Common use of CUSTOMER DATA AND CUSTOMER PERSONAL DATA Clause in Contracts

CUSTOMER DATA AND CUSTOMER PERSONAL DATA. 5.1 The Customer shall own all right, title and interest in and to all of the Customer Data (other than the Customer Personal Data) and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of all such Customer Data (including the Customer Personal Data). 5.2 The Customer Data shall be backed up as set out in the Back-Up Policy (as such document may be amended from time to time). In the event of any loss or damage to Customer Data, the Customer‘s sole and exclusive remedy against the Supplier shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data in accordance with the archiving procedure described in its Back-Up Policy. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back- up for which it shall remain fully liable). 5.3 Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause 5 is in addition to, and does not relieve, remove or replace, a party‘s obligations under the Data Protection Legislation. 5.4 The parties acknowledge that: 5.4.1 if the Supplier processes any personal data on the Customer‘s behalf when performing its obligations under this agreement, the Customer is the data controller and the Supplier is the data processor for the purposes of the Data Protection Legislation (where Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation). 5.4.2 Schedule 3 sets out the scope, nature and purpose of processing by the Supplier, the duration of the processing and the types of personal data (as defined in the Data Protection Legislation, Personal Data) and categories of Data Subject. 5.4.3 the personal data may be transferred or stored outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier‘s other obligations under this agreement. 5.5 Without prejudice to the generality of clause 5.3, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Supplier for the duration and purposes of this agreement so that the Supplier may lawfully use, process and transfer the Personal Data in accordance with this agreement on the Customer‘s behalf. 5.6 Without prejudice to the generality of clause 5.3, the Supplier shall, in relation to any Personal Data processed in connection with the performance by the Supplier of its obligations under this agreement: 5.6.1 process that Personal Data only on the written instructions of the Customer unless the Supplier is required by the laws of any member of the European Union or by the laws of the European Union applicable to the Supplier to process Personal Data (Applicable Laws). Where the Supplier is relying on laws of a member of the European Union or European Union law as the basis for processing Personal Data, the Supplier shall promptly notify the Customer of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Supplier from so notifying the Customer; 5.6.2 not transfer any Personal Data outside of the European Economic Area and the United Kingdom unless the following conditions are fulfilled: 5.6.2.1 the Customer or the Supplier has provided appropriate safeguards in relation to the transfer; 5.6.2.2 the data subject has enforceable rights and effective legal remedies; 5.6.2.3 the Supplier complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and 5.6.2.4 the Supplier complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; 5.6.3 assist the Customer, at the Customer‘s cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; 5.6.4 notify the Customer without undue delay on becoming aware of a Personal Data breach; 5.6.5 at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer on termination of the agreement unless required by Applicable Law to store the Personal Data; and 5.6.6 maintain complete and accurate records and information to demonstrate its compliance with this clause 5. 5.7 The Supplier shall ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the Customer, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it). 5.8 The Customer consents to the Supplier appointing third-party processors of Personal Data under this agreement subject to the Supplier entering into a written agreement incorporating terms which are substantially similar to those set out in this clause 5 with each third-party processor. A full list of third-party processors used by the Supplier is available to the Customer on request. 5.9 The Supplier may, at any time on not less than 30 days’ notice, revise this clause 5 by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when replaced by attachment to this agreement).

CUSTOMER DATA AND CUSTOMER PERSONAL DATA. 5.1 The Customer shall own all right, title and interest in and to all of the Customer Data (other than the Customer Personal Data) and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of all such Customer Data (including the Customer Personal Data). 5.2 The Customer Data shall be backed up as set out in the Back-Up Policy (as such document may be amended from time to time). In the event of any loss or damage to Customer Data, the Customer‘s sole and exclusive remedy against the Supplier shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data in accordance with the archiving procedure described in its Back-Up Policy. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back- up for which it shall remain fully liable). 5.3 Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause 5 is in addition to, and does not relieve, remove or replace, a party‘s obligations under the Data Protection Legislation. 5.4 The parties acknowledge have determined that: 5.4.1 if the Supplier processes any personal data on the Customer‘s behalf when performing its obligations under this agreement, the Customer is the data controller and the Supplier is the data processor for the purposes of the Data Protection Legislation (where Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation).: 5.4.1 the Supplier will act as Controller when processing Personal Data of the Customer’s personnel for the purpose of entering into, administering and enforcing this agreement as described in the Supplier’s privacy policy at xxxxx://xxxxxxxxxxxxxxxxxx.xx.xx/privacy-policy; and 5.4.2 Schedule 3 sets out the scope, nature and Supplier will act as Processor when processing Customer Personal Data for the purpose of processing by the Supplier, the duration of the processing and the types of personal data (as defined in the Data Protection Legislation, Personal Data) and categories of Data Subject. 5.4.3 the personal data may be transferred or stored outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out delivering the Services and to the Supplier‘s other obligations under this agreementCustomer. 5.5 Without prejudice to the generality of clause 5.3, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data and the Customer Personal Data to the Supplier and/or lawful collection of the same by the Supplier for the duration and purposes of this agreement so that the Supplier may lawfully use, process and transfer the Personal Data and Customer Personal Data in accordance with this agreement on the Customer‘s behalfagreement. 5.6 Schedule 3 sets out the scope, nature and purpose of the Supplier’s processing of Customer Personal Data, the duration of the processing and the types of Customer Personal Data and categories of Data Subject. 5.7 Without prejudice to the generality of clause 5.3, the Supplier shall, in relation to any the Customer Personal Data processed in connection with the performance by the Supplier of its obligations under this agreementData: 5.6.1 5.7.1 process that Customer Personal Data only on the written instructions of the Customer, which are to process Customer Personal Data for the purpose set out in Schedule 3, unless the Supplier is required by the laws of any member law of the European Union United Kingdom or by the laws a part of the European Union applicable to the Supplier to process Personal Data United Kingdom (Applicable Laws)) to otherwise process Customer Personal Data. Where the Supplier is relying on laws of a member of the European Union or European Union law Applicable Laws as the basis for processing Customer Personal Data, the Supplier shall promptly notify the Customer of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Supplier from so notifying the Customer; 5.6.2 not transfer any Personal Data outside of the European Economic Area and the United Kingdom unless the following conditions are fulfilled: 5.6.2.1 the Customer or the Supplier has provided appropriate safeguards in relation to the transfer; 5.6.2.2 the data subject has enforceable rights and effective legal remedies; 5.6.2.3 the Supplier complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and 5.6.2.4 the Supplier complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; 5.6.3 assist the Customer, at the Customer‘s cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; 5.6.4 notify the Customer without undue delay on becoming aware of a Personal Data breach; 5.6.5 at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer on termination of the agreement unless required by Applicable Law to store the Personal Data; and 5.6.6 maintain complete and accurate records and information to demonstrate its compliance with this clause 5. 5.7 The Supplier shall 5.7.2 ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the Customer, to protect against unauthorised or unlawful processing of Customer Personal Data and against accidental loss or destruction of, or damage to, Customer Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Customer Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Customer Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it); 5.7.3 ensure that any personnel engaged and authorised by the Supplier to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory or common law obligation of confidentiality; 5.7.4 assist the Customer, at the Customer‘s cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; 5.7.5 notify the Customer without undue delay on becoming aware of a Personal Data Breach involving the Customer Personal Data; 5.7.6 at the written direction of the Customer, delete or return Customer Personal Data and copies thereof to the Customer on termination of the agreement unless required by Applicable Law to store the Customer Personal Data; and 5.7.7 maintain complete and accurate records and information to demonstrate its compliance with this clause 5.7. 5.8 The Customer consents to hereby provides its prior, general authorisation for the Supplier appointing to: 5.8.1 appoint third-party processors Processors of Customer Personal Data under this agreement subject to provided that the Supplier: 5.8.1.1 shall ensure that the terms on which it appoints such Processors comply with Data Protection Laws and are consistent with the obligations imposed on the Supplier entering into a written agreement incorporating terms which are substantially similar to those set out in this clause 5 with each third-party processor. A full Clause 5; 5.8.1.2 shall remain responsible for the acts and omission of any such Processor as if they were the acts and omissions of the Supplier; and 5.8.1.3 shall make a list of third-party processors all Processors used by the Supplier is available to the Customer on requestrequest and shall inform the Customer of any intended changes concerning the addition or replacement of the Processors, thereby giving the Customer the opportunity to object to such changes where it reasonably considers that the change will result in an actual or likely breach of Data Protection Legislation. 5.8.2 transfer Customer Personal Data outside of the UK, provided that the Supplier shall ensure that all such transfers are effected in accordance with Data Protection Legislation. For this purpose, the Supplier is hereby authorised by the Customer to enter into data transfer agreements on behalf of and in the name of the Customer with recipients of Customer Personal Data outside of the UK incorporating standard data protection clauses adopted by the Information Commissioner from time to time, including but not limited to the data transfer agreement attached at Schedule 4. 5.9 The Supplier may, at any time on not less than 30 days’ notice, revise this clause 5 by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when replaced by attachment to this agreement).

CUSTOMER DATA AND CUSTOMER PERSONAL DATA. 5.1 The Customer shall own all right, title and interest in and to all of the Customer Data (other than the Customer Personal Data) and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of all such Customer Data (including the Customer Personal Data). 5.2 . The Customer Data shall be backed up as set out in the Back-Up Policy (as such document may be amended from time to time). In the event of any loss or damage to Customer Data, the Customer‘s sole and exclusive remedy against the Supplier shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data in accordance with the archiving procedure described in its Back-Up Policy. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back- back-up for which it shall remain fully liable). 5.3 . Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause 5 0 is in addition to, and does not relieve, remove or replace, a party‘s obligations under the Data Protection Legislation. 5.4 . The parties acknowledge that: 5.4.1 : if the Supplier processes any personal data on the Customer‘s behalf when performing its obligations under this agreement, the Customer is the data controller and the Supplier is the data processor for the purposes of the Data Protection Legislation (where Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation). 5.4.2 . Schedule 3 sets out the scope, nature and purpose of processing by the Supplier, the duration of the processing and the types of personal data (as defined in the Data Protection Legislation, Personal Data) and categories of Data Subject. 5.4.3 . the personal data may be transferred or stored outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier‘s other obligations under this agreement. 5.5 . Without prejudice to the generality of clause 5.30, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Supplier for the duration and purposes of this agreement so that the Supplier may lawfully use, process and transfer the Personal Data in accordance with this agreement on the Customer‘s behalf. 5.6 . Without prejudice to the generality of clause 5.30, the Supplier shall, in relation to any Personal Data processed in connection with the performance by the Supplier of its obligations under this agreement: 5.6.1 : process that Personal Data only on the written instructions of the Customer unless the Supplier is required by the laws of any member of the European Union or by the laws of the European Union applicable to the Supplier to process Personal Data (Applicable Laws). Where the Supplier is relying on laws of a member of the European Union or European Union law as the basis for processing Personal Data, the Supplier shall promptly notify the Customer of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Supplier from so notifying the Customer; 5.6.2 ; not transfer any Personal Data outside of the European Economic Area and the United Kingdom unless the following conditions are fulfilled: 5.6.2.1 : the Customer or the Supplier has provided appropriate safeguards in relation to the transfer; 5.6.2.2 ; the data subject has enforceable rights and effective legal remedies; 5.6.2.3 ; the Supplier complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and 5.6.2.4 and the Supplier complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; 5.6.3 ; assist the Customer, at the Customer‘s cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; 5.6.4 ; notify the Customer without undue delay on becoming aware of a Personal Data breach; 5.6.5 ; at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer on termination of the agreement unless required by Applicable Law to store the Personal Data; and 5.6.6 and maintain complete and accurate records and information to demonstrate its compliance with this clause 5. 5.7 0. The Supplier shall ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the Customer, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it). 5.8 . The Customer consents to the Supplier appointing third-party processors of Personal Data under this agreement subject to the Supplier entering into a written agreement incorporating terms which are substantially similar to those set out in this clause 5 0 with each third-party processor. A full list of third-party processors used by the Supplier is available to the Customer on request. 5.9 . The Supplier may, at any time on not less than 30 days’ notice, revise this clause 5 0 by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when replaced by attachment to this agreement).

CUSTOMER DATA AND CUSTOMER PERSONAL DATA. 5.1 The Customer shall own all right, title and interest in and to all of the Customer Data (other than the Customer Personal Data) and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of all such Customer Data (including the Customer Personal Data). 5.2 The Customer Data shall be backed up as set out in the Back-Up Policy (as such document may be amended from time to time). In the event of any loss or damage to Customer Data, the Customer‘s sole and exclusive remedy against the Supplier shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data in accordance with the archiving procedure described in its Back-Up Policy. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back- up for which it shall remain fully liable). 5.3 Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause 5 0 is in addition to, and does not relieve, remove or replace, a party‘s obligations under the Data Protection Legislation. 5.4 The parties acknowledge that: 5.4.1 if the Supplier processes any personal data on the Customer‘s behalf when performing its obligations under this agreement, the Customer is the data controller and the Supplier is the data processor for the purposes of the Data Protection Legislation (where Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation). 5.4.2 Schedule 3 sets out the scope, nature and purpose of processing by the Supplier, the duration of the processing and the types of personal data (as defined in the Data Protection Legislation, Personal Data) and categories of Data Subject. 5.4.3 the personal data may be transferred or stored outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier‘s other obligations under this agreement. 5.5 Without prejudice to the generality of clause 5.30, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Supplier for the duration and purposes of this agreement so that the Supplier may lawfully use, process and transfer the Personal Data in accordance with this agreement on the Customer‘s behalf. 5.6 Without prejudice to the generality of clause 5.30, the Supplier shall, in relation to any Personal Data processed in connection with the performance by the Supplier of its obligations under this agreement: 5.6.1 process that Personal Data only on the written instructions of the Customer unless the Supplier is required by the laws of any member of the European Union or by the laws of the European Union applicable to the Supplier to process Personal Data (Applicable Laws). Where the Supplier is relying on laws of a member of the European Union or European Union law as the basis for processing Personal Data, the Supplier shall promptly notify the Customer of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Supplier from so notifying the Customer; 5.6.2 not transfer any Personal Data outside of the European Economic Area and the United Kingdom unless the following conditions are fulfilled: 5.6.2.1 the Customer or the Supplier has provided appropriate safeguards in relation to the transfer; 5.6.2.2 the data subject has enforceable rights and effective legal remedies; 5.6.2.3 the Supplier complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and 5.6.2.4 the Supplier complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; 5.6.3 assist the Customer, at the Customer‘s cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; 5.6.4 notify the Customer without undue delay on becoming aware of a Personal Data breach; 5.6.5 at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer on termination of the agreement unless required by Applicable Law to store the Personal Data; and 5.6.6 maintain complete and accurate records and information to demonstrate its compliance with this clause 50. 5.7 The Supplier shall ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the Customer, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it). 5.8 The Customer consents to the Supplier appointing third-party processors of Personal Data under this agreement subject to the Supplier entering into a written agreement incorporating terms which are substantially similar to those set out in this clause 5 0 with each third-party processor. A full list of third-party processors used by the Supplier is available to the Customer on request. 5.9 The Supplier may, at any time on not less than 30 days’ notice, revise this clause 5 0 by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when replaced by attachment to this agreement).