Common use of Whitespace as the Processor shall Clause in Contracts

Whitespace as the Processor shall. 15.8.1. Process the Personal Data only on the instructions of the Customer; 15.8.2. not transfer the Personal Data outside of the UK unless it has appropriate safeguards in place permitting such transfer in accordance with clause 15.8.5. 15.8.3. ensure that its staff who process Personal Data have had the necessary training regarding handling and security of Personal Data and have committed themselves to confidentiality or are under appropriate statutory obligation of confidentiality; 15.8.4. Take all reasonable measures pursuant to Article 32 of GDPR, in particular: i. implement and maintain suitable and appropriate technical and organisational measures and controls to prevent unauthorised or unlawful processing of Personal Data and accidental loss, destruction, damage, theft, use or disclosure of such Personal Data, and shall protect against any security threats to the Personal Data and detect and prevent unauthorised processing of or access to Personal Data; ii. comply with its Information Security Standards; iii. install and maintain all necessary software updates to ensure compliance of Article 32 and shall give notice to the Client of such updates which affect the Whitespace Service. iv. in assessing the appropriate level of security, taking into account the risks that are presented by the Processing of Personal Data, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise Processed; and v. take such steps to ensure that any person acting under the authority of the Processor who has access to the Personal Data does not Process such Personal Data except in respect of the Whitespace Service, unless he or she is required to do so by law. 15.8.5. Where the Processor engages another processor for carrying out specific processing activities on behalf of the Client (a sub-processor), the Processor shall impose the same data protection obligations as required by GDPR on the sub-processor. 15.8.6. On request from the Client and subject to the Client paying Whitespace’s reasonable costs (as detailed in Schedule 3 and Schedule 4) in collating and such data, assisting in any Data Subject requests and/or any co- operation under Article 28(3)(f) of GDPR. 15.8.7. At the request of the Client destroy, anonymise or return Personal Data relating to the Whitespace Service to the Client at the end of this Agreement, unless the Personal Data is required by law and/or to carry out contractual obligation. Whitespace will provide written confirm such actions have been completed. Whitespace reserves the right to charge for such services at the daily rate detailed in Schedule 3 and Schedule 4. 15.8.8. Make available to the Client all information necessary to demonstrate compliance with the obligations set out in clause 15.8. 15.8.9. Inform the Client if, in Whitespace’s opinion, an instruction infringes GDPR. 15.8.10. Notify the Client within 48 hours after becoming aware of: 15.8.10.1. a Personal Data Breach; 15.8.10.2. any Personal Data Breach notification, complaint or other notice or communication in relation to the Processing of either party’s compliance to GDPR.

Whitespace as the Processor shall. 15.8.116.8.1. Process the Personal Data only on the instructions of the CustomerClient; 15.8.216.8.2. not transfer the Personal Data outside of the UK unless it has appropriate safeguards in place permitting such transfer in accordance with clause 15.8.5. 15.8.316.8.3. ensure that its staff who process Personal Data have had the necessary training regarding handling and security of Personal Data and have committed themselves to confidentiality or are under appropriate statutory obligation of confidentiality; 15.8.416.8.4. Take all reasonable measures pursuant to Article 32 of GDPR, in particular: i. implement and maintain suitable and appropriate technical and organisational measures and controls to prevent unauthorised or unlawful processing of Personal Data and accidental loss, destruction, damage, theft, use or disclosure of such Personal Data, and shall protect against any security threats to the Personal Data and detect and prevent unauthorised processing of or access to Personal Data; ii. comply with its Information Security Standards; iii. install and maintain all necessary software updates to ensure compliance of Article 32 and shall give notice to the Client of such updates which affect the Whitespace Service. iv. in assessing the appropriate level of security, taking into account the risks that are presented by the Processing of Personal Data, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise Processed; and v. take such steps to ensure that any person acting under the authority of the Processor who has access to the Personal Data does not Process such Personal Data except in respect of the Whitespace Service, unless he or she is required to do so by law. 15.8.516.8.5. Where the Processor engages another processor for carrying out specific processing activities on behalf of the Client (a sub-processor), the Processor shall impose the same data protection obligations as required by GDPR on the sub-processor. 15.8.616.8.6. On request from the Client and subject to the Client paying Whitespace’s reasonable costs (as detailed in Schedule 3 1 and Schedule 42) in collating and such data, assisting in any Data Subject requests and/or any co- operation under Article 28(3)(f) of GDPR. 15.8.716.8.7. At the request of the Client destroy, anonymise or return Personal Data relating to the Whitespace Service to the Client at the end of this the Agreement, unless the Personal Data is required by law and/or to carry out contractual obligation. Whitespace will provide written confirm such actions have been completed. Whitespace reserves the right to charge for such services at the daily rate detailed in Schedule 3 1 and Schedule 42. 15.8.816.8.8. Make available to the Client all information necessary to demonstrate compliance with the obligations set out in clause 15.8. 15.8.916.8.9. Inform the Client if, in Whitespace’s opinion, an instruction infringes GDPR. 15.8.1016.8.10. Notify the Client within 48 6 hours after becoming aware of: 15.8.10.116.8.10.1. a Personal Data Breach; 15.8.10.216.8.10.2. any Personal Data Breach notification, complaint or other notice or communication in relation to the Processing of either party’s compliance to GDPR.