Common use of Controller to Controller Clause in Contracts

Controller to Controller. Where one Party acting as a Controller (“Disclosing Controller”) discloses Personal Data to the other Party to also Process as a Controller (“Receiving Controller”) the following obligations will apply: 3.1 unless the Parties otherwise agree in writing, Receiving Controller will Process the Personal Data solely for the purpose of performing its obligations under the Agreement and in accordance with applicable Privacy Laws. The Receiving Controller shall not Process the Personal Data for any activity or purpose unless expressly permitted by Privacy Laws; 3.2 Personal Data is provided to the Receiving Controller solely for the purpose of performing its obligations under the Agreement. Disclosing Controller does not provide any monetary or other non-monetary valuable consideration for access to or other processing of Personal Data except for payments agreed under the Agreement for the performance of the Service under the Agreement; 3.3 If Disclosing Controller discloses Personal Data for the purpose of Receiving Controller sending marketing communications, Disclosing Controller agrees to obtain the relevant Data Subjects' prior consent to such disclosure and use by Receiving Controller; 3.4 Each Party shall comply promptly with its obligations to respond to requests from data subjects to exercise their rights under Privacy Laws (including their rights to withdraw consent, of access, restriction, rectification, erasure and portability) in respect of the Personal Data. Receiving Controller will deal promptly with all reasonable inquiries from Disclosing Controller or a Data Subject relating to the Personal Data, including requests for access or correction of Personal Data and information about Receiving Controller’s practices, procedures and/or complaints process; 3.5 In the event a Party receives a request or notification from a third party (including a data protection supervisory authority) or an order of court that concerns the Personal Data processed under the Agreement, it shall promptly notify the other Party, providing all relevant details. The Parties shall reasonably cooperate with each other to respond to such request or notification. Unless required by law, neither Party shall respond to any request or notification on behalf of the other Party unless instructed to do so in writing by such other Party; 3.6 If a Personal Data Breach occurs in connection with the Agreement, the Party experiencing the Personal Data Breach shall notify the other Party without undue delay after becoming aware. Each Party shall cooperate with and assist the other in handling, mitigating and/or resolving a Personal Data Breach. The Parties shall, following consultation with each other, comply with any applicable obligations under Privacy Laws to notify the relevant supervisory authorities and/or data subjects; 3.7 The Receiving Controller shall erase and/or destroy the Personal Data after termination of the Agreement if it is no longer necessary to retain it for the purpose of the Agreement or as otherwise required by applicable laws; 3.8 Receiving Controller is prohibited from: (i) Selling any Personal Data; (ii) retaining, using, or disclosing Personal Data for any purpose other than for the specific purpose of performing the obligations under the Agreement, including but not limited to, retaining, using, or disclosing Personal Data for a commercial purpose other than fulfilling the Agreement; and (iii) retaining, using, or disclosing Personal Data outside of the direct business relationship between Disclosing Controller and Receiving Controller; and 3.9 Receiving Controller represents and warrants that it understands the prohibitions and limitations regarding its use and all other processing activities and related purposes as outlined in this Schedule regarding Personal Data, particularly in Section 3.8 and will comply with them.

Controller to Controller. Where one Party acting as a Controller (“Disclosing Controller”) discloses Personal Data to the other Party to also Process as a Controller (“Receiving Controller”) the following obligations will apply: 3.1 unless the Parties otherwise agree in writing, Receiving Controller will Process the Personal Data solely for the purpose of performing its obligations under the Agreement and in accordance with applicable Privacy Laws. The Receiving Controller shall not Process the Personal Data for any activity or purpose unless expressly permitted by Privacy Laws; 3.2 Personal Data is provided to the Receiving Controller solely for the purpose of performing its obligations under the Agreement. Disclosing Controller does not provide any monetary or other non-non- monetary valuable consideration for access to or other processing of Personal Data except for payments agreed under the Agreement for the performance of the Service under the Agreement; 3.3 If Disclosing Controller discloses Personal Data for the purpose of Receiving Controller sending marketing communications, Disclosing Controller agrees to obtain the relevant Data Subjects' prior consent to such disclosure and use by Receiving Controller; 3.4 Each Party shall comply promptly with its obligations to respond to requests from data subjects to exercise their rights under Privacy Laws (including their rights to withdraw consent, of access, restriction, rectification, erasure and portability) in respect of the Personal Data. Receiving Controller will deal promptly with all reasonable inquiries from Disclosing Controller or a Data Subject relating to the Personal Data, including requests for access or correction of Personal Data and information about Receiving Controller’s practices, procedures and/or complaints process; 3.5 In the event a Party receives a request or notification from a third party (including a data protection supervisory authority) or an order of court that concerns the Personal Data processed under the Agreement, it shall promptly notify the other Party, providing all relevant details. The Parties shall reasonably cooperate with each other to respond to such request or notification. Unless required by law, neither Party shall respond to any request or notification on behalf of the other Party unless instructed to do so in writing by such other Party; 3.6 If a Personal Data Breach occurs in connection with the Agreement, the Party experiencing the Personal Data Breach shall notify the other Party without undue delay after becoming aware. Each Party shall cooperate with and assist the other in handling, mitigating and/or resolving a Personal Data Breach. The Parties shall, following consultation with each other, comply with any applicable obligations under Privacy Laws to notify the relevant supervisory authorities and/or data subjects; 3.7 The Receiving Controller shall erase and/or destroy the Personal Data after termination of the Agreement if it is no longer necessary to retain it for the purpose of the Agreement or as otherwise required by applicable laws; 3.8 Receiving Controller is prohibited from: (i) Selling any Personal Data; (ii) retaining, using, or disclosing Personal Data for any purpose other than for the specific purpose of performing the obligations under the Agreement, including but not limited to, retaining, using, or disclosing Personal Data for a commercial purpose other than fulfilling the Agreement; and (iii) retaining, using, or disclosing Personal Data outside of the direct business relationship between Disclosing Controller and Receiving Controller; and 3.9 Receiving Controller represents and warrants that it understands the prohibitions and limitations regarding its use and all other processing activities and related purposes as outlined in this Schedule regarding Personal Data, particularly in Section 3.8 and will comply with them.