained; b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form; c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement; d) they do not disclose personal data of the other Party, other than in terms of this Agreement; e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use; f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement; g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access. 25.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing. 25.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party. 
The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 25, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 25 shall mutatis mutandis apply to all authorised third parties who process personal data. 25.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it. 25.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented. 25.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.
25.7 Personal Information security breach: Supplier/Service Provider’s Obligations a) The Supplier/Service Provider shall notify the Information Officer of Transnet, in writing as soon as possible after it becomes aware of or suspects any loss, unauthorised access or unlawful use of any personal data and shall, at its own cost, take all necessary remedial steps to mitigate the extent of the loss or compromise of personal data and to restore the integrity of the affected Goods/Services as quickly as is possible. The Supplier/Service Provider shall also be required to provide Transnet with details of the persons affected by the compromise and the nature and extent of the compromise, including details of the identity of the unauthorised person who may have accessed or acquired the personal data. b) The Supplier/Service Provider shall provide on-going updates on its progress in resolving the compromise at reasonable intervals until such time as the compromise is resolved. c) Where required, the Supplier/Service Provider may be required to notify the South African Police Service; and/or the State Security Agency and where applicable, the relevant regulator and/or the affected persons of the security breach. Any such notification shall always include sufficient information to allow the persons to take protective measures against the potential consequences of the compromise. d) The Supplier/Service Provider undertakes to co‑operate in any investigation relating to security which is carried out by or on behalf of Transnet including providing any information or material in its possession or control and implementing new security measures.

Appears in 2 contracts

Sources: Master Agreement, Master Agreement

Protection of Personal Data. 25.1 The Parties parties agree that they may obtain as at the Signature Date, the provisions of Clause 29 in their entirety do not apply to this agreement on the basis that the Contractor will not receive or process any Personal Data as a Data Processor for in the performance of its Services. 29.1 To the extent that personal date is processed and have access with respect to personal data for the duration of the Agreement for the fulfilment of the parties' rights and obligations contained herein. In performing under this Agreement, the obligations parties agree that the DCC is either the Data Controller or the Data Processor and that the Contractor is the Data Processor. 29.2 To the extent that the Contractor processes Personal Data as the Data Processor for DCC, the Contractor shall: 29.2.1 Process the Personal Data only in accordance with instructions from the DCC as to the manner and purpose of the processing of this Personal Data (which may be specific instructions or instructions of a general nature as set out in this Agreement, Agreement or as otherwise notified by the Parties shall at all times ensure that: a) they process data only for DCC to the express purpose for Contractor during the Service Period). 
Any such instructions which it was obtained; b) once processed for are inconsistent with the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form; c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective parties' rights and obligations under this AgreementAgreement shall be dealt with in accordance with the Change Control Procedure; d) they do not disclose personal data 29.2.2 Process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the other Party, other than in terms of this AgreementServices or as is required by Law; e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use; f) they have 29.2.3 implement appropriate technical and organisational measures in place to safeguard protect the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement; g) such personal data is protected Personal Data against unauthorised or unlawful processingProcessing and against accidental loss, destruction, damage, alteration or disclosure. 
These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damagedamage to the Personal Data and having regard to the nature of the Personal Data which is to be protected;‌ 29.2.4 take reasonable steps to ensure the reliability of any Contractor Personnel who have access to the Personal Data; 29.2.5 obtain prior written consent from the DCC in order to transfer the Personal Data to any Sub-contractors or Affiliates for the provision of the Services, alterationsuch consent not to be unreasonably withheld or delayed; 29.2.6 ensure that all Contractor Personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 29; 29.2.7 ensure that none of the Contractor Personnel publish, disclosure or access. 25.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing. 
25.3 Should it be necessary for either Party to disclose or otherwise make available divulge any of the personal data Personal Data to any third party unless directed in writing to do so by the DCC; 29.2.8 notify the DCC (within five (5) Working Days) unless not permitted by law or regulation if it receives: 29.2.8.1 a request from a Data Subject to have access to that person's Personal Data of which DCC is the Data Controller and Contractor is the Data Processor; or 29.2.8.2 a complaint or request relating to the DCC's obligations under the Data Protection Legislation; 29.2.9 provide the DCC with full co-operation and assistance in relation to any complaint or request made, including subby: 29.2.9.1 providing the DCC with full details of the complaint or request; 29.2.9.2 enabling the DCC to comply with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the DCC's instructions; 29.2.9.3 providing the DCC with any Personal Data it holds as Data Processor in relation to a Data Subject as a result of this Agreement (within the timescales required by the DCC); and 29.2.9.4 providing the DCC with any reasonable information requested by the DCC; 29.2.10 provide a written description of the technical and organisational methods employed by the Contractor for Processing Personal Data (with DCC providing no less than 30 days notice); and 29.2.11 not Process or otherwise transfer any Personal Data outside the European Economic Area without the consent of the DCC (not to be unreasonably withheld or denied).‌ 29.2.11.1 the Contractor shall submit a Change Request to the DCC which shall be dealt with in accordance with the Change Control Procedure and this Clause 29.2.11; 29.2.11.2 the Contractor shall set out in its Change Request and/or Impact Assessment appropriate details of the following: (a) the Personal Data which will be Processed and/or transferred outside the European Economic Area; (b) the country or 
countries in which the Personal Data will be Processed and/or to which the Personal Data will be transferred outside the European Economic Area; (c) any Sub-contractors or other third parties who will be Processing and/or transferring Personal Data outside the European Economic Area; and (d) how the Contractor will ensure an adequate level of protection and employees), it may do so only adequate safeguards (in accordance with the prior written permission of Data Protection Legislation and in particular so as to ensure the other Party. The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 25, and dealing DCC's compliance with that third party's obligations the Data Protection Legislation) in respect of its processing of the personal data. Following approval by Personal Data that will be Processed and/or transferred outside the other PartyEuropean Economic Area; 29.2.11.3 in providing and evaluating the Change Request and Impact Assessment, the Party requiring permission agrees that the provisions of this clause 25 shall mutatis mutandis apply to all authorised third parties who process personal data. 25.4 The Parties shall ensure that they have regard to and comply with then current Guidance on, and any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirementapprovals processes in connection with, the Parties Processing and/or transfers of Personal Data outside the European Economic Area and/or overseas generally; and 29.2.11.4 the Contractor shall keep all personal data comply with such other instructions and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it. 
25.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to such other actions as the personal DCC may notify in writing, including: (a) incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation) in this Agreement or a separate data in its possession processing agreement between the parties; and (b) procuring that any Sub-contractor or other third party who will be Processing and/or transferring the Personal Data outside the European Economic Area enters into a direct data processing agreement with the DCC on such terms as may be required by the DCC, which the Contractor acknowledges may include the incorporation of standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under its controlthe Data Protection Legislation. The Parties Contractor shall implement and maintain appropriate safeguards against comply at all times with the risks which it identifies Data Protection Legislation as applicable and shall also regularly verify that the safeguards which it has in place has been effectively implemented. 25.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to not perform its obligations under this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed Agreement in such a manner that it canway as to cause the DCC to breach any of its applicable obligations under the Data Protection Legislation. 
29.3 DCC shall comply at all times with the Data Protection Legislation and shall not be reconstructed Process Personal Data for the purposes of this Agreement in such a way as to cause the Contractor to breach any of its original form, linking it to any particular individual or organisationapplicable obligations under the Data Protection Legislation.

Appears in 2 contracts

Sources: Agreement for the Provision of Bi/Mi Services, Agreement for the Provision of Networks and FTP Services

Protection of Personal Data. 25.1 The Parties agree that they may obtain and have access ‌ Arrangement between the Parties‌ 36.1 With respect to personal data for the duration of the Agreement for the fulfilment of the Parties' rights and obligations contained herein. In performing the obligations as set out in under this Agreement, the Parties shall at all times ensure thatacknowledge that the DCC is a Data Controller and that the Contractor is a Data Processor. In respect of the Contractor's Processing under this Agreement: a) they process data only for 36.1.1 the express subject-matter, nature and purpose for which it was obtained; b) once processed of the Processing will be DCC employee and supply chain contact details used for the purposes for which it was obtained, all data of liaising with such parties to perform the Services and/or as required to assist in delivering the Objectives; 36.1.2 the type of Personal Data being processed will be destroyed to an extent that it cannot be reconstructed to its original formPersonal Data of names, contact addresses, email addresses and telephone numbers; c) data is provided 36.1.3 the duration of the Processing shall be the term of this Agreement; and 36.1.4 the parties will use the Variation Procedure to agree any changes to this clause for the Transition to Live and Operational Phase. 
Processor obligations‌ 36.2 The Contractor shall:‌ 36.2.1 Process the Personal Data only in accordance with instructions from the DCC to authorised personnel who strictly require the personal data to carry out the Parties’ respective perform its obligations under this Agreement; d) they do not disclose personal data of the other Party, other than in terms of this Agreement; e) they have 36.2.2 ensure that at all reasonable technical and organisational measures times it has in place to protect all personal data from unauthorised access and/or use; f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement; g) such personal data is protected guard against unauthorised or unlawful processing, processing of the Personal Data and/or accidental loss, destruction or damagedamage to the Personal Data, alterationincluding the measures as are set out in Clause 35 (DCC Data), disclosure or access.Clause 41 (Security Requirements) and the Security Management Plan; 25.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing. 
25.3 Should it be necessary for either Party to 36.2.3 not disclose or otherwise make available transfer the personal data Personal Data to any third party or Contractor Personnel, or allow a third party or Contractor Personnel access to the Personal Data, unless necessary for the provision of the Services and: (including sub-contractors and employees)a) for any disclosure or transfer of Personal Data to any third party, it may do so only with the prior written permission consent of the DCC; (b) where the Contractor wishes to appoint a sub-Processor, in compliance with Clause 27 (Supply Chain Rights) and any applicable conditions under such Clause 27 (Supply Chain Rights) or Clause 36.3; 36.2.4 take all reasonable steps to ensure the reliability and integrity of any Contractor Personnel who have access to the Personal Data and ensure that the Contractor Personnel: (i) are aware of and comply with the Contractor’s duties under this Clause 36.2 and Clauses 37 (Confidentiality), 35 (DCC Data) and 41 (Security Requirements); (ii) are subject to appropriate confidentiality undertakings with the Contractor or the relevant Sub- contractor; (iii) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the DCC or as otherwise permitted by this Agreement; and (iv) have undergone adequate training in the use, care, protection and handling of personal data (as defined in the Data Protection Laws); 36.2.5 notify the DCC within 48 hours if it:‌ (a) receives from a Data Subject (or third party on their behalf): (i) a Data Subject Access Request (or purported Data Subject Access Request); (ii) a request to rectify, block or erase any Personal Data; or (iii) any other request, complaint or communication relating to either Party. 
The Party requiring 's obligations under the Data Protection Laws; (b) considers that any of the instructions from the DCC infringe the Data Protection Laws; (c) receives any Regulator Correspondence or any other communication from the Information Commissioner or any other Regulatory Body in connection with Personal Data Processed under this Agreement; (d) receives a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or (e) is required by Law to commit an act or omission that would, but for Clause 36.2, constitute a breach of this Clause 36;
36.2.6 provide the DCC with full co-operation and assistance (within the timescales reasonably required by the DCC) in relation to either Party's obligations under the Data Protection Laws or any complaint, communication or request made as referred to in Clause 36.2.5, including by promptly providing: (a) the DCC with full details and copies of the complaint, communication or request; (b) where applicable, such assistance as is reasonably requested by the DCC to enable the DCC to comply with the Data Subject Access Request within the relevant timescales set out in the Data Protection Laws; and (c) the DCC, on request by the DCC, with any Personal Data it holds in relation to a Data Subject; and
36.2.7 assistance following a security breach or incident involving Personal Data as required by the DCC including with respect to the DCC's consultation with the Information Commissioner's Office; and
36.2.8 if requested by the DCC, provide a written description of the measures that it has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 36 and provide to the DCC copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals.
36.3 The Contractor shall not Process or otherwise transfer any Personal Data in or to any Restricted Country without the DCC's prior written consent. If, after the Commencement Date, the Contractor or any Sub-contractor wishes to Process and/or transfer any Personal Data in or to any Restricted Country, the Contractor shall, in seeking consent, submit such information as the DCC shall require in order to enable it to consider the request and acknowledges that such consent may be given subject to any conditions which will, if appropriate, be incorporated into this Agreement at the Contractor's cost and expense using the Variation Procedure.
36.4 The Contractor shall use its reasonable endeavours to assist the DCC to comply with any obligations under the Data Protection Laws and shall not perform its obligations under this Agreement in such a way as to cause the DCC to breach any of the DCC’s obligations under the Data Protection Laws to the extent the Contractor is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.
36.5 The Contractor shall indemnify and keep indemnified the DCC at all times against any Losses incurred by the DCC in connection with the Contractor's breach of this Clause 36 and/or any failure by the Contractor or any Sub-contractor to comply with their respective obligations under Data Protection Laws.
36.6 Nothing in this Clause 36 shall be construed as requiring the Contractor or any relevant Sub-contractor to be in breach of any Data Protection Laws.

Appears in 2 contracts

Sources: Agreement for the Provision of Software Development and Related Services, Agreement for the Provision of Software Development and Related Services

Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Lease Agreement, the Parties acknowledge that the Customer is the Data Controller and that the Supplier is the Data Processor.
The Supplier shall: Process the Personal Data only in accordance with instructions from the Customer to perform its obligations under this Lease Agreement; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data, including the measures as are set out in Clauses 43 (Security Requirements) and (c) (Protection of Customer Data); not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Customer (save where such disclosure or transfer is specifically authorised under this Lease Agreement); take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under Clause 43.2.30 and Clauses 43 (Security Requirements), (c) (Protection of Customer Data) and (c) (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer or as otherwise permitted by this Lease Agreement; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Customer within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request), a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the Customer's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Customer with full cooperation and assistance (within the timescales reasonably required by the Customer) in relation to any complaint, communication or request made (as referred to at Clause 43.(e)), including by promptly providing: the Customer with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Customer to enable the Customer to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the Customer, on request by the Customer, with any Personal Data it holds in relation to a Data Subject; and if requested by the Customer, provide a written description of the measures that it has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 43.2.30 and provide to the Customer copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals.
The Supplier shall not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “Restricted Countries”).
If, after the Lease Agreement Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to any outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a Variation to the Customer which, if it is agreed by the Customer, shall be dealt with in accordance with the Variation Procedure and Clauses 43.(b) to 43.(c); the Supplier shall set out in its proposal to the Customer for a Variation details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the Customer’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with then-current Customer, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Customer may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Lease Agreement or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Customer on such terms as may be required by the Customer; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Customer and the Sub-Contractor relating to the relevant Personal Data transfer, and in each case which the Supplier acknowledges may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Customer deems necessary for the purpose of protecting Personal Data.
The Supplier shall use its reasonable endeavours to assist the Customer to comply with any obligations under the DPA and shall not perform its obligations under this Lease Agreement in such a way as to cause the Customer to breach any of the Customer’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.

Appears in 2 contracts

Sources: Lease Agreement, Lease Agreement

Protection of Personal Data. With respect to the Parties' rights and obligations under this DPS Agreement, the Parties acknowledge that the Authority is the Controller and that the Supplier is the Processor. The only Processing that the Supplier is authorised to do is as specified in Schedule 13 of this DPS Agreement and may not be determined by the Supplier.
The Supplier shall: notify the Authority immediately if it considers that any of the Authority's instructions infringe the Data Protection Legislation; provide all reasonable assistance to the Authority in the preparation of any Data Protection Impact Assessment prior to commencing any Processing. Such assistance may, at the discretion of the Authority, include: a systematic description of the envisaged Processing operations and the purpose of the Processing; an assessment of the necessity and proportionality of the Processing operations in relation to the Services; an assessment of the risks to the rights and freedoms of Data Subjects; and the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
The Supplier shall, in relation to any Personal Data Processed in connection with its obligations under this DPS Agreement: process the Personal Data only in accordance with DPS Agreement Schedule 13, unless the Supplier is required to do otherwise by Law. If it is so required the Supplier shall promptly notify the Authority before Processing the Personal Data unless prohibited by Law; ensure that it has in place Protective Measures, which have been reviewed and approved by the Authority as appropriate to protect against a Data Loss Event having taken account of the: nature of the data to be protected; harm that might result from a Data Loss Event; state of technological development; and cost of implementing any measures; ensure that: the Supplier Personnel do not Process Personal Data except in accordance with this DPS Agreement (and in particular DPS Agreement Schedule 13); it takes all reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that they: are aware of and comply with the Supplier’s duties under this Clause; are subject to appropriate confidentiality undertakings with the Supplier or any Sub-processor; are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Authority or as otherwise permitted by this DPS Agreement; and have undergone adequate training in the use, care, protection and handling of Personal Data; not transfer Personal Data outside of the European Union (“EU”) unless the prior written consent of the Authority has been obtained and the following conditions are fulfilled: the Authority or the Supplier has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Authority; the Data Subject has enforceable rights and effective legal remedies; the Supplier complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Authority in meeting its obligations); and the Supplier complies with any reasonable instructions notified to it in advance by the Authority with respect to the Processing of the Personal Data; at the written direction of the Authority, delete or return Personal Data (and any copies of it) to the Authority on termination of the DPS Agreement unless the Supplier is required by Law to retain the Personal Data.
Subject to Clause 21.6.5, the Supplier shall notify the Authority immediately if it: receives a Data Subject Access Request (or purported Data Subject Access Request); receives a request to rectify, block or erase any Personal Data; receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data Processed under this DPS Agreement; receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or becomes aware of a Data Loss Event.
Taking into account the nature of the Processing, the Supplier shall provide the Authority with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under Clause 21.6.4 (and insofar as possible within the timescales reasonably required by the Authority) including by promptly providing: the Authority with full details and copies of the complaint, communication or request; such assistance as is reasonably requested by the Authority to enable the Authority to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; the Authority, at its request, with any Personal Data it holds in relation to a Data Subject; assistance as requested by the Authority following any Data Loss Event; and assistance as requested by the Authority with respect to any request from the Information Commissioner’s Office, or any consultation by the Authority with the Information Commissioner's Office.
The Supplier shall maintain complete and accurate records and information to demonstrate its compliance with this Clause. This requirement does not apply where the Supplier employs fewer than two hundred and fifty (250) staff, unless: the Authority determines that the Processing is not occasional; the Authority determines the Processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; and the Authority determines that the Processing is likely to result in a risk to the rights and freedoms of Data Subjects.
The Supplier shall allow for audits of its Data Processing activity by the Authority or the Authority’s designated auditor. The Supplier shall designate a Data Protection Officer if required by the Data Protection Legislation.
Before allowing any Sub-processor to Process any Personal Data related to this DPS Agreement, the Supplier must: (a) notify the Authority in writing of the intended Sub-processor and Processing; (b) obtain the written consent of the Authority; (c) enter into a written agreement with the Sub-processor which give effect to the terms set out in this Clause 21.6 such that they apply to the Sub-processor; and

Appears in 2 contracts

Sources: Dynamic Purchasing System Agreement, Dynamic Purchasing System Agreement

Protection of Personal Data.
9.1.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the factual activity carried out by each of them in relation to their respective obligations under this Call Off Contract dictates the classification of each party. In certain circumstances, a Party may act as “Joint Controller” or a “Controller” or a “Processor”. Each Party, where it is a Controller, shall be responsible for its own compliance with all its obligations under the Data Protection Legislation. Where a Party acts as a Processor in relation to Personal Data where the other Party is Controller, the first Party shall comply and shall procure that any subprocessor complies with the Processor’s obligations in this Call Off Contract to the extent applicable. The only processing that the Processor is authorised to do is listed in Schedule 15 (Processing Personal Data) by the Controller and may not be determined by the Processor.
9.1.2 The Processor shall notify the Controller immediately if it considers that any of the Controller’s instructions infringe the Data Protection Legislation.
9.1.3 The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Controller, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
9.1.4 The Processor shall, in relation to any Personal Data processed in connection with its obligations under this Call Off Contract: (a) process that Personal Data only in accordance with Schedule 15 (Processing Personal Data), unless the Processor is required to do otherwise by the requirements of the Call Off Contract or Law. If it is so required the Processor shall promptly notify the Buyer before processing the Personal Data unless prohibited by Law; (b) ensure that it has in place Protective Measures which are appropriate to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures) having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; (c) ensure that: (i) the Processor Personnel do not process Personal Data except in accordance with this Call Off Contract (and in particular Schedule 15 (Processing Personal Data)); (ii) it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Processor’s duties under this ▇▇▇▇▇▇; (B) are subject to appropriate confidentiality undertakings with the Processor or any Sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Controller or as otherwise permitted by this Call Off Contract; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; (d) not transfer Personal Data outside of the EU unless the prior written consent of the Buyer has been obtained and the following conditions are fulfilled: (i) the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Controller; (ii) the Data Subject has enforceable rights and effective legal remedies; (iii) the Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and (iv) the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data; (e) at the written direction of the Controller, delete or return Personal Data (and any copies of it) to the Controller on termination of the Call Off Contract unless the Processor is required by Law to retain the Personal Data.
9.1.5 Subject to Clause 9.1.7, the Processor shall notify the Controller immediately if it:

Appears in 2 contracts

Sources: Legal Services Contract, Panel Agreement

Protection of Personal Data. 25.1 21.1 The Parties shall observe and perform their respective obligations under the Data Protection Legislation. In respect of the Personal Data processed to perform the Services the parties agree that they may obtain and have access are joint Data Controllers .Each Party shall comply with its obligations as a Data Controller under the Data Protection Legislation 21.2 Details of the Personal Data to personal be shared under this Agreement are recorded in Schedule 15. The Parties shall process the data in accordance with Schedule 15. 21.3 When one party is transferring Personal Data (the “Disclosing Party”) to the other Party (the “Receiving Party”), the Disclosing Party shall ensure that any Personal Data that is transferred: 21.3.1 has been collected in accordance with the Data Protection Legislation; and 21.3.2 the fair processing notice given to the relevant Data Subject entitles the Receiving Party to Process such Personal Data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as purposes set out in this Agreement 21.4 Neither Party shall Process Personal Data transferred under this Agreement for any purposes other than those set out in this Agreement. 
21.5 Without Limitation to Clause 21.1, the Parties shall at all times ensure thateach Party shall: a) they process data only for the express purpose for which it was obtained; b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form; c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement; d) they do not disclose personal data of the other Party, other than in terms of this Agreement; e) they have all reasonable technical 21.5.1 Implement and organisational measures in place to protect all personal data from unauthorised access and/or use; f) they have maintain appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement; g) such personal data is protected guard against unauthorised or unlawful processing, Processing of the Personal Data and/or accidental loss, destruction or damage, alteration, disclosure or access.damage to the Personal Data; 25.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing. 
21.5.2 not disclose or transfer the Personal Data to any third party or Staff unless necessary to perform the Services or in the case of disclosure or transfer by the Council its other statutory duties which are not delegated by these arrangements and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the other party (save where such disclosure or transfer is specifically authorised under the Information Sharing Protocol); 21.5.3 take all reasonable steps to ensure the reliability and integrity of any employees who have access to the Personal Data and ensure that the employees: 21.5.3.1 are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless permitted by this Agreement; and 21.5.3.2 have undergone adequate training in the Data Protection Legislation and use, care, protection and handling of Personal Data; 21.5.4 notify the other Party promptly of any known breach of technical and organisational security measures where the breach has affected or could have affected Personal Data transferred under this Agreement. 21.5.5 notify the other Party promptly if a request is received from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; and 21.5.6 notify the other Party promptly of any complaint, communication or request regarding the Processing of Personal Data pursuant to this Agreement and provide full cooperation and assistance (within a reasonable timescale) to assist the receiving party in responding to the complaint within any relevant deadlines set out in the Data Protection Legislation.
21.6 On receipt of any request or enquiry from an Information Regulator that relates to Personal Data transferred under this Agreement, each Party shall notify the other and shall provide the other with all reasonable assistance to allow the Party in receipt of the request to respond. 21.7 Each Party shall allow access to its premises and reasonable notice and provide all reasonable assistance to the other Party to provide the other Party with reasonable assurance that this Agreement is being complied with. 21.8 In the event of a request relating to Personal Data transferred under this agreement from a Data Subject: 21.8.1 for subject access, the Party who has received the request shall notify the other Party promptly. The other Party shall provide reasonable assistance to allow the Party who has received the request to respond to the Data Subject within the timescales set out in the Data Protection Legislation; 21.8.2 for the rectification or erasure of Personal Data or restriction of Processing, the Party who has received the request shall determine whether such request is valid under the Data Protection Legislation. In the event that the Party which has received the request determines that the relevant Personal Data should be rectified or erased or that any Processing shall be restricted, it shall notify the other Party promptly. The Party receiving the notification shall rectify or erase the Personal Data or restrict Processing (as applicable) promptly. 21.9 The Parties shall not Process or otherwise transfer any Personal Data in or to any Restricted Country. 
If, after the Effective Date, a Party wishes to Process and/or transfer any Personal Data in or to any Restricted Country, the following provisions shall apply: 21.9.1 the Party wishing to transfer the Personal Data shall submit a request to the other Party which, if agreed, shall be dealt with in accordance with Clause 21.9.2.1 to 21.9.2.4; 21.9.2 the Party wishing to transfer the Personal Data shall set out in its request details of the following: 21.9.2.1 the Personal Data which will be transferred to and/or Processed in any Restricted Country; 21.9.2.2 the Restricted Country or Countries which the Personal Data will be transferred to and/or Processed in; 21.9.2.3 any sub-contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; and 21.9.2.4 how the Party wishing to transfer the Personal Data will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the other Party’s compliance with the Data Protection Legislation;
21.9.3 In providing and evaluating the request under Clause 21.9.1, the Parties shall ensure that they have regard to and comply with then current Council, Central Government Bodies and Information Regulator policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Country; and 21.9.4 The Party wishing to transfer the Personal Data shall comply with such other instructions and shall carry out such other actions as the other Party may notify in writing, including: 21.9.4.1 incorporating standard and/or model clauses (which are in line with Good Industry Practice and offer adequate safeguards under the Data Protection Legislation) into this Agreement or a separate data processing agreement between the Parties; and 21.9.4.2 procuring that any sub-contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Country either enters into: 21.9.4.2.1 a direct data processing agreement with the other party on such terms as may be required by the other Party; or 21.9.4.2.2 a data processing agreement with the Party wishing to transfer the Personal Data on terms which are equivalent to those agreed between the other party and
the sub-contractor relating to the relevant Personal Data transfer; and in each case the Party wishing to transfer the Personal Data acknowledges such agreements may include the incorporation of model contract provisions (which are in line with Good Industry Practice as offering adequate safeguards under the Data Protection Legislation) and technical and organisation measures which the other Party deems necessary for the purpose of protection of Personal Data. 21.10 The Trust must nominate an Information Governance Lead, a Caldicott Guardian and Senior Information Risk Owner and advise the Council of the identities and contact details of those individuals. 21.11 The Trust must report any serious data security breaches it makes to the Information Regulator in accordance with the NHS Information Governance Toolkit and the Council must report any serious data security breaches it makes to the Information Regulator in accordance with its policy governing information security incidents from time to time which takes account of the guidance published by the Information Regulator for the public sector on self-reporting.
Where a Party has reported in this way, it must consider the mitigating measures that are to be put in place to minimise damage to all affected and potentially affected parties. Each Party shall use its reasonable endeavours to assist the other Party in complying with its obligations under the Data Protection Legislation. Each Party shall not perform its obligations under this Agreement in such a way as to cause the other Party to breach its obligations under the Data Protection Legislation to the extent it is reasonably aware or ought reasonably to have been aware, that the same would be a breach of such obligations. 21.12 The Parties acknowledge their respective obligations arising under the Data Protection Legislation, EIR and HRA, and under the common law duty of confidentiality, and must assist each other as necessary to enable each other to comply with these obligations.

Appears in 2 contracts

Sources: Section 75 Agreement, Section 75 Agreement

Protection of Personal Data. The Parties acknowledge that for the purposes of the Data Protection Legislation, the factual activity carried out by each of them in relation to their respective obligations under this Call Off Contract dictates the classification of each party. In certain circumstances, a Party may act as “Joint Controller” or a “Controller” or a “Processor”. Each Party, where it is a Controller, shall be responsible for its own compliance with all its obligations under the Data Protection Legislation. Where a Party acts as a Processor in relation to Personal Data where the other Party is Controller, the first Party shall comply and shall procure that any subprocessor complies with the Processor’s obligations in this Call Off Contract to the extent applicable. The only processing that the Processor is authorised to do is listed in Schedule 15 (Processing Personal Data) by the Controller and may not be determined by the Processor. The Processor shall notify the Controller immediately if it considers that any of the Controller’s instructions infringe the Data Protection Legislation. The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Controller, include: a systematic description of the envisaged processing operations and the purpose of the processing; an assessment of the necessity and proportionality of the processing operations in relation to the Services; an assessment of the risks to the rights and freedoms of Data Subjects; and the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
The Processor shall, in relation to any Personal Data processed in connection with its obligations under this Call Off Contract: process that Personal Data only in accordance with Schedule 15 (Processing Personal Data), unless the Processor is required to do otherwise by the requirements of the Call Off Contract or Law. If it is so required the Processor shall promptly notify the Buyer before processing the Personal Data unless prohibited by Law; ensure that it has in place Protective Measures which are appropriate to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures) having taken account of the: nature of the data to be protected; harm that might result from a Data Loss Event; state of technological development; and cost of implementing any measures; ensure that: the Processor Personnel do not process Personal Data except in accordance with this Call Off Contract (and in particular Schedule 15 (Processing Personal Data)); it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they: are aware of and comply with the Processor’s duties under this ▇▇▇▇▇▇; are subject to appropriate confidentiality undertakings with the Processor or any Sub-processor; are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Controller or as otherwise permitted by this Call Off Contract; and have undergone adequate training in the use, care, protection and handling of Personal Data; not transfer Personal Data outside of the EU unless the prior written consent of the Buyer has been obtained and the following conditions are fulfilled: the Controller or the Processor has provided appropriate
safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Controller; the Data Subject has enforceable rights and effective legal remedies; the Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data; at the written direction of the Controller, delete or return Personal Data (and any copies of it) to the Controller on termination of the Call Off Contract unless the Processor is required by Law to retain the Personal Data. Subject to Clause 21.5.7, the Processor shall notify the Controller immediately if it: receives a Data Subject Access Request (or purported Data Subject Access Request); receives a request to rectify, block or erase any Personal Data; receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Call Off Contract; receives a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or becomes aware of a Data Loss Event. The Processor’s obligation to notify under Clause 21.5.5 shall include the provision of further information to the Controller in phases, as details become available.
Taking into account the nature of the processing, the Processor shall provide the Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under Clause 21.5.5 (and insofar as possible within the timescales reasonably required by the Controller) including by promptly providing: the Controller with full details and copies of the complaint, communication or request; such assistance as is reasonably requested by the Controller to enable the Controller to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; the Controller, at its request, with any Personal Data it holds in relation to a Data Subject; assistance as requested by the Controller following any Data Loss Event; assistance as requested by the Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Buyer with the Information Commissioner's Office. The Processor shall maintain complete and accurate records and information to demonstrate its compliance with this Clause. This requirement does not apply where the Processor employs fewer than 250 staff, unless: the Controller determines that the processing is not occasional; the Controller determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; and the Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. The Processor shall allow for audits of its Data Processing activity by the Controller or the Controller’s designated auditor. The Processor shall designate a Data Protection Officer if required by the Data Protection Legislation.
Before allowing any Sub-processor to process any Personal Data related to this Call Off Contract, the Processor must: notify the Controller in writing of the intended Sub-processor and processing; obtain the written consent of the Controller; enter into a written agreement with the Sub-processor which give effect to the terms set out in Clause 21.5.11 such that they apply to the Sub-processor; and provide the Controller with such information regarding the Sub-processor as the Controller may reasonably require. The Processor shall remain fully liable for all acts or omissions of any Sub-processor. The Parties agree to take account of any guidance issued by the Information Commissioner’s Office and amend this Call Off Contract to ensure that it complies with any guidance issued by the Information Commissioner’s Office.

Appears in 2 contracts

Sources: Legal Services Contract, Legal Services Contract

Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Call Off Contract, the Parties shall acknowledge that the Customer is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Customer to perform its obligations under this Call Off Contract; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data, including the measures as are set out in Clauses 37.1 (Security Requirements) and 37.2 (Protection of Customer Data);
not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Products and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Customer (save where such disclosure or transfer is specifically authorised under this Call Off Contract); take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under Clause 37.5.2 and Clauses 37.1 (Security Requirements), 37.2 (Protection of Customer Data) and 37.3 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer or as otherwise permitted by this Call Off Contract; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Customer within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request), a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the Customer's obligations under the DPA; any communication from
the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Customer with full cooperation and assistance (within the timescales reasonably required by the Customer) in relation to any complaint, communication or request made (as referred to at Clause 37.5.2(e)), including by promptly providing: the Customer with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Customer to enable the Customer to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the Customer, on request by the Customer, with any Personal Data it holds in relation to a Data Subject; and if requested by the Customer, provide a written description of the measures that it has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to Clause 37.5.2 and provide to the Customer copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Supplier shall not Process or otherwise transfer any Personal Data in or to a Restricted Country.
If, after the Call Off Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to any outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a Variation to the Customer which, if it is agreed by the Customer, shall be dealt with in accordance with the Variation Procedure and Clauses 37.5.3(b) to 37.5.3(c); the Supplier shall set out in its proposal to the Customer for a Variation details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the Customer’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with then-current Customer, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and
the Supplier shall comply with such other instructions and shall carry out such other actions as the Customer may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Call Off Contract or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Customer on such terms as may be required by the Customer; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Customer and the Sub-Contractor relating to the relevant Personal Data transfer, and in each case which the Supplier acknowledges may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Customer deems necessary for the purpose of protecting Personal Data.
The Supplier shall use its reasonable endeavours to assist the Customer to comply with any obligations under the DPA and shall not perform its obligations under this Call Off Contract in such a way as to cause the Customer to breach any of the Customer’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.

Appears in 2 contracts

Sources: Call Off Contract, Call Off Order Form

Protection of Personal Data. 17.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that: a) they process data only for the express purpose for which it was obtained; b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form; c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement; d) they do not disclose personal data of the other Party, other than in terms of this Agreement; e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use; f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement; g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access. 17.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing. 17.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party.
The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 251716.1, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 25 17 shall mutatis mutandis apply to all authorised third parties who process personal data. 25.4 17.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it. 25.5 17.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented. 25.6 17.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.

Appears in 2 contracts

Sources: Master Agreement, Master Agreement

Protection of Personal Data. 26.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that: a) they process data only for the express purpose for which it was obtained; b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form; c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement; d) they do not disclose personal data of the other Party, other than in terms of this Agreement; e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use; f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement; g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access. 26.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing. 26.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party.
The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 26, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 26 shall mutatis mutandis apply to all authorised third parties who process personal data. 26.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it. 26.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented. 26.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.

Appears in 2 contracts

Sources: Master Agreement, Master Agreement

Protection of Personal Data. With respect to the parties' rights and obligations under this Contract, the parties agree that the Customer is the Data Controller and that the Service Provider is the Data Processor. The Service Provider shall: Process the Personal Data only in accordance with instructions from the Customer (which may be specific instructions or instructions of a general nature as set out in this Contract or as otherwise notified by the Customer to the Service Provider during the Contract Period); Process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Services or as is required by Law or any Regulatory Body; implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; take reasonable steps to ensure the reliability of any Staff who have access to the Personal Data; obtain prior written consent from the Customer in order to transfer the Personal Data to any Sub-contractors or Affiliates for the provision of the Services; ensure that all Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 6.4; ensure that none of Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer; notify the Customer (within five Working Days or such other period as specified in the Order Form (if any)) if it receives: a request from a Data Subject to have access to that person's Personal Data; or a complaint or request relating to the Customer's obligations under the Data Protection Legislation; provide the Customer with full cooperation and assistance in relation to any complaint or request made, including by: providing the Customer with full details of the complaint or request; complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Customer's instructions; providing the Customer with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Customer); and providing the Customer with any information requested by the Customer; permit the Customer or the Customer Representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, the Service Provider's data Processing activities (and/or those of its agents, subsidiaries and Sub-contractors) and comply with all reasonable requests or directions by the Customer to enable the Customer to verify and/or procure that the Service Provider is in full compliance with its obligations under this Contract; provide a written description of the technical and organisational methods employed by the Service Provider for Processing Personal Data (within the timescales required by the Customer); and not Process Personal Data outside the European Economic Area without the prior written consent of the Customer and, where the Customer consents to a transfer, to comply with: the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and any reasonable instructions notified to it by the Customer. The Service Provider shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Contract in such a way as to cause the Customer to breach any of its applicable obligations under the Data Protection Legislation.

Appears in 2 contracts

Sources: Ict Consultancy and Delivery Services Framework Agreement, Ict Consultancy and Delivery Services Framework Agreement

Protection of Personal Data. 17.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that: a) they process data only for the express purpose for which it was obtained; b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form; c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement; d) they do not disclose personal data of the other Party, other than in terms of this Agreement; e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use; f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement; g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access. 17.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing. 17.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party.
The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 17.1, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 17 shall mutatis mutandis apply to all authorised third parties who process personal data. 17.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it. 17.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented. 17.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.

Appears in 1 contract

Sources: Master Agreement

Protection of Personal Data. 28.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that: a) they process data only for the express purpose for which it was obtained; b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form; c) data is provided only to authorized personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement; d) they do not disclose personal data of the other Party, other than in terms of this Agreement; e) they have all reasonable technical and organizational measures in place to protect all personal data from unauthorized access and/or use; f) they have appropriate technical and organizational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement; g) such personal data is protected against unauthorized or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access. 28.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing. 28.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party.
The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 29, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 29 shall mutatis mutandis apply to all authorized third parties who process personal data. 28.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it. 28.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks, which it identifies and shall also regularly, verify that the safeguards which it has in place has been effectively implemented. 28.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organization.

Appears in 1 contract

Sources: Master Agreement

Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Call Off Contract, the Parties acknowledge that the Customer is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Customer to perform its obligations under this Call Off Contract; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data, including the measures as are set out in Clauses 34.1 (Security Requirements) and 34.2 (Protection of Customer Data); not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Customer (save where such disclosure or transfer is specifically authorised under this Call Off Contract); take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under Clause 34.6.2 and Clauses 34.1 (Security Requirements), 34.2 (Protection of Customer Data) and 34.3 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer or as otherwise permitted by this Call Off Contract; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Customer within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request), a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the Customer's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Customer with full cooperation and assistance (within the timescales reasonably required by the Customer) in relation to any complaint, communication or request made (as referred to at Clause 34.6.2(e)), including by promptly providing: the Customer with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Customer to enable the Customer to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the Customer, on request by the Customer, with any Personal Data it holds in relation to a Data Subject; and if requested by the Customer, provide a written description of the measures that has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to Clause 34.6.2 and provide to the Customer copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Supplier shall not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “Restricted Countries”). If, after the Call Off Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to any outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a Variation to the Customer which, if it is agreed by the Customer, shall be dealt with in accordance with the Variation Procedure and Clauses 34.6.3(b) to 34.6.3(c); the Supplier shall set out in its proposal to the Customer for a Variation details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the Customer’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with then-current Customer, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Customer may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Call Off Contract or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Customer on such terms as may be required by the Customer; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Customer and the Sub-Contractor relating to the relevant Personal Data transfer, and in each case which the Supplier acknowledges may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Customer deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Customer to comply with any obligations under the DPA and shall not perform its obligations under this Call Off Contract in such a way as to cause the Customer to breach any of the Customer’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.

Appears in 1 contract

Sources: Call Off Order Form and Call Off Terms for Goods and/or Services (Non Ict)

Protection of Personal Data. 20.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that: a) they process data only for the express purpose for which it was obtained; b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form; c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement; d) they do not disclose personal data of the other Party, other than in terms of this Agreement; e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use; f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement; g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access. 20.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing. 20.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party.
The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 2018.1, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 20 shall mutatis mutandis apply to all authorised third parties who process personal data. 20.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it. 20.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented. 20.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.

Appears in 1 contract

Sources: Framework Agreement

Protection of Personal Data. 18.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that: a) they process data only for the express purpose for which it was obtained; b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form; c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement; d) they do not disclose personal data of the other Party, other than in terms of this Agreement; e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use; f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement; g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access. 18.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing. 18.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party.
The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 1717, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 17 shall mutatis mutandis apply to all authorised third parties who process personal data. 18.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it. 18.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented. 18.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.

Appears in 1 contract

Sources: Master Agreement

Protection of Personal Data. 25.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that: a) they process data only for the express purpose for which it was obtained; b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form; c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement; d) they do not disclose personal data of the other Party, other than in terms of this Agreement; e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use; f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement; g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access. 25.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing. 25.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party.
The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 29, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 29 shall mutatis mutandis apply to all authorised third parties who process personal data. 25.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it. 25.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented. 25.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.

Appears in 1 contract

Sources: Master Agreement

Protection of Personal Data. 43.1 The parties acknowledge that for the purposes of the Data Protection Legislation, the Authority is the Controller and the Hosting Supplier is the Processor. The only processing which the Authority has authorised the Hosting Supplier to do is described in this Agreement and at schedule 12. The Hosting Supplier shall not assume any responsibility for determining the purposes for which and the manner in which the Personal Data is DP Processed, but nevertheless shall comply at all times with the Data Protection Requirements. 43.2 Each Party will DP Process the Personal Data in compliance with Data Protection Legislation. 43.3 The Hosting Supplier shall (and shall procure that the Sub-contractors shall): 43.3.1 DP Process any Personal Data only in accordance with this Agreement (in particular, this clause 43 and Schedule 12) and the Authority’s instructions from time to time and shall not DP Process the Personal Data for any purpose other than those expressly authorised by the Authority, except where otherwise required by any UK law applicable to the Hosting Supplier and, in such case, the Hosting Supplier shall inform the Authority of that legal requirement before DP Processing unless that law prohibits such information on important grounds of public interest; 43.3.2 DP Process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Hosting Services, the Cross Tower Services or as is required by Law or any Regulatory Body; 43.3.3 ensure that it has in place Protective Measures as appropriate to protect against a Data Loss Event having taken account of the nature of the data to be protected as described in schedule 12, harm that might result from a Data Loss Event, the state of technological development and the cost of implementing any measures; 43.3.4 take reasonable steps to ensure the reliability and integrity of any Hosting Supplier Personnel who have access to the Personal Data; 43.3.5 neither disclose nor transfer the Personal Data to any Sub-contractors or Affiliates other than where strictly necessary for the provision of the Services and in such event the Hosting Supplier shall obtain prior written consent from the Authority in order to transfer the Personal Data to any Suppliers, Sub-contractors or Affiliates for the provision of the End to End Services. Where such consent has already been provided by the Authority prior to the introduction of the GDPR on 25 May 2018, then that consent will remain valid and the Hosting Supplier shall not be required to obtain additional consent in respect of the same transfer(s) of Personal Data on or after that date. The Authority has already consented to the appointment of the Sub-contractors identified in schedule 4.3 (Notified Sub-contractors) for the purposes of delivering, and solely to the extent required to deliver, the End to End Services; 43.3.6 ensure the reliability and integrity of any Hosting Supplier Personnel who have access to the Personal Data and that any person (including all Hosting Supplier Personnel) it authorises to DP Process Personal Data or that are required to access the Personal Data: 43.3.6.1 are informed of the confidential nature of the Personal Data; 43.3.6.2 are aware of and comply with the obligations as set out in this clause 43; 43.3.6.3 do not DP Process Personal Data except in accordance with this Agreement; 43.3.6.4 are subject to appropriate confidentiality undertakings with the Hosting Supplier or any Sub-processor; and 43.3.6.5 have undergone training in the use, care, protection and handling of the Personal Data; 43.3.7 ensure that none of the Hosting Supplier Personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority; 43.3.8 notwithstanding clause 43.6 notify the Authority without undue delay and in any event within 48 hours if it: 43.3.8.1 receives a Data Subject Access Request (or purported Data Subject Access Request); 43.3.8.2 receives a complaint, request or communication relating to either party’s obligations under the Data Protection Legislation; 43.3.8.3 receives a request to rectify, block or erase any Personal Data; 43.3.8.4 receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; 43.3.8.5 receives a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or 43.3.8.6 becomes aware of a Personal Data Breach and/or any Data Loss Event and/or destruction of data integrity (including unauthorised changes) to Personal Data; and shall provide such information as the Authority may reasonably require so that the Authority can fulfil any Personal Data Breach reporting or recording obligations it may have under (and in accordance with the timescales required by) Data Protection Legislation. The Hosting Supplier’s obligation to notify under clause 43.3.8 includes the reasonable provision of further information to the Authority in phases as details become available. 43.3.9 taking into account the nature of the DP Processing, provide the Authority with full cooperation and assistance in relation to either party’s obligations under the Data Protection Legislation and without any additional cost to the Authority provide reasonable and timely assistance to the Authority, without undue delay, to enable the Authority to respond to: 43.3.9.1 any request from a Data Subject to exercise any of its rights under Data Protection Legislation in connection with the Data Processing under this Agreement (including its rights of access, correction, objection, erasure and data portability, as applicable); and 43.3.9.2 any other correspondence, enquiry or complaint received from a Data Subject, regulator or other third party in connection with the DP Processing of the Personal Data or relating to the Authority’s obligations under the Data Protection Legislation.

Appears in 1 contract

Sources: Hosting Services Agreement

Protection of Personal Data. 25.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that: a) they process data only for the express purpose for which it was obtained; b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form; c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement; d) they do not disclose personal data of the other Party, other than in terms of this Agreement; e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use; f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement; g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access. 25.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing. 25.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party. 
The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 25, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 26 shall mutatis mutandis apply to all authorised third parties who process personal data. 25.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it. 25.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented. 25.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.

Appears in 1 contract

Sources: Master Agreement

Protection of Personal Data. 27.1 The Supplier shall (and shall procure that any of its Staff and/or Sub-Contractors involved in the provision of the Agreement) comply with any notification requirements under the Data Protection Legislation and both Parties will duly observe their obligations under the Data Protection Legislation, which arise in connection with this Agreement. 27.2 Notwithstanding the general obligation in Clause 27.1, where the Supplier or any of its Staff and/or Sub-Contractors, in performing its obligations under this Agreement, processes Personal Data as a Data Processor on behalf of the Customer, the Supplier shall and shall procure that its Staff and/or Sub-Contractors: 27.2.1 ensure that has in place appropriate technical and contractual measures to ensure the security of the Personal Data (and to guard against unauthorised or unlawful processing of the Personal Data and against accidental loss or destruction of, or damage to, the Personal Data), as required under the Seventh Data Protection Principle in Schedule 1 to the Data Protection ▇▇▇ ▇▇▇▇; 27.2.2 provide the Customer with such information as the Customer may reasonably require to satisfy itself that the [Service Provider] is complying with its obligations under the Data Protection Legislation; 27.2.3 promptly notify the Customer of any breach of the security measures required to be put in place pursuant to Clause 27.2.1; 27.2.4 ensure it does not knowingly or negligently do or omit to do anything which places the Customer in breach of the Customer's obligations under the Data Protection Legislation; 27.2.5 not without the Customer’s prior written consent (which the Customer may withhold at its absolute discretion), do anything which would cause Personal Data to be transferred outside the European Economic Area 27.2.6 act only on instructions from the Customer as Data Controller; and 27.2.7 comply with the Customer’s instructions in relation to the processing of Personal Data as such instructions are given and varied from time to time by the Customer. 27.3 The Supplier undertakes to use best endeavours to procure that its Sub-Contractors maintain appropriate security systems. 27.4 The Supplier shall ensure that its contracts with its Sub-Contractors include provisions which oblige each Sub-Contractor to promptly notify the Customer of any breach of security in relation to the Supplier's Confidential Information or data. 27.5 The Supplier shall ensure that its contracts with its Sub-Contractors impose an obligation on each Sub-Contractor to co-operate with the Supplier and/or Customer in any investigation that either considers necessary to undertake as a result of any breach of security in relation to the Customer's Confidential Information or data. 27.6 The provisions of this Clause 27 shall apply during the continuance of this Agreement and indefinitely after its expiry or termination.

Appears in 1 contract

Sources: Framework Agreement

Protection of Personal Data. 19.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that: a) they process data only for the express purpose for which it was obtained; b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form; c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement; d) they do not disclose personal data of the other Party, other than in terms of this Agreement; e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use; f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement; g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access. 19.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing. 19.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party.
The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 18, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 18 shall mutatis mutandis apply to all authorised third parties who process personal data. 19.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it. 19.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented. 19.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.

Appears in 1 contract

Sources: Master Agreement

Protection of Personal Data. 9.1.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the factual activity carried out by each of them in relation to their respective obligations under this Call Off Contract dictates the classification of each party. In certain circumstances, a Party may act as “Joint Controller” or a “Controller” or a “Processor”. Each Party, where it is a Controller, shall be responsible for its own compliance with all its obligations under the Data Protection Legislation. Where a Party acts as a Processor in relation to Personal Data where the other Party is Controller, the first Party shall comply and shall procure that any subprocessor complies with the Processor’s obligations in this Call Off Contract to the extent applicable. The only processing that the Processor is authorised to do is listed in Schedule 15 (Processing Personal Data) by the Controller and may not be determined by the Processor. 9.1.2 The Processor shall notify the Controller immediately if it considers that any of the Controller’s instructions infringe the Data Protection Legislation. 9.1.3 The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Controller, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
9.1.4 The Processor shall, in relation to any Personal Data processed in connection with its obligations under this Call Off Contract: (a) process that Personal Data only in accordance with Schedule 15 (Processing Personal Data), unless the Processor is required to do otherwise by the requirements of the Call Off Contract or Law. If it is so required, the Processor shall promptly notify the Buyer before processing the Personal Data unless prohibited by Law; (b) ensure that it has in place Protective Measures which are appropriate to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures) having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; (c) ensure that: (i) the Processor Personnel do not process Personal Data except in accordance with this Call Off Contract (and in particular Schedule 15 (Processing Personal Data)); (ii) it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Processor’s duties under this ▇▇▇▇▇▇; (B) are subject to appropriate confidentiality undertakings with the Processor or any Sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose, or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Controller or as otherwise permitted by this Call Off Contract; and (D) have undergone adequate training in the use, care, protection, and handling of Personal Data; (d) not transfer Personal Data outside of the EU unless the prior written consent of the Buyer has been obtained and the following conditions are fulfilled: (i) the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Controller; (ii) the Data Subject has enforceable rights and effective legal remedies; (iii) the Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and (iv) the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data; (e) at the written direction of the Controller, delete or return Personal Data (and any copies of it) to the Controller on termination of the Call Off Contract unless the Processor is required by Law to retain the Personal Data. 9.1.5 Subject to Clause 9.1.7, the Processor shall notify the Controller immediately if it:

Appears in 1 contract

Sources: Call Off Contract

Protection of Personal Data. 16.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that: a) they process data only for the express purpose for which it was obtained; b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form; c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement; d) they do not disclose personal data of the other Party, other than in terms of this Agreement; e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use; f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement; g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access. 16.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing. 16.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party.
The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 251615.1, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 16 shall mutatis mutandis apply to all authorized third parties who process personal data. 16.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it. 16.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented. 16.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.

Appears in 1 contract

Sources: Master Agreement

Protection of Personal Data. 18.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that: a) they process data only for the express purpose for which it was obtained; b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form; c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement; d) they do not disclose personal data of the other Party, other than in terms of this Agreement; e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use; f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement; g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access. 18.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing. 18.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party.
The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 17.1, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 17.1 shall mutatis mutandis apply to all authorised third parties who process personal data. 18.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it. 18.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented. 18.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.

Appears in 1 contract

Sources: Master Agreement

Protection of Personal Data. 32.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that: a) they process data only for the express purpose for which it was obtained; b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form; c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement; d) they do not disclose personal data of the other Party, other than in terms of this Agreement; e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use; f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement; g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access. 32.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing. 32.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party.
The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 32, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 32 shall mutatis mutandis apply to all authorised third parties who process personal data. 32.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it. 32.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place have been effectively implemented. 32.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organization.

Appears in 1 contract

Sources: Master Agreement

Protection of Personal Data. 35.1 Both Parties agree that they may obtain and have access to personal data as a result of the Bid process. The Parties shall at all times ensure that: a) they process data only for the express purpose for which it was obtained; b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form; c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations in terms of the Bid process; d) they do not disclose personal data of the other Party, other than as agreed in terms of paragraph 37.3 below; e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use; f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control as a result of the Bid process; g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access. 35.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing. 35.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party.
The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this paragraph 37, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 37 shall mutatis mutandis apply to all authorised third parties who process personal data. 35.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it. 35.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented. 35.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to the Bid process, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.

Appears in 1 contract

Sources: Bid Agreement

Protection of Personal Data. 25.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that: a) they process data only for the express purpose for which it was obtained; b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form; c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement; d) they do not disclose personal data of the other Party, other than in terms of this Agreement; e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use; f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement; g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access. 25.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing. 25.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party.
The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 25, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 25 shall mutatis mutandis apply to all authorised third parties who process personal data. 25.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it. 25.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented. 25.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.
25.7 Personal Information security breach: Supplier/Service Provider’s Obligations a) The Supplier/Service Provider shall notify the Information Officer of Transnet, in writing as soon as possible after it becomes aware of or suspects any loss, unauthorised access or unlawful use of any personal data and shall, at its own cost, take all necessary remedial steps to mitigate the extent of the loss or compromise of personal data and to restore the integrity of the affected Goods/Services as quickly as is possible. The Supplier/Service Provider shall also be required to provide Transnet with details of the persons affected by the compromise and the nature and extent of the compromise, including details of the identity of the unauthorised person who may have accessed or acquired the personal data. b) The Supplier/Service Provider shall provide on-going updates on its progress in resolving the c) Where required, the Supplier/Service Provider may be required to notify the South African Police Service; and/or the State Security Agency and where applicable, the relevant regulator and/or the affected persons of the security breach. Any such notification shall always include sufficient information to allow the persons to take protective measures against the potential consequences of the compromise. d) The Supplier/Service Provider undertakes to co‑operate in any investigation relating to security which is carried out by or on behalf of Transnet including providing any information or material in its possession or control and implementing new security measures.

Appears in 1 contract

Sources: Master Agreement

Protection of Personal Data. 19.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that: a) they process data only for the express purpose for which it was obtained; b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form; c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement; d) they do not disclose personal data of the other Party, other than in terms of this Agreement; e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use; f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement; g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access. 19.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing. 19.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party.
The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 18, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 18 shall mutatis mutandis apply to all authorised third parties who process personal data. 19.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it. 19.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented. 19.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.

Appears in 1 contract

Sources: Master Agreement

Protection of Personal Data. 25.1 26.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that: a) they process data only for the express purpose for which it was obtained; b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form; c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement; d) they do not disclose personal data of the other Party, other than in terms of this Agreement; e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use; f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement; g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access. 25.2 26.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing. 25.3 26.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party.
The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 2526, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 25 26 shall mutatis mutandis apply to all authorised third parties who process personal data. 25.4 26.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it. 25.5 26.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented. 25.6 26.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.
26.7 Personal Information security breach: Supplier/Service Provider’s Obligations a) The Supplier/Service Provider shall notify the Information Officer of Transnet, in writing as soon as possible after it becomes aware of or suspects any loss, unauthorised access or unlawful use of any personal data and shall, at its own cost, take all necessary remedial steps to mitigate the extent of the loss or compromise of personal data and to restore the integrity of the affected Goods/Services as quickly as is possible. The Supplier/Service Provider shall also be required to provide Transnet with details of the persons affected by the compromise and the nature and extent of the compromise, including details of the identity of the unauthorised person who may have accessed or acquired the personal data. b) The Supplier/Service Provider shall provide on-going updates on its progress in resolving the compromise at reasonable intervals until such time as the compromise is resolved. c) Where required, the Supplier/Service Provider may be required to notify the South African Police Service; and/or the State Security Agency and where applicable, the relevant regulator and/or the affected persons of the security breach. Any such notification shall always include sufficient information to allow the persons to take protective measures against the potential consequences of the compromise. d) The Supplier/Service Provider undertakes to co‑operate in any investigation relating to security which is carried out by or on behalf of Transnet including providing any information or material in its possession or control and implementing new security measures.

Appears in 1 contract

Sources: Master Agreement

Protection of Personal Data. 25.1 The Parties agree that they may obtain and have access Arrangement between the Parties 36.1 With respect to personal data for the duration of the Agreement for the fulfilment of the Parties' rights and obligations contained herein. In performing the obligations as set out in under this Agreement, the Parties shall at all times ensure that:acknowledge that the DCC is a Data Controller and that the Contractor is a Data Processor. In respect of the Contractor's Processing under this Agreement:- a) they process data only for 36.1.1 the express subject-matter, nature and purpose for which it was obtained; b) once processed of the Processing will be DCC employee and supply chain contact details used for the purposes for which it was obtained, all data of liaising with such parties to perform the Services and/or required to assist in delivering the Objectives; 36.1.2 the type of Personal Data being processed will be destroyed to an extent that it cannot be reconstructed to its original formPersonal Data of names, contact addresses, email addresses and telephone numbers; c) data is provided 36.1.3 the duration of the Processing shall be the term of this Agreement; and 36.1.4 the Parties will use the Variation Procedure to agree any changes or additions to the subject matter, nature, purpose or type of Personal Data to be Processed under this Agreement. 
36.2 The Contractor shall:- 36.2.1 Process the Personal Data only in accordance with documented instructions from the DCC to authorised personnel who strictly require the personal data to carry out the Parties’ respective perform its obligations under this Agreement; d) they do not disclose personal data of the other Party, other than in terms of this Agreement; e) they have 36.2.2 ensure that at all reasonable technical and organisational measures times it has in place to protect all personal data from unauthorised access and/or use; f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement; g) such personal data is protected guard against unauthorised or unlawful processing, processing of the Personal Data and/or accidental loss, destruction or damagedamage to the Personal Data, alterationincluding the measures as are set out in Clause 35 (DCC Data), disclosure or access.Clause 41 (Security Requirements) and the Security Management Plan; 25.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing. 25.3 Should it be necessary for either Party to 36.2.3 not disclose or otherwise make available transfer the personal data Personal Data to any third party or Contractor Personnel, or allow a third party or Contractor Personnel access to the Personal Data, unless necessary for the provision of the Services and:- (including sub-contractors and employees)a) for any disclosure or transfer of Personal Data to any third party, it may do so only with the prior written permission consent of the other Party. 
The Party requiring DCC; (b) where the Contractor wishes to appoint a sub-Processor, in compliance with Clause 27 (Supply Chain Rights) and any applicable conditions under such permission shall require Clause 27 (Supply Chain Rights) or Clause 36.3; 36.2.4 take all reasonable steps to ensure the reliability and integrity of all such third partiesany Contractor Personnel who have access to the Personal Data and ensure that the Contractor Personnel:- (i) are aware of and comply with the Contractor’s duties under this Clause 36.2 and Clauses 37 (Confidentiality), 35 (DCC Data) and 41 (Security Requirements); (ii) are subject to appropriate written confidentiality undertakings to be provided, containing similar terms to that set forth in this clause 25, and dealing with that third party's obligations in respect of its processing the Contractor or the relevant Sub-contractor; (iii) are informed of the personal data. Following approval confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the other PartyDCC or as otherwise permitted by this Agreement; and (iv) have undergone adequate training in the use, care, protection and handling of personal data (as defined in the Party requiring permission agrees that Data Protection Laws); 36.2.5 notify the provisions of this clause 25 shall mutatis mutandis apply to all authorised DCC without undue delay if it:- (a) receives from a Data Subject (or third parties who process personal data. 25.4 The Parties shall ensure that any persons authorized to process data party on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it. 
25.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented. 25.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.behalf):-

Appears in 1 contract

Sources: Agreement for the Provision of Software Development and Related Services

Protection of Personal Data. 25.1 18.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that: a) they process data only for the express purpose for which it was obtained; b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form; c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement; d) they do not disclose personal data of the other Party, other than in terms of this Agreement; e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use; f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement; g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access. 25.2 18.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing. 25.3 18.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party. 
The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 2517, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 25 17 shall mutatis mutandis apply to all authorised third parties who process personal data. 25.4 18.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it. 25.5 18.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented. 25.6 18.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organization.

Appears in 1 contract

Sources: Master Agreement

Protection of Personal Data. 25.1 17.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that: a) they process data only for the express purpose for which it was obtained; b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form; c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement; d) they do not disclose personal data of the other Party, other than in terms of this Agreement; e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use; f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement; g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access. 25.2 17.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing. 25.3 17.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party. 
The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 25, 18 and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 25 17 shall mutatis mutandis apply to all authorised third parties who process personal data. 25.4 17.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it. 25.5 17.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented. 25.6 17.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.

Appears in 1 contract

Sources: Master Agreement

Protection of Personal Data. 25.1 35.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that: a) they process data only for the express purpose for which it was obtained; b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form; c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement; d) they do not disclose personal data of the other Party, other than in terms of this Agreement; e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use; f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement; g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access. 25.2 35.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing. 25.3 35.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party. 
The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 2535, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 25 35 shall mutatis mutandis apply to all authorised third parties who process personal data. 25.4 35.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it. 25.5 35.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place have been effectively implemented. 25.6 35.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organization.

Appears in 1 contract

Sources: Master Agreement

Protection of Personal Data. 25.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that: a) they process data only for the express purpose for which it was obtained; b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form; c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement; d) they do not disclose personal data of the other Party, other than in terms of this Agreement; e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use; f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement; g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access. 25.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing. 25.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party.
The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 2524, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 25 24 shall mutatis mutandis apply to all authorised third parties who process personal data. 25.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it. 25.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented. 25.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.
25.7 Personal Information security breach: Service Provider’s Obligations a) The Supplier/Service Provider shall notify the Information Officer of Transnet, in writing as soon as possible after it becomes aware of or suspects any loss, unauthorised access or unlawful use of any personal data and shall, at its own cost, take all necessary remedial steps to mitigate the extent of the loss or compromise of personal data and to restore the integrity of the affected Services as quickly as is possible. The Service Provider shall also be required to provide Transnet with details of the persons affected by the compromise and the nature and extent of the compromise, including details of the identity of the unauthorised person who may have accessed or acquired the personal data. b) The Service Provider shall provide on-going updates on its progress in resolving the compromise at reasonable intervals until such time as the compromise is resolved. c) Where required, the Service Provider may be required to notify the South African Police Service; and/or the State Security Agency and where applicable, the relevant regulator and/or the affected persons of the security breach. Any such notification shall always include sufficient information to allow the persons to take protective measures against the potential consequences of the compromise. d) The Service Provider undertakes to co‑operate in any investigation relating to security which is carried out by or on behalf of Transnet including providing any information or material in its possession or control and implementing new security measures.

Appears in 1 contract

Sources: Master Agreement

Protection of Personal Data. 25.1 18.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that: a) they process data only for the express purpose for which it was obtained; b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form; c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement; d) they do not disclose personal data of the other Party, other than in terms of this Agreement; e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use; f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement; g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access. 25.2 18.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing. 25.3 18.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party. 
The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 25, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 25 shall mutatis mutandis apply to all authorised third parties who process personal data. 25.4 18.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it. 25.5 18.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented. 25.6 18.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.

Appears in 1 contract

Sources: Master Agreement

Protection of Personal Data. The Tenant shall: (a) take all reasonable measures to ensure that any personal data held in connection with this Agreement is protected against loss and unauthorised access, use, modification, disclosure or other misuse and that only authorised personnel involved in the performance of the Tenant’s obligations hereunder have access to such data; and not disclose any personal data in connection with this Agreement without the prior written consent of the Landlord. Any request for the Landlord’s consent under this Clause 4.24(a) must include an explanation of why the proposed disclosure is necessary for the purposes of fulfilling the Tenant’s obligations hereunder; (b) not transfer personal data held in connection with this Agreement outside Singapore, or allow parties outside Singapore to have access to it, unless with the prior written approval of the Landlord and subject to such conditions as the Landlord may impose. Any request for the Landlord’s approval under this Clause 4.24(b) shall include an explanation of why the proposed transfer is necessary for the purposes of fulfilling the Tenant’s obligations hereunder. If approval is granted, the Tenant shall provide a written undertaking that the personal data which is transferred outside Singapore will be protected to a comparable standard as it is protected under the Personal Data Protection Act 2012 (No. 26 of 2012); (c) in respect of any personal data held in connection with this Agreement, immediately notify the Landlord when the Tenant becomes aware of the breach of any of the obligations under Clause 4.24; (d) in respect of any personal data held in connection with this Agreement, co-operate with any reasonable requests, directions or guidelines required by the Landlord arising from or in connection with the handling of personal data; and (e) ensure that all personal data obtained or held in connection with this Agreement and any copies thereof, regardless of the medium of storage, and which is no longer necessary for the purposes of its performance of the Agreement is securely destroyed within thirty (30) days from the termination or expiry of this Agreement. Any personal data that is retained by the Tenant after such personal data is no longer necessary for the purposes of its performance of this Agreement, or without the written authorisation of the Landlord, is a breach of this Agreement. No later than thirty (30) days from the termination or expiry of this Agreement, the Tenant shall provide a written confirmation that it is no longer in possession of any personal data obtained or held in connection with this Agreement or copies thereof, regardless of the medium of storage.

Appears in 1 contract

Sources: Requirement Specifications

Protection of Personal Data. 23.1 With respect to the Parties' rights and obligations under this Agreement, the Parties acknowledge that the Authority is a Data Controller and that the Supplier is a Data Processor. 23.2 The Supplier shall: (a) on or before the Service Commencement Date, agree and enter into a Data Sharing Agreement substantially in the form as set out in Schedule 11 and at all times act in compliance with this Data Sharing Agreement; (b) Process the Personal Data only in accordance with instructions from the Authority to perform its obligations under this Agreement; (c) ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data, including the measures as are set out in Clause 20 (Authority Data and Security Requirements); (d) not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Services and/or the Traded Contracts and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Authority (save where such disclosure or transfer is specifically authorised under this Agreement); (e) take all reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: (i) are aware of and comply with the Supplier’s duties under this Clause 23 and Clauses 21 (Confidentiality) and 20 (Authority Data and Security Requirements); (ii) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority or as otherwise permitted by this Agreement; and (iii) have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); (f) notify the Authority within two (2) Working Days if it receives: (i) from a Data Subject (or third party on their behalf): (A) a Data Subject Access Request (or purported Data Subject Access Request); (B) a request to rectify, block or erase any Personal Data; or (C) any other request, complaint or communication relating to the Authority's obligations under the DPA; (ii) any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or (iii) a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; (g) provide the Authority with full cooperation and assistance (within the timescales reasonably required by the Authority) in relation to any complaint, communication or request made as referred to in Clause 23.2(e), including by promptly providing: (i) the Authority with full details and copies of the complaint, communication or request; (ii) where applicable, such assistance as is reasonably requested by the Authority to enable the Authority to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and (iii) the Authority, on request by the Authority, with any Personal Data it holds in relation to a Data Subject; and (h) if requested by the Authority, provide a written description of the measures that it has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 23 and provide to the Authority copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals.

Appears in 1 contract

Sources: Education & Skills Services Agreement

Protection of Personal Data. 26.1 Each of the Parties shall in the provision or use of the Services (as appropriate) comply with all Data Protection Legislation. 26.2 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that: 26.2.1 they process data only for the express purpose for which it was obtained; 26.2.2 once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form; 26.2.3 data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement; 26.2.4 they do not disclose personal data of the other Party, other than in terms of this Agreement; 26.2.5 they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use; 26.2.6 they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement; 26.2.7 such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access. 
26.3 Without prejudice to any other term in this Agreement, the Parties represent, undertake and warrant that to the extent that it is applicable: 26.3.1 where it acts as the Responsible Party, it shall have met the requirements of either Chapter 6 or Chapter 7 of POPIA, as applicable; 26.3.2 it shall comply with all of the conditions for the lawful Processing of Personal Information as is applicable to a Responsible Party regulated by POPIA; and 26.3.3 where it is involved in the further Processing of Personal Information, it has complied with the provisions of Section 15 of POPIA including, where applicable, the requirement to have obtained the Data Subject's Consent to such further processing in the manner and form prescribed under POPIA. 26.4 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing. 26.5 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party. The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 26, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 26 shall mutatis mutandis apply to all authorised third parties who process personal data. 26.6 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. 
Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it. 26.7 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented. 26.8 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation. 26.9 The Supplier/Service Provider shall notify the Information Officer of Transnet, in writing as soon as possible after it becomes aware of or suspects any loss, unauthorised access or unlawful use of any personal data and shall, at its own cost, take all necessary remedial steps to mitigate the extent of the loss or compromise of personal data and to restore the integrity of the affected Goods/Services as quickly as is possible. The Supplier/Service Provider shall also be required to provide Transnet with details of the persons affected by the compromise and the nature and extent of the compromise, including details of the identity of the unauthorised person who may have accessed or acquired the personal data. 
26.10 The Supplier/Service Provider shall provide on-going updates on its progress in resolving the compromise at reasonable intervals until such time as the compromise is resolved. 26.11 Where required, the Supplier/Service Provider may be required to notify the South African Police Service; and/or the State Security Agency and where applicable, the relevant regulator and/or the affected persons of the security breach. Any such notification shall always include sufficient information to allow the persons to take protective measures against the potential consequences of the compromise. 26.12 The Supplier/Service Provider undertakes to co‑operate in any investigation relating to security which is carried out by or on behalf of Transnet including providing any information or material in its possession or control and implementing new security measures.

Appears in 1 contract

Sources: Master Agreement

Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Call Off Contract, the Parties acknowledge that the Customer is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Customer to perform its obligations under this Call Off Contract; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data, including the measures as are set out in Clauses 35.1 (Security Requirements) and 35.2 (Protection of Customer Data); not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Customer (save where such disclosure or transfer is specifically authorised under this Call Off Contract); take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under Clause 35.5.2 and Clauses 35.1 (Security Requirements), 35.2 (Protection of Customer Data) and 35.3 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer or as otherwise permitted by this Call Off Contract; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Customer within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf): a Data Subject Access Request (or purported Data Subject Access Request); a request to rectify, block or erase any Personal Data; or any other request, complaint or communication relating to the Customer's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Customer with full cooperation and assistance (within the timescales reasonably required by the Customer) in relation to any complaint, communication or request made (as referred to at Clause 35.5.2(e)), including by promptly providing: the Customer with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Customer to enable the Customer to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the Customer, on request by the Customer, with any Personal Data it holds in relation to a Data Subject; and if requested by the Customer, provide a written description of the measures that it has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to Clause 35.5.2 and provide to the Customer copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Supplier shall not Process or otherwise transfer any Personal Data in or to a Restricted Country. If, after the Call Off Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to any outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a Variation to the Customer which, if it is agreed by the Customer, shall be dealt with in accordance with the Variation Procedure and Clauses 35.5.3(b) to 35.5.3(c); the Supplier shall set out in its proposal to the Customer for a Variation details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the Customer’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with then-current Customer, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Customer may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Call Off Contract or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Customer on such terms as may be required by the Customer; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Customer and the Sub-Contractor relating to the relevant Personal Data transfer, and in each case which the Supplier acknowledges may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Customer deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Customer to comply with any obligations under the DPA and shall not perform its obligations under this Call Off Contract in such a way as to cause the Customer to breach any of the Customer’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.

Appears in 1 contract

Sources: Call Off Contract

Protection of Personal Data. 22.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfillment of the rights and obligations contained herein. In performing the obligations as set out in the Agreement, the Parties shall at all times ensure that: a) they process data only for the express purpose for which it was obtained; b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form; c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under the Agreement; d) they do not disclose personal data of the other Party, other than in terms of the Agreement; e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use; f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of the Agreement; g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access. 22.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing. 22.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party. 
The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 22 and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 22 shall mutatis mutandis apply to all authorised third parties who process personal data. 22.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it. 25.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented. 25.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.

Appears in 1 contract

Sources: Master Agreement

Protection of Personal Data. 24.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that: a) they process data only for the express purpose for which it was obtained; b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form; c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement; d) they do not disclose personal data of the other Party, other than in terms of this Agreement; e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use; f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement; g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access. 24.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing. 24.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party.
The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 29, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 29 shall mutatis mutandis apply to all authorised third parties who process personal data. 24.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it. 24.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented. 24.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.
24.7 Personal Information security breach: Supplier/Service Provider’s Obligations a) The Supplier/Service Provider shall notify the Information Officer of Transnet, in writing as soon as possible after it becomes aware of or suspects any loss, unauthorised access or unlawful use of any personal data and shall, at its own cost, take all necessary remedial steps to mitigate the extent of the loss or compromise of personal data and to restore the integrity of the affected Goods/Services as quickly as is possible. The Supplier/Service Provider shall also be required to provide Transnet with details of the persons affected by the compromise and the nature and extent of the compromise, including details of the identity of the unauthorised person who may have accessed or acquired the personal data. b) The Supplier/Service Provider shall provide on-going updates on its progress in resolving the compromise at reasonable intervals until such time as the compromise is resolved. c) Where required, the Supplier/Service Provider may be required to notify the South African Police Service; and/or the State Security Agency and where applicable, the relevant regulator sufficient information to allow the persons to take protective measures against the potential consequences of the compromise. d) The Supplier/Service Provider undertakes to co‑operate in any investigation relating to security which is carried out by or on behalf of Transnet including providing any information or material in its possession or control and implementing new security measures.

Appears in 1 contract

Sources: Master Agreement

Protection of Personal Data. 31.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that: a) they process data only for the express purpose for which it was obtained; b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form; c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement; d) they do not disclose personal data of the other Party, other than in terms of this Agreement; e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use; f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement; g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access. 31.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing. 31.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party.
The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 31, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 31 shall mutatis mutandis apply to all authorised third parties who process personal data. 31.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it. 31.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented. 31.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.

Appears in 1 contract

Sources: Master Agreement

Protection of Personal Data. 9.1.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the factual activity carried out by each of them in relation to their respective obligations under this Call Off Contract dictates the classification of each party. In certain circumstances, a Party may act as “Joint Controller” or a “Controller” or a “Processor”. Each Party, where it is a Controller, shall be responsible for its own compliance with all its obligations under the Data Protection Legislation. Where a Party acts as a Processor in relation to Personal Data where the other Party is Controller, the first Party shall comply and shall procure that any subprocessor complies with the Processor’s obligations in this Call Off Contract to the extent applicable. The only processing that the Processor is authorised to do is listed in Schedule 15 (Processing Personal Data) by the Controller and may not be determined by the Processor. 9.1.2 The Processor shall notify the Controller immediately if it considers that any of the Controller’s instructions infringe the Data Protection Legislation.
9.1.3 The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Controller, include: 9.1.4 The Processor shall, in relation to any Personal Data processed in connection with its obligations under this Call Off Contract: 9.1.5 Subject to Clause 9.1.7, the Processor shall notify the Controller immediately if it: 9.1.6 The Processor’s obligation to notify under Clause 9.1.5 shall include the provision of further information to the Controller in phases, as details become available. 9.1.7 Taking into account the nature of the processing, the Processor shall provide the Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under Clause 9.1.5 (and insofar as possible within the timescales reasonably required by the Controller) including by promptly providing: 9.1.8 The Processor shall maintain complete and accurate records and information to demonstrate its compliance with this Clause. This requirement does not apply where the Processor employs fewer than 250 staff, unless: 9.1.9 The Processor shall allow for audits of its Data Processing activity by the Controller or the Controller’s designated auditor. 9.1.10 The Processor shall designate a Data Protection Officer if required by the Data Protection Legislation.
9.1.11 Before allowing any Sub-processor to process any Personal Data related to this Call Off Contract, the Processor must: 9.1.12 The Processor shall remain fully liable for all acts or omissions of any Sub-processor. 9.1.13 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office and amend this Call Off Contract to ensure that it complies with any guidance issued by the Information Commissioner’s Office.

Appears in 1 contract

Sources: Legal Services Contract

Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Call-Off Contract, the Parties acknowledge that the Customer is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Customer to perform its obligations under this Call-Off Contract; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data, including the measures as are set out in Clauses 31.1 (Security Requirements) and 31.2 (Protection of Customer Data); not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Customer (save where such disclosure or transfer is specifically authorised under this Call-Off Contract) take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 31.6.2 and Clauses 31.1 (Security Requirements), 31.2 (Protection of Customer Data) and 31.3 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer or as otherwise permitted by this Call-Off Contract; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Customer within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request) a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the Customer's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Customer with full cooperation and assistance (within the timescales reasonably required by the Customer) in relation to any complaint, communication or request made (as referred to at Clause 31.6.2(e) including by promptly providing: the Customer with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Customer to enable the Customer to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the Customer, on request by the Customer, with any Personal Data it holds in relation to a Data Subject; and if requested by the Customer, provide a written description of the measures that has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 31.6.2 and provide to the Customer copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Supplier shall not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “Restricted Countries”).
If, after the Call-Off Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to any outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a Variation to the Customer which, if it is agreed by the Customer, shall be dealt with in accordance with the Variation Procedure and Clauses 31.6.3(b) to 31.6.3(c); the Supplier shall set out in its proposal to the Customer for a Variation details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the Customer’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with then-current Customer, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and carry out such other actions as the Customer may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Call-Off Contract or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Customer on such terms as may be required by the Customer; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Customer and the Sub-Contractor relating to the relevant Personal Data transfer, and in each case which the Supplier acknowledges may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Customer deems necessary for the purpose of protecting Personal Data.
The Supplier shall use its reasonable endeavours to assist the Customer to comply with any obligations under the DPA and shall not perform its obligations under this Call-Off Contract in such a way as to cause the Customer to breach any of the Customer’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.

Appears in 1 contract

Sources: Vehicle Hire Services Order Form

Protection of Personal Data. 36.1 To the extent that: 36.1.1 the Contractor Processes any Personal Data pursuant to this Agreement which relates to DCC Data Subjects or Energy Industry Data Subjects, then the Contractor shall be a Data Processor and DCC shall be a Data Controller in relation to that Personal Data; and/or 36.1.2 the Contractor Processes any Personal Data pursuant to this Agreement relating to Energy Consumer Data Subjects, it shall Process that Personal Data in the capacity of Sub-Processor, DCC shall be the Data Processor and the relevant DCC Service User shall be the Data Controller. 36.2 Subject to the other provisions of this Clause 36 and the terms of this Agreement, the types of Personal Data that may be Processed in relation to Contractor Data Subjects, DCC Data Subjects and Energy Industry Data Subjects may include Basic Information and/or Industry Information; and the types of Personal Data that may be Processed in relation to Energy Consumer Data Subjects may include Energy Supply Information. 36.3 In respect of the Contractor's Processing under this Agreement: 36.3.1 the subject-matter, nature and purpose of the Processing will be for the purposes of performing the Services and/or as required to assist in delivering the Objectives; 36.3.2 the duration of the Processing shall be the term of this Agreement (or, in the case of specific Personal Data or categories of Personal Data, such shorter retention period as may be explicitly set out in this Agreement or as DCC may instruct in writing from time to time); and 36.3.3 the Parties will use the Change Control Procedure to agree any changes or additions to the subject matter, nature, purpose or type of Personal Data to be Processed under this Agreement.
36.4 Where designated as a Processor or Sub-Processor of DCC under this Agreement (as the case may be), the Contractor shall: 36.4.1 Process the Personal Data only in accordance with documented instructions from the DCC and for the purposes of and in the manner permitted by this Agreement; 36.4.2 having regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of the relevant Data Subjects, ensure that at all times it has in place appropriate technical and organisational measures to guard against accidental or unlawful loss, destruction, alteration or unauthorised disclosure of, or access to, the Personal Data transmitted, stored or otherwise processed, including the measures as are set out in Clause 35 (DCC Data), Clause 42 (Security Requirements) and the Security Management Plan; 36.4.3 taking into account the nature of the processing and the information available to the Contractor, assist the DCC in ensuring compliance with DCC’s obligations in Articles 32-36 of the General Data Protection Regulation (or its national equivalent) including: (a) notifying DCC without undue delay if the Contractor becomes aware of a breach of the Data Protection Laws in relation to the Personal Data (including in the event of unauthorised access to such Personal Data); and (b) providing full details of the relevant breach where caused by the Contractor or any Sub-Contractor without undue delay, or, where necessary, in phases but always without further undue delay; 36.4.4 not disclose or transfer the Personal Data to any third party or Contractor Personnel, or allow a third party or Contractor Personnel access to the Personal Data, unless necessary for the provision of the Services and: (a) for any disclosure or transfer of Personal Data to any third party, with the prior written consent of the DCC; (b) where the Contractor wishes to appoint a sub-Processor, in compliance with Clause 28 (Supply Chain Rights) and any applicable conditions under such Clause 28 (Supply Chain Rights), provided any sub-Processor is subject to contractual terms which are identical to those set out in this Clause 36; 36.4.5 take all reasonable steps to ensure the reliability and integrity of any Contractor Personnel who have access to the Personal Data and ensure that the Contractor Personnel: (a) are aware of and comply with the Contractor’s duties under this Clause 36.4 and Clauses 37 (Confidentiality), 35 (DCC Data) and 42 (Security Requirements); (b) are subject to appropriate confidentiality undertakings with the Contractor or the relevant Sub-contractor; (c) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the DCC or as otherwise permitted by this Agreement; and (d) have undergone adequate training in the use, care, protection and handling of personal data (as defined in the Data Protection Laws);
36.4.6 notify the DCC without undue delay (and wherever possible, in advance) if it: (a) receives from a Data Subject (or third party on their behalf): (i) a Data Subject Access Request (or purported Data Subject Access Request); (ii) a request to rectify, block or erase any Personal Data; or (iii) any other request, complaint or communication relating to either Party's obligations under the Data Protection Laws; (b) Processes Personal Data otherwise than in accordance with this Agreement or Data Protection Laws; (c) considers that any of the instructions from the DCC or a Data Controller infringe or are likely to infringe the Data Protection Laws, giving full details of the actual or potential infringement; (d) receives any Regulator Correspondence or any other communication from the Information Commissioner or any other Regulatory Body in connection with Personal Data Processed under this Agreement; (e) receives a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or (f) is required by Law to commit an act or omission that would, but for Clause 36.4, constitute a breach of this Clause 36; 36.4.7 provide the DCC with full co-operation and assistance (within the timescales reasonably required by the DCC) in relation to either Party's obligations under the Data Protection Laws or any complaint, communication or request made as referred to in Clause 36.4.7, including by promptly providing: (a) the DCC with full details and copies of the complaint, communication or request; (b) where applicable, such assistance as is reasonably requested by the DCC to enable the DCC to comply with the Data Subject Access Request within the relevant timescales set out in the Data Protection Laws; (c) where applicable, such assistance as is reasonably requested by the DCC to enable the DCC to comply with any enquiry made or investigation or assessment initiated by the Information Commissioner and/or a Regulatory Body; and (d) the DCC, on request by the DCC, with any Personal Data it holds in relation to a Data Subject; 36.4.8 assistance following a security breach or incident involving Personal Data as reasonably required by the DCC including with respect to the DCC's consultation with the Information Commissioner's Office; 36.4.9 insofar as it relates to its Processing under this Agreement, maintain accurate and any other information or documentation necessary to demonstrate that it has and is complying with its obligations under this Clause 36 and the Data Protection Laws and make such records, information and documentation available to DCC or, at DCC’s request, a Data Controller, promptly upon request; and 36.4.10 if requested by the DCC, provide a written description of the measures that it has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 36.
36.5 The Contractor shall not Process or otherwise transfer any Personal Data in or to any Restricted Country without the DCC's prior written consent. If, after the Commencement Date, the Contractor or any Sub-contractor wishes to Process and/or transfer any Personal Data in or to any Restricted Country, the Contractor shall, in seeking consent, submit such information as the DCC shall reasonably require in order to enable it to consider the request and acknowledges that such consent may be given subject to conditions which will, if appropriate, be incorporated into this Agreement at the Contractor's cost and expense using the Change Control Procedure.
36.6 The Contractor shall (and shall ensure that its Sub-contractor shall) use all reasonable endeavours to assist the DCC to comply with any obligations under the Data Protection Laws and shall
25.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to not perform its obligations under this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed Agreement in such a manner way as to cause the DCC to breach any of the DCC’s obligations under the Data Protection Laws to the extent the Contractor is aware, or ought reasonably to have been aware, that it cannot the same would be reconstructed a breach of such obligations. 36.7 The Contractor shall permit the DCC to audit its original form, linking it to any particular individual or organisationcompliance with this Clause 36 in accordance with Schedule 8.4 (Records and Audit Provisions).

Appears in 1 contract

Sources: Agreement for the Provision of Services

Protection of Personal Data. 13.1. When gathering and (further) processing personal data in the framework of the agreement of or on behalf of Staad, the Supplier guarantees to Staad it will perform the obligations arising out of the General Data Protection Regulation (GDPR), the GDPR Implementation Act and, as of the time it enters into force, the ePrivacy Regulation and related laws and regulations. 13.2. The Supplier guarantees that the work to perform the agreement and the associated Goods and Services (including later changes), the processing of personal data, and the storage by it or its sub-processors of entered and processed personal data satisfy all legal requirements, as well as the principles that the legislator deems important, including data protection by design, data protection by standard settings and data minimisation. 13.3. The Supplier guarantees that it has provided Staad with all relevant information and has not withheld any facts with regard to the degree in which it complies with these laws and regulations. If it turns out that the performance of the agreement must be modified because of current or altered legislation relating to the protection of personal data, the Supplier shall take care of this at its own expense.
13.4. The Supplier is not entitled at any time to use the personal data made available to it, in whole or in part, in any way other than for the performance of the agreement. 13.5. The Supplier guarantees that, in accordance with the processing agreement referred to hereinafter, it will always maintain a suitable technical and organisational level of security to protect all personal data processed on behalf of Staad. 13.6. If the Supplier must be deemed a processor as defined in the GDPR, on Staad’s first request it shall, in supplementation of the provisions in this article, enter into and sign a written processing agreement with Staad.
13.7. To perform the information obligations that arise out of the GDPR, the Supplier shall, if necessary per agreement or instruction, draw up a privacy statement that the Supplier shall present to every user or client of Staad prior to the processing of the personal data. The Supplier shall send a draft to Staad, in which the Supplier shall incorporate any changes made by Staad. The Supplier shall perform all commitments made in this privacy statement to users or clients of Staad and guarantee the rights of the data subjects (including inspection, correction and erasure).
13.8. The Supplier indemnifies Staad against all claims of third parties (including in any event users and government agencies), and against damage or loss, financial government sanctions and costs (including legal expenses) connected with these claims, arising out of a breach by the Supplier of all guarantees included in this article and/or of a breach of any obligation to which the Supplier is subject under the above-mentioned processing agreement. 13.9. After the end of the agreement, the Supplier shall destroy all personal data received from Staad or in the framework of the performance of the agreement and provide Staad with proof of this destruction upon first request.

Appears in 1 contract

Sources: General Purchasing Terms and Conditions

Protection of Personal Data. 27.5.1 Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Contract, the Parties acknowledge that the Authority is the Data Controller and that the Supplier is the Data Processor. 27.5.2 The Supplier shall: (a) Process the Personal Data only in accordance with instructions from the Authority to perform its obligations under this Contract; (b) ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and or accidental loss, destruction, or damage to the Personal Data, including the measures as are set out in Clauses (Security Requirements) and
(c) not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Authority (save where such disclosure or transfer is specifically authorised under this Contract) (d) take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: (i) are aware of and comply with the Supplier’s duties under this Clause 27.5.2 and Clauses 27.1 (Security Requirements), and 27.2 (Confidentiality); (ii) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority or as otherwise permitted by this Contract; and (iii) have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); (e) notify the Authority in writing within five (5) Working Days if it receives: (i) from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request) a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the Authority's obligations under the DPA; (ii) any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or (iii) a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law;
(f) provide the Authority with full cooperation and assistance (within the timescales reasonably required by the Authority) in relation to any complaint, communication or request made (as referred to at Clause a)27.5.2(e), including by promptly providing: (i) the Authority with full details and copies of the complaint, communication or request; (ii) where applicable, such assistance as is reasonably requested by the Authority to enable the Authority to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and (iii) the Authority, on request by the Authority, with any Personal Data it holds in relation to a Data Subject; and (g) if requested by the Authority, provide a written description of the measures that has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 27.5.2 and provide to the Authority copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. 27.5.3 The Supplier shall not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “Restricted Countries”).
If, after the Commencement Date, the Supplier or any Sub-Contractor wishes to Process and or transfer any Personal Data in or to any outside the European Economic Area, the following provisions shall apply: (a) the Supplier shall propose a Variation to the Authority which, if it is agreed by the Authority, shall be dealt with in accordance with the Variation Procedure and Clauses a)27.5.3(b) to a)27.5.3(d); (b) the Supplier shall set out in its proposal to the Authority for a Variation details of the following: (i) the Personal Data which will be transferred to and or Processed in or to any Restricted Countries; (ii) the Restricted Countries to which the Personal Data will be transferred and or Processed; and (iii) any Sub-Contractors or other third parties who will be Processing and or receiving Personal Data in Restricted Countries; (c) how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and or transferred to Restricted Countries so as to ensure the Authority’s compliance with the DPA; (d) in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with then-current Authority, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and or transfers of Personal Data to any Restricted Countries; and
(e) the Supplier shall comply with such other instructions and shall carry out such other actions as the Authority may notify in writing, including: (i) incorporating standard and or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Contract or a separate data processing agreement between the Parties; and (ii) procuring that any Sub-Contractor or other third party who will be Processing and or receiving or accessing the Personal Data in Restricted Countries either enters into:

Appears in 1 contract

Sources: Price Benchmarking Services Contract

Protection of Personal Data. 25.1 The Parties agree that they may obtain and have access to personal data for the duration of the Agreement for the fulfilment of the rights and obligations contained herein. In performing the obligations as set out in this Agreement, the Parties shall at all times ensure that: a) they process data only for the express purpose for which it was obtained; b) once processed for the purposes for which it was obtained, all data will be destroyed to an extent that it cannot be reconstructed to its original form; c) data is provided only to authorised personnel who strictly require the personal data to carry out the Parties’ respective obligations under this Agreement; d) they do not disclose personal data of the other Party, other than in terms of this Agreement; e) they have all reasonable technical and organisational measures in place to protect all personal data from unauthorised access and/or use; f) they have appropriate technical and organisational measures in place to safeguard the security, integrity and authenticity of all data in its possession or under its control in terms of this Agreement; g) such personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access. 25.2 The Parties agree that if personal data will be processed for additional purposes beyond the original purpose for which it was obtained, explicit consent must be obtained beforehand from those persons whose information will be subject to further processing. 25.3 Should it be necessary for either Party to disclose or otherwise make available the personal data to any third party (including sub-contractors and employees), it may do so only with the prior written permission of the other Party.
The Party requiring such permission shall require of all such third parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 25, and dealing with that third party's obligations in respect of its processing of the personal data. Following approval by the other Party, the Party requiring permission agrees that the provisions of this clause 25 shall mutatis mutandis apply to all authorised third parties who process personal data. 25.4 The Parties shall ensure that any persons authorized to process data on their behalf (including employees and third parties) will safeguard the security, integrity and authenticity of all data. Where necessary to meet this requirement, the Parties shall keep all personal data and any analyses, profiles, or documents derived therefrom logically separated from all other data and documentation held by it. 25.5 The Parties shall carry out regular assessments to identify all reasonably foreseeable internal and external risks to the personal data in its possession or under its control. The Parties shall implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place has been effectively implemented. 25.6 The Parties agree that they will promptly return or destroy any personal data in their possession or control which belongs to the other Party once it no longer serves the purpose for which it was collected in relation to this Agreement, subject to any legal retention requirements. This may be at the request of the other Party and includes circumstances where a person has requested the Parties to delete all instances of their personal data. The information will be destroyed in such a manner that it cannot be reconstructed to its original form, linking it to any particular individual or organisation.
Personal Information security breach: Supplier/Service Provider’s Obligations The Supplier/Service Provider shall notify the Information Officer of Transnet, in writing as soon as possible after it becomes aware of or suspects any loss, unauthorised access or unlawful use of any personal data and shall, at its own cost, take all necessary remedial steps to mitigate the extent of the loss or compromise of personal data and to restore the integrity of the affected Goods/Services as quickly as is possible. The Supplier/Service Provider shall also be required to provide Transnet with details of the persons affected by the compromise and the nature and extent of the compromise, including details of the identity of the unauthorised person who may have accessed or acquired the personal data. The Supplier/Service Provider shall provide on-going updates on its progress in resolving the compromise at reasonable intervals until such time as the compromise is resolved. Where required, the Supplier/Service Provider may be required to notify the South African Police Service; and/or the State Security Agency and where applicable, the relevant regulator and/or the affected persons of the security breach. Any such notification shall always include sufficient information to allow the persons to take protective measures against the potential consequences of the compromise. The Supplier/Service Provider undertakes to co‑operate in any investigation relating to security which is carried out by or on behalf of Transnet including providing any information or material in its possession or control and implementing new security measures. 
The Parties hereby undertake the following with regard to Confidential Information: not to divulge or disclose to any person whomsoever in any form or manner whatsoever, either directly or indirectly, any Confidential Information of the other without the prior written consent of such other Party, other than when called upon to do so in accordance with a statute, or by a court having jurisdiction, or by any other duly authorised and empowered authority or official, in which event the Party concerned shall do what is reasonably possible to inform the other of such a demand and each shall assist the other in seeking appropriate relief or the instituting of a defensive action to protect the Confidential Information concerned; not to use, exploit, permit the use of, directly or indirectly, or in any other manner whatsoever apply the Confidential Information disclosed to it as a result of this Agreement, for any purpose whatsoever other than for the purpose for which it is disclosed or otherwise than in strict compliance with the provisions in this Agreement; not to make any notes, sketches, drawings, photographs or copies of any kind of any part of the disclosed Confidential Information without the prior written consent of such other Party, except when reasonably necessary for the purpose of this Agreement, in which case such copies shall be regarded as Confidential Information; not to de-compile, disassemble or reverse engineer any composition, compilation, concept application, item, component de-compilation, including software or hardware disclosed and shall not analyse any sample provided by Transnet, or otherwise determine the composition or structure or cause to permit these tasks to be carried out except in the performance of its obligations pursuant to this Agreement; not to exercise less care to safeguard Transnet Confidential Information than the Party exercises in safeguarding its own competitive, sensitive or Confidential Information; Confidential Information 
disclosed by either Party to the other or by either Party to any other party used by such party in the performance of this Agreement, shall be dealt with as “restricted” or shall be dealt with according to any other appropriate level of confidentiality relevant to the nature of the information concerned, agreed between the Parties concerned and stipulated in writing for such information in such cases; the Parties shall not make or permit to be made by any other person subject to their control, any public statements or issue press releases or disclose Confidential Information with regard to any matter related to this Agreement, unless written authorisation to do so has first been obtained from the Party first disclosing such information; each Party shall be entitled to disclose such aspects of Confidential Information as may be relevant to one or more technically qualified employees or consultants of the Party who are required in the course of their duties to receive the Confidential Information for the Permitted Purpose provided that the employee or consultant concerned has a legitimate interest therein, and then only to the extent necessary for the Permitted Purpose, and is informed by the Party of the confidential nature of the Confidential Information and the obligations of the confidentiality to which such disclosure is subject and the Party shall ensure such employees or consultants honour such obligations; each Party shall notify the other Party of the name of each person or entity to whom any Confidential Information has been disclosed as soon as practicable after such disclosure; each Party shall ensure that any person or entity to which it discloses Confidential Information shall observe and perform all of the covenants the Party has accepted in this Agreement as if such person or entity has signed this Agreement. 
The Party disclosing the Confidential Information shall be responsible for any breach of the provisions of this Agreement by such person or entity; and each Party may by written notice to the other Party specify which of the Party’s employees, officers or agents are required to sign a non-disclosure undertaking. The duties and obligations with regard to Confidential Information in this clause 0 shall not apply where: a Party can demonstrate that such information is already in the public domain or becomes available to the public through no breach of this Agreement by that Party, or its Staff; or was rightfully in a Party’s possession prior to receipt from the other Party, as proven by the first-mentioned Party’s written records, without an infringement of an obligation or duty of confidentiality; or can be proved to have been rightfully received by a Party from a third party without a breach of a duty or obligation of confidentiality; or is independently developed by a Party as proven by its written records. This clause 0 shall survive termination for any reason of this Agreement and shall remain in force and effect from the Commencement Date of this Agreement and 5 [five] years after the termination of this Agreement. Upon termination of this Agreement, all documentation furnished to the Supplier/Service Provider by Transnet pursuant to this Agreement shall be returned to Transnet including, without limitation, all corporate identity equipment including dyes, blocks, labels, advertising matter, printing matter and the like.

Appears in 1 contract

Sources: Master Agreement

Protection of Personal Data. The parties agree that as at the Signature Date, the provisions of Clause 29 in their entirety do not apply to this agreement on the basis that the Contractor will not receive or process any Personal Data as a Data Processor in the performance of its Services. 29.1 To the extent that personal data is processed with respect to the parties' rights and obligations under this Agreement, the parties agree that the DCC is either the Data Controller or the Data Processor and that the Contractor is the Data Processor. 29.2 To the extent that the Contractor processes Personal Data as the Data Processor for DCC, the Contractor shall: 29.2.1 Process the Personal Data only in accordance with instructions from the DCC as to the manner and purpose of the processing of this Personal Data (which may be specific instructions or instructions of a general nature as set out in this Agreement or as otherwise notified by the DCC to the Contractor during the Service Period). Any such instructions which are inconsistent with the parties' rights and obligations under this Agreement shall be dealt with in accordance with the Change Control Procedure; 29.2.2 Process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Services or as is required by Law; 29.2.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. 
These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 29.2.4 take reasonable steps to ensure the reliability of any Contractor Personnel who have access to the Personal Data; 29.2.5 obtain prior written consent from the DCC in order to transfer the Personal Data to any Sub-contractors or Affiliates for the provision of the Services, such consent not to be unreasonably withheld or delayed; 29.2.6 ensure that all Contractor Personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 29; 29.2.7 ensure that none of the Contractor Personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the DCC; 29.2.8 notify the DCC (within five (5) Working Days) unless not permitted by law or regulation if it receives: 29.2.8.1 a request from a Data Subject to have access to that person's Personal Data of which DCC is the Data Controller and Contractor is the Data Processor; or 29.2.8.2 a complaint or request relating to the DCC's obligations under the Data Protection Legislation; 
29.2.9 provide the DCC with full co-operation and assistance in relation to any complaint or request made, including by: 29.2.9.1 providing the DCC with full details of the complaint or request; 29.2.9.2 enabling the DCC to comply with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the DCC's instructions; 29.2.9.3 providing the DCC with any Personal Data it holds as Data Processor in relation to a Data Subject as a result of this Agreement (within the timescales required by the DCC); and 29.2.9.4 providing the DCC with any reasonable information requested by the DCC; 29.2.10 provide a written description of the technical and organisational methods employed by the Contractor for Processing Personal Data (with DCC providing no less than 30 days notice); and 29.2.11 not Process or otherwise transfer any Personal Data outside the European Economic Area without the consent of the DCC (not to be unreasonably withheld or denied). 29.2.11.1 the Contractor shall submit a Change Request to the DCC which shall be dealt with in accordance with the Change Control Procedure and this Clause 29.2.11;

Appears in 1 contract

Sources: Agreement for the Provision of Smart Meter Key Infrastructure (Smki) Services