Common use of Shared Personal Data Clause in Contracts

Shared Personal Data. The provisions which follow set out the framework for the sharing of personal data between the parties as data controllers. Each party acknowledges that one party (the Data Discloser) will regularly disclose to the other party (the Data Recipient) Shared Personal Data collected by the Data Discloser for the Agreed Purposes. Each party shall: (a) ensure that it has all necessary consents and notices in place to enable lawful transfer of the Shared Personal Data to the Data Recipient for the Agreed Purposes; (b) give full information to any data subject whose personal data may be processed under this agreement of the nature such processing and the rights thereof, including but not limited to the rights to access, erasure and objection. This includes giving notice that, on the termination of this agreement, personal data relating to them may be retained by or, as the case may be, transferred to one or more of the Data Recipients, their successors and assigns; (c) process the Shared Personal Data only for the Agreed Purposes; (d) not disclose or allow access to the Shared Personal Data to anyone other than the Permitted Recipients; (e) ensure that all Permitted Recipients are subject to written contractual obligations concerning the Shared Personal Data (including obligations of confidentiality) which are no less demanding than those imposed by this agreement; (f) ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the other party, to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. (g) not transfer any personal data obtained from the Data Discloser outside of the European Economic Area or the country in which the Data Discloser is based, unless the prior written consent of the data subject has been obtained and the following conditions are fulfilled: (i) complies with the provisions of Articles 26 of the GDPR (in the event the third party is a joint controller) or any other applicable provision in the Data Protection Legislation; and (ii) the transferring party complies with its obligations under the Data Protection Legislation ensures that (i) the transfer is to a country approved by the European Commission as providing adequate protection pursuant to Article 45 GDPR or any other applicable provision in the Data Protection Legislation; (ii) there are appropriate safeguards in place pursuant to Article 46 GDPR or any other applicable provision in the Data Protection Legislation; or (iii) one of the derogations for specific situations in Article 49 GDPR or any other applicable provision in the Data Protection Legislation applies to the transfer.

Shared Personal Data. The provisions which follow set This clause sets out the framework for the sharing provision of personal data between Shared Personal Data to the parties Company by the Provider (referred to in this clause as data controllersthe Data Discloser) as a controller. Each party acknowledges that one party (the Data Discloser) will regularly Discloser may disclose to the other party (the Data Recipient) Company Shared Personal Data collected by the Data Discloser for the Agreed Purposes. Effect of non-compliance with Data Protection Law. Each party shall comply with all the obligations imposed on a controller under the Data Protection Law, and in the event that there is any material breach of Data Protection Law by a party, the provisions of clause 7.3.3 of the General Terms and Conditions shall apply. Particular obligations relating to data sharing. Each party shall: (a) : ensure that it has all necessary notices and consents and notices lawful bases in place to enable lawful transfer of the Shared Personal Data to the Data Recipient Permitted Recipients for the Agreed Purposes; (b) ; give full information to any data subject whose personal data may be processed under this agreement Agreement of the nature of such processing and the rights thereof, including but not limited to the rights to access, erasure and objectionprocessing. This includes giving notice that, on during the termination course of this agreementAgreement, and any longer period of retention under clause 4.2 of the General Terms and Conditions, personal data relating to them may be retained by or, as the case may be, transferred to one or more of the Data Permitted Recipients, their successors and assigns; (c) assignees; process the Shared Personal Data only for the Agreed Purposes; (d) ; not disclose or allow access to the Shared Personal Data to anyone other than the Permitted Recipients; (e) ; ensure that all Permitted Recipients are subject to written contractual obligations concerning the Shared Personal Data (including obligations of confidentiality) which are no less demanding onerous than those imposed by this agreement; (f) Paragraph ; ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the other party, to protect against unauthorised or unlawful processing of personal data the Shared Personal Data and against accidental loss or destruction of, or damage to, personal data. (g) ; not transfer any personal data obtained from Shared Personal Data outside the Data Discloser outside of the European Economic Area or the country in which the Data Discloser is based, UK unless the prior written consent of the data subject has been obtained and the following conditions are fulfilled: (i) complies with the provisions of Articles 26 of the GDPR (in the event the third party is a joint controller) or any other applicable provision in the Data Protection Legislation; and (ii) the transferring party complies with its obligations under the Data Protection Legislation transferor ensures that that (i) the transfer is to a country approved by under the European Commission applicable Data Protection Law as providing adequate protection pursuant to Article 45 GDPR protection; or any other applicable provision in the Data Protection Legislation; (ii) there are appropriate safeguards or binding corporate rules in place pursuant to Article 46 GDPR or any other the applicable provision in the Data Protection LegislationLaw; or (iii) the transferor otherwise complies with its obligations under the applicable Data Protection Law by providing an adequate level of protection to any personal data that is transferred; or (iv) one of the derogations for specific situations in Article 49 GDPR or any other the applicable provision in the Data Protection Legislation Law applies to the transfer. Mutual assistance. Each party shall assist the other in complying with all applicable requirements of the Data Protection Law. In particular, each party shall: consult with the other party about any notices given to data subjects in relation to the Shared Personal Data; promptly inform the other party about the receipt of any data subject rights request in relation to the Shared Personal Data; provide the other party with reasonable assistance in complying with any data subject rights request in relation to the Shared Personal Data; not disclose, release, amend, delete or block any Shared Personal Data in response to a data subject rights request without first consulting the other party wherever possible; assist the other party, at the cost of the other party, in responding to any request from a data subject and in ensuring compliance with its obligations under the Data Protection Law with respect to security, personal data breach notifications, data protection impact assessments and consultations with the Information Commissioner or other regulators in relation to the Shared Personal Data; notify the other party without undue delay on becoming aware of any breach of the Data Protection Law in relation to the Shared Personal Data (but in any event in not less than 48 hours after becoming aware of the breach); at the written direction of the Data Discloser, delete or return Shared Personal Data and copies thereof to the Data Discloser on termination of this Agreement unless required by law to store the Shared Personal Data; use compatible technology for the processing of Shared Personal Data to ensure that there is no lack of accuracy resulting from personal data transfers; maintain complete and accurate records and information to demonstrate its compliance with this Paragraph ; and provide the other party with contact details of its Data Protection Officer.

Shared Personal Data. The provisions which follow set This paragraph sets out the framework for the sharing of personal data Personal Data between the parties Parties as data controllers. Each party Party acknowledges that from time to time one party (the Party will need to disclose Shared Personal Data Discloser) will regularly disclose to the other party (the Data Recipient) Shared Personal Data collected by the Data Discloser Party as data controller for the Agreed Purposes. The parties acknowledge that as at the date of this Agreement the parties do not consider that either of them acts as data processor for the other, and if that changes during the term of this Agreement then they will need to agree a separate data processing agreement as required by Data Protection Legislation. [Drafting Note: Parties may want to consider provisions regarding control of shared personal data and also the appointment of third party data processors]. Particular obligations relating to data sharing Each party Party shall: (a) : ensure that it has all any necessary notices and consents and notices are in place to enable lawful transfer of the Shared Personal Data to the Data Recipient other Party and their Permitted Recipients for the Agreed Purposes; (b) give full information to any data subject whose personal data may be processed under this agreement of the nature such processing and the rights thereof, including but not limited to the rights to access, erasure and objection. This includes giving notice that, on the termination of this agreement, personal data relating to them may be retained by or, as the case may be, transferred to one or more of the Data Recipients, their successors and assigns; (c) ; process the Shared Personal Data only for the Agreed Purposes; (d) ; not disclose or allow access to the Shared Personal Data to anyone other than the Permitted Recipients; (e) ; ensure that all Permitted Recipients are subject to written contractual obligations concerning the Shared Personal Data (including obligations of confidentiality) which are no less demanding onerous than those imposed by this agreement; (f) Agreement; ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the other party, measures to protect against unauthorised or unlawful processing of personal data Personal Data and against accidental loss or destruction of, or damage to, personal data. (g) Personal Data. not transfer any personal data obtained from Shared Personal Data outside the Data Discloser outside of the European Economic Area or the country in which the Data Discloser is based, EEA unless the prior written consent of the data subject has been obtained and the following conditions are fulfilled: (i) complies with the provisions of Articles 26 of the GDPR (in the event the third party is a joint controller) or any other applicable provision in the Data Protection Legislation; and (ii) the transferring party complies with its obligations under the Data Protection Legislation ensures that (i) the transfer is to a country approved by the European Commission as providing adequate protection pursuant to Article 45 GDPR or any other applicable provision in the Data Protection LegislationGDPR; (ii) there are appropriate safeguards in place pursuant to Article 46 GDPR or any other applicable provision in the Data Protection LegislationGDPR; or (iii) one of the derogations for specific situations in Article 49 GDPR applies to the transfer. [Drafting Note: Parties may want to consider additional obligations regarding data sharing]. Mutual assistance Each Party shall assist the other in complying with all applicable requirements of the Data Protection Legislation. In particular, each Party shall: promptly inform the other Party about the receipt of any data subject access request in relation to Shared Personal Data received from the other Party; provide the other Party with reasonable assistance in complying with any data subject access request in relation to Shared Personal Data received from that other Party; not disclose or release any Shared Personal Data received from the other applicable provision Party in response to a data subject access request without first consulting the other Party wherever possible; assist the other Party, at the cost of the other Party, in ensuring compliance with its obligations under the Data Protection Legislation applies with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; notify the other Party without undue delay on becoming aware of any breach of the Data Protection Legislation in relation to Shared Personal Data received from the other Party; and maintain complete and accurate records and information to demonstrate its compliance with this Schedule. Indemnity Each Party shall indemnify the other from and against all Losses suffered or incurred by the other Party and arising out of or in connection with any breach by that Party or any sub-contractors of this Schedule. - Governance, Monitoring and Reporting : Monitoring and Reporting ANNUAL REPORT87 ESCo shall, by 30 April each year during the term of this Agreement, provide the Developer with an annual report containing details of the following matters for the previous year, that year being the period from 1 April in the preceding calendar year to 31 March in the current calendar year: progress reports on the ESCo Works as against the agreed ESCo Programme of Works; the [CHPQA index]/[carbon intensity] of the Energy System; details of any material changes made to the transferEnergy System; a report reasonably demonstrating compliance with Clause 7.1.5 (ESCo’s Obligations) including calculated CO2 equivalent emissions data including the carbon intensity of heat delivered to each Connection applying carbon factors as applicable at the time of the [Planning Permission]/[Connection]; reasonable details of any connection of the Energy System with any premises or networks outside the Development, to the extent not otherwise contemplated in this Agreement. ESCo shall compile and submit in writing each quarter a performance report that contains as a minimum the following information for the preceding calendar quarter in relation to the Energy System: the amounts of, electricity, gas, water and any other fuels and utilities consumed and their cost for the period; a report on maintenance and repairs carried out during the period and intended to be carried out in the following three months. any business rates or other charges levied on ESCo in relation to the Energy System. a record of incidents during the quarter including: any meter found to be faulty, specifying the location of the meter, the cause of the fault and the action taken; any breakdown that occurred, specifying the cause, duration, impact and the action taken; any asset damaged, lost or stolen during the period, identifying the asset; and any other event that affected the delivery of Heat Supply to any Connection on the Development. ESCo shall, by 30 April each year during the term of this Agreement, provide the Developer with a forecast (the "Performance Forecast") of the following matters for the next financial year, being 1 May until the following 30 April:- expected progress of the ESCo Works and any proposed deviations as against the ESCo Programme of Works; details of all proposed repairs, maintenance and material changes to be undertaken in respect of the Energy System (including any sections of the Heat Distribution Network and HIUs constructed in relation to a Connection); and reasonable details of any proposed connection of the Energy System with any premises or networks outside the Development, to the extent not otherwise contemplated in this Agreement.

Shared Personal Data. The provisions which follow set out the framework for the sharing of personal data between the parties as data controllers. Each party acknowledges that one party (the Data Discloser) will regularly disclose to the other party (the Data Recipient) Shared Personal Data collected by the Data Discloser for the Agreed Purposes. Each party shall: (a) ensure that it has all necessary consents and notices in place to enable lawful transfer of the Shared Personal Data to the Data Recipient for the Agreed Purposes; (b) give full information to any data subject whose personal data may be processed under this agreement of the nature such processing and the rights thereof, including but not limited to the rights to access, erasure and objection. This includes giving notice that, on the termination of this agreement, personal data relating to them may be retained by or, as the case may be, transferred to one or more of the Data Recipients, their successors and assigns; (c) process the Shared Personal Data only for the Agreed Purposes; (d) not disclose or allow access to the Shared Personal Data to anyone other than the Permitted Recipients; (e) ensure that all Permitted Recipients are subject to written contractual obligations concerning the Shared Personal Data (including obligations of confidentiality) which are no less demanding than those imposed by this agreement; (f) ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the other party, to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. (g) not transfer any personal data obtained from the Data Discloser outside of the European Economic Area or the country in which the Data Discloser is based, unless the prior written consent of the data subject has been obtained and the following conditions are fulfilled: (i) complies with the provisions of Articles 26 of the GDPR (in the event the third party is a joint controller) or any other applicable provision in the Data Protection Legislation; and (ii) the transferring party complies with its obligations under the Data Protection Legislation ensures that that (i) the transfer is to a country approved by the European Commission as providing adequate protection pursuant to Article 45 GDPR or any other applicable provision in the Data Protection Legislation; (ii) there are appropriate safeguards in place pursuant to Article 46 GDPR or any other applicable provision in the Data Protection Legislation; or (iii) one of the derogations for specific situations in Article 49 GDPR or any other applicable provision in the Data Protection Legislation applies to the transfer.transfer.‌

Shared Personal Data. The provisions which follow set out the framework for the sharing of personal data between the parties as data controllers. Each party acknowledges that one party (the “Data Discloser”) will regularly disclose to the other party (the “Data Recipient”) Shared Personal Data collected by the Data Discloser for the Agreed Purposes. Each party shall: (a) ensure that it has all necessary consents and notices in place to enable lawful transfer of the Shared Personal Data to the Data Recipient for the Agreed Purposes. Specifically, the Partner shall ensure that it has all necessary consents and notices in place to enable lawful transfer of the Shared Personal Data to the Company and for the onward lawful transfer of that Shared Personal Data by the Company onto FCDEU; (b) give full information to any data subject whose personal data may be processed under this agreement Agreement of the nature such processing and the rights thereof, including but not limited to the rights to access, erasure and objectionprocessing. This includes giving notice that, on the termination of this agreementAgreement, personal data relating to them may be retained by or, as the case may be, transferred to one or more of the Data RecipientsRecipients and FCDEU, their successors and assigns; (c) process the Shared Personal Data only for the Agreed Purposes; (d) not disclose or allow access to the Shared Personal Data to anyone other than the Permitted Recipients; (e) ensure that all Permitted Recipients are subject to written contractual obligations concerning the Shared Personal Data (including obligations of confidentiality) which are no less demanding than those imposed by this agreementAgreement; (f) ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the other party, measures to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. (g) if the Data Recipient is based inside the EEA, the Data Recipient shall not transfer any personal data obtained from the Data Discloser outside of the European Economic Area or the country in which the Data Discloser is based, unless the prior written consent of the data subject has been obtained and the following conditions are fulfilled: (i) the transfer complies with the provisions of Articles 26 of the GDPR (in the event the third party is a joint controller) or any other applicable provision in the Data Protection Legislation); and (ii) the transferring party complies with its obligations under the Data Protection Legislation ensures that ensuring that (i) the transfer is to a country approved by the European Commission as providing adequate protection pursuant to Article 45 GDPR or any other applicable provision in the Data Protection LegislationGDPR; (ii) there are appropriate safeguards in place pursuant to Article 46 GDPR or any other applicable provision in the Data Protection LegislationGDPR; or (iii) one of the derogations for specific situations in Article 49 GDPR or any other applicable provision in the Data Protection Legislation applies to the transfer. (h) if the Data Recipient is based inside the UK, the Data Recipient shall not transfer personal data outside the UK unless such transfer complies with Data Protection Legislation applicable in the UK.

Shared Personal Data. The provisions which follow set This clause sets out the framework for the sharing of personal data between the parties as data controllers. Each party acknowledges that one party (referred to in this clause as the Data Discloser) will regularly disclose to the other party (the Data Recipient) Shared Personal Data collected by the Data Discloser for the Agreed Purposes. Each party shall comply with all the obligations imposed on a controller under the Data Protection Legislation, and any material breach of the Data Protection Legislation by one party shall: (a) , if not remedied within 30 days of written notice from the other party, give grounds to the other party to terminate this agreement with immediate effect. Each party shall: ensure that it has all necessary notices and consents and notices lawful bases in place to enable lawful transfer of the Shared Personal Data to the Data Recipient Permitted Recipients for the Agreed Purposes; (b) ; give full information to any data subject whose personal data may be processed under this agreement of the nature of such processing and the rights thereof, including but not limited to the rights to access, erasure and objectionprocessing. This includes giving notice that, on the termination of this agreement, personal data relating to them may be retained by or, as the case may be, transferred to one or more of the Data Permitted Recipients, their successors and assigns; (c) assignees; process the Shared Personal Data only for the Agreed Purposes; (d) ; not disclose or allow access to the Shared Personal Data to anyone other than the Permitted Recipients; (e) ; ensure that all Permitted Recipients are subject to written contractual obligations concerning the Shared Personal Data (including obligations of confidentiality) which are no less demanding onerous than those imposed by this agreement; (f) ; ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the other party, to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. (g) . not transfer any personal data obtained received from the Data Discloser outside of the European Economic Area or the country in which the Data Discloser is based, UK OR EEA unless the prior written consent of the data subject has been obtained and the following conditions are fulfilled: (i) complies with the provisions of Articles 26 of the GDPR (in the event the third party is a joint controller) or any other applicable provision in the Data Protection Legislation; and (ii) the transferring party complies with its obligations under the Data Protection Legislation transferor ensures that that (i) the transfer is to a country approved by under the European Commission applicable Data Protection Legislation as providing adequate protection pursuant to Article 45 GDPR protection; or any other applicable provision in the Data Protection Legislation; (ii) there are appropriate safeguards or binding corporate rules in place pursuant to Article 46 GDPR or any other the applicable provision in the Data Protection Legislation; or (iii) the transferor otherwise complies with its obligations under the applicable Data Protection Legislation by providing an adequate level of protection to any personal data that is transferred; or (iv) one of the derogations for specific situations in Article 49 GDPR or any other the applicable provision in the Data Protection Legislation applies to the transfer. Each party shall assist the other in complying with all applicable requirements of the Data Protection Legislation. In particular, each party shall: consult with the other party about any notices given to data subjects in relation to the Shared Personal Data; promptly inform the other party about the receipt of any data subject rights request; provide the other party with reasonable assistance in complying with any data subject rights request; not disclose, release, amend, delete or block any Shared Personal Data in response to a data subject rights request without first consulting the other party wherever possible; assist the other party, at the cost of the other party, in responding to any request from a data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, personal data breach notifications, data protection impact assessments and consultations with the Information Commissioner or other regulators; notify the other party without undue delay on becoming aware of any breach of the Data Protection Legislation; at the written direction of the Data Discloser, delete or return Shared Personal Data and copies thereof to the Data Discloser on termination of this agreement unless required by law to store the Shared Personal Data; use compatible technology for the processing of Shared Personal Data to ensure that there is no lack of accuracy resulting from personal data transfers; maintain complete and accurate records and information to demonstrate its compliance with this clause [NUMBER] [and allow for audits by the other party or the other party's designated auditor]; and provide the other party with contact details of at least one employee as point of contact and responsible manager for all issues arising out of the Data Protection Legislation, including the joint training of relevant staff, the procedures to be followed in the event of a data security breach, and the regular review of the parties' compliance with the Data Protection Legislation.

Shared Personal Data. The provisions which follow set This clause sets out the framework for the sharing of personal data between the parties as data controllers. Each party acknowledges that one party (referred to in this clause as the Data Discloser) will regularly may disclose to the other party (the Data Recipient) Shared Personal Data collected by the Data Discloser for the Agreed Purposes. Effect of non-compliance with Data Protection Law. Each party shall comply with all the obligations imposed on a controller under the Data Protection Law, and any material breach of the Data Protection Law by one party shall, if not remedied within 30 days of written notice from the other party, give grounds to the other party to terminate this agreement with immediate effect. Particular obligations relating to data sharing. Each party shall: (a) : ensure that it has all necessary notices and consents and notices lawful bases in place to enable lawful transfer of the Shared Personal Data to the Data Recipient Permitted Recipients for the Agreed Purposes; (b) ; give full information to any data subject whose personal data may be processed under this agreement of the nature of such processing and the rights thereof, including but not limited to the rights to access, erasure and objectionprocessing. This includes giving notice that, on during the termination course of this agreement, and any longer period of retention under clause 6.1, personal data relating to them may be retained by or, as the case may be, transferred to one or more of the Data Permitted Recipients, their successors and assigns; (c) assignees; process the Shared Personal Data only for the Agreed Purposes; (d) ; not disclose or allow access to the Shared Personal Data to anyone other than the Permitted Recipients; (e) ; ensure that all Permitted Recipients are subject to written contractual obligations concerning the Shared Personal Data (including obligations of confidentiality) which are no less demanding onerous than those imposed by this agreement; (f) ; ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the other party, to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. (g) . not transfer any personal data obtained received from the Data Discloser outside of the European Economic Area or the country in which the Data Discloser is based, UK unless the prior written consent of the data subject has been obtained and the following conditions are fulfilled: (i) complies with the provisions of Articles 26 of the GDPR (in the event the third party is a joint controller) or any other applicable provision in the Data Protection Legislation; and (ii) the transferring party complies with its obligations under the Data Protection Legislation transferor ensures that that (i) the transfer is to a country approved by under the European Commission applicable Data Protection Law as providing adequate protection pursuant to Article 45 GDPR protection; or any other applicable provision in the Data Protection Legislation; (ii) there are appropriate safeguards or binding corporate rules in place pursuant to Article 46 GDPR or any other the applicable provision in the Data Protection LegislationLaw; or (iii) the transferor otherwise complies with its obligations under the applicable Data Protection Law by providing an adequate level of protection to any personal data that is transferred; or (iv) one of the derogations for specific situations in Article 49 GDPR or any other the applicable provision in the Data Protection Legislation Law applies to the transfer. Mutual assistance. Each party shall assist the other in complying with all applicable requirements of the Data Protection Law. In particular, each party shall: consult with the other party about any notices given to data subjects in relation to the Shared Personal Data; promptly inform the other party about the receipt of any data subject rights request; provide the other party with reasonable assistance in complying with any data subject rights request; not disclose, release, amend, delete or block any Shared Personal Data in response to a data subject rights request without first consulting the other party wherever possible; assist the other party, at the cost of the other party, in responding to any request from a data subject and in ensuring compliance with its obligations under the Data Protection Law with respect to security, personal data breach notifications, data protection impact assessments and consultations with the Information Commissioner or other regulators; notify the other party without undue delay on becoming aware of any breach of the Data Protection Law; at the written direction of the Data Discloser, delete or return Shared Personal Data and copies thereof to the Data Discloser on termination of this agreement unless required by law to store the Shared Personal Data; use compatible technology for the processing of Shared Personal Data to ensure that there is no lack of accuracy resulting from personal data transfers; maintain complete and accurate records and information to demonstrate its compliance with this Schedule; and provide the other party with contact details of at least one employee as point of contact and responsible manager for all issues arising out of the Data Protection Law, including the joint training of relevant staff, the procedures to be followed in the event of a data security breach, and the regular review of the parties' compliance with the Data Protection Law.

Shared Personal Data. The provisions which follow set For the purposes of this Schedule 1, terms used but not defined will be interpreted in accordance with Part 12. Revolut and you understand and acknowledge that Revolut may, in certain limited circumstances, process Personal Data as a Processor on your behalf pursuant to the terms of this Agreement. Schedule 2 (Data Processing Information) to this Agreement sets out the framework for subject-matter and duration of the sharing processing, the nature and purpose of personal data between the parties as data controllers. Each party acknowledges that one party (processing, the Data Discloser) will regularly disclose to the other party (the Data Recipient) Shared types of Personal Data collected processed by the Processor and categories of Data Discloser for Subjects whose Personal Data are processed and the Agreed Purposesobligations and rights of the Controller. Each party To the extent that Revolut processes Personal Data on your behalf during the course of providing the Services pursuant to this Agreement, then Revolut agrees that with respect to such Personal Data it shall: (a) ensure that it has process all necessary consents and notices in place Personal Data supplied or provided by you or collected or otherwise obtained on your behalf only on documented instructions from you, including with regard to enable lawful transfer transfers of the Shared Personal Data to a third country or an international organisation, unless required to do so by Applicable Laws in which case Revolut shall promptly and to the Data Recipient for the Agreed Purposesmaximum extent permitted inform you of that legal requirement before processing; (b) give full information take all such steps necessary to ensure that any data subject whose personal data may be processed persons authorised to process the Personal Data have committed themselves to confidentiality or are under this agreement an appropriate statutory obligation of the nature such processing and the rights thereof, including but not limited to the rights to access, erasure and objection. This includes giving notice that, on the termination of this agreement, personal data relating to them may be retained by or, as the case may be, transferred to one or more of the Data Recipients, their successors and assignsconfidentiality; (c) process take all measures required pursuant to Article 32 of the Shared GDPR, including (without limitation) implementing and maintaining appropriate administrative, physical, technical and organisational measures to protect any Personal Data only for the Agreed Purposesaccessed or processed by it pursuant to this Agreement against unauthorised or unlawful processing or accidental loss, destruction, damage or disclosure and any other standards required by law or regulation that are directly applicable; (d) not disclose respect the conditions referred to in paragraphs 2 and 4 of Article 28 of the GDPR for engaging a sub-Processor including (without limitation) informing you of its intention to appoint new or allow access to the Shared Personal Data to anyone other than the Permitted Recipientsreplacement key sub-Processors; (e) ensure that all Permitted Recipients that, in any case where a sub-Processor is instructed, it enters into a contract with the sub-Processor which imposes substantially the same data protection obligations as are subject included in this Schedule 1. For the avoidance of doubt, Revolut shall remain fully responsible and liable to written contractual obligations concerning you for the Shared Personal Data (including obligations acts and omissions of confidentiality) which are no less demanding than those imposed by this agreementits appointed sub-Processors; (f) ensure that it has in place taking into account the nature of the processing, assist and provide support to you by appropriate technical and organisational measures, reviewed insofar as this is possible, for the fulfilment of your obligation(s) to respond to requests for exercising the Data Subject’s rights laid down in Chapter III of the GDPR. Where any such request is submitted to Revolut, it shall promptly notify you of the same and approved by the other party, to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.refrain from taking any action without your prior consent; (g) not transfer any personal data obtained from taking into account the Data Discloser outside nature of the European Economic Area processing and the information available, provide reasonable assistance to you to enable it to comply with its obligations pursuant to Articles 32 to 36 of the GDPR including, for the avoidance of doubt, in relation to the security of processing, Personal Data Breach notifications, data protection impact assessments and prior consultations with Supervisory Authorities; (h) upon termination of this Agreement and at your election, either promptly return all the Personal Data to you and delete any copies of such Personal Data, or the country destroy and delete such Personal Data in which the Data Discloser is basedaccordance with your written instructions, unless required by Applicable Laws to retain them. For the prior written consent avoidance of the data subject has been obtained doubt, Revolut shall securely and the following conditions are fulfilled:permanently erase or destroy any copies of Personal Data stored by it; (i) complies with the provisions upon becoming aware of Articles 26 of the GDPR (any Personal Data Breach, promptly notify to you in the event the third party is a joint controller) or any other applicable provision in the Data Protection Legislationwriting; and (iij) make available to you all information necessary to demonstrate compliance with the transferring party complies with its obligations under laid down in Article 28 of the Data Protection Legislation ensures that GDPR and allow for and contribute to audits, including inspections, conducted by you or another auditor mandated by you, including (iwithout limitation) allowing you, you employees or authorised agents or advisers upon reasonable prior written notice to Revolut, not more frequently than once per rolling twelve month period, at a mutually agreeable date and time, and at your sole cost and expense, reasonable access to any relevant premises, resources and personnel of Revolut, during normal business hours, to inspect the transfer is procedures and measures referred to a country in this Schedule 1 during the term of this Agreement. Such audits must be approved by the European Commission as providing adequate protection pursuant to Article 45 GDPR or any other applicable provision Revolut in the Data Protection Legislation; (ii) there are appropriate safeguards writing in place pursuant to Article 46 GDPR or any other applicable provision in the Data Protection Legislation; or (iii) one of the derogations for specific situations in Article 49 GDPR or any other applicable provision in the Data Protection Legislation applies to the transferadvance.

Shared Personal Data. The provisions which follow set out the framework for the sharing of personal data between the parties as data controllers. Each party acknowledges that one party (the Data Discloser) will regularly disclose to the other party (the Data Recipient) Shared Personal Data collected by the Data Discloser for the Agreed Purposes. Each party shall: (a) ensure that it has all necessary consents and notices in place to enable lawful transfer of the Shared Personal Data to the Data Recipient and other Permitted Recipients for the Agreed Purposes; (b) give full information to any data subject whose personal data may be processed under this agreement of the nature such processing and the rights thereof, including but not limited to the rights to access, erasure and objectionprocessing. This includes giving notice that, on the termination of this agreement, personal data relating to them may be retained by or, as the case may be, transferred to one or more of the Data Recipients, Permitted Recipients, their successors and assigns; (c) process the Shared Personal Data only for the Agreed Purposes; (d) not disclose or allow access to the Shared Personal Data to anyone other than the Permitted Recipients; (e) ensure that all Permitted Recipients are subject to written contractual obligations concerning the Shared Personal Data (including obligations of confidentiality) which are no less demanding than those imposed by this agreement; (f) process no other personal data acquired in connection with this agreement other than the Shared Personal Data; (g) ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the other party, measures to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. (gh) not transfer any personal data obtained from the Data Discloser outside of the European Economic Area Area, or the country any other restricted territory set in which future by the Data Discloser is based, Protection Laws unless the prior written consent of the data subject has been obtained and the following conditions are fulfilled: (i) complies the data subject has enforceable rights and effective legal remedies with regard to the provisions of Articles 26 of the GDPR (in the event the third party is a joint controller) or any other applicable provision in the Data Protection Legislation; andtransferred personal data; (iij) the transferring party complies with its obligations under the Data Protection Legislation ensures that (i) the transfer by providing an adequate level of protection to any personal data that is to a country approved by the European Commission as providing adequate protection pursuant to Article 45 GDPR or any other applicable provision in the Data Protection Legislation; (ii) there are appropriate safeguards in place pursuant to Article 46 GDPR or any other applicable provision in the Data Protection Legislation; or (iii) one of the derogations for specific situations in Article 49 GDPR or any other applicable provision in the Data Protection Legislation applies to the transfertransferred.