Common use of DATA CONTROLLER OBLIGATIONS Clause in Contracts

DATA CONTROLLER OBLIGATIONS. 2.2.1 Without limiting the generality of the obligations set out in Paragraph 2.1.2, in particular, the Customer shall: (a) make all required notification(s) to the ICO in relation to its Processing of Personal Data; (b) ensure that it is not subject to any prohibition or restriction which would: (i) prevent or restrict it from disclosing or transferring Personal Data to The Growth Company; (ii) prevent or restrict it from granting The Growth Company access to Personal Data; and/or (iii) prevent or restrict The Growth Company from Processing Personal Data, in each case as required for The Growth Company to perform the Services in accordance with this Agreement; (c) ensure that all fair processing notices have been given (and/or, as applicable, consents obtained) and are sufficient in scope to allow The Growth Company to Process Personal Data as required in connection with the provision of the Services under this Agreement and in accordance with the Data Protection Laws; (d) ensure that all Personal Data disclosed or transferred to, or accessed by, The Growth Company is accurate, up-to- date, adequate, relevant and not excessive to enable The Growth Company to process Personal Data as required for The Growth Company to perform the Services in accordance with this Agreement; (e) maintain technical and organisational security measures sufficient to comply at least with the obligations imposed on the Controller by Data Protection Laws including, without limitation, (i) ensuring a level of security appropriate to the risk involved in the processing (which shall include without limitation and, as appropriate, taking steps such as the pseudonymisation and/or encryption of personal data, taking steps to ensure the ongoing confidentiality, integrity, availability and resilience of the systems and services used to process Personal Data, ensuring the ability to restore the availability and access to Personal Data and regularly testing the effectiveness of the systems in place); (ii) adhering to any relevant codes of conduct or approved certifications; and (iii) ensuring that all individuals who have access to Personal Data maintain the confidentiality and security of Personal Data and comply with the terms of this Agreement; and (f) not do anything which shall damage the reputation of The Growth Company.

DATA CONTROLLER OBLIGATIONS. 2.2.1 Without limiting the generality of the obligations set out in Paragraph 2.1.2, in particular, the Customer shall: (a) make all required notification(s) to the ICO in relation to its Processing of Personal Data; (b) ensure that it is not subject to any prohibition or restriction which would: (i) prevent or restrict it from disclosing or transferring Personal Data to The Growth Company; (ii) prevent or restrict it from granting The Growth Company access to Personal Data; and/or (iii) prevent or restrict The Growth Company from Processing Personal Data, in each case as required for The Growth Company to perform the Services in accordance with this Agreement; (c) ensure that all fair processing notices have been given (and/or, as applicable, consents obtained) and are sufficient in scope to allow The Growth Company to Process Personal Data as required in connection with the provision of the Services under this Agreement and in accordance with the Data Protection Laws; (d) ensure that all Personal Data disclosed or transferred to, or accessed by, The Growth Company is accurate, up-to- to-date, adequate, relevant and not excessive to enable The Growth Company to process Personal Data as required for The Growth Company to perform the Services in accordance with this Agreement; (e) maintain technical and organisational security measures sufficient to comply at least with the obligations imposed on the Controller by Data Protection Laws including, without limitation, (i) ensuring a level of security appropriate to the risk involved in the processing (which shall include without limitation and, as appropriate, taking steps such as the pseudonymisation and/or encryption of personal data, taking steps to ensure the ongoing confidentiality, integrity, availability and resilience of the systems and services used to process Personal Data, ensuring the ability to restore the availability and access to Personal Data and regularly testing the effectiveness of the systems in place); (ii) adhering to any relevant codes of conduct or approved certifications; and (iii) ensuring that all individuals who have access to Personal Data maintain the confidentiality and security of Personal Data and comply with the terms of this Agreement; and (f) not do anything which shall damage the reputation of The Growth Company.

DATA CONTROLLER OBLIGATIONS. 2.2.1 Without limiting the generality of the obligations set out in Paragraph 2.1.2, in particular, the Customer Firm/Organisation shall: (a) make all required notification(s) to the ICO in relation to its Processing of Personal Data; (b) ensure that it is not subject to any prohibition or restriction which would: (i) prevent or restrict it from disclosing or transferring Personal Data to The Growth CompanyCentre for Assessment Ltd; (ii) prevent or restrict it from granting The Growth Company Centre for Assessment Ltd access to Personal Data; and/or (iii) prevent or restrict The Growth Company Centre for Assessment Ltd from Processing Personal Data, in each case as required for The Growth Company Centre for Assessment Ltd to perform the Services in accordance with this Agreement; (c) ensure that all fair processing notices have been given (and/or, as applicable, consents obtained) and are sufficient in scope to allow The Growth Company Centre for Assessment Ltd to Process Personal Data as required in connection with the provision of the Services under this Agreement and in accordance with the Data Protection Laws; (d) ensure that all Personal Data disclosed or transferred to, or accessed by, The Growth Company Centre for Assessment Ltd is accurate, up-to- to-date, adequate, relevant and not excessive to enable The Growth Company Centre for Assessment Ltd to process Personal Data as required for The Growth Company Centre for Assessment Ltd to perform the Services in accordance with this Agreement; (e) maintain technical and organisational security measures sufficient to comply at least with the obligations imposed on the Controller by Data Protection Laws including, without limitation, (i) ensuring a level of security appropriate to the risk involved in the processing (which shall include without limitation and, as appropriate, taking steps such as the pseudonymisation and/or encryption of personal data, taking steps to ensure the ongoing confidentiality, integrity, availability and resilience of the systems and services used to process Personal Data, ensuring the ability to restore the availability and access to Personal Data and regularly testing the effectiveness of the systems in place); (ii) adhering to any relevant codes of conduct or approved certifications; and (iii) ensuring that all individuals who have access to Personal Data maintain the confidentiality and security of Personal Data and comply with the terms of this Agreement; and (f) not do anything which shall damage the reputation of The Growth Company.Centre for Assessment Ltd.

DATA CONTROLLER OBLIGATIONS. 2.2.1 UoM shall in relation to the Processing of the Personal Data comply with its obligations under the Data Protection Laws. The Partner shall, where relevant, in relation to the Processing of the Personal Data comply with any obligations it may have under the Data Protection Laws, together with any obligations in relation to the Processing of Personal Data that it has under its own national laws and/or any other applicable jurisdiction. 2.2.2 Without limiting the generality of the obligations obligation set out in Paragraph 2.1.22.2.1, in particular, the Customer each Institution shall: (a) make all required notification(s) to the ICO in relation to its Processing of Personal Data; (b) ensure that it is not subject to any prohibition or restriction which would: (i) prevent or restrict it from disclosing or transferring Personal Data to The Growth Company; (ii) prevent or restrict it from granting The Growth Company access to Personal Data; and/or (iii) prevent or restrict The Growth Company from Processing Personal Data, in each case as required for The Growth Company to perform the Services in accordance with this Agreement; (c) ensure that all fair processing notices have been given (and/or, as applicable, consents obtained) and are sufficient in scope to allow The Growth Company enable each Institution to Process the Personal Data as required in connection with order to obtain the provision benefit of the Services its rights and to fulfil its obligations under this Agreement and MOU in accordance with the Data Protection LawsLaws and/or, in the case of the Partner, its own national laws and/or any other applicable jurisdiction; (db) ensure that all Personal Data disclosed or transferred to, or accessed by, The Growth Company the other Institution is accurate, accurate and up-to- to-date, as well as adequate, relevant and not excessive to enable The Growth Company either Institution to process Process the Personal Data as required for The Growth Company to perform the Services in accordance with envisaged under this AgreementMOU; (ec) maintain ensure that appropriate technical and organisational security measures are in place sufficient to comply with at least with the obligations imposed on the Controller by the Security Requirements and where reasonably requested the Partner shall provide to UoM evidence of its compliance with such requirements; (d) support the other Institution to make any required notifications to any relevant regulator and affected Data Protection Laws includingSubjects. In the case of UoM, the relevant regulator is the ICO; (e) notify the other Institution in writing without limitationundue delay and, in any event, within twenty-four (24) hours of it becoming aware of any actual or suspected Personal Data Breach in relation to the Personal Data received from the other Institution and shall, within such timescale to be agreed by the Institution (acting reasonably and in good faith): (i) ensuring a level implement any measures necessary to restore the security of security appropriate compromised Personal Data; and (ii) support the other Institution to make any required notifications to any relevant regulator and affected Data Subjects. In the risk involved in case of UoM, the processing relevant regulator is the (which shall include without limitation and, as appropriate, taking steps such as the pseudonymisation and/or encryption of personal data, taking f) take reasonable steps to ensure the ongoing confidentiality, integrity, availability and resilience reliability of the systems and services used to process Personal Data, ensuring the ability to restore the availability and access to Personal Data and regularly testing the effectiveness any of the systems in place); (ii) adhering to any relevant codes of conduct or approved certifications; and (iii) ensuring that all individuals its personnel who have access to the Personal Data maintain the confidentiality and security of Personal Data and comply with the terms of this AgreementData; and (fg) not do anything which shall damage hold the reputation information contained in the Personal Data confidentially and under at least the conditions of The Growth Companyconfidence as such Institution holds Personal Data Processed by it other than the Personal Data.