Common use of Data Privacy Obligations Clause in Contracts

Data Privacy Obligations. In the event that country-specific privacy obligations applies to Supplier, Supplier shall comply with the requirements stipulated in the Data Privacy Supplement and the relevant country-specific supplements as set forth therein on the DXC Portal at (DXC-Data Privacy Supplement). The Data Privacy Supplement sets out the terms and conditions for the Processing of Personal Information by Supplier on behalf of DXC under the Agreement and forms an integral part of the Agreement. In the event of any conflict between the terms of the Data Privacy Supplement, the Agreement, or Data Protection Laws, the following order of precedence shall apply: 1) Applicable Data Protection Laws, 2) The Data Privacy Supplement and its appendices 3) The Agreement. 18 HIPAA To the extent (if any) that DXC discloses “Protected Health Information” or “PHI” as defined in the HIPAA Privacy and Security Rules (45 CFR, Part 160-164) issued pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) to Supplier or Supplier accesses, maintains, uses, or discloses PHI in connection with the performance of Services or functions under this Agreement, Supplier will: (a) not use or further disclose PHI other than as permitted or required by this Agreement or as required by law; (b) use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement, including implementing requirements of the HIPAA Security Rule with regard to electronic PHI; (c) report to DXC any use or disclosure of PHI not provided for under this Agreement of which Supplier becomes aware, including breaches of unsecured protected health information as required by 45 CFR §164.410, (d) in accordance with 45 CFR §164.502(e)(1)(ii), ensure that any subcontractors or agents of Supplier that create, receive, maintain, or transmit PHI created, received, maintained or transmitted by Supplier on DXC’s behalf, agree to the same restrictions and conditions that apply to Supplier with respect of such PHI; (e) make available PHI in a Designated Record Set (if any is maintained by Supplier) in accordance with 45 CFR section 164.524; (f) make available PHI for amendment and incorporate any amendments to PHI in a Designated Record Set in accordance 45 CFR section 164.526; (g) make available PHI required to provide an accounting of disclosures in accordance with 45 CFR section 164.528, (h) make Supplier’s internal practices, applicable documentation and records to the extent that such relate to the use and disclosure of PHI received from DXC, or created or received by Supplier on DXC’s behalf, available to the Secretary of the HHS for the purpose of determining DXC’s compliance with the HIPAA Privacy and Security Rules, (i) in the event Supplier is to carry out any obligations by or on behalf of DXC that DXC performs on behalf of a covered entity arising under the Privacy Rule, comply with the requirements of the Privacy Rule that apply to the performance of such obligations, and (j) at termination of this Agreement, return or destroy all PHI received from, or created or received by Supplier on behalf of DXC that Supplier still maintains in any form and retain no copies of such information or, if such return or destruction is not feasible, extend the protections of the Agreement to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible.

Data Privacy Obligations. In the event that country-specific privacy obligations applies to Supplier, Supplier shall comply with the requirements stipulated in the Data Privacy Supplement and the relevant country-specific supplements as set forth therein on the DXC Portal at (DXC-Data Privacy Supplement). The Data Privacy Supplement sets out the terms and conditions for the Processing of Personal Information by Supplier on behalf of DXC under the Agreement and forms an integral part of the Agreement. In the event of any conflict between the terms of the Data Privacy Supplement, the Agreement, or Data Protection Laws, the following order of precedence shall apply: 1) Applicable Data Protection Laws, 2) The Data Privacy Supplement and its appendices 3) The Agreement. 18 29 HIPAA To the extent (if any) that DXC discloses “Protected Health Information” or “PHI” as defined in the HIPAA Privacy and Security Rules (45 CFR, Part 160-164) issued pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) to Supplier or Supplier accesses, maintains, uses, or discloses PHI in connection with the performance of Services or functions under this Agreement, Supplier will: (a) not use or further disclose PHI other than as permitted or required by this Agreement or as required by law; (b) use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement, including implementing requirements of the HIPAA Security Rule with regard to electronic PHI; (c) report to DXC any use or disclosure of PHI not provided for under this Agreement of which Supplier becomes aware, including breaches of unsecured protected health information as required by 45 CFR §164.410, (d) in accordance with 45 CFR §164.502(e)(1)(ii), ensure that any subcontractors or agents of Supplier that create, receive, maintain, or transmit PHI created, received, maintained or transmitted by Supplier on DXC’s behalf, agree to the same restrictions and conditions that apply to Supplier with respect of such PHI; (e) make available PHI in a Designated Record Set (if any is maintained by Supplier) in accordance with 45 CFR section 164.524; (f) make available PHI for amendment and incorporate any amendments to PHI in a Designated Record Set in accordance 45 CFR section 164.526; (g) make available PHI required to provide an accounting of disclosures in accordance with 45 CFR section 164.528, (h) make Supplier’s internal practices, applicable documentation and records to the extent that such relate to the use and disclosure of PHI received from DXC, or created or received by Supplier on DXC’s behalf, available to the Secretary of the HHS for the purpose of determining DXC’s compliance with the HIPAA Privacy and Security Rules, , (i) in the event Supplier is to carry out any obligations by or on behalf of DXC that DXC performs on behalf of a covered entity arising under the Privacy Rule, comply with the requirements of the Privacy Rule that apply to the performance of such obligations, and and (j) at termination of this Agreement, return or destroy all PHI received from, or created or received by Supplier on behalf of DXC that Supplier still maintains in any form and retain no copies of such information or, if such return or destruction is not feasible, extend the protections of the Agreement to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible. 22.1 (No assignment Of any credit and agreement/order); art. 22.2 (No Sub- contract); art. 22.3 (Applicable law and jurisdiction).

Data Privacy Obligations. In the event that country-specific privacy obligations applies to Supplier, Supplier shall comply with the requirements stipulated in the Data Privacy Supplement and the relevant country-specific supplements as set forth therein on the DXC Portal at (DXC-Data Privacy Supplement). The Data Privacy Supplement sets out the terms and conditions for the Processing of Personal Information by Supplier on behalf of DXC under the Agreement and forms an integral part of the Agreement. In the event of any conflict between the terms of the Data Privacy Supplement, the Agreement, or Data Protection Laws, the following order of precedence shall apply: 1) Applicable Data Protection Laws, 2) The Data Privacy Supplement and its appendices 3) The Agreement. 18 Agreement 17 HIPAA To the extent (if any) that DXC discloses “Protected Health Information” or “PHI” as defined in the HIPAA Privacy and Security Rules (45 CFR, Part 160-164) issued pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) to Supplier or Supplier accesses, maintains, uses, or discloses PHI in connection with the performance of Services or functions under this Agreement, Supplier will: (a) not use or further disclose PHI other than as permitted or required by this Agreement or as required by law; (b) use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement, including implementing requirements of the HIPAA Security Rule with regard to electronic PHI; (c) report to DXC any use or disclosure of PHI not provided for under this Agreement of which Supplier becomes aware, including breaches of unsecured protected health information as required by 45 CFR §164.410, (d) in accordance with 45 CFR §164.502(e)(1)(ii), ensure that any subcontractors or agents of Supplier that create, receive, maintain, or transmit PHI created, received, maintained or transmitted by Supplier on DXC’s behalf, agree to the same restrictions and conditions that apply to Supplier with respect of such PHI; (e) make available PHI in a Designated Record Set (if any is maintained by Supplier) in accordance with 45 CFR section 164.524; (f) make available PHI for amendment and incorporate any amendments to PHI in a Designated Record Set in accordance 45 CFR section 164.526; (g) make available PHI required to provide an accounting of disclosures in accordance with 45 CFR section 164.528, (h) make Supplier’s internal practices, applicable documentation and records to the extent that such relate to the use and disclosure of PHI received from DXC, or created or received by Supplier on DXC’s behalf, available to the Secretary of the HHS for the purpose of determining DXC’s compliance with the HIPAA Privacy and Security Rules, (i) in the event Supplier is to carry out any obligations by or on behalf of DXC that DXC performs on behalf of a covered entity arising under the Privacy Rule, comply with the requirements of the Privacy Rule that apply to the performance of such obligations, and (j) at termination of this Agreement, return or destroy all PHI received from, or created or received by Supplier on behalf of DXC that Supplier still maintains in any form and retain no copies of such information or, if such return or destruction is not feasible, extend the protections of the Agreement to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible.

Data Privacy Obligations. In the event that country-specific privacy obligations applies to SupplierSupplier , Supplier shall comply with the requirements stipulated in the Data Privacy Supplement and the relevant country-specific supplements as set forth therein on the DXC Portal at (DXC-Data Privacy Supplement). The Data Privacy Supplement sets out the terms and conditions for the Processing of Personal Information by Supplier on behalf of DXC under the Agreement and forms an integral part of the Agreement. In the event of any conflict between the terms of the Data Privacy Supplement, the Agreement, or Data Protection Laws, the following order of precedence shall apply: 1) Applicable Data Protection Laws, 2) The Data Privacy Supplement and its appendices 3) The Agreement. 18 HIPAA To the extent (if any) that DXC discloses “Protected Health Information” or “PHI” as defined in the HIPAA Privacy and Security Rules (45 CFR, Part 160-164) issued pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) to Supplier or Supplier accesses, maintains, uses, or discloses PHI in connection with the performance of Services or functions under this Agreement, Supplier will: (a) not use or further disclose PHI other than as permitted or required by this Agreement or as required by law; (b) use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement, including implementing requirements of the HIPAA Security Rule with regard to electronic PHI; (c) report to DXC any use or disclosure of PHI not provided for under this Agreement of which Supplier becomes aware, including breaches of unsecured protected health information as required by 45 CFR §164.410, (d) in accordance with 45 CFR §164.502(e)(1)(ii), ensure that any subcontractors or agents of Supplier that create, receive, maintain, or transmit PHI created, received, maintained or transmitted by Supplier on DXC’s behalf, agree to the same restrictions and conditions that apply to Supplier with respect of such PHI; (e) make available PHI in a Designated Record Set (if any is maintained by Supplier) in accordance with 45 CFR section 164.524; (f) make available PHI for amendment and incorporate any amendments to PHI in a Designated Record Set in accordance 45 CFR section 164.526; (g) make available PHI required to provide an accounting of disclosures in accordance with 45 CFR section 164.528, (h) make Supplier’s internal practices, applicable documentation and records to the extent that such relate to the use and disclosure of PHI received from DXC, or created or received by Supplier on DXC’s behalf, available to the Secretary of the HHS for the purpose of determining DXC’s compliance with the HIPAA Privacy and Security Rules, (i) in the event Supplier is to carry out any obligations by or on behalf of DXC that DXC performs on behalf of a covered entity arising under the Privacy Rule, comply with the requirements of the Privacy Rule that apply to the performance of such obligations, and (j) at termination of this Agreement, return or destroy all PHI received from, or created or received by Supplier on behalf of DXC that Supplier still maintains in any form and retain no copies of such information or, if such return or destruction is not feasible, extend the protections of the Agreement to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible.;