Common use of DATA CONTROLLER OBLIGATIONS Clause in Contracts

DATA CONTROLLER OBLIGATIONS. 1.2.1 Each Party shall in relation to the Processing of the Personal Data comply with its respective obligations under the Data Protection Laws. 1.2.2 Without limiting the generality of the obligation set out in Paragraph 1.2.1, in particular, each Party shall: (a) where required to do so make due notification to the ICO; (b) ensure it is not subject to any prohibition or restriction which would: (i) prevent or restrict it from disclosing or transferring the Personal Data to the other Party as required under this Agreement; (ii) prevent or restrict it from granting the other Party access to the Personal Data as required under this Agreement; or (iii) prevent or restrict either Party from Processing the Personal Data, as envisaged under this Agreement; (c) ensure that all fair processing notices have been given (and/or, as applicable, consents obtained) and are sufficient in scope to enable each Party to Process the Personal Data as required in order to obtain the benefit of its rights and to fulfil its obligations under this Agreement in accordance with the Data Protection Laws; (d) ensure that all Personal Data disclosed or transferred to, or accessed by, another Party is accurate and up-to-date, as well as adequate, relevant and not excessive to enable that Party to Process the Personal Data as envisaged under this Agreement; (e) ensure that appropriate technical and organisational security measures are in place sufficient to comply with at least the obligations imposed on the Controller by the Security Requirements including without limitation, (i) ensuring a level of security appropriate to the risk involved in the processing (which shall include without limitation and, as appropriate, taking steps such as the pseudonymisation and/or encryption of Personal Data, taking steps to ensure the ongoing confidentiality, integrity, availability and resilience of the systems and services used to process Personal Data and regularly testing the effectiveness of the systems in place); (ii) adhering to any relevant codes of conduct or approved certifications; and (iii) ensuring that all individuals who have access to Personal Data maintain the confidentiality and security of Personal Data and comply with the terms of this Agreement and where requested provide to the University evidence of its compliance with such requirements promptly, and in any event within 48 hours of the request (f) notify the other Party promptly, and in any event within five days of receipt of any Data Subject Request or ICO Correspondence which relates directly or indirectly to the Processing of Personal Data under, or in connection with, this Agreement and together with such notice, provide a copy of such Data Subject Request or ICO Correspondence to the other Party and reasonable details of the circumstances giving rise to it. In addition to providing the notice referred to in this Paragraph 1.2.2(f), each Party shall provide the other Party with all reasonable co-operation and assistance required by the other Party in relation to any such Data Subject Request or ICO Correspondence; (g) use reasonable endeavours to notify the other Party if it is obliged to make a disclosure of any of the Personal Data under any statutory requirement, such notification to be made in advance of such disclosure or immediately thereafter unless prohibited by law; (h) notify the other Parties in writing without under delay and, in any event, within twenty four (24) hours of it becoming aware of any actual or suspected Personal Data Breach in relation to the Personal Data received from another Party and shall, within such timescale to be agreed by the Parties (acting reasonably and in good faith) : (i) implement any measures necessary to restore the security of compromised Personal Data; and (ii) support the other Parties to make any required notifications to the ICO and/or other equivalent relevant Regulator and affected Data Subjects (i) take reasonable steps to ensure the reliability of any of its personnel who have access to the Personal Data; (j) not do anything which shall damage the reputation of the other Party or that Party's relationship with the Data Subjects; (k) not transfer any Personal Data it is processing to a Restricted Country; (l) hold the information contained in the Personal Data confidentially and under at least the conditions of confidence as such Party holds Personal Data Processed by it other than the Personal Data. (m) not disclose the Personal Data to a third party (including a sub-contractor) in any circumstances without the other Parties' prior written consent, save in relation to: (i) disclosures to Permitted Recipients; and (ii)

DATA CONTROLLER OBLIGATIONS. 1.2.1 Each Party shall in relation to the Processing of the Personal Data comply with its respective obligations under the Data Protection Laws. 1.2.2 . Without limiting the generality of the obligation set out in Paragraph 1.2.1, in particular, each Party shall: (a) : where required to do so make due notification to the ICO; (b) ; ensure it is not subject to any prohibition or restriction which would: (i) : prevent or restrict it from disclosing or transferring the Personal Data to the other Party as required under this Agreement; (ii) ; prevent or restrict it from granting the other Party access to the Personal Data as required under this Agreement; or (iii) or prevent or restrict either Party from Processing the Personal Data, as envisaged under this Agreement; (c) ; ensure that all fair processing notices have been given (and/or, as applicable, consents obtained) and are sufficient in scope to enable each Party to Process the Personal Data as required in order to obtain the benefit of its rights and to fulfil its obligations under this Agreement in accordance with the Data Protection Laws; (d) ; ensure that all Personal Data disclosed or transferred to, or accessed by, another the other Party is accurate and up-to-date, as well as adequate, relevant and not excessive to enable that either Party to Process the Personal Data as envisaged under this Agreement; (e) ; ensure that appropriate technical and organisational security measures are in place sufficient to comply with at least the obligations imposed on the Controller by the Security Requirements including without limitation, (i) ensuring a level of security appropriate to the risk involved in the processing (which shall include without limitation and, as appropriate, taking steps such as the pseudonymisation and/or encryption of Personal Data, taking steps to ensure the ongoing confidentiality, integrity, availability and resilience of the systems and services used to process Personal Data and regularly testing the effectiveness of the systems in place); (ii) adhering to any relevant codes of conduct or approved certifications; and (iii) ensuring that all individuals who have access to Personal Data maintain the confidentiality and security of Personal Data and comply with the terms of this Agreement and where requested provide to the University evidence of its compliance with such requirements promptly, and in any event within 48 hours of the request (f) Requirements: notify the other Party promptly, and in any event within five days forty-eight (48) hours of receipt of any Data Subject Request or ICO Correspondence which relates directly or indirectly to the Processing of Personal Data under, or in connection with, this Agreement and together with such notice, provide a copy of such Data Subject Request or ICO Correspondence to the other Party and reasonable details of the circumstances giving rise to it. In addition to providing the notice referred to in this Paragraph 1.2.2(f), each Party shall provide the other Party with all reasonable co-operation and assistance required by the other Party in relation to any such Data Subject Request or ICO Correspondence; (g) ; use reasonable endeavours to notify the other Party if it is obliged to make a disclosure of any of the Personal Data under any statutory requirement, such notification to be made in advance of such disclosure or immediately thereafter unless prohibited by law; (h) ; notify the other Parties Party in writing without under undue delay and, in any event, within twenty twenty-four (24) hours of it becoming aware of any actual or suspected Personal Data Breach in relation to the Personal Data received from another the other Party and shall, within such timescale to be agreed by the Parties (acting reasonably and in good faith) : (i) ): implement any measures necessary to restore the security of compromised Personal Data; and (ii) and support the other Parties Party to make any required notifications to the ICO and/or other equivalent relevant Regulator and affected Data Subjects (i) ; take reasonable steps to ensure the reliability of any of its personnel who have access to the Personal Data; (j) ; not do anything which shall damage the reputation of the other Party or that Party's relationship with the Data Subjects; (k) ; not transfer any Personal Data it is processing to a Restricted Country; (l) ; hold the information contained in the Personal Data confidentially and under at least the conditions of confidence as such Party holds Personal Data Processed by it other than the Personal Data. (m) not disclose the Personal Data to a third party (including a sub-contractor) in any circumstances without the other Parties' prior written consent, save in relation to: (i) disclosures to Permitted Recipients; and (ii);

DATA CONTROLLER OBLIGATIONS. 1.2.1 2.2.1 Each Party shall in relation to the Processing of the Personal Data comply with its respective obligations under the Data Protection Laws.Laws.‌ 1.2.2 2.2.2 Without limiting the generality of the obligation set out in Paragraph 1.2.12.2.1, in particular, each Party shall:shall:‌ (a) where required to do so make due notification to the ICO; (b) ensure it is not subject to any prohibition or restriction which would: (i) prevent or restrict it from disclosing or transferring the Personal Data to the other Party as required under this Agreement; (ii) prevent or restrict it from granting the other Party access to the Personal Data as required under this Agreement; or (iii) prevent or restrict either Party from Processing the Personal Data, as envisaged under this Agreement; (c) ensure that all fair processing notices have been given (and/or, as applicable, consents obtained) and are sufficient in scope to enable each Party to Process the Personal Data as required in order to obtain the benefit of its rights and to fulfil its obligations under this Agreement in accordance with the Data Protection Laws;; For the avoidance of doubt the University does not warrant to the Union that any use of the Personal Data outside the scope of this Agreement shall be compliant with the Data Protection Laws. (d) ensure that all Personal Data disclosed or transferred to, or accessed by, another the other Party is accurate and up-to-date, as well as adequate, relevant and not excessive to enable that either Party to Process the Personal Data as envisaged under this Agreement;Agreement;‌ (e) ensure that appropriate technical and organisational security measures are in place sufficient to comply with with: (i) at least the obligations imposed on the Controller by the Security Requirements including without limitation, (i) ensuring a level of security appropriate to the risk involved in the processing (which shall include without limitation and, as appropriate, taking steps such as the pseudonymisation and/or encryption of Personal Data, taking steps to ensure the ongoing confidentiality, integrity, availability and resilience of the systems and services used to process Personal Data and regularly testing the effectiveness of the systems in place); (ii) adhering to any relevant codes of conduct or approved certificationsRequirements; and (iii) ensuring that all individuals who have access to Personal Data maintain the confidentiality and security of Personal Data and comply with the terms of this Agreement and where requested provide to the University evidence of its compliance with such requirements promptly, and in any event within 48 forty-eight (48) hours of the request; (f) notify the other Party promptly, and in any event within five days forty-eight (48) hours of receipt of any Data Subject Request or ICO Correspondence which relates directly or indirectly to the Processing of Personal Data under, or in connection with, this Agreement and together with such notice, provide a copy of such Data Subject Request or ICO Correspondence to the other Party and reasonable details of the circumstances giving rise to it. In addition to providing the notice referred to in this Paragraph 1.2.2(f2.2.2(f), each Party shall provide the other Party with all reasonable co-operation and assistance required by the other Party in relation to any such Data Subject Request or ICO Correspondence; (g) use reasonable endeavours to notify the other Party if it is obliged to make a disclosure of any of the Personal Data under any statutory requirement, such notification to be made in advance of such disclosure or immediately thereafter unless prohibited by law; (h) notify the other Parties Party in writing without under undue delay and, in any event, within twenty twenty-four (24) hours of it becoming aware of any actual or suspected Personal Data Breach in relation to the Personal Data received from another the other Party and shall, within such timescale to be agreed by the Parties (acting reasonably and in good faith) :): (i) implement any measures necessary to restore the security of compromised Personal Data; and (ii) support the other Parties Party to make any required notifications to the ICO and/or other equivalent relevant Regulator and affected Data Subjects; (i) take reasonable steps to ensure the reliability of any of its personnel who have access to the Personal Data; (j) not do anything which shall damage the reputation of the other Party or that Party's relationship with the Data Subjects; (k) not transfer any Personal Data it is processing to a Restricted Country; (l) hold the information contained in the Personal Data confidentially and under at least the conditions of confidence as such Party holds Personal Data Processed by it other than the Personal Data. (m) not disclose the Personal Data to a third party (including a sub-contractor) in any circumstances without the other Parties' prior written consent, save in relation to: (i) disclosures to Permitted Recipients; and (ii);

DATA CONTROLLER OBLIGATIONS. 1.2.1 Each Party shall in relation to the Processing of the Personal Data comply with its respective obligations under the Data Protection Laws. 1.2.2 . Without limiting the generality of the obligation set out in Paragraph 1.2.12.2.1, in particular, each Party shall: (a) : where required to do so make due notification to the ICO; (b) ; ensure it is not subject to any prohibition or restriction which would: (i) : prevent or restrict it from disclosing or transferring the Personal Data to the other Party as required under this Agreement; (ii) ; prevent or restrict it from granting the other Party access to the Personal Data as required under this Agreement; or (iii) or prevent or restrict either Party from Processing the Personal Data, as envisaged under this Agreement; (c) . ensure that all fair processing notices have been given (and/or, as applicable, consents obtained) and are sufficient in scope to enable each Party to Process the Personal Data as required in order to obtain the benefit of its rights and to fulfil its obligations under this Agreement in accordance with the Data Protection Laws; (d) ensure that all Personal Data disclosed or transferred to, or accessed by, another Party is accurate and up-to-date, as well as adequate, relevant and not excessive to enable that Party to Process the Personal Data as envisaged under this Agreement; (e) ; ensure that appropriate technical and organisational security measures are in place sufficient to comply with at least the obligations imposed on the Controller by the Security Requirements including without limitation, (i) ensuring a level of security appropriate to the risk involved in the processing (which shall include without limitation and, as appropriate, taking steps such as the pseudonymisation and/or encryption of Personal Data, taking steps to ensure the ongoing confidentiality, integrity, availability and resilience of the systems and services used to process Personal Data and regularly testing the effectiveness of the systems in place)Requirements; (ii) adhering to any relevant codes of conduct or approved certifications; and (iii) ensuring that all individuals who have access to Personal Data maintain the confidentiality and security of Personal Data and comply with the terms of this Agreement and where requested provide to the University evidence of its compliance with such requirements promptly, and in any event within 48 hours of the request (f) notify the other Party promptly, and in any event within five days forty-eight (48) hours of receipt of any Data Subject Request or ICO Correspondence which relates directly or indirectly to the Processing of Personal Data under, or in connection with, this Agreement and together with such notice, provide a copy of such Data Subject Request or ICO Correspondence to the other Party and reasonable details of the circumstances giving rise to it. In addition to providing the notice referred to in this Paragraph 1.2.2(f2.2.2(e), each Party shall provide the other Party with all reasonable co-operation and assistance required by the other Party in relation to any such Data Subject Request or ICO Correspondence; (g) ; use reasonable endeavours to notify the other Party if it is obliged to make a disclosure of any of the Personal Data under any statutory requirement, such notification to be made in advance of such disclosure or immediately thereafter unless prohibited by law; (h) ; notify the other Parties Party in writing without under undue delay and, in any event, within twenty twenty-four (24) hours of it becoming aware of any actual or suspected Personal Data Breach in relation to the Personal Data received from another the other Party and shall, within such timescale to be agreed by the Parties (acting reasonably and in good faith) : (i) ): implement any measures necessary to restore the security of compromised Personal Data; and (ii) and support the other Parties Party to make any required notifications to the ICO and/or other equivalent relevant Regulator and affected Data Subjects (i) ; take reasonable steps to ensure the reliability of any of its personnel who have access to the Personal Data; (j) ; not do anything which shall damage the reputation of the other Party or that Party's relationship with the Data Subjects; (k) ; not transfer any Personal Data it is processing to a Restricted Country; (l) ; hold the information contained in the Personal Data confidentially and under at least the conditions of confidence as such Party holds Personal Data Processed by it other than the Personal Data. (m) not disclose the Personal Data to a third party (including a sub-contractor) in any circumstances without the other Parties' prior written consent, save in relation to: (i) disclosures to Permitted Recipients; and (ii);

DATA CONTROLLER OBLIGATIONS. 1.2.1 2.2.1 Each Party shall in relation to the Processing of the Personal Data comply with its respective obligations under the Data Protection Laws. 1.2.2 2.2.2 Without limiting the generality of the obligation set out in Paragraph 1.2.1clause 2.1.1, in particular, each Party shall: (a) where required to do so make due notification to the ICO; (b) ensure it is not subject to any prohibition or restriction which would: (i) prevent or restrict it from disclosing or transferring the Personal Data to the other Party as required under this Agreement; (ii) prevent or restrict it from granting the other Party access to the Personal Data as required under this Agreement; or (iii) prevent or restrict either Party from Processing the Personal Data, as envisaged under this Agreement; (c) ensure that all fair processing notices have been given (and/or, as applicable, consents obtained) and are sufficient in scope to enable each Party to Process the Personal Data as required in order to obtain use the benefit of its rights and to fulfil its obligations under this Agreement in accordance with Personal Data for the Data Protection LawsPermitted Purpose; (db) ensure that all Personal Data disclosed or transferred to, or accessed by, another the other Party is accurate and accurate, up-to-date, as well as adequate, relevant date and not excessive complete to enable that either Party to Process the Personal Data as envisaged under this AgreementData; (ec) work together to answer Data Subject Requests within 30 days and free of charge to the Data Subject; (d) ensure that appropriate technical and organisational security measures are in place sufficient to comply with at least the obligations imposed on the Controller by the Security Requirements including without limitation, (i) ensuring a level of security appropriate to the risk involved in the processing (which shall include without limitation and, as appropriate, taking steps such as the pseudonymisation and/or encryption of Personal Data, taking steps to ensure the ongoing confidentiality, integrity, availability and resilience of the systems and services used to process Personal Data and regularly testing the effectiveness of the systems in place); (ii) adhering to any relevant codes of conduct or approved certifications; and (iii) ensuring that all individuals who have access to Personal Data maintain the confidentiality and security of Personal Data and comply with the terms of this Agreement and where requested the each Party shall provide to the University other evidence of its compliance with such requirements promptly, requirements; (e) support the other Party to make any required notifications to the ICO and/or other equivalent relevant regulator and in any event within 48 hours of the requestaffected Data Subjects; (f) notify the other Party promptly, and in any event within five days of receipt of any Data Subject Request or ICO Correspondence which relates directly or indirectly to the Processing of Personal Data under, or in connection with, this Agreement and together with such notice, provide a copy of such Data Subject Request or ICO Correspondence to the other Party and reasonable details of the circumstances giving rise to it. In addition to providing the notice referred to in this Paragraph 1.2.2(f), each Party shall provide the other Party with all reasonable co-operation and assistance required by the other Party in relation to any such Data Subject Request or ICO Correspondence; (g) use reasonable endeavours to notify the other Party if it is obliged to make a disclosure of any of the Personal Data under any statutory requirement, such notification to be made in advance of such disclosure or immediately thereafter unless prohibited by law; (h) notify the other Parties in writing without under delay and, in any event, within twenty four (24) hours promptly of it becoming aware of any actual or suspected Personal Data Breach in relation to the Personal Data received from another the other Party. Any such notice will include full details of the Personal Data involved and the types of Data Subjects affected. The Party notified shall provide reasonable support and shall, within such timescale assistance to be agreed the Party affected by the Parties (acting reasonably and Personal Data Breach in good faith) : (i) implement any measures necessary to restore the security of compromised Personal Data; and (ii) support the other Parties to make any required notifications to notifying the ICO and/or other equivalent relevant Regulator and affected Data SubjectsSubjects (as appropriate). (ig) take reasonable steps to ensure the reliability of any of its personnel Personnel who have access to the Personal Data; (j) not do anything which shall damage the reputation of the other Party or that Party's relationship with the Data Subjects; (kh) not transfer any Personal Data it is processing Processing to a Restricted Country; (l) hold the information contained , without first ensuring adequate safeguards are in the Personal Data confidentially and under at least the conditions of confidence as such Party holds Personal Data Processed by it other than the Personal Dataplace. (m) not disclose the Personal Data to a third party (including a sub-contractor) in any circumstances without the other Parties' prior written consent, save in relation to: (i) disclosures to Permitted Recipients; and (ii)

DATA CONTROLLER OBLIGATIONS. 1.2.1 2.2.1 Each Party shall in relation to the Processing of the Personal Data comply with its respective obligations under the Data Protection Laws. 1.2.2 2.2.2 Without limiting the generality of the obligation set out in Paragraph 1.2.12.2.1, in particular, each Party shall: (a) where required to do so make due notification to the ICO; (b) ensure it is not subject to any prohibition or restriction which would: (i) prevent or restrict it from disclosing or transferring the Personal Data to the other Party as required under this Agreement; (ii) prevent or restrict it from granting the other Party access to the Personal Data as required under this Agreement; or (iii) prevent or restrict either Party from Processing the Personal Data, as envisaged under this Agreement; (c) ensure that all fair processing notices have been given (and/or, as applicable, consents obtained) and are sufficient in scope to enable each Party to Process the Personal Data as required in order to obtain the benefit of its rights and to fulfil its obligations under this Agreement in accordance with the Data Protection Laws; (d) ensure that all Personal Data disclosed or transferred to, or accessed by, another the other Party is accurate and up-to-date, as well as adequate, relevant and not excessive to enable that either Party to Process the Personal Data as envisaged under this Agreement; (e) ensure that appropriate technical and organisational security measures are in place sufficient to comply with at least the obligations imposed on the Controller by the Security Requirements including without limitation, (i) ensuring a level of security appropriate to the risk involved in the processing (which shall include without limitation and, as appropriate, taking steps such as the pseudonymisation and/or encryption of Personal Data, taking steps to ensure the ongoing confidentiality, integrity, availability and resilience of the systems and services used to process Personal Data and regularly testing the effectiveness of the systems in place); (ii) adhering to any relevant codes of conduct or approved certifications; and (iii) ensuring that all individuals who have access to Personal Data maintain the confidentiality and security of Personal Data and comply with the terms of this Agreement and where requested provide to the University evidence of its compliance with such requirements promptly, and in any event within 48 hours of the request; (f) notify the other Party promptly, and in any event within five days [forty-eight (48)] hours of receipt of any Data Subject Request or ICO Correspondence which relates directly or indirectly to the Processing of Personal Data under, or in connection with, this Agreement and together with such notice, provide a copy of such Data Subject Request or ICO Correspondence to the other Party and reasonable details of the circumstances giving rise to it. In addition to providing the notice referred to in this Paragraph 1.2.2(f2.2.2(f), each Party shall provide the other Party with all reasonable co-operation and assistance required by the other Party in relation to any such Data Subject Request or ICO Correspondence; (g) use reasonable endeavours to notify the other Party if it is obliged to make a disclosure of any of the Personal Data under any statutory requirement, such notification to be made in advance of such disclosure or immediately thereafter unless prohibited by law; (h) notify the other Parties Party in writing without under undue delay and, in any event, within twenty [twenty-four (24) hours hours] of it becoming aware of any actual or suspected Personal Data Breach in relation to the Personal Data received from another the other Party and shall, within such timescale to be agreed by the Parties (acting reasonably and in good faith) :): (i) implement any measures necessary to restore the security of compromised Personal Data; and (ii) support the other Parties Party to make any required notifications to the ICO and/or other equivalent relevant Regulator and affected Data Subjects; (i) take reasonable steps to ensure the reliability of any of its personnel who have access to the Personal Data; (j) not do anything which shall damage the reputation of the other Party or that Party's relationship with the Data Subjects; (k) not transfer any Personal Data it is processing to a Restricted Country; (l) hold the information contained in the Personal Data confidentially and under at least the conditions of confidence as such Party holds Personal Data Processed by it other than the Personal Data.; and (m) not disclose the Personal Data to a third party (including a sub-sub- contractor) in any circumstances without the other Parties' Party's prior written consent, save in relation to: : (i) disclosures to Permitted Recipients; and (ii)and

DATA CONTROLLER OBLIGATIONS. 1.2.1 Each Party shall in relation to the Processing of the Personal Data comply with its respective obligations under the Data Protection Laws. 1.2.2 Without limiting the generality of the obligation set out in Paragraph 1.2.12.2.1, in particular, each Party shall: (a) where required to do so make due notification to the ICO; (b) ensure it is not subject to any prohibition or restriction which would: (i) prevent or restrict it from disclosing or transferring the Personal Data to the other Party as required under this Agreement; (ii) prevent or restrict it from granting the other Party access to the Personal Data as required under this Agreement; or (iii) prevent or restrict either Party from Processing the Personal Data, as envisaged under this Agreement; (c) ensure that all fair processing notices have been given (and/or, as applicable, consents obtained) and are sufficient in scope to enable each Party to Process the Personal Data as required in order to obtain the benefit of its rights and to fulfil its obligations under this Agreement in accordance with the Data Protection Laws; (db) ensure that all Personal Data disclosed or transferred to, or accessed by, another the other Party is accurate and up-to-date, as well as adequate, relevant and not excessive to enable that either Party to Process the Personal Data as envisaged under this Agreement; (ec) ensure that appropriate technical and organisational security measures are in place sufficient to comply with with: (i) at least the obligations imposed on the Controller by the Security Requirements including without limitation, (i) ensuring a level of security appropriate to the risk involved in the processing (which shall include without limitation and, as appropriate, taking steps such as the pseudonymisation and/or encryption of Personal Data, taking steps to ensure the ongoing confidentiality, integrity, availability and resilience of the systems and services used to process Personal Data and regularly testing the effectiveness of the systems in place)Requirements; (ii) adhering to any relevant codes of conduct or approved certifications; and (iii) ensuring that all individuals who have access to Personal Data maintain the confidentiality and security of Personal Data and comply with the terms of this Agreement and where requested the Partner shall provide to the University Manchester evidence of its compliance with such requirements promptly, and in any event within 48 hours of the requestrequirements; (fd) support the other Party to make any required notifications to the ICO and/or other equivalent relevant regulator and affected Data Subjects; (e) notify the other Party promptly, and in any event within five days of receipt of any Data Subject Request or ICO Correspondence which relates directly or indirectly to the Processing of Personal Data under, or in connection with, this Agreement and together with such notice, provide a copy of such Data Subject Request or ICO Correspondence to the other Party and reasonable details of the circumstances giving rise to it. In addition to providing the notice referred to in this Paragraph 1.2.2(f), each Party shall provide the other Party with all reasonable co-operation and assistance required by the other Party in relation to any such Data Subject Request or ICO Correspondence; (g) use reasonable endeavours to notify the other Party if it is obliged to make a disclosure of any of the Personal Data under any statutory requirement, such notification to be made in advance of such disclosure or immediately thereafter unless prohibited by law; (h) notify the other Parties in writing without under undue delay and, in any event, within twenty twenty-four (24) hours of it becoming aware of any actual or suspected Personal Data Breach in relation to the Personal Data received from another the other Party and shall, within such timescale to be agreed by the Parties Party (acting reasonably and in good faith) :): (i) implement any measures necessary to restore the security of compromised Personal Data; and (ii) support the other Parties Party to make any required notifications to the ICO and/or other equivalent relevant Regulator regulator and affected Data Subjects; (if) take reasonable steps to ensure the reliability of any of its personnel who have access to the Personal Data; (j) not do anything which shall damage the reputation of the other Party or that Party's relationship with the Data Subjects; (kg) not transfer any Personal Data it is processing Processing to a Restricted Country;; and (lh) hold the information contained in the Personal Data confidentially and under at least the conditions of confidence as such Party holds Personal Data Processed by it other than the Personal Data. (m) not disclose the Personal Data to a third party (including a sub-contractor) in any circumstances without the other Parties' prior written consent, save in relation to: (i) disclosures to Permitted Recipients; and (ii)

DATA CONTROLLER OBLIGATIONS. 1.2.1 Each Party shall in relation to the Processing of the Personal Data comply with its respective obligations under the Data Protection Laws. 1.2.2 2.2.1 Without limiting the generality of the obligation obligations set out in Paragraph 1.2.12.1.2, in particular, each Party the Customer shall: (a) where make all required to do so make due notification notification(s) to the ICOICO in relation to its Processing of Personal Data; (b) ensure that it is not subject to any prohibition or restriction which would: : (i) prevent or restrict it from disclosing or transferring the Personal Data to the other Party as required under this Agreement; The Growth Company; (ii) prevent or restrict it from granting the other Party The Growth Company access to the Personal Data as required under this AgreementData; or and/or (iii) prevent or restrict either Party The Growth Company from Processing the Personal Data, in each case as envisaged under required for The Growth Company to perform the Services in accordance with this Agreement; (c) ensure that all fair processing notices have been given (and/or, as applicable, consents obtained) and are sufficient in scope to enable each Party allow The Growth Company to Process the Personal Data as required in order to obtain connection with the benefit provision of its rights and to fulfil its obligations the Services under this Agreement and in accordance with the Data Protection Laws; (d) ensure that all Personal Data disclosed or transferred to, or accessed by, another Party The Growth Company is accurate and accurate, up-to-date, as well as adequate, relevant and not excessive to enable that Party The Growth Company to Process the process Personal Data as envisaged under required for The Growth Company to perform the Services in accordance with this Agreement; (e) ensure that appropriate maintain technical and organisational security measures are in place sufficient to comply with at least with the obligations imposed on the Controller by the Security Requirements including Data Protection Laws including, without limitation, (i) ensuring a level of security appropriate to the risk involved in the processing (which shall include without limitation and, as appropriate, taking steps such as the pseudonymisation and/or encryption of Personal Datapersonal data, taking steps to ensure the ongoing confidentiality, integrity, availability and resilience of the systems and services used to process Personal Data, ensuring the ability to restore the availability and access to Personal Data and regularly testing the effectiveness of the systems in place); (ii) adhering to any relevant codes of conduct or approved certifications; and (iii) ensuring that all individuals who have access to Personal Data maintain the confidentiality and security of Personal Data and comply with the terms of this Agreement and where requested provide to the University evidence of its compliance with such requirements promptly, and in any event within 48 hours of the request (f) notify the other Party promptly, and in any event within five days of receipt of any Data Subject Request or ICO Correspondence which relates directly or indirectly to the Processing of Personal Data under, or in connection with, this Agreement and together with such notice, provide a copy of such Data Subject Request or ICO Correspondence to the other Party and reasonable details of the circumstances giving rise to it. In addition to providing the notice referred to in this Paragraph 1.2.2(f), each Party shall provide the other Party with all reasonable co-operation and assistance required by the other Party in relation to any such Data Subject Request or ICO Correspondence; (g) use reasonable endeavours to notify the other Party if it is obliged to make a disclosure of any of the Personal Data under any statutory requirement, such notification to be made in advance of such disclosure or immediately thereafter unless prohibited by law; (h) notify the other Parties in writing without under delay and, in any event, within twenty four (24) hours of it becoming aware of any actual or suspected Personal Data Breach in relation to the Personal Data received from another Party and shall, within such timescale to be agreed by the Parties (acting reasonably and in good faith) : (i) implement any measures necessary to restore the security of compromised Personal DataAgreement; and (ii) support the other Parties to make any required notifications to the ICO and/or other equivalent relevant Regulator and affected Data Subjects (i) take reasonable steps to ensure the reliability of any of its personnel who have access to the Personal Data; (jf) not do anything which shall damage the reputation of the other Party or that Party's relationship with the Data Subjects; (k) not transfer any Personal Data it is processing to a Restricted Country; (l) hold the information contained in the Personal Data confidentially and under at least the conditions of confidence as such Party holds Personal Data Processed by it other than the Personal DataThe Growth Company. (m) not disclose the Personal Data to a third party (including a sub-contractor) in any circumstances without the other Parties' prior written consent, save in relation to: (i) disclosures to Permitted Recipients; and (ii)

DATA CONTROLLER OBLIGATIONS. 1.2.1 Each Party The Parties shall in relation to the Processing of the Personal Data comply with its respective obligations under the Data Protection Laws. 1.2.2 GDPR legislation. Without limiting the generality of the obligation set out in Paragraph 1.2.14.1, in particular, each Party shall: (a) the Parties: where required to do so make due notification to the ICO; (b) relevant authorities; ensure it is not subject to any prohibition or restriction which would: (i) : prevent or restrict it from disclosing or transferring the Personal Data to the other Party Parties as required under this Agreement; (ii) ; prevent or restrict it from granting the other Party Parties access to the Personal Data as required under this Agreement; or (iii) or prevent or restrict either Party the other Parties from Processing the Personal Data, as envisaged under this Agreement; (c) ; ensure that all fair processing notices have been given (and/or, as applicable, consents obtained) and are sufficient in scope to enable each Party to Process the Personal Data as required in order to obtain the benefit of its rights and to fulfil its obligations under this Agreement in accordance with the Data Protection Laws; (d) ensure that all Personal Data disclosed or transferred to, or accessed by, another Party is accurate and up-to-date, as well as adequate, relevant and not excessive to enable that Party to Process the Personal Data as envisaged under this Agreement; (e) ensure that appropriate technical and organisational security measures are in place sufficient to comply with at least the obligations imposed on the Controller by the Security Requirements including without limitation, (i) ensuring a level of security appropriate to the risk involved in the processing (which shall include without limitation and, as appropriate, taking steps such as the pseudonymisation and/or encryption of Personal Data, taking steps to ensure the ongoing confidentiality, integrity, availability and resilience of the systems and services used to process Personal Data and regularly testing the effectiveness of the systems in place)GDPR legislation; (ii) adhering to any relevant codes of conduct or approved certifications; and (iii) ensuring that all individuals who have access to Personal Data maintain the confidentiality and security of Personal Data and comply with the terms of this Agreement and where requested provide to the University evidence of its compliance with such requirements promptly, and in any event within 48 hours of the request (f) notify the other Party promptly, and in any event within five days forty-eight (48) hours of receipt of any Data Subject Request or ICO Correspondence which relates directly or indirectly to the Processing of Personal Data under, or in connection with, this Agreement and together with such notice, provide a copy of such Data Subject Request or ICO Correspondence to the other Party and reasonable details of the circumstances giving rise to it. In addition to providing the notice referred to in this Paragraph 1.2.2(f)such notice, each Party they shall provide the other Party with all reasonable co-operation and assistance required by the other Party in relation to any such Data Subject Request or ICO Correspondence; (g) Request; use reasonable endeavours to notify the other Party if Parties it is obliged to make a disclosure of any of the Personal Data under any statutory requirement, such notification to be made in advance of such disclosure or immediately thereafter unless prohibited by law; (h) notify the other Parties in writing without under delay and, in any event, within twenty four (24) hours of it becoming aware of any actual or suspected Personal Data Breach in relation to the Personal Data received from another Party and shall, within such timescale to be agreed by the Parties (acting reasonably and in good faith) : (i) implement any measures necessary to restore the security of compromised Personal Data; and (ii) support the other Parties to make any required notifications to the ICO and/or other equivalent relevant Regulator and affected Data Subjects (i) take reasonable steps to ensure the reliability of any of its personnel who have access to the Personal Data; (j) ; not do anything which shall damage the reputation of the other Party Parties or that Party's their relationship with the Data Subjects; (k) not transfer any Personal Data it is processing to a Restricted Country; (l) ; hold the information contained in the Personal Data confidentially and under at least the conditions of confidence as such Party holds Personal Data Processed by it other than the Personal Data. (m) not disclose the Personal Data to a third party (including a sub-contractor) in any circumstances without the other Parties' prior written consent, save in relation to: (i) disclosures to Permitted Recipients; and (ii);

DATA CONTROLLER OBLIGATIONS. 1.2.1 Each Party shall in relation to the Processing of the Personal Data comply with its respective obligations under the Data Protection Laws. 1.2.2 2.2.1 Without limiting the generality of the obligation obligations set out in Paragraph 1.2.12.1.2, in particular, each Party the Customer shall: (a) where make all required to do so make due notification notification(s) to the ICOICO in relation to its Processing of Personal Data; (b) ensure that it is not subject to any prohibition or restriction which would: : (i) prevent or restrict it from disclosing or transferring the Personal Data to the other Party as required under this Agreement; The Growth Company; (ii) prevent or restrict it from granting the other Party The Growth Company access to the Personal Data as required under this AgreementData; or and/or (iii) prevent or restrict either Party The Growth Company from Processing the Personal Data, in each case as envisaged under required for The Growth Company to perform the Services in accordance with this Agreement; (c) ensure that all fair processing notices have been given (and/or, as applicable, consents obtained) and are sufficient in scope to enable each Party allow The Growth Company to Process the Personal Data as required in order to obtain connection with the benefit provision of its rights and to fulfil its obligations the Services under this Agreement and in accordance with the Data Protection Laws; (d) ensure that all Personal Data disclosed or transferred to, or accessed by, another Party The Growth Company is accurate and accurate, up-to-to- date, as well as adequate, relevant and not excessive to enable that Party The Growth Company to Process the process Personal Data as envisaged under required for The Growth Company to perform the Services in accordance with this Agreement; (e) ensure that appropriate maintain technical and organisational security measures are in place sufficient to comply with at least with the obligations imposed on the Controller by the Security Requirements including Data Protection Laws including, without limitation, (i) ensuring a level of security appropriate to the risk involved in the processing (which shall include without limitation and, as appropriate, taking steps such as the pseudonymisation and/or encryption of Personal Datapersonal data, taking steps to ensure the ongoing confidentiality, integrity, availability and resilience of the systems and services used to process Personal Data, ensuring the ability to restore the availability and access to Personal Data and regularly testing the effectiveness of the systems in place); (ii) adhering to any relevant codes of conduct or approved certifications; and (iii) ensuring that all individuals who have access to Personal Data maintain the confidentiality and security of Personal Data and comply with the terms of this Agreement and where requested provide to the University evidence of its compliance with such requirements promptly, and in any event within 48 hours of the request (f) notify the other Party promptly, and in any event within five days of receipt of any Data Subject Request or ICO Correspondence which relates directly or indirectly to the Processing of Personal Data under, or in connection with, this Agreement and together with such notice, provide a copy of such Data Subject Request or ICO Correspondence to the other Party and reasonable details of the circumstances giving rise to it. In addition to providing the notice referred to in this Paragraph 1.2.2(f), each Party shall provide the other Party with all reasonable co-operation and assistance required by the other Party in relation to any such Data Subject Request or ICO Correspondence; (g) use reasonable endeavours to notify the other Party if it is obliged to make a disclosure of any of the Personal Data under any statutory requirement, such notification to be made in advance of such disclosure or immediately thereafter unless prohibited by law; (h) notify the other Parties in writing without under delay and, in any event, within twenty four (24) hours of it becoming aware of any actual or suspected Personal Data Breach in relation to the Personal Data received from another Party and shall, within such timescale to be agreed by the Parties (acting reasonably and in good faith) : (i) implement any measures necessary to restore the security of compromised Personal DataAgreement; and (ii) support the other Parties to make any required notifications to the ICO and/or other equivalent relevant Regulator and affected Data Subjects (i) take reasonable steps to ensure the reliability of any of its personnel who have access to the Personal Data; (jf) not do anything which shall damage the reputation of the other Party or that Party's relationship with the Data Subjects; (k) not transfer any Personal Data it is processing to a Restricted Country; (l) hold the information contained in the Personal Data confidentially and under at least the conditions of confidence as such Party holds Personal Data Processed by it other than the Personal DataThe Growth Company. (m) not disclose the Personal Data to a third party (including a sub-contractor) in any circumstances without the other Parties' prior written consent, save in relation to: (i) disclosures to Permitted Recipients; and (ii)

DATA CONTROLLER OBLIGATIONS. 1.2.1 2.2.1 Each Party shall in relation to the Processing of the Personal Data comply with its respective obligations under the Data Protection Laws. 1.2.2 2.2.2 Without limiting the generality of the obligation set out in Paragraph 1.2.12.2.1, in particular, each Party shall: (a) where required to do so make due notification to the ICO; (b) ensure it is not subject to any prohibition or restriction which would: (i) prevent or restrict it from disclosing or transferring the Personal Data to the other Party as required under this Agreement; (ii) prevent or restrict it from granting the other Party access to the Personal Data as required under this Agreement; or (iii) prevent or restrict either Party from Processing the Personal Data, as envisaged under this Agreement; (c) ensure that all fair processing notices have been given (and/or, as applicable, consents obtained) and are sufficient in scope to enable each Party to Process the Personal Data as required in order to obtain the benefit of its rights and to fulfil its obligations under this Agreement in accordance with the Data Protection Laws; (d) ensure that all Personal Data disclosed or transferred to, or accessed by, another the other Party is accurate and accurate, up-to-date, as well as adequate, relevant date and not excessive complete to enable that either Party to Process the Personal Data as envisaged under this Agreement; (e) ensure that appropriate technical and organisational security measures are in place sufficient to comply with with: (i) at least the obligations imposed on the Controller by the Security Requirements including without limitation, (i) ensuring a level of security appropriate to the risk involved in the processing (which shall include without limitation Requirements; and, as appropriate, taking steps such as the pseudonymisation and/or encryption of Personal Data, taking steps to ensure the ongoing confidentiality, integrity, availability and resilience of the systems and services used to process Personal Data and regularly testing the effectiveness of the systems in place); (ii) adhering to any relevant codes of conduct or approved certifications; and (iii) ensuring that all individuals who have access to Personal Data maintain the confidentiality and security of Personal Data and comply with the terms of this Agreement and where requested provide to the University evidence of its compliance with such requirements promptly, and in any event within 48 hours of the request (f) notify the other Party promptly, and in any event within five days forty-eight (48) hours of receipt of any Data Subject Request or ICO Correspondence which relates directly or indirectly to the Processing of Personal Data under, or in connection with, this Agreement and together with such notice, provide a copy of such Data Subject Request or ICO Correspondence to the other Party and reasonable details of the circumstances giving rise to it. In addition to providing the notice referred to in this Paragraph 1.2.2(f2.2.2 (f), each Party shall provide the other Party with all reasonable co-operation and assistance required by the other Party in relation to any such Data Subject Request or ICO Correspondence; (g) use reasonable endeavours to notify the other Party if it is obliged to make a disclosure of any of the Personal Data under any statutory requirement, such notification to be made in advance of such disclosure or immediately thereafter unless prohibited by law; (h) notify the other Parties Party in writing without under undue delay and, in any event, within twenty twenty-four (24) hours of it becoming aware of any actual or suspected Personal Data Breach in relation to the Personal Data received from another the other Party and shall, within such timescale to be agreed by the Parties (acting reasonably and in good faith) :): (i) implement any measures necessary to restore the security of compromised Personal Data; and (ii) support the other Parties Party to make any required notifications to the ICO and/or other equivalent relevant Regulator and affected Data Subjects; (i) take reasonable steps to ensure the reliability of any of its personnel who have access to the Personal Data; (j) not do anything which shall damage the reputation of the other Party or that Party's relationship with the Data Subjects; (k) not transfer any or otherwise process (and not instruct or permit a third party to transfer or otherwise process) Personal Data it is processing to a Restricted Countryoutside of the UK; (l) hold the information contained in the Personal Data confidentially and under at least the conditions of confidence as such Party holds Personal Data Processed by it other than the Personal Data.; (m) not disclose the Personal Data to a third party (including a sub-sub- contractor) in any circumstances without the other Parties' Party's prior written consent, save in relation to: : (i) disclosures to Permitted Recipients; and (ii)and

DATA CONTROLLER OBLIGATIONS. 1.2.1 Each Party shall in relation to the Processing of the Personal Data comply with its respective obligations under the Data Protection Laws. 1.2.2 Without limiting the generality of the obligation set out in Paragraph 1.2.1, in particular, each Party shall: (a) where required to do so make due notification to the ICO; (b) ensure it is not subject to any prohibition or restriction which would: (i) prevent or restrict it from disclosing or transferring the Personal Data to the other Party as required under this Agreement; (ii) prevent or restrict it from granting the other Party access to the Personal Data as required under this Agreement; or (iii) prevent or restrict either Party from Processing the Personal Data, as envisaged under this Agreement; (c) ensure that all fair processing notices have been given (and/or, as applicable, consents obtained) and are sufficient in scope to enable each Party to Process the Personal Data as required in order to obtain the benefit of its rights and to fulfil its obligations under this Agreement in accordance with the Data Protection Laws; (d) ensure that all Personal Data disclosed or transferred to, or accessed by, another Party is accurate and up-to-date, as well as adequate, relevant and not excessive to enable that Party to Process the Personal Data as envisaged under this Agreement; (e) ensure that appropriate technical and organisational security measures are in place sufficient to comply with at least the obligations imposed on the Controller by the Security Requirements including without limitation, (i) ensuring a level of security appropriate to the risk involved in the processing (which shall include without limitation and, as appropriate, taking steps such as the pseudonymisation and/or encryption of Personal Data, taking steps to ensure the ongoing confidentiality, integrity, availability and resilience of the systems and services used to process Personal Data and regularly testing the effectiveness of the systems in place); (ii) adhering to any relevant codes of conduct or approved certifications; and (iii) ensuring that all individuals who have access to Personal Data maintain the confidentiality and security of Personal Data and comply with the terms of this Agreement and where requested provide to the University evidence of its compliance with such requirements promptly, and in any event within 48 hours of the request (f) notify the other Party promptly, and in any event within five days of receipt of any Data Subject Request or ICO Correspondence which relates directly or indirectly to the Processing of Personal Data under, or in connection with, this Agreement and together with such notice, provide a copy of such Data Subject Request or ICO Correspondence to the other Party and reasonable details of the circumstances giving rise to it. In addition to providing the notice referred to in this Paragraph 1.2.2(f), each Party shall provide the other Party with all reasonable co-operation and assistance required by the other Party in relation to any such Data Subject Request or ICO Correspondence; (g) use reasonable endeavours to notify the other Party if it is obliged to make a disclosure of any of the Personal Data under any statutory requirement, such notification to be made in advance of such disclosure or immediately thereafter unless prohibited by law; (h) notify the other Parties in writing without under delay and, in any event, within twenty four (24) hours of it becoming aware of any actual or suspected Personal Data Breach in relation to the Personal Data received from another Party and shall, within such timescale to be agreed by the Parties (acting reasonably and in good faith) :): (i) implement any measures necessary to restore the security of compromised Personal Data; and (ii) support the other Parties to make any required notifications to the ICO and/or other equivalent relevant Regulator and affected Data Subjects (i) take reasonable steps to ensure the reliability of any of its personnel who have access to the Personal Data; (j) not do anything which shall damage the reputation of the other Party or that Party's relationship with the Data Subjects; (k) not transfer any Personal Data it is processing to a Restricted Country; (l) hold the information contained in the Personal Data confidentially and under at least the conditions of confidence as such Party holds Personal Data Processed by it other than the Personal Data. (m) not disclose the Personal Data to a third party (including a sub-contractor) in any circumstances without the other Parties' prior written consent, save in relation to: (i) disclosures to Permitted Recipients; and (ii)

DATA CONTROLLER OBLIGATIONS. 1.2.1 Each Party The Parties shall in relation to the Processing of the Personal Data comply with its respective obligations under the Data Protection Laws. 1.2.2 GDPR legislation. Without limiting the generality of the obligation set out in Paragraph 1.2.14.1, in particular, each Party shall: (a) where the Parties: Where required to do so make due notification to the ICO; (b) relevant authorities; ensure it is not subject to any prohibition or restriction which would: (i) : prevent or restrict it from disclosing or transferring the Personal Data to the other Party Parties as required under this Agreement; (ii) ; prevent or restrict it from granting the other Party Parties access to the Personal Data as required under this Agreement; or (iii) or prevent or restrict either Party the other Parties from Processing the Personal Data, as envisaged under this Agreement; (c) ; ensure that all fair processing notices have been given (and/or, as applicable, consents obtained) and are sufficient in scope to enable each Party to Process the Personal Data as required in order to obtain the benefit of its rights and to fulfil its obligations under this Agreement in accordance with the Data Protection Laws; (d) ensure that all Personal Data disclosed or transferred to, or accessed by, another Party is accurate and up-to-date, as well as adequate, relevant and not excessive to enable that Party to Process the Personal Data as envisaged under this Agreement; (e) ensure that appropriate technical and organisational security measures are in place sufficient to comply with at least the obligations imposed on the Controller by the Security Requirements including without limitation, (i) ensuring a level of security appropriate to the risk involved in the processing (which shall include without limitation and, as appropriate, taking steps such as the pseudonymisation and/or encryption of Personal Data, taking steps to ensure the ongoing confidentiality, integrity, availability and resilience of the systems and services used to process Personal Data and regularly testing the effectiveness of the systems in place)GDPR legislation; (ii) adhering to any relevant codes of conduct or approved certifications; and (iii) ensuring that all individuals who have access to Personal Data maintain the confidentiality and security of Personal Data and comply with the terms of this Agreement and where requested provide to the University evidence of its compliance with such requirements promptly, and in any event within 48 hours of the request (f) notify the other Party promptly, and in any event within five days [forty-eight (48)] hours of receipt of any Data Subject Request or ICO Correspondence which relates directly or indirectly to the Processing of Personal Data under, or in connection with, this Agreement and together with such notice, provide a copy of such Data Subject Request or ICO Correspondence to the other Party and reasonable details of the circumstances giving rise to it. In addition to providing the notice referred to in this Paragraph 1.2.2(f)such notice, each Party they shall provide the other Party with all reasonable co-operation and assistance required by the other Party in relation to any such Data Subject Request or ICO Correspondence; (g) Request; use reasonable endeavours to notify the other Party if Parties it is obliged to make a disclosure of any of the Personal Data under any statutory requirement, such notification to be made in advance of such disclosure or immediately thereafter unless prohibited by law; (h) notify the other Parties in writing without under delay and, in any event, within twenty four (24) hours of it becoming aware of any actual or suspected Personal Data Breach in relation to the Personal Data received from another Party and shall, within such timescale to be agreed by the Parties (acting reasonably and in good faith) : (i) implement any measures necessary to restore the security of compromised Personal Data; and (ii) support the other Parties to make any required notifications to the ICO and/or other equivalent relevant Regulator and affected Data Subjects (i) take reasonable steps to ensure the reliability of any of its personnel who have access to the Personal Data; (j) ; not do anything which shall damage the reputation of the other Party Parties or that Party's their relationship with the Data Subjects; (k) not transfer any Personal Data it is processing to a Restricted Country; (l) ; hold the information contained in the Personal Data confidentially and under at least the conditions of confidence as such Party holds Personal Data Processed by it other than the Personal Data. (m) not disclose the Personal Data to a third party (including a sub-contractor) in any circumstances without the other Parties' prior written consent, save in relation to: (i) disclosures to Permitted Recipients; and (ii);

DATA CONTROLLER OBLIGATIONS. 1.2.1 Each Party 2.2.1 UoM shall in relation to the Processing of the Personal Data comply with its respective obligations under the Data Protection Laws. The Partner shall, where relevant, in relation to the Processing of the Personal Data comply with any obligations it may have under the Data Protection Laws, together with any obligations in relation to the Processing of Personal Data that it has under its own national laws and/or any other applicable jurisdiction. 1.2.2 2.2.2 Without limiting the generality of the obligation set out in Paragraph 1.2.12.2.1, in particular, each Party Institution shall: (a) where required to do so make due notification to the ICO; (b) ensure it is not subject to any prohibition or restriction which would: (i) prevent or restrict it from disclosing or transferring the Personal Data to the other Party as required under this Agreement; (ii) prevent or restrict it from granting the other Party access to the Personal Data as required under this Agreement; or (iii) prevent or restrict either Party from Processing the Personal Data, as envisaged under this Agreement; (c) ensure that all fair processing notices have been given (and/or, as applicable, consents obtained) and are sufficient in scope to enable each Party Institution to Process the Personal Data as required in order to obtain the benefit of its rights and to fulfil its obligations under this Agreement MOU in accordance with the Data Protection LawsLaws and/or, in the case of the Partner, its own national laws and/or any other applicable jurisdiction; (db) ensure that all Personal Data disclosed or transferred to, or accessed by, another Party the other Institution is accurate and up-to-date, as well as adequate, relevant and not excessive to enable that Party either Institution to Process the Personal Data as envisaged under this AgreementMOU; (ec) ensure that appropriate technical and organisational security measures are in place sufficient to comply with at least the obligations imposed on the Controller by the Security Requirements including without limitation, (i) ensuring a level of security appropriate to the risk involved in the processing (which shall include without limitation and, as appropriate, taking steps such as the pseudonymisation and/or encryption of Personal Data, taking steps to ensure the ongoing confidentiality, integrity, availability and resilience of the systems and services used to process Personal Data and regularly testing the effectiveness of the systems in place); (ii) adhering to any relevant codes of conduct or approved certifications; and (iii) ensuring that all individuals who have access to Personal Data maintain the confidentiality and security of Personal Data and comply with the terms of this Agreement and where reasonably requested the Partner shall provide to the University UoM evidence of its compliance with such requirements promptly, and in any event within 48 hours of the requestrequirements; (fd) support the other Institution to make any required notifications to any relevant regulator and affected Data Subjects. In the case of UoM, the relevant regulator is the ICO; (e) notify the other Party promptly, and in any event within five days of receipt of any Data Subject Request or ICO Correspondence which relates directly or indirectly to the Processing of Personal Data under, or in connection with, this Agreement and together with such notice, provide a copy of such Data Subject Request or ICO Correspondence to the other Party and reasonable details of the circumstances giving rise to it. In addition to providing the notice referred to in this Paragraph 1.2.2(f), each Party shall provide the other Party with all reasonable co-operation and assistance required by the other Party in relation to any such Data Subject Request or ICO Correspondence; (g) use reasonable endeavours to notify the other Party if it is obliged to make a disclosure of any of the Personal Data under any statutory requirement, such notification to be made in advance of such disclosure or immediately thereafter unless prohibited by law; (h) notify the other Parties Institution in writing without under undue delay and, in any event, within twenty twenty-four (24) hours of it becoming aware of any actual or suspected Personal Data Breach in relation to the Personal Data received from another Party the other Institution and shall, within such timescale to be agreed by the Parties Institution (acting reasonably and in good faith) :): (i) implement any measures necessary to restore the security of compromised Personal Data; and (ii) support the other Parties Institution to make any required notifications to the ICO and/or other equivalent any relevant Regulator regulator and affected Data Subjects. In the case of UoM, the relevant regulator is the (if) take reasonable steps to ensure the reliability of any of its personnel who have access to the Personal Data;; and (j) not do anything which shall damage the reputation of the other Party or that Party's relationship with the Data Subjects; (k) not transfer any Personal Data it is processing to a Restricted Country; (lg) hold the information contained in the Personal Data confidentially and under at least the conditions of confidence as such Party Institution holds Personal Data Processed by it other than the Personal Data. (m) not disclose the Personal Data to a third party (including a sub-contractor) in any circumstances without the other Parties' prior written consent, save in relation to: (i) disclosures to Permitted Recipients; and (ii)

DATA CONTROLLER OBLIGATIONS. 1.2.1 2.3.1 Each Party shall in relation to the Processing of the Personal Data comply with its respective obligations under the Data Protection Laws. 1.2.2 2.3.2 Without limiting the generality of the obligation set out in Paragraph 1.2.12.3.1, in particular, each Party shall: (a) where required to do so make due notification to the ICO; (b) ensure it is not subject to any prohibition or restriction which would: (i) prevent or restrict it from disclosing or transferring the Personal Data to the other Party as required under this Agreement; (ii) prevent or restrict it from granting the other Party access to the Personal Data as required under this Agreement; or (iii) prevent or restrict either Party from Processing the Personal Data, as envisaged under this Agreement;. (c) ensure that all fair processing notices have been given (and/or, as applicable, consents obtained) and are sufficient in scope to enable each Party to Process the Personal Data as required in order to obtain the benefit of its rights and to fulfil its obligations under this Agreement in accordance with the Data Protection Laws; (d) ensure that all Personal Data disclosed or transferred to, or accessed by, another Party is accurate and up-to-date, as well as adequate, relevant and not excessive to enable that Party to Process the Personal Data as envisaged under this Agreement; (e) ensure that appropriate technical and organisational security measures are in place sufficient to comply with at least the obligations imposed on the Controller by the Security Requirements including without limitation, (i) ensuring a level of security appropriate to the risk involved in the processing (which shall include without limitation and, as appropriate, taking steps such as the pseudonymisation and/or encryption of Personal Data, taking steps to ensure the ongoing confidentiality, integrity, availability and resilience of the systems and services used to process Personal Data and regularly testing the effectiveness of the systems in place); (ii) adhering to any relevant codes of conduct or approved certifications; and (iii) ensuring that all individuals who have access to Personal Data maintain the confidentiality and security of Personal Data and comply with the terms of this Agreement and where requested provide to the University evidence of its compliance with such requirements promptly, and in any event within 48 hours of the requestRequirements; (fe) notify the other Party promptly, and in any event within five days forty-eight (48) hours of receipt of any Data Subject Request or ICO Correspondence which relates directly or indirectly to the Processing of Personal Data under, or in connection with, this Agreement and together with such notice, provide a copy of such Data Subject Request or ICO Correspondence to the other Party and reasonable details of the circumstances giving rise to it. In addition to providing the notice referred to in this Paragraph 1.2.2(f2.3.2(e), each Party shall provide the other Party with all reasonable co-operation and assistance required by the other Party in relation to any such Data Subject Request or ICO Correspondence; (gf) use reasonable endeavours to notify the other Party if it is obliged to make a disclosure of any of the Personal Data under any statutory requirement, such notification to be made in advance of such disclosure or immediately thereafter unless prohibited by law; (hg) notify the other Parties Party in writing without under undue delay and, in any event, within twenty twenty-four (24) hours of it becoming aware of any actual or suspected Personal Data Breach in relation to the Personal Data received from another the other Party and shall, within such timescale to be agreed by the Parties (acting reasonably and in good faith) :): (i) implement any measures necessary to restore the security of compromised Personal Data; and (ii) support the other Parties Party to make any required notifications to the ICO and/or other other (iii) equivalent relevant Regulator and affected Data Subjects; (ih) take reasonable steps to ensure the reliability of any of its personnel who have access to the Personal Data; (ji) not do anything which shall damage the reputation of the other Party or that Party's relationship with the Data Subjects; (kj) not transfer any Personal Data it is processing to a Restricted Country; (lk) hold the information contained in the Personal Data confidentially and under at least the conditions of confidence as such Party holds Personal Data Processed by it other than the Personal Data.; (ml) not disclose the Personal Data to a third party (including a sub-sub- contractor) in any circumstances without the other Parties' Party's prior written consent, save in relation to: : (i) disclosures to Permitted Recipients; and (ii)and

DATA CONTROLLER OBLIGATIONS. 1.2.1 2.2.1 Each Party shall in relation to the Processing of the Personal Data comply with its respective obligations under the Data Protection Laws. 1.2.2 2.2.2 Without limiting the generality of the obligation set out in Paragraph 1.2.12.2.1, in particular, each Party shall: (a) where required to do so make due notification to the ICO; (b) ensure it is not subject to any prohibition or restriction which would: (i) prevent or restrict it from disclosing or transferring the Personal Data to the other Party as required under this Agreement; (ii) prevent or restrict it from granting the other Party access to the Personal Data as required under this Agreement; or (iii) prevent or restrict either Party from Processing the Personal Data, as envisaged under this Agreement; (c) ensure that all fair processing notices have been given (and/or, as applicable, consents obtained) and are sufficient in scope to enable each Party to Process the Personal Data as required in order to obtain the benefit of its rights and to fulfil its obligations under this Agreement in accordance with the Data Protection Laws; (d) ensure that all Personal Data disclosed or transferred to, or accessed by, another Party is accurate and up-to-date, as well as adequate, relevant and not excessive to enable that Party to Process the Personal Data as envisaged under this Agreement; (e) ensure that appropriate technical and organisational security measures are in place sufficient to comply with at least the obligations imposed on the Controller by the Security Requirements including without limitation, (i) ensuring a level of security appropriate to the risk involved in the processing (which shall include without limitation and, as appropriate, taking steps such as the pseudonymisation and/or encryption of Personal Data, taking steps to ensure the ongoing confidentiality, integrity, availability and resilience of the systems and services used to process Personal Data and regularly testing the effectiveness of the systems in place); (ii) adhering to any relevant codes of conduct or approved certifications; and (iii) ensuring that all individuals who have access to Personal Data maintain the confidentiality and security of Personal Data and comply with the terms of this Agreement and where requested provide to the University evidence of its compliance with such requirements promptly, and in any event within 48 hours of the request (f) notify the other Party promptly, and in any event within five days of receipt of any Data Subject Request or ICO Correspondence which relates directly or indirectly to the Processing of Personal Data under, or in connection with, this Agreement and together with such notice, provide a copy of such Data Subject Request or ICO Correspondence to the other Party and reasonable details of the circumstances giving rise to it. In addition to providing the notice referred to in this Paragraph 1.2.2(f), each Party shall provide the other Party with all reasonable co-operation and assistance required by the other Party in relation to any such Data Subject Request or ICO Correspondence; (g) use reasonable endeavours to notify the other Party if it is obliged to make a disclosure of any of the Personal Data under any statutory requirement, such notification to be made in advance of such disclosure or immediately thereafter unless prohibited by law; (h) notify the other Parties in writing without under delay and, in any event, within twenty four (24) hours of it becoming aware of any actual or suspected Personal Data Breach in relation to the Personal Data received from another Party and shall, within such timescale to be agreed by the Parties (acting reasonably and in good faith) : (i) implement any measures necessary to restore the security of compromised Personal Data; and (ii) support the other Parties to make any required notifications to the ICO and/or other equivalent relevant Regulator and affected Data Subjects (i) take reasonable steps to ensure the reliability of any of its personnel who have access to the Personal Data; (j) not do anything which shall damage the reputation of the other Party or that Party's relationship with the Data Subjects; (k) not transfer any Personal Data it is processing to a Restricted Country; (l) hold the information contained in the Personal Data confidentially and under at least the conditions of confidence as such Party holds Personal Data Processed by it other than the Personal Data. (m) not disclose the Personal Data to a third party (including a sub-contractor) in any circumstances without the other Parties' prior written consent, save in relation to: (i) disclosures to Permitted Recipients; and (ii)

DATA CONTROLLER OBLIGATIONS. 1.2.1 Each Party shall in relation to the Processing of the Personal Data comply with its respective obligations under the Data Protection Laws. 1.2.2 . Without limiting the generality of the obligation set out in Paragraph 1.2.12.2.1, in particular, each Party shall: (a) : where required to do so make due notification to the ICO; (b) ; ensure it is not subject to any prohibition or restriction which would: (i) : prevent or restrict it from disclosing or transferring the Personal Data to the other Party as required under this Agreement; (ii) ; prevent or restrict it from granting the other Party access to the Personal Data as required under this Agreement; or (iii) or prevent or restrict either Party from Processing the Personal Data, as envisaged under this Agreement; (c) ; ensure that all fair processing notices have been given (and/or, as applicable, consents obtained) and are sufficient in scope to enable each Party to Process the Personal Data as required in order to obtain the benefit of its rights and to fulfil its obligations under this Agreement in accordance with the Data Protection Laws; (d) ; ensure that all Personal Data disclosed or transferred to, or accessed by, another Party is accurate and up-to-date, as well as adequate, relevant and not excessive to enable that Party to Process the Personal Data as envisaged under this Agreement; (e) ; ensure that appropriate technical and organisational security measures are in place sufficient to comply with at least the obligations imposed on the Controller by the Security Requirements including without limitation, (i) ensuring a level of security appropriate to the risk involved in the processing (which shall include without limitation and, as appropriate, taking steps such as the pseudonymisation and/or encryption of Personal Data, taking steps to ensure the ongoing confidentiality, integrity, availability and resilience of the systems and services used to process Personal Data and regularly testing the effectiveness of the systems in place); (ii) adhering to any relevant codes of conduct or approved certifications; and (iii) ensuring that all individuals who have access to Personal Data maintain the confidentiality and security of Personal Data and comply with the terms of this Agreement and where requested provide to the University evidence of its compliance with such requirements promptly, and in any event within 48 hours of the request (f) . notify the other Party promptly, and in any event within five days of receipt of any Data Subject Request or ICO Correspondence which relates directly or indirectly to the Processing of Personal Data under, or in connection with, this Agreement and together with such notice, provide a copy of such Data Subject Request or ICO Correspondence to the other Party and reasonable details of the circumstances giving rise to it. In addition to providing the notice referred to in this Paragraph 1.2.2(f2.2.2(f), each Party shall provide the other Party with all reasonable co-operation and assistance required by the other Party in relation to any such Data Subject Request or ICO Correspondence; (g) use reasonable endeavours to notify the other Party if it is obliged to make a disclosure of any of the Personal Data under any statutory requirement, such notification to be made in advance of such disclosure or immediately thereafter unless prohibited by law; (h) ; notify the other Parties in writing without under delay and, in any event, within twenty four (24) hours of it becoming aware of any actual or suspected Personal Data Breach in relation to the Personal Data received from another Party and shall, within such timescale to be agreed by the Parties (acting reasonably and in good faith) : (i) : implement any measures necessary to restore the security of compromised Personal Data; and (ii) and support the other Parties to make any required notifications to the ICO and/or other equivalent relevant Regulator and affected Data Subjects (i) Subjects use reasonable endeavours to notify the other Party if it is obliged to make a disclosure of any of the Personal Data under any statutory requirement, such notification to be made in advance of such disclosure or immediately thereafter unless prohibited by law; take reasonable steps to ensure the reliability of any of its personnel who have access to the Personal Data; (j) ; not do anything which shall damage the reputation of the other Party or that Party's relationship with the Data Subjects; (k) ; not transfer any Personal Data it is processing to a Restricted Country; (l) ; hold the information contained in the Personal Data confidentially and under at least the conditions of confidence as such Party holds Personal Data Processed by it other than the Personal Data. (m) not disclose the Personal Data to a third party (including a sub-contractor) in any circumstances without the other Parties' prior written consent, save in relation to: (i) disclosures to Permitted Recipients; and (ii)

DATA CONTROLLER OBLIGATIONS. 1.2.1 2.2.1 Each Party shall in relation to the Processing of the Personal Data comply with its respective obligations under the Data Protection Laws.Laws.‌ 1.2.2 2.2.2 Without limiting the generality of the obligation set out in Paragraph 1.2.12.2.1, in particular, each Party shall:shall:‌ (a) where required to do so make due notification to the ICO; (b) ensure it is not subject to any prohibition or restriction which would: (i) prevent or restrict it from disclosing or transferring the Personal Data to the other Party as required under this Agreement; (ii) prevent or restrict it from granting the other Party access to the Personal Data as required under this Agreement; or (iii) prevent or restrict either Party from Processing the Personal Data, as envisaged under this Agreement; (c) ensure that all fair processing notices have been given (and/or, as applicable, consents obtained) and are sufficient in scope to enable each Party to Process the Personal Data as required in order to obtain the benefit of its rights and to fulfil its obligations under this Agreement in accordance with the Data Protection Laws; (d) ensure that all Personal Data disclosed or transferred to, or accessed by, another the other Party is accurate and up-to-date, as well as adequate, relevant and not excessive to enable that either Party to Process the Personal Data as envisaged under this Agreement; (e) ensure that appropriate technical and organisational security measures are in place sufficient to comply with at least the obligations imposed on the Controller by the Security Requirements including without limitation, (i) ensuring a level of security appropriate to the risk involved in the processing (which shall include without limitation and, as appropriate, taking steps such as the pseudonymisation and/or encryption of Personal Data, taking steps to ensure the ongoing confidentiality, integrity, availability and resilience of the systems and services used to process Personal Data and regularly testing the effectiveness of the systems in place); (ii) adhering to any relevant codes of conduct or approved certifications; and (iii) ensuring that all individuals who have access to Personal Data maintain the confidentiality and security of Personal Data and comply with the terms of this Agreement and where requested provide to the University evidence of its compliance with such requirements promptly, and in any event within 48 hours of the requestplace;‌ (f) notify the other Party promptly, and in any event within five days [forty-eight (48)] hours of receipt of any Data Subject Request or ICO Correspondence which relates directly or indirectly to the Processing of Personal Data under, or in connection with, this Agreement and together with such notice, provide a copy of such Data Subject Request or ICO Correspondence to the other Party and reasonable details of the circumstances giving rise to it. In addition to providing the notice referred to in this Paragraph 1.2.2(f2.2.2(f), each Party shall provide the other Party with all reasonable co-operation and assistance required by the other Party in relation to any such Data Subject Request or ICO Correspondence;Correspondence;‌ (g) use reasonable endeavours to notify the other Party if it is obliged to make a disclosure of any of the Personal Data under any statutory requirement, such notification to be made in advance of such disclosure or immediately thereafter unless prohibited by law; (h) notify the other Parties Party in writing without under undue delay and, in any event, within twenty [twenty-four (24) hours hours] of it becoming aware of any actual or suspected Personal Data Breach in relation to the Personal Data received from another the other Party and shall, within such timescale to be agreed by the Parties (acting reasonably and in good faith) :): (i) implement any measures necessary to restore the security of compromised Personal Data; and (ii) support the other Parties Party to make any required notifications to the ICO and/or other equivalent relevant Regulator and affected Data Subjects; (i) take reasonable steps to ensure the reliability of any of its personnel who have access to the Personal Data; (j) not do anything which shall damage the reputation of the other Party or that Party's relationship with the Data Subjects; (k) not transfer any Personal Data it is processing to a Restricted Country; (l) hold the information contained in the Personal Data confidentially and under at least the conditions of confidence as such Party holds Personal Data Processed by it other than the Personal Data.; and (m) not disclose the Personal Data to a third party (including a sub-sub- contractor) in any circumstances without the other Parties' Party's prior written consent, save in relation to: : (i) disclosures to Permitted Recipients; and (ii)and

DATA CONTROLLER OBLIGATIONS. 1.2.1 Each Party shall in relation to the Processing of the Personal Data comply with its respective obligations under the Data Protection Laws. 1.2.2 2.2.1 Without limiting the generality of the obligation obligations set out in Paragraph 1.2.12.1.2, in particular, each Party the Firm/Organisation shall: (a) where make all required to do so make due notification notification(s) to the ICOICO in relation to its Processing of Personal Data; (b) ensure that it is not subject to any prohibition or restriction which would: : (i) prevent or restrict it from disclosing or transferring the Personal Data to the other Party as required under this Agreement; Centre for Assessment Ltd; (ii) prevent or restrict it from granting the other Party Centre for Assessment Ltd access to the Personal Data as required under this AgreementData; or and/or (iii) prevent or restrict either Party Centre for Assessment Ltd from Processing the Personal Data, in each case as envisaged under required for Centre for Assessment Ltd to perform the Services in accordance with this Agreement; (c) ensure that all fair processing notices have been given (and/or, as applicable, consents obtained) and are sufficient in scope to enable each Party allow Centre for Assessment Ltd to Process the Personal Data as required in order to obtain connection with the benefit provision of its rights and to fulfil its obligations the Services under this Agreement and in accordance with the Data Protection Laws; (d) ensure that all Personal Data disclosed or transferred to, or accessed by, another Party Centre for Assessment Ltd is accurate and accurate, up-to-date, as well as adequate, relevant and not excessive to enable that Party Centre for Assessment Ltd to Process the process Personal Data as envisaged under required for Centre for Assessment Ltd to perform the Services in accordance with this Agreement; (e) ensure that appropriate maintain technical and organisational security measures are in place sufficient to comply with at least with the obligations imposed on the Controller by the Security Requirements including Data Protection Laws including, without limitation, (i) ensuring a level of security appropriate to the risk involved in the processing (which shall include without limitation and, as appropriate, taking steps such as the pseudonymisation and/or encryption of Personal Datapersonal data, taking steps to ensure the ongoing confidentiality, integrity, availability and resilience of the systems and services used to process Personal Data, ensuring the ability to restore the availability and access to Personal Data and regularly testing the effectiveness of the systems in place); (ii) adhering to any relevant codes of conduct or approved certifications; and (iii) ensuring that all individuals who have access to Personal Data maintain the confidentiality and security of Personal Data and comply with the terms of this Agreement and where requested provide to the University evidence of its compliance with such requirements promptly, and in any event within 48 hours of the request (f) notify the other Party promptly, and in any event within five days of receipt of any Data Subject Request or ICO Correspondence which relates directly or indirectly to the Processing of Personal Data under, or in connection with, this Agreement and together with such notice, provide a copy of such Data Subject Request or ICO Correspondence to the other Party and reasonable details of the circumstances giving rise to it. In addition to providing the notice referred to in this Paragraph 1.2.2(f), each Party shall provide the other Party with all reasonable co-operation and assistance required by the other Party in relation to any such Data Subject Request or ICO Correspondence; (g) use reasonable endeavours to notify the other Party if it is obliged to make a disclosure of any of the Personal Data under any statutory requirement, such notification to be made in advance of such disclosure or immediately thereafter unless prohibited by law; (h) notify the other Parties in writing without under delay and, in any event, within twenty four (24) hours of it becoming aware of any actual or suspected Personal Data Breach in relation to the Personal Data received from another Party and shall, within such timescale to be agreed by the Parties (acting reasonably and in good faith) : (i) implement any measures necessary to restore the security of compromised Personal DataAgreement; and (ii) support the other Parties to make any required notifications to the ICO and/or other equivalent relevant Regulator and affected Data Subjects (i) take reasonable steps to ensure the reliability of any of its personnel who have access to the Personal Data; (jf) not do anything which shall damage the reputation of the other Party or that Party's relationship with the Data Subjects; (k) not transfer any Personal Data it is processing to a Restricted Country; (l) hold the information contained in the Personal Data confidentially and under at least the conditions of confidence as such Party holds Personal Data Processed by it other than the Personal Data. (m) not disclose the Personal Data to a third party (including a sub-contractor) in any circumstances without the other Parties' prior written consent, save in relation to: (i) disclosures to Permitted Recipients; and (ii)Centre for Assessment Ltd.