Common use of Security and Data Protection Clause in Contracts

Security and Data Protection. 18.1 Each party shall for the duration of this Agreement comply with the provisions of the Data Protection Act 1998 (including the Data Protection Principles set out in that Act) and from 25th May 2018 the General Data Protection Regulation and any similar or analogous laws, regulatory requirements or codes of practice (the ‘Data Protection Legislation’) governing the use, storage or transmission of Customer’s Personal Data (for clarity, this is Personal Data provided by the Customer pursuant to the performance of this Agreement by the parties) and shall not do or permit anything to be done which might cause or otherwise result in breach of the same. For clarity this clause 18 is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Legislation. 18.2 Managed Ink acknowledges that for the purposes of the Data Protection Legislation, it is the Data Processor and the Customer is the Data Controller of any the Customer’s Personal Data provided to it by the Customer or obtained by it as part of its obligations under this Agreement. For clarity Data Controller, Data Processor, and Personal Data have the meanings as defined in the Data Protection Legislation. In its capacity as Data Processor, Managed Ink undertakes to use reasonable endeavours to keep the Customer’s Personal Data secure to ensure that the Customer is not in breach of its obligations under the current or any future Data Protection Legislation. 18.3 Without limitation to clauses 18.1 and 18.2, ▇▇▇▇▇▇▇ Ink agrees to: 18.3.1 to ensure a level of security appropriate to the nature of the Personal Data to be protected; 18.3.2 to take appropriate steps so that Managed Ink’s employees and subcontractors who have access to the Customer’s Personal Data comply with this clause 18; 18.3.3 to comply with the Customer’s reasonable instructions pursuant to the Data Protection Legislation in relation to the collection, processing and disposal of any of the Customer’s Personal Data 18.4 Without limitation to clauses 18.1 and 18.2 Managed Ink shall, in relation to any of the Customer’s Personal Data processed in connection with the performance by Managed Ink of its obligations under this Agreement: 18.4.1 process that Customer’s Personal Data only on the written instructions of the Customer which is to be provided within reasonable notice unless Managed Ink is required by the laws of any member of the European Union or by the laws of the European Union applicable to Managed Ink to process the Customer’s Personal Data (the ‘Applicable Laws’); 18.4.2 ensure that it has in place appropriate technical and organisational measures, to protect against unauthorised or unlawful processing of the Customer’s Personal Data and against accidental loss or destruction of, or damage to the Customer’s Personal Data, having regard to the state of technological development and the cost of implementing any measures (those measures may include measures appropriate under the Data Protection Legislation); 18.4.3 ensure that all personnel who have access to and/or process the Customer’s Personal Data are obliged to keep the Customer’s Personal Data confidential; 18.4.4 not transfer any of the Customer’s Personal Data outside of the European Economic Area unless the prior written consent of the Customer has been obtained and the following conditions are fulfilled: (i) the Customer has provided appropriate safeguards in relation to the transfer; (ii) the Data Subject has enforceable rights and effective legal remedies; (iii) Managed Ink provides an adequate level of protection to any of the Customer’s Personal Data that is transferred; and (iv) Managed Ink complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Customer’s Personal Data; 18.4.5 assist the Customer, at the Customer’s cost, in responding to any request from a Data Subject and in ensuring compliance with each party’s obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; 18.4.6 notify the Customer without undue delay on becoming aware of a breach of the Customer’s Personal Data; 18.4.7 at the written direction of the Customer, delete or return the Customer’s Personal Data and copies thereof to the Customer on termination or expiry of the Agreement unless required by Applicable Law to store the Customer’s Personal Data; and 18.5 The Customer consents to Managed Ink appointing third-party processors of the Customer’s Personal Data under this Agreement. As between the Customer and Managed Ink, The Customer authorises third party contractors to process any of the Customer’s Personal Data (as defined in the Data Protection Legislation) provided that the third party contractor’s agreement with Managed Ink is: 18.5.1 on terms similar to these set out in this Agreement; and

Security and Data Protection. 18.1 21.1 Each party shall for the duration of this Agreement comply with the provisions of the Data Protection Act 1998 (including the Data Protection Principles set out in that Act) and from 25th May 2018 the General Data Protection Regulation and any similar or analogous laws, regulatory requirements or codes of practice (the ‘Data Protection Legislation’) governing the use, storage or transmission of Customer’s Personal Data (for clarity, this is Personal Data provided by the Customer pursuant to the performance of this Agreement by the parties) and shall not do or permit anything to be done which might cause or otherwise result in breach of the same. For clarity this This clause 18 21 is in addition to, and does not relieve, remove or replace, a party's ’s obligations under the Data Protection Legislation. 18.2 Managed Ink 21.2 RNB Group acknowledges that as defined in the Data Protection Act 1998 and for the purposes of the Data Protection Legislation, it is the Data Processor Controller and the Customer Supplier is the Data Controller Processor of any the Customer’s Personal Data provided to it by the Customer Supplier or obtained by it as part of its obligations under this Agreement. For clarity Data Subject, Data Controller, Data Processor, Supplier and Personal Data have the meanings as defined in the Data Protection Legislation. In its capacity as Data Processor, Managed Ink the Supplier undertakes to use reasonable endeavours to keep the Customer’s such Personal Data secure to use best endeavours to ensure that the Customer RNB Group is not in breach of its obligations under the current or any future Data Protection Legislation. 18.3 21.3 Without limitation to clauses 18.1 21.1 and 18.221.2, ▇▇▇▇▇▇▇ Ink agrees tothe Supplier undertakes: 18.3.1 21.3.1 to ensure a level of security appropriate to the nature of the Personal Data to be protectedprotected and the harm that might result from any unauthorised or unlawful processing or accidental loss, destruction of or damage to any such Personal Data; 18.3.2 21.3.2 to take appropriate steps so that Managed Inkensure the Supplier’s employees and subcontractors who have access to the Customer’s Personal Data comply with this clause 1821 and any restrictions in this Agreement; 18.3.3 to comply with 21.3.3 the Customer’s reasonable instructions pursuant to Supplier shall not enlist a subcontractor without the Data Protection Legislation in relation to prior specific or general written confirmation from RNB Group. The Supplier shall additionally give RNB Group written notice of the collection, processing and disposal appointment of any new subcontractors; and 21.3.4 to hold all necessary and appropriate consents and notices in place to enable lawful transfer of the Customer’s Personal DataData for the duration and purposes of this Agreement. 18.4 21.4 Without limitation to clauses 18.1 21.1 and 18.2 Managed Ink 21.2, the Supplier shall, in relation to any of the Customer’s Personal Data processed in connection with the performance by Managed Ink the Supplier of its obligations under this Agreement: 18.4.1 21.4.1 process that Customer’s Personal Data only on the written instructions of RNB Group unless the Customer which is to be provided within reasonable notice unless Managed Ink Supplier is required by the laws of any member of the European Union or by the laws of the European Union applicable to Managed Ink the Supplier to process the Customer’s Personal Data (the ‘Applicable Laws’). Where the Supplier is relying on laws of a member of the European Union or European Union law as the basis for processing Personal Data, the Supplier shall promptly notify RNB Group of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Supplier from so notifying RNB Group; 18.4.2 21.4.2 ensure that it has in place appropriate technical and organisational measures, reviewed and approved by RNB Group, to protect against unauthorised or unlawful processing of the Customer’s Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the Customer’s Personal Dataharm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures appropriate under the Data Protection Legislationadopted by it); 18.4.3 21.4.3 ensure that all personnel who have access to and/or process the Customer’s Personal Data are obliged to keep the Customer’s Personal Data confidential; 18.4.4 21.4.4 not transfer any of the Customer’s Personal Data outside of the European Economic Area unless the prior written consent writtenconsent of the Customer RNB Group has been obtained and the following conditions are fulfilled: (i) the Customer Supplier or RNB Group has provided appropriate safeguards in relation to the transfer; (ii) the Data Subject data subject has enforceable rights and effective legal remedies; (iii) Managed Ink provides an adequate the Supplier complies with its obligations under the Data Protection Legislation by providing a fully comprehensive level of protection to any of the Customer’s Personal Data that is transferred; and (iv) Managed Ink the Supplier complies with reasonable instructions notified to it in advance by the Customer RNB Group with respect to the processing of the Customer’s Personal Data; 18.4.5 21.4.5 assist the CustomerRNB Group, at the CustomerSupplier’s cost, in responding to any request from a Data Subject and in ensuring compliance with each party’s its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; 18.4.6 21.4.6 notify the Customer RNB Group without undue delay on becoming aware of a breach of the Customer’s Personal DataData breach; 18.4.7 21.4.7 at the written direction of the CustomerRNB Group, delete or return the Customer’s Personal Data and copies thereof to the Customer RNB Group on termination or expiry of the Agreement unless required by Applicable Law to store the Customer’s Personal Data; and 18.5 21.4.8 maintain complete and accurate records and information to demonstrate its compliance with this clause 21 during the term of this Agreement and for up to 5 years after its expiry or termination. 21.5 The Customer consents to Managed Ink appointing third-party processors Supplier shall wholly indemnify and hold harmless RNB Group for any loss which RNB Group suffers as a result of the CustomerSupplier’s Personal Data failure to comply with its obligations under this Agreement. As between the Customer and Managed Ink, The Customer authorises third party contractors to process any of the Customer’s Personal Data (as defined in the Data Protection Legislation) provided that the third party contractor’s agreement with Managed Ink is: 18.5.1 on terms similar to these set out in this Agreement; andclause

Security and Data Protection. 18.1 21.1 Each party shall for the duration of this Agreement comply with the provisions of the Data Protection Act 1998 (including the Data Protection Principles set out in that Act) and from 25th May 2018 the General Data Protection Regulation and any similar or analogous laws, regulatory requirements or codes of practice (the ‘Data Protection Legislation’) governing the use, storage or transmission of Customer’s Personal Data (for clarity, this is Personal Data provided by the Customer pursuant to the performance of this Agreement by the parties) and shall not do or permit anything to be done which might cause or otherwise result in breach of the same. For clarity this This clause 18 21 is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Legislation. 18.2 Managed Ink 21.2 Fastwalker Digital acknowledges that as defined in the Data Protection Act 1998 and for the purposes of the Data Protection Legislation, it is the Data Processor Controller and the Customer Supplier is the Data Controller Processor of any the Customer’s Personal Data provided to it by the Customer Supplier or obtained by it as part of its obligations under this Agreement. For clarity Data Subject, Data Controller, Data Processor, Supplier and Personal Data have the meanings as defined in the Data Protection Legislation. In its capacity as Data Processor, Managed Ink the Supplier undertakes to use reasonable endeavours to keep the Customer’s such Personal Data secure to use best endeavours to ensure that the Customer Fastwalker Digital is not in breach of its obligations under the current or any future Data Protection Legislation. 18.3 21.3 Without limitation to clauses 18.1 21.1 and 18.221.2, ▇▇▇▇▇▇▇ Ink agrees tothe Supplier undertakes: 18.3.1 21.3.1 to ensure a level of security appropriate to the nature of the Personal Data to be protectedprotected and the harm that might result from any unauthorised or unlawful processing or accidental loss, destruction of or damage to any such Personal Data; 18.3.2 21.3.2 to take appropriate steps so that Managed Inkensure the Supplier’s employees and subcontractors who have access to the Customer’s Personal Data comply with this clause 1821 and any restrictions in this Agreement; 18.3.3 to comply with 21.3.3 the Customer’s reasonable instructions pursuant to Supplier shall not enlist a subcontractor without the Data Protection Legislation in relation to prior specific or general written confirmation from Fastwalker Digital. The Supplier shall additionally give Fastwalker Digital written notice of the collection, processing and disposal appointment of any new subcontractors; and 21.3.4 to hold all necessary and appropriate consents and notices in place to enable lawful transfer of the Customer’s Personal DataData for the duration and purposes of this Agreement. 18.4 21.4 Without limitation to clauses 18.1 21.1 and 18.2 Managed Ink 21.2, the Supplier shall, in relation to any of the Customer’s Personal Data processed in connection with the performance by Managed Ink the Supplier of its obligations under this Agreement: 18.4.1 21.4.1 process that Customer’s Personal Data only on the written instructions of Fastwalker Digital unless the Customer which is to be provided within reasonable notice unless Managed Ink Supplier is required by the laws of any member of the European Union or by the laws of the European Union applicable to Managed Ink the Supplier to process the Customer’s Personal Data (the ‘Applicable Laws’). Where the Supplier is relying on laws of a member of the European Union or European Union law as the basis for processing Personal Data, the Supplier shall promptly notify Fastwalker Digital of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Supplier from so notifying Fastwalker Digital; 18.4.2 21.4.2 ensure that it has in place appropriate technical and organisational measures, reviewed and approved by Fastwalker Digital, to protect against unauthorised or unlawful processing of the Customer’s Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the Customer’s Personal Dataharm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures appropriate under the Data Protection Legislationadopted by it); 18.4.3 21.4.3 ensure that all personnel who have access to and/or process the Customer’s Personal Data are obliged to keep the Customer’s Personal Data confidential; 18.4.4 21.4.4 not transfer any of the Customer’s Personal Data outside of the European Economic Area unless the prior written consent of the Customer Fastwalker Digital has been obtained and the following conditions are fulfilled: (i) the Customer Supplier or Fastwalker Digital has provided appropriate safeguards in relation to the transfer; (ii) the Data Subject data subject has enforceable rights and effective legal remedies; (iii) Managed Ink provides an adequate the Supplier complies with its obligations under the Data Protection Legislation by providing a fully comprehensive level of protection to any of the Customer’s Personal Data that is transferred; and (iv) Managed Ink the Supplier complies with reasonable instructions notified to it in advance by the Customer Fastwalker Digital with respect to the processing of the Customer’s Personal Data; 18.4.5 21.4.5 assist the CustomerFastwalker Digital, at the CustomerSupplier’s cost, in responding to any request from a Data Subject and in ensuring compliance with each party’s its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; 18.4.6 21.4.6 notify the Customer Fastwalker Digital without undue delay on becoming aware of a breach of the Customer’s Personal DataData breach; 18.4.7 21.4.7 at the written direction of the CustomerFastwalker Digital, delete or return the Customer’s Personal Data and copies thereof to the Customer Fastwalker Digital on termination or expiry of the Agreement unless required by Applicable Law to store the Customer’s Personal Data; and 18.5 21.4.8 maintain complete and accurate records and information to demonstrate its compliance with this clause 21 during the term of this Agreement and for up to 5 years after its expiry or termination. 21.5 The Customer Supplier shall wholly indemnify and hold harmless Fastwalker Digital for any loss which Fastwalker Digital suffers as a result of the Supplier’s failure to comply with its obligations under this clause 21. For clarity, this indemnity provision shall not exclude the right of Fastwalker Digital to any indemnity granted in favour of Fastwalker Digital under the Agreement. 21.6 Fastwalker Digital consents to Managed Ink the Supplier appointing third-party processors of the Customer’s Personal Data under this Agreement. As between the Customer Supplier and Managed InkFastwalker Digital, The Customer Fastwalker Digital authorises third party contractors to process any of the Customer’s Personal Data (as defined in the Data Protection Legislation) provided that the third party contractor’s agreement with Managed Ink the Supplier is: 18.5.1 21.6.1 on terms similar identical to these set out in this Agreement; and 21.6.2 terminated automatically on termination of this Agreement. 21.7 Fastwalker Digital may propose at any time and on not less than 30 working days’ notice and the other party shall not unreasonably object to, revisions to this clause 21. 21.8 The Supplier shall comply with any of Fastwalker Digital’s instructions in relation to the collection, processing and disposal of any Personal Data. 21.9 The Supplier agrees to provide evidence to Fastwalker Digital that it may reasonably request and upon being given sufficient notice, to demonstrate the Supplier’s compliance with the current Data Protection Legislation.

Security and Data Protection. 18.1 Each party shall for the duration of this Agreement comply with the provisions of the Data Protection Act 1998 (including the Data Protection Principles set out in that Act) and from 25th May 2018 the General Data Protection Regulation and any similar or analogous laws, regulatory requirements or codes of practice (the ‘Data Protection Legislation’) governing the use, storage or transmission of Customer’s Personal Data (for clarity, this is Personal Data provided by the Customer pursuant to the performance of this Agreement by the parties) and shall not do or permit anything to be done which might cause or otherwise result in breach of the same. For clarity this clause 18 is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Legislation. 18.2 Managed Ink Fastwalker Digital acknowledges that for the purposes of the Data Protection Legislation, it is the Data Processor and the Customer is the Data Controller of any the Customer’s Personal Data provided to it by the Customer or obtained by it as part of its obligations under this Agreement. For clarity Data Controller, Data Processor, and Personal Data have the meanings as defined in the Data Protection Legislation. In its capacity as Data Processor, Managed Ink Fastwalker Digital undertakes to use reasonable endeavours to keep the Customer’s Personal Data secure to ensure that the Customer is not in breach of its obligations under the current or any future Data Protection Legislation. 18.3 Without limitation to clauses 18.1 and 18.2, ▇▇▇▇▇▇▇ Ink Fastwalker Digital agrees to: 18.3.1 to ensure a level of security appropriate to the nature of the Personal Data to be protected; 18.3.2 to take appropriate steps so that Managed InkFastwalker Digital’s employees and subcontractors who have access to the Customer’s Personal Data comply with this clause 18; 18.3.3 to comply with the Customer’s reasonable instructions pursuant to the Data Protection Legislation in relation to the collection, processing and disposal of any of the Customer’s Personal Data 18.4 Without limitation to clauses 18.1 and 18.2 Managed Ink Fastwalker Digital shall, in relation to any of the Customer’s Personal Data processed in connection with the performance by Managed Ink Fastwalker Digital of its obligations under this Agreement: 18.4.1 process that Customer’s Personal Data only on the written instructions of the Customer which is to be provided within reasonable notice unless Managed Ink Fastwalker Digital is required by the laws of any member of the European Union or by the laws of the European Union applicable to Managed Ink Fastwalker Digital to process the Customer’s Personal Data (the ‘Applicable Laws’); 18.4.2 ensure that it has in place appropriate technical and organisational measures, to protect against unauthorised or unlawful processing of the Customer’s Personal Data and against accidental loss or destruction of, or damage to the Customer’s Personal Data, having regard to the state of technological development and the cost of implementing any measures (those measures may include measures appropriate under the Data Protection Legislation); 18.4.3 ensure that all personnel who have access to and/or process the Customer’s Personal Data are obliged to keep the Customer’s Personal Data confidential; 18.4.4 not transfer any of the Customer’s Personal Data outside of the European Economic Area unless the prior written consent of the Customer has been obtained and the following conditions are fulfilled: (i) the Customer has provided appropriate safeguards in relation to the transfer; (ii) the Data Subject has enforceable rights and effective legal remedies; (iii) Managed Ink Fastwalker Digital provides an adequate level of protection to any of the Customer’s Personal Data that is transferred; and (iv) Managed Ink Fastwalker Digital complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Customer’s Personal Data; 18.4.5 assist the Customer, at the Customer’s cost, in responding to any request from a Data Subject and in ensuring compliance with each party’s obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; 18.4.6 notify the Customer without undue delay on becoming aware of a breach of the Customer’s Personal Data; 18.4.7 at the written direction of the Customer, delete or return the Customer’s Personal Data and copies thereof to the Customer on termination or expiry of the Agreement unless required by Applicable Law to store the Customer’s Personal Data; and 18.5 The Customer consents to Managed Ink Fastwalker Digital appointing third-third- party processors of the Customer’s Personal Data under this Agreement. As between the Customer and Managed InkFastwalker Digital, The Customer authorises third party contractors to process any of the Customer’s Personal Data (as defined in the Data Protection Legislation) provided that the third party contractor’s agreement with Managed Ink Fastwalker Digital is: 18.5.1 on terms similar to these set out in this Agreement; and

Security and Data Protection. 18.1 Each party 15.1 The Customer understands and accepts the performance by SCGSW of certain of the Services may carry a risk to the Customer of loss or corruption of data. The Customer accepts that it shall be responsible at all times for maintaining an appropriate data backup procedure to enable the recovery of lost or corrupted data files. The Customer understands and accepts that, save where back-up services are specifically purchased under the RFS for a particular Service, the Customer bears full responsibility for the duration loss or corruption of this data. Further, where SCGSW provides back up services for the Customer to upload its data onto a server provided as part of the Services, SCGSW disclaims all liability in respect of the integrity of such data. 15.2 The Customer shall complete all appropriate data and application back up procedures at regular intervals during the continuance of a Services Agreement in accordance with accepted industry practice and at such other times as SCGSW may advise. 15.3 Without limiting the foregoing, the Customer shall be solely responsible for ensuring that: 15.3.1 there is no unauthorised access to or use of the Services; 15.3.2 there is no unauthorised access to or use of any of the Customer’s information technology equipment, software or systems, including by setting up appropriate firewalls [(except to the extent that SCGSW has expressly agreed to provide any firewalls on the Customer’s behalf as described in a Services Schedule)]; 15.3.3 all passwords, log in details and other identification or authorisation information that it has in place to regulate access to the Services are maintained in the strictest confidence and are not disclosed other than on a needs-to-know basis; 15.3.4 SCGSW is notified promptly upon the Customer becoming aware of any security breach relating to the Services or their use. 15.4 SCGSW and the Customer will comply with the provisions all applicable requirements of the Data Protection Act 1998 (including the Data Protection Principles set out in that Act) and from 25th May 2018 the General Data Protection Regulation and any similar or analogous laws, regulatory requirements or codes of practice (the ‘Data Protection Legislation’) governing the use, storage or transmission of Customer’s Personal Data (for clarity, this is Personal Data provided by the Customer pursuant to the performance of this Agreement by the parties) and shall not do or permit anything to be done which might cause or otherwise result in breach of the same. For clarity this clause 18 This condition 15 is in addition to, and does not relieve, remove or replace, a party's ’s obligations under the Data Protection Legislation. 18.2 Managed Ink acknowledges 15.5 The parties acknowledge that for the purposes of the Data Protection Legislation, it is the Data Processor and the Customer is the data controller and SCGSW is the data processor (where Data Controller of any the Customer’s Personal and Data provided to it by the Customer or obtained by it as part of its obligations under this Agreement. For clarity Data Controller, Data Processor, and Personal Data Processor have the meanings as defined in the Data Protection Legislation. In its capacity as Data Processor, Managed Ink undertakes to use reasonable endeavours to keep the Customer’s Personal Data secure to ). 15.6 The Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Customer is not personal data (as defined in breach of its obligations under the current or any future Data Protection Legislation, Personal Data) to SCGSW for the duration of this Agreement. 18.3 15.7 Without limitation to clauses 18.1 and 18.2, ▇▇▇▇▇▇▇ Ink agrees to: 18.3.1 to ensure a level of security appropriate prejudice to the nature generality of the Personal Data to be protected; 18.3.2 to take appropriate steps so that Managed Ink’s employees and subcontractors who have access to the Customer’s Personal Data comply with this clause 18; 18.3.3 to comply with the Customer’s reasonable instructions pursuant to the Data Protection Legislation in relation to the collectioncondition 15.4, processing and disposal of any of the Customer’s Personal Data 18.4 Without limitation to clauses 18.1 and 18.2 Managed Ink SCGSW shall, in relation to any of the Customer’s Personal Data processed in connection with the performance by Managed Ink SCGSW of its obligations under this Agreement: 18.4.1 15.7.1 process that Customer’s Personal Data only on the written instructions of the Customer which is to be provided within reasonable notice unless Managed Ink SCGSW is required by the laws of any member of the European Union or by the laws of the European Union applicable to Managed Ink SCGSW to process the Customer’s Personal Data (the ‘Applicable Laws’). Where the SCGSW is relying on laws of a member of the European Union or European Union law as the basis for processing Personal Data, SCGSW shall promptly notify the Customer of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit SCGSW from so notifying the Customer; 18.4.2 15.7.2 ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the Customer, to protect against the unauthorised or unlawful processing of the Customer’s Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the Customer’s Personal Dataharm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures appropriate under the Data Protection Legislationadopted by it); 18.4.3 15.7.3 ensure that all personnel who have access to and/or process the Customer’s Personal Data are obliged to keep the Customer’s Personal Data confidential;; and 18.4.4 15.7.4 not transfer any of the Customer’s Personal Data outside of the European Economic Area unless the prior written consent of the Customer has been obtained and the following conditions are fulfilled: (i) 15.7.4.1 the Customer or SCGSW has provided appropriate safeguards in relation to the transfer; (ii) 15.7.4.2 the Data Subject data subject has enforceable rights and effective legal remedies; (iii) Managed Ink provides 15.7.4.3 SCGSW complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any of the Customer’s Personal Data that is transferred; and (iv) Managed Ink 15.7.4.4 SCGSW complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Customer’s Personal Data;. 18.4.5 15.7.5 assist the Customer, at the Customer’s cost, in responding to any request from a Data Subject data subject and in ensuring compliance with each party’s its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; 18.4.6 15.7.6 notify the Customer without undue delay on becoming aware of a breach of the Customer’s Personal DataData breach; 18.4.7 15.7.7 at the written direction of the Customer, delete or return the Customer’s Personal Data and copies thereof to the Customer on termination or expiry of the this Agreement unless required by Applicable Law to store the Customer’s Personal Data; and 18.5 15.7.8 maintain complete and accurate records and information to demonstrate its compliance with this condition 15 and allow for audits by the Customer or the Customer’s designated auditor. 15.8 The Customer consents to Managed Ink SCGSW appointing thirda sub-processor as a third party processors of the Customer’s Personal Data under this Agreement. SCGSW confirms that it has entered or (as the case may be) will enter with the sub-processor into a written agreement incorporating terms which are substantially similar to those set out in this condition 15. As between the Customer and Managed InkSCGSW, The Customer authorises third party contractors SCGSW shall remain fully liable for all acts or omissions of any sub-processor appointed by it pursuant to process any of the Customer’s Personal Data (as defined in the Data Protection Legislation) provided that the third party contractor’s agreement with Managed Ink is: 18.5.1 on terms similar to these set out in this Agreement; andcondition 15.8.