PROVISIONS APPLICABLE TO CONTROLLER SERVICES.
2.1. The Parties envisage that under this DP Schedule, each Party is a separate data fiduciary of the Agreement Personal Data processed for the provision of the services applicable to the Terms of Business listed in Appendix 1 ("Controller Services").
2.2. If the Parties or their Affiliates (as applicable) enter into a Statement of Work, under which Aon agrees to provide services to you which:
(a) are listed in Appendix 1, then the relevant services shall be deemed applicable for the purposes of Appendix 1 from the date of that Statement of Work; or
(b) are not covered by Appendix 1, then the Parties or their Affiliates (as applicable) may agree in writing to update Appendix 1 to insert details of the relevant services.
2.3. Each Party agrees for its own part that, to the extent that it processes Agreement Personal Data as a separate data fiduciary:
(a) it will observe all applicable requirements of DP Laws and this DP Schedule in relation to its processing of Agreement Personal Data; and
(b) all Agreement Personal Data collected or sourced by it or on its behalf for processing in connection with the Terms of Business or which is otherwise provided or made available to the other Party shall have been collected or otherwise obtained in compliance with DP Laws, and shall be allowed to be processed, disclosed and transferred as described in or in connection with the Terms of Business.
2.4. Aon and Aon Affiliates shall process, transfer and disclose personal data as described in Aon’s privacy notice in particular for (i) the delivery of the Controller Services; (ii) administration of engagement and general correspondence with you; (iii) screening of individuals associated with you against international sanctioned parties lists; and (iv) aggregation, de-identification and, where feasible, full anonymisation of personal information for benchmarking, market research and data analysis purposes associated with the development of Aon Group’s products and services.
2.5. You warrant that you have obtained all necessary consents from the data principals so that all Agreement Personal Data (including sensitive personal data) disclosed by you or which is otherwise provided or made available to Aon may be processed, disclosed and transferred as described in or in connection with this DP Schedule and the Terms of Business.
2.6. The Parties will work together in good faith to ensure information describing the personal data processing activities envisaged by the Terms of Business is made available to relevant data principals, including where necessary your provision of such information to data principals on Aon’s behalf.
2.7. Each Party shall implement appropriate technical and organisational security measures in relation to the processing of the Agreement Personal Data under or in connection with the Terms of Business, which shall ensure a level of security appropriate to the risk including, as appropriate, (i) pseudonymisation and encryption; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (iii) the ability to restore the availability and access to the Agreement Personal Data in a timely manner in the event of a physical or technical incident; and (iv) a process for regularly testing, assessing and evaluating the effectiveness of those measures.
2.8. Aon shall maintain a global data governance framework which mandates strict technical and organisational security measures applicable to the processing of Agreement Personal Data including those relating to, without limitation, access control, data processing, malware protection, security organisation, system configuration and hardening, personnel security, physical security, business continuity plans and disaster recovery and third-party security.
2.9. Aon shall retain the Agreement Personal Data pursuant to its corporate record retention schedules for the purposes of meeting Aon’s legal and regulatory obligations and enabling Aon to establish, exercise or defend legal claims.
2.10. If either Party receives any complaint, notice or communication from a Supervisory Authority which relates to the other Party’s: (i) processing of the Agreement Personal Data; or (ii) potential failure to comply with DP Laws in respect of the Agreement Personal Data, that Party shall direct the Supervisory Authority to the other Party.
2.11. If a data principal makes a written request to a Party to exercise any of their rights in relation to the Agreement Personal Data that concerns processing of the other Party, that Party shall direct the data principal to that other Party.
2.12. If either Party becomes aware of a Personal Data Breach that requires notification to a Supervisory Authority, it shall notify the other Party without undue delay, and each Party shall co-operate with the other, to the extent reasonably requested, in relation to any notifications to Supervisory Authorities and/or to affected data principals.
2.13. The Parties acknowledge that Agreement Personal Data under this DP Schedule may be transferred or otherwise processed or transferred outside of India (“International Transfer”) provided that such International Transfer is made in compliance with DP Laws, including, if applicable, by adoption of the appropriate international transfer mechanism that effectively complies with DP Laws or other lawful basis permitted by the DP Laws to the extent that such transfers would otherwise be unlawful.
Appears in 1 contract
Sources: Terms of Business Agreement
PROVISIONS APPLICABLE TO CONTROLLER SERVICES.
2.1. The Parties envisage that under this DP Schedule, each Party is a separate data fiduciary of the Agreement Personal Data processed for the provision of the services applicable to the Terms of Business listed in Appendix 1 ("Controller Services").
2.2. If the Parties or their Affiliates (as applicable) enter into a Statement of Work, under which Aon GIB agrees to provide services to you which:
(a) are listed in Appendix 1, then the relevant services shall be deemed applicable for the purposes of Appendix 1 from the date of that Statement of Work; or
(b) are not covered by Appendix 1, then the Parties or their Affiliates (as applicable) may agree in writing to update Appendix 1 to insert details of the relevant services.
2.3. Each Party agrees for its own part that, to the extent that it processes Agreement Personal Data as a separate data fiduciary:
(a) it will observe all applicable requirements of DP Laws and this DP Schedule in relation to its processing of Agreement Personal Data; and
(b) all Agreement Personal Data collected or sourced by it or on its behalf for processing in connection with the Terms of Business or which is otherwise provided or made available to the other Party shall have been collected or otherwise obtained in compliance with DP Laws, and shall be allowed to be processed, disclosed and transferred as described in or in connection with the Terms of Business.
2.4. Aon GIB and Aon GIB Affiliates shall process, transfer and disclose personal data as described in Aon GIB’s privacy notice in particular for (i) the delivery of the Controller Services; (ii) administration of engagement and general correspondence with you; (iii) screening of individuals associated with you against international sanctioned parties lists; and (iv) aggregation, de-identification and, where feasible, full anonymisation of personal information for benchmarking, market research and data analysis purposes associated with the development of Aon Group’s products and services.
2.5. You warrant that you have obtained all necessary consents from the data principals so that all Agreement Personal Data (including sensitive personal data) disclosed by you or which is otherwise provided or made available to Aon GIB may be processed, disclosed and transferred as described in or in connection with this DP Schedule and the Terms of Business.
2.6. The Parties will work together in good faith to ensure information describing the personal data processing activities envisaged by the Terms of Business is made available to relevant data principals, including where necessary your provision of such information to data principals on Aon GIB’s behalf.
2.7. Each Party shall implement appropriate technical and organisational security measures in relation to the processing of the Agreement Personal Data under or in connection with the Terms of Business, which shall ensure a level of security appropriate to the risk including, as appropriate, (i) pseudonymisation and encryption; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (iii) the ability to restore the availability and access to the Agreement Personal Data in a timely manner in the event of a physical or technical incident; and (iv) a process for regularly testing, assessing and evaluating the effectiveness of those measures.
2.8. Aon GIB shall maintain a global data governance framework which mandates strict technical and organisational security measures applicable to the processing of Agreement Personal Data including those relating to, without limitation, access control, data processing, malware protection, security organisation, system configuration and hardening, personnel security, physical security, business continuity plans and disaster recovery and third-party security.
2.9. Aon GIB shall retain the Agreement Personal Data pursuant to its corporate record retention schedules for the purposes of meeting Aon GIB’s legal and regulatory obligations and enabling Aon GIB to establish, exercise or defend legal claims.
2.10. If either Party receives any complaint, notice or communication from a Supervisory Authority which relates to the other Party’s: (i) processing of the Agreement Personal Data; or (ii) potential failure to comply with DP Laws in respect of the Agreement Personal Data, that Party shall direct the Supervisory Authority to the other Party.
2.11. If a data principal makes a written request to a Party to exercise any of their rights in relation to the Agreement Personal Data that concerns processing of the other Party, that Party shall direct the data principal to that other Party.
2.12. If either Party becomes aware of a Personal Data Breach that requires notification to a Supervisory Authority, it shall notify the other Party without undue delay, and each Party shall co-operate with the other, to the extent reasonably requested, in relation to any notifications to Supervisory Authorities and/or to affected data principals.
2.13. The Parties acknowledge that Agreement Personal Data under this DP Schedule may be transferred or otherwise processed or transferred outside of India (“International Transfer”) provided that such International Transfer is made in compliance with DP Laws, including, if applicable, by adoption of the appropriate international transfer mechanism that effectively complies with DP Laws or other lawful basis permitted by the DP Laws to the extent that such transfers would otherwise be unlawful.