Without prejudice to the generality of Clause 12.2, the Manager shall, in relation to any Personal Data processed in connection with the performance by the Manager of its obligations under this Agreement:
12.4.1 process that Personal Data only on the written instructions of the General Partner unless the Manager is required by the laws of any member of the European Union or by the laws of the European Union applicable to the Manager to process Personal Data (“Applicable Laws”). Where the Manager is relying on laws of a member of the European Union or European Union law as the basis for processing Personal Data, the Manager shall promptly notify the General Partner of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Manager from so notifying the General Partner;
12.4.2 ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures;
12.4.3 ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential;
12.4.4 not transfer any Personal Data outside of the European Economic Area unless the following conditions are fulfilled:
(a) the Manager has provided appropriate safeguards in relation to the transfer;
(b) the data subject has enforceable rights and effective legal remedies;
(c) the Manager complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and
(d) the Manager complies with reasonable instructions notified to it in advance by the General Partner with respect to such processing of the Personal Data;
12.4.5 assist the General Partner, at the Manager's cost, in responding to any request from a data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
12.4.6 notify the General Partner without undue delay (and in any event within 24 hours) in the event that it suspects or becomes aware of any Personal Data breach or breach of any Data Protection Legislation by the Manager in connection with the Agreement, and shall, at the Manager’s cost: (i) investigate the incident and provide the General Partner, on an ongoing basis, with detailed information about the breach; and (ii) take all reasonable steps to mitigate the effects of the breach and to minimise any damage resulting from the breach; and (iii) co-operate with General Partner to provide information in connection with the breach or any notice required to be sent out to any third party in connection with the breach;
12.4.7 at the written direction of the General Partner, delete or return Personal Data and copies thereof to the General Partner (or its nominee) on expiry or termination of the Agreement unless required by Applicable Law to store the Personal Data; and
12.4.8 maintain complete and accurate records and information to demonstrate its compliance with this Clause 12 and allow for audits by the General Partner or its designated auditor.
Appears in 1 contract
Sources: Management Services Agreement
Without prejudice to the generality of Clause 13.1, the Provider shall, in relation to any Personal Data processed in connection with the performance by the Provider of its obligations under this agreement:
(a) process that Personal Data only on the written instructions of the Council (as set out in Schedule 7), unless the Provider is required by the laws of any member of the European Union or by the laws of the European Union (Applicable Laws) applicable to the Provider to otherwise process the Personal Data. Where the Provider is so required, it shall promptly notify the Council before processing the Personal Data, unless prohibited by the applicable laws;
(b) ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the Council, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it);
(c) not transfer any Personal Data outside of the European Economic Area unless the prior written consent of the Council has been obtained and the following conditions are fulfilled:
i. the Council or the Provider has provided appropriate safeguards in relation to the transfer;
ii. the Data Subject has enforceable rights and effective legal remedies;
iii. the Provider complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and
iv. the Provider complies with the reasonable instructions notified to it in advance by the Council with respect to the processing of the Personal Data;
(d) notify the Council immediately if it receives:
i. a request from a Data Subject to have access to that person's Personal Data;
ii. a request to rectify, block or erase any Personal Data;
iii. receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation (including any communication from the Information Commissioner);
(e) assist the Council in responding to any request from a Data Subject and in ensuring compliance with the Council's obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
(f) notify the Council immediately and in any event within 24 hours on becoming aware of a Personal Data breach including without limitation any event that results, or may result, in unauthorised access, loss, destruction, or alteration of Personal Data in breach of this agreement;
(g) at the written direction of the Council, delete or return Personal Data and copies thereof to the Service User on termination or expiry of the agreement unless required by the applicable laws to store the Personal Data;
(h) maintain complete and accurate records and information to demonstrate its compliance with this clause 13 and allow for audits by the Council or the Council's designated auditor pursuant to clause 10;
Appears in 1 contract
Sources: Open Framework Agreement for the Provision of Homecare Services
Without prejudice to the generality of Clause 15.1, AvISO shall, in relation to any Personal Data processed in connection with the performance by AvISO of its obligations under this Agreement:
15.4.1 process that Personal Data only on the written instructions of the Client unless AvISO is required by the laws of any member of the European Union or by the laws of the European Union applicable to AvISO to process Personal Data (“Applicable Laws”). Where AvISO is relying on laws of a member of the European Union or European Union law as the basis for processing Personal Data, AvISO shall promptly notify the Client of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit AvISO from so notifying the Client;
15.4.2 ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the Client, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it);
15.4.3 ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; and
15.4.4 not transfer any Personal Data outside of the UK unless the prior written consent of the Client has been obtained and the following conditions are fulfilled:
15.4.4.1 the Client or AvISO has provided appropriate safeguards in relation to the transfer;
15.4.4.2 the data subject has enforceable rights and effective legal remedies;
15.4.4.3 AvISO complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and
15.4.4.4 AvISO complies with reasonable instructions notified to it in advance by the Client with respect to the processing of the Personal Data;
15.4.5 assist the Client, at the Client's cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
12.4.6 15.4.6 notify the General Partner Client without undue delay (and in any event within 24 hours) in the event that it suspects or becomes on becoming aware of any a Personal Data breach or breach of any Data Protection Legislation by the Manager in connection with the Agreement, and shall, at the Manager’s cost: (i) investigate the incident and provide the General Partner, on an ongoing basis, with detailed information about the breach; and (ii) take all reasonable steps to mitigate the effects of the breach and to minimise any damage resulting from the breach; and (iii) co-operate with General Partner to provide information in connection with the breach or any notice required to be sent out to any third party in connection with the breach;
15.4.7 at the written direction of the Client, delete or return Personal Data and copies thereof to the Client on expiry or termination of the Agreement unless required by Applicable Law to store the Personal Data; and
15.4.8 maintain complete and accurate records and information to demonstrate its compliance with this clause 15.
Appears in 1 contract
Sources: Master Services Agreement
Without prejudice to the generality of Clause 20.1, the Supplier shall, in relation to any Personal Data processed in connection with the performance by the Supplier of its obligations under this agreement:
(a) process that Personal Data only on the written instructions of the Customer unless the Supplier is required by the laws of any member of the European Union or by the laws of the European Union applicable to the Supplier to process Personal Data (“Applicable Laws”). Where the Supplier is relying on laws of a member of the European Union or European Union law as the basis for processing Personal Data, the Supplier shall promptly notify the Customer of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Supplier from so notifying the Customer;
(b) ensure that it has in place appropriate technical and organisational measures, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it);
(c) ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential;
(d) excluding any access to or use of the Supplier Software by any of the Licensed Users from a country outside of the European Economic Area (EEA) or routing of emails outside of the Supplier’s control, not transfer any Personal Data outside of the EEA unless the following conditions are fulfilled:
(i) the Customer or the Supplier has provided appropriate safeguards in relation to the transfer;
(ii) the data subject has enforceable rights and effective legal remedies;
(iii) the Supplier complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and
(iv) the Supplier complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data;
(e) assist the Customer, at the Customer's cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
12.4.6 (f) notify the General Partner Customer without undue delay (and in any event within 24 hours) in the event that it suspects or becomes on becoming aware of any a Personal Data breach or breach of any Data Protection Legislation by the Manager in connection with the Agreement, and shall, at the Manager’s cost: (i) investigate the incident and provide the General Partner, on an ongoing basis, with detailed information about the breach; and (ii) take all reasonable steps to mitigate the effects of the breach and to minimise any damage resulting from the breach; and (iii) co-operate with General Partner to provide information in connection with the breach or any notice required to be sent out to any third party in connection with the breach;
(g) at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer on expiry or termination of the agreement unless required by Applicable Law to store the Personal Data; and
(h) maintain complete and accurate records and information to demonstrate its compliance with this clause 20.
Appears in 1 contract
Sources: Master Services Agreement
Without prejudice to the generality of Clause 11.1, the Supplier shall, in relation to any Personal Data processed in connection with the performance by the Supplier of its obligations under this Agreement:
(a) process that Personal Data only on the written instructions of the Client unless the Supplier is required by the laws of any member of the European Union or by the laws of the European Union applicable to the Supplier to process Personal Data (“Applicable Laws”). Where the Supplier is relying on Applicable Law as the basis for processing Personal Data, the Supplier shall promptly notify the Client of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Supplier from so notifying the Client;
(b) ensure that it has in place appropriate technical and organisational measures, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it);
(c) not transfer any Personal Data outside of the EEA unless the following conditions are fulfilled:
(i) the Client or the Supplier has provided appropriate safeguards in relation to the transfer. If cross border transfer of Personal Data occurs, the Client authorises the Supplier to enter into SCC with the third-party processors in the Client’s name and on its behalf, when these are necessary. Standard Contractual Clauses (SCC) means the European Commission's Standard Contractual Clauses for the transfer of Personal Data from the European Union to processors established in third countries (controller-to-processor transfers), as set out in the Annex to Commission Decision 2010/87/EU as adapted for the UK;
(ii) the Data Subject has enforceable rights and effective legal remedies;
(iii) the Supplier complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and
(iv) the Supplier complies with reasonable instructions notified to it in advance by the Client with respect to the processing of the Personal Data;
(d) assist the Client, at the Client's cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
12.4.6 (e) notify the General Partner Client without undue delay (and in any event within 24 hours) in the event that it suspects or becomes on becoming aware of any a Personal Data breach or breach of any Data Protection Legislation by the Manager in connection with the Agreement, and shall, at the Manager’s cost: (i) investigate the incident and provide the General Partner, on an ongoing basis, with detailed information about the breach; and (ii) take all reasonable steps to mitigate the effects of the breach and to minimise any damage resulting from the breach; and (iii) co-operate with General Partner to provide information in connection with the breach or any notice required to be sent out to any third party in connection with the breach;
(f) at the written direction of the Client, delete or return Personal Data and copies thereof to the Client on expiry or termination of the Agreement unless required by Applicable Law to store the Personal Data; and
(g) maintain complete and accurate records and information to demonstrate its compliance with this Clause 11.
Appears in 1 contract
Sources: General Terms and Conditions
Without prejudice to the generality of Clause 23.1, the Supplier shall, in relation to any Personal Data processed in connection with the performance by the Supplier of its obligations under this agreement:
12.4.1 (a) process that Personal Data only on the written instructions of the General Partner Authority, unless the Manager Supplier is required to do otherwise by the laws of any member of the European Union or by the laws of the European Union applicable to the Manager to process Personal Data (“Applicable Laws”)Law. Where the Manager If it is relying on laws of a member of the European Union or European Union law as the basis for processing Personal Dataso required, the Manager Supplier shall promptly notify the General Partner of this Authority before performing processing the processing required Personal Data, unless prohibited by the Applicable Laws unless those Applicable Laws prohibit the Manager from so notifying the General PartnerLaws;
(b) ensure that it has in place appropriate technical and organisational measures which have been reviewed and approved by the Authority, to protect against a Data Loss Event having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Data Loss Event;
(iii) the state of technological development; and
(iv) the cost of implementing any measures
(c) the Supplier’s Personnel do not process Personal Data except in accordance with this Agreement;
12.4.3 (d) it takes all reasonable steps to ensure that all personnel the reliability and integrity of any Supplier’s Personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidentialand ensure that they:
(i) are aware of and comply with the Supplier’s duties under this clause;
(ii) are subject to appropriate confidentiality undertakings with the Supplier or any Sub-Processor
(iii) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority or as otherwise permitted by this Agreement; and
(iv) have undergone adequate training in the use, care, protection and handling of Personal Data; and
(e) not transfer any Personal Data outside of the EU unless the prior written consent of the Authority has been obtained and the following conditions are fulfilled:
(i) the Authority or the Supplier has provided appropriate safeguards in relation to the transfer;
(ii) the Data Subject has enforceable rights and effective legal remedies;
(iii) the Supplier complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and
(iv) the Supplier complies with the reasonable instructions notified to it in advance by the Authority with respect to the processing of the Personal Data;
12.4.5 assist the General Partner, at the Manager's cost, in responding to any request from a data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
12.4.6 notify the General Partner without undue delay (and in any event within 24 hoursf) in the event that it suspects or becomes aware of any Personal Data breach or breach of any Data Protection Legislation by the Manager in connection with the Agreement, and shall, at the Manager’s cost: (i) investigate the incident and provide the General Partner, on an ongoing basis, with detailed information about the breach; and (ii) take all reasonable steps to mitigate the effects of the breach and to minimise any damage resulting from the breach; and (iii) co-operate with General Partner to provide information in connection with the breach or any notice required to be sent out to any third party in connection with the breach;
12.4.7 at the written direction of the General PartnerAuthority, delete or return Personal Data (and any copies thereof of it) to the General Partner (or its nominee) Authority on expiry or termination of the Agreement unless the Supplier is required by Applicable Law to store retain the Personal Data; and
12.4.8 maintain complete and accurate records and information to demonstrate its compliance with this Clause 12 and allow for audits by the General Partner or its designated auditor.
Appears in 1 contract
Sources: Dog Kennelling Services Contract
Without prejudice to the generality of Clause 15.1, where the Contractor processes Personal Data as a Data Processor on behalf of the Authority as Data Controller in connection with the performance by the Contractor of its obligations under this Contractor Licence, the Personal Data shall be specified in the Schedule and the Contractor shall:
15.3.1 process that Personal Data only on the documented written instructions of the Authority unless the Contractor is required by Applicable Laws to otherwise process that Personal Data. Where the Contractor is relying on Applicable Laws as the basis for processing Personal Data, the Contractor shall promptly notify the Authority of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Contractor from so notifying the Authority;
15.3.2 ensure that it has in place appropriate technical and organisational measures, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it);
15.3.3 ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; and
15.3.4 not transfer any Personal Data outside of the European Economic Area unless the prior written consent of the Authority has been obtained and the following conditions are fulfilled:
(a) the Manager has provided appropriate safeguards in relation to the transfer;
(b) the data subject has enforceable rights and effective legal remedies;
(c) the Manager complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and
(d) the Manager complies with reasonable instructions notified to it in advance by the General Partner with respect to such processing of the Personal Data;
12.4.5 assist the General Partner, at the Manager's cost, in responding to any request from a data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
12.4.6 notify the General Partner without undue delay (and in any event within 24 hours) in the event that it suspects or becomes aware of any Personal Data breach or breach of any Data Protection Legislation by the Manager in connection with the Agreement, and shall, at the Manager’s cost: (i) investigate the incident and provide the General Partner, on an ongoing basis, with detailed information about the breach; and (ii) take all reasonable steps to mitigate the effects of the breach and to minimise any damage resulting from the breach; and (iii) co-operate with General Partner to provide information in connection with the breach or any notice required to be sent out to any third party in connection with the breach;
12.4.7 at the written direction of the General Partner, delete or return Personal Data and copies thereof to the General Partner (or its nominee) on expiry or termination of the Agreement unless required by Applicable Law to store the Personal Data; and
12.4.8 maintain complete and accurate records and information to demonstrate its compliance with this Clause 12 and allow for audits by the General Partner or its designated auditor.
Appears in 1 contract
Sources: Data Co Operation Agreement
Without prejudice to the generality of Clause. 12.28.1, the Manager Consultant shall, in relation to any Personal Data processed in connection with the performance by the Manager Consultant of its obligations under this Agreement:
12.4.1 Contract: process that Personal Data only on the documented written instructions of the General Partner University unless the Manager Consultant is required by the laws of any member of the European Union or by the laws of the European Union applicable Law to the Manager to otherwise process that Personal Data (“Applicable Laws”)Data. Where the Manager Consultant is relying on laws of a member of the European Union or European Union law as the basis for processing Personal Data, the Manager Consultant shall promptly notify the General Partner University of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Manager Consultant from so notifying the General Partner;
12.4.2 University ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the University, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures;
12.4.3 measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it); ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential;
12.4.4 ; and not transfer any Personal Data outside of the European Economic Area unless the prior written consent of the University has been obtained and the following conditions are fulfilled:
(a) : the Manager University or the Consultant has provided appropriate safeguards in relation to the transfer;
(b) ; the data subject has enforceable rights and effective legal remedies;
(c) ; the Manager Consultant complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and
(d) and the Manager Consultant complies with reasonable instructions notified to it in advance by the General Partner University with respect to such the processing of the Personal Data;
12.4.5 ; assist the General Partner University, at the Manager University's cost, in responding to any request from a data subject Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
12.4.6 ; notify the General Partner University without undue delay (and in any event within 24 hours) in the event that it suspects or becomes on becoming aware of any a Personal Data breach or breach of any Data Protection Legislation by the Manager in connection with the Agreement, and shall, at the Manager’s cost: (i) investigate the incident and provide the General Partner, on an ongoing basis, with detailed information about the breachBreach; and (ii) take all reasonable steps to mitigate the effects of the breach and to minimise any damage resulting from the breach; and (iii) co-operate with General Partner to provide information in connection with the breach or any notice required to be sent out to any third party in connection with the breach;
12.4.7 at the written direction of the General Partner University, delete or return Personal Data and copies thereof to the General Partner (or its nominee) University on expiry or termination of the Agreement Contract unless required by Applicable Law to store the Personal Data; and
12.4.8 and maintain complete and accurate records and information to demonstrate its compliance with this Clause 12 clause 8 and allow for audits by the General Partner University or its the University's designated auditor and immediately inform the University if, in the opinion of the Consultant, an instruction infringes the Data Protection Legislation.
Appears in 1 contract
Sources: Contract for [Insert]