Common use of CONTROLLER/PROCESSOR STATUS AND OBLIGATIONS Clause in Contracts

CONTROLLER/PROCESSOR STATUS AND OBLIGATIONS. 2.1 Each Party shall comply with DP Laws and its obligations under this Appendix. 2.2 As at the date of this Agreement, the Parties acknowledge and agree that in respect of the Protected Data, the Counterparty shall be a Controller and IPSX shall be a Controller or a Processor depending on the processing activity. If and to the extent: 2.2.1. IPSX processes any Protected Data as Processor on behalf of Counterparty, paragraphs 2.1, 2.2, 2.8 and 3 of this Appendix shall apply to such processing; and 2.2.2. IPSX processes any Protected Data as Controller, paragraphs 2.1 to 2.8 of this Appendix shall apply to such processing. 2.3 Each Party shall implement and maintain, at its own cost and expense, appropriate technical and organisational measures in relation to its processing of Protected Data (including, in IPSX’s case, during any transfer of Protected Data to the Counterparty). 2.4 Each Party agrees to provide the other Party information, assistance and cooperation in relation to: (a) any request from, or requirement of, any Supervisory Authority or any other regulatory or judicial body of competent jurisdiction; or (b) any Data Subject Request in relation to the Protected Data that may be held by both of them. 2.5 IPSX shall provide reasonable cooperation and assistance to the Counterparty in relation to any remedial action to be taken in response to a Personal Data Breach, including regarding any communication of the Personal Data Breach to the Data Subjects whose Personal Data is affected (subject to the Counterparty’s authorisation). 2.6 To the extent permitted by applicable law, IPSX shall not: (a) notify a Supervisory Authority or Data Subject of any Personal Data Breach; or (b) issue any public statement or otherwise notify any Data Subject of such Personal Data Breach, without first consulting with, and obtaining the consent of, the Counterparty (such consent not to be unreasonably withheld or delayed). 2.7 Without prejudice to paragraph 2.1 of this Appendix, where IPSX transfers Protected Data to the Counterparty, IPSX warrants to the Counterparty that: 2.7.1. it has a lawful basis under DP Laws on which it transfers and processes the Protected Data; 2.7.2. it will only provide or transfer Protected Data to the Counterparty which is: (i) the minimum data required for the performance of the services and its other obligations under this Agreement; and (ii) accurate and up-to-date; 2.7.3. it has provided (or procured the provision of) a privacy notice in respect of such Protected Data to each Data Subject in accordance with DP Laws, and has ensured that such privacy notice is clear and provides sufficient information to the Data Subjects for them to understand what of their Protected Data IPSX is sharing with the Member, the circumstances in which it will be shared, the purposes for the data sharing and either the identity and contact details of the Counterparty or a description of the type of organisation that will receive the Protected Data. 2.8 IPSX shall indemnify and keep indemnified the Counterparty and each member of the Counterparty group in respect of all DP Losses suffered or incurred by, awarded against or agreed to be paid by the Counterparty or member of the Counterparty group, arising from or in connection with: 2.8.1. any breach by IPSX of its obligations under this Appendix; or 2.8.2. IPSX acting outside or contrary to the Counterparty’s lawful instructions when acting as

CONTROLLER/PROCESSOR STATUS AND OBLIGATIONS. 2.1 Each Party shall comply with DP Laws and its obligations under this Appendix. 2.2 As at the date of this Agreement, the Parties acknowledge and agree that in respect of the Protected Data, the Counterparty shall be a Controller and IPSX shall be a Controller or a Processor depending on the processing activity. If and to the extent: 2.2.1. IPSX processes any Protected Data as Processor on behalf of Counterparty, paragraphs 2.1, 2.2, 2.8 and 3 of this Appendix shall apply to such processing; and 2.2.2. IPSX processes any Protected Data as Controller, paragraphs 2.1 to 2.8 of this Appendix shall apply to such processing. 2.3 Each Party shall implement and maintain, at its own cost and expense, appropriate technical and organisational measures in relation to its processing of Protected Data (including, in IPSX’s case, during any transfer of Protected Data to the Counterparty). 2.4 Each Party agrees to provide the other Party information, assistance and cooperation in relation to: (a) any request from, or requirement of, any Supervisory Authority or any other regulatory or judicial body of competent jurisdiction; or (b) any Data Subject Request in relation to the Protected Data that may be held by both of them. 2.5 IPSX shall provide reasonable cooperation and assistance to the Counterparty in relation to any remedial action to be taken in response to a Personal Data Breach, including regarding any communication of the Personal Data Breach to the Data Subjects whose Personal Data is affected (subject to the Counterparty’s authorisation). 2.6 To the extent permitted by applicable law, IPSX shall not: (a) notify a Supervisory Authority or Data Subject of any Personal Data Breach; or (b) issue any public statement or otherwise notify any Data Subject of such Personal Data Breach, without first consulting with, and obtaining the consent of, the Counterparty (such consent not to be unreasonably withheld or delayed). 2.7 Without prejudice to paragraph 2.1 of this Appendix, where IPSX transfers Protected Data to the Counterparty, IPSX warrants to the Counterparty that: 2.7.1. it has a lawful basis under DP Laws on which it transfers and processes the Protected Data; 2.7.2. it will only provide or transfer Protected Data to the Counterparty which is: (i) the minimum data required for the performance of the services and its other obligations under this Agreement; and (ii) accurate and up-to-date; 2.7.3. it has provided (or procured the provision of) a privacy notice in respect of such Protected Data to each Data Subject in accordance with DP Laws, and has ensured that such privacy notice is clear and provides sufficient information to the Data Subjects for them to understand what of their Protected Data IPSX is sharing with the Member, the circumstances in which it will be shared, the purposes for the data sharing and either the identity and contact details of the Counterparty or a description of the type of organisation that will receive the Protected Data. 2.8 IPSX shall indemnify and keep indemnified the Counterparty and each member of the Counterparty group in respect of all DP Losses suffered or incurred by, awarded against or agreed to be paid by the Counterparty or member of the Counterparty group, arising from or in connection with: 2.8.1. any breach by IPSX of its obligations under this Appendix; or 2.8.2. IPSX acting outside or contrary to the Counterparty’s lawful instructions when acting asas Processor. 2.9 The Counterparty shall indemnify and keep indemnified IPSX and each member of the IPSX group in respect of all DP Losses suffered or incurred by, awarded against or agreed to be paid by IPSX or a member of the IPSX group, arising from or in connection with: 2.9.1. any breach by the Counterparty of its obligations under this Appendix; or 2.9.2. the Counterparty failing to get the consent of any Data Subject (including as required by, and in the prescribed manner stated in, DP Laws) to the Processing Instructions.