Common use of DATA PROCESSING OBLIGATIONS Clause in Contracts

DATA PROCESSING OBLIGATIONS. 1.1. When Processing Personal Data, Pelican undertakes to the Retailer that it shall: 1.1.1. taking into account the nature of the Processing and the information available to Pelican, provide reasonable assistance to the Retailer with any data protection impact assessments, and prior consultations with Regulatory Authorities or other competent data privacy authorities, which the Retailer is required to undertake under Article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Legislation; 1.1.2. Process the Personal Data only to the extent necessary for the Permitted Purposes; 1.1.3. not Process the Personal Data other than on the Retailer’s documented instructions, including with regard to transfer of Personal Data to a Third Country or an international organisation, unless required to do so by Applicable Laws, in which case Pelican shall to the extent permitted by Applicable Laws inform the Retailer of that legal requirement before the relevant Processing of that Personal Data; 1.1.4. keep a record of any Processing of Personal Data it carries out on behalf of the Retailer; 1.1.5. comply with Data Protection Legislation when Processing the Personal Data and not knowingly do or omit to do or permit anything to be done which causes the Retailer to breach the Data Protection Legislation; 1.1.6. taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk; 1.1.7. promptly after becoming aware of any Personal Data Breach notify and provide sufficient information to the Retailer to allow the Retailer to meet any obligations to report or inform Data Subjects of such Personal Data Breach under the Data Protection Legislation. Pelican shall co-operate with the Retailer to assist in the investigation, mitigation and remediation of such breach and shall provide further information where so required by a Regulatory Authority; 1.1.8. restrict access to the Personal Data to Permitted Recipients (and in the case of any access by any employee, ensure that access to the Personal Data is limited to such part or parts of the Personal Data as is strictly necessary for performance of that employee's duties), ensure that all such Permitted Recipients are subject to confidentiality undertakings or professional or statutory obligations of confidentiality; 1.1.9. promptly notify the Retailer of any request for disclosure of the Personal Data by a law enforcement authority unless otherwise prohibited; 1.1.10. promptly notify the Retailer of any request of a Regulatory Authority in relation to the Personal Data and co-operate and comply with the directions or decisions of any Regulatory Authority in relation to the Personal Data, and in each case within such timescale as would enable the Retailer to meet any time limit imposed by any Regulatory Authority (as applicable); 1.1.11. taking into account the nature of the Processing, assist the Retailer by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Retailer’s obligations to respond to requests for exercising the Data Subject’s rights under the Data Protection Legislation; 1.1.12. promptly notify the Retailer of any request from a Data Subject for access to that person's Personal Data and provide the Retailer with reasonable co- operation and assistance in complying with any such request; 1.1.13. not respond to any request from a Data Subject or third party except on the documented instructions of the Retailer or as required by Applicable Laws, in which case Pelican shall to the extent permitted by Applicable Laws inform the Retailer of that legal requirement before Pelican responds to the request; and 1.2. If Pelican receives any complaint, notice or communication which relates to the Processing of the Personal Data or to either party's compliance with the Data Protection Legislation, it will promptly notify the Retailer and it shall provide the Retailer with full co- operation and assistance in relation to any such complaint, notice or communication. 1.3. Pelican shall not transfer the Personal Data to any country outside the EEA unless it has in place suitable measures to meet all requirements of the Data Protection Legislation. 1.4. Pelican shall co-operate with any Regulatory Authority requests relating to the Processing of Personal Data. 1.5. Subject to Pelican being required to maintain such copies by law, upon expiry or termination of the Agreement (for any reason whatsoever), Pelican shall at the request of the Retailer promptly return to the Retailer or destroy all Personal Data securely (regardless of form, and whether computerised or physical). Pelican shall certify the deletion or destruction (as applicable) to the Retailer in writing. 1.6. Pelican shall promptly notify the Retailer if, in its opinion, an instruction given by the Retailer to Pelican under this clause 2 (Data Processing Obligations) infringes the GDPR or any other relevant Data Protection Legislation. 1.7. Pelican shall make available to the Retailer all information necessary to demonstrate compliance with this clause 2 (Data Processing Obligations) and allow for and contribute to audits including inspections conducted by the Retailer or another auditor mandated by the Retailer in relation to the Processing of Personal Data and the implementation of technical and organisations measures by Pelican as referred to in these Data Processing Obligations. 1.8. Pelican may only authorise a third party (sub-contractor) to process the Personal Data: 1.8.1. provided that Xxxxxxx has carried out adequate due diligence to ensure that the sub-contractor is capable of providing the level of protection required by the Agreement; 1.8.2. provided that the relationship between Pelican and the sub-contractor is governed by a written contract which contains obligations required by Data Protection Legislation; 1.9. Any sub-contracting or transfer of Personal Data permitted by the Retailer shall not relieve Pelican from any of its liabilities, responsibilities and obligations to the Retailer under the Agreement and Pelican shall remain fully liable for the acts and omissions of its sub-contractors.

DATA PROCESSING OBLIGATIONS. 1.12.1. When Processing In respect of any Personal DataData to be processed by a party acting as Data Processor pursuant to this Agreement for which the other party is Data Controller, Pelican undertakes to the Retailer that it Data Processor shall: 1.1.12.1.1. taking into account the nature of the Processing and the information available to Pelican, provide reasonable assistance to the Retailer with any data protection impact assessments, and prior consultations with Regulatory Authorities or other competent data privacy authorities, which the Retailer is required to undertake under Article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Legislation; 1.1.2. Process the Personal Data only to the extent necessary for the Permitted Purposes; 1.1.3. not Process the Personal Data other than on the Retailer’s documented instructions, including with regard to transfer of Personal Data to a Third Country or an international organisation, unless required to do so by Applicable Laws, in which case Pelican shall to the extent permitted by Applicable Laws inform the Retailer of that legal requirement before the relevant Processing of that Personal Data; 1.1.4. keep a record of any Processing of Personal Data it carries out on behalf of the Retailer; 1.1.5. comply with Data Protection Legislation when Processing the Personal Data and not knowingly do or omit to do or permit anything to be done which causes the Retailer to breach the Data Protection Legislation; 1.1.6. taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement appropriate technical and organisational measures in such a manner as is designed to ensure the protection of the rights of the data subject and to ensure a level of security appropriate to the risk; 1.1.72.1.2. promptly after becoming aware not engage any sub-processor without the prior specific or general written authorisation of any Personal Data Breach notify and provide sufficient information to the Retailer to allow the Retailer to meet any obligations to report or inform Data Subjects of such Personal Data Breach under the Data Protection Legislation. Pelican shall co-operate with the Retailer to assist in the investigation, mitigation and remediation of such breach and shall provide further information where so required by a Regulatory Authority; 1.1.8. restrict access to the Personal Data to Permitted Recipients Controller (and in the case of general written authorisation; the Data Processor shall inform the Data Controller of any access by any employeeintended changes concerning the addition or replacement of other processors, thereby giving the Data Controller the opportunity to object to such changes); 2.1.3. ensure that access any sub-processor that is engaged to process such Personal Data by the Data Processor is subject to data protection obligations that are similar to those applicable to the Personal Data is Processor under this Schedule; 2.1.4. process that personal data only to perform its obligations under this Agreement or other documented instructions and for no other purpose save to the limited to such part extent required by law; 2.1.5. on termination of this Agreement, at the Data Controller’s option either return or parts destroy the personal data (including all copies of the Personal Data as is strictly necessary for performance of that employee's duties), it) immediately; 2.1.6. ensure that all such Permitted Recipients persons authorised to access the personal data are subject to confidentiality undertakings or professional or statutory obligations of confidentiality; 1.1.92.1.7. promptly notify make available to the Retailer of any request for disclosure Data Controller (at the cost of the Personal Data Controller, at the Processor’s then current rates) all information necessary to demonstrate compliance with the obligations laid out in Article 28 of GDPR and this Schedule and allow for and contribute to audits, including inspections, conducted by a law enforcement authority unless otherwise prohibitedthe Data Controller or another auditor mandated by the Data Controller; provided that, in respect of this provision the Data Processor shall immediately inform the Data Controller if, in its opinion, an instruction infringes Data Protection Laws; 1.1.10. promptly notify the Retailer of any request of a Regulatory Authority in relation to the Personal Data and co-operate and comply with the directions or decisions of any Regulatory Authority in relation to the Personal Data, and in each case within such timescale as would enable the Retailer to meet any time limit imposed by any Regulatory Authority (as applicable); 1.1.112.1.8. taking into account the nature of the Processingprocessing, assist (at the Retailer by implementing appropriate technical and organisational measurescost of the Data Controller, at the Processor’s then current rates) provide assistance to the Data Controller, insofar as this is possible, for in connection with the fulfilment of the RetailerData Controller’s obligations obligation to respond to requests for exercising the Data Subject’s exercise of data subjects’ rights under the Data Protection Legislation; 1.1.12. promptly notify the Retailer of any request from a Data Subject for access pursuant to that person's Personal Data and provide the Retailer with reasonable co- operation and assistance in complying with any such request; 1.1.13. not respond to any request from a Data Subject or third party except on the documented instructions Chapter III of the Retailer or as required by Applicable Laws, in which case Pelican shall GDPR to the extent permitted by Applicable Laws inform the Retailer of that legal requirement before Pelican responds to the request; andapplicable; 1.22.1.9. If Pelican receives any complaint, notice or communication which relates to the Processing of the Personal Data or to either party's compliance with provide the Data Protection Legislation, it will promptly notify Controller (at the Retailer and it shall provide the Retailer with full co- operation and assistance in relation to any such complaint, notice or communication. 1.3. Pelican shall not transfer the Personal Data to any country outside the EEA unless it has in place suitable measures to meet all requirements cost of the Data Protection Legislation. 1.4. Pelican shall co-operate Controller, at the Processor’s then current rates) with any Regulatory Authority requests relating assistance in ensuring compliance with articles 32 to 36 (inclusive) of the GDPR (concerning security of processing, data breach notification, communication of a personal data breach to the Processing of Personal Data. 1.5. Subject to Pelican being required to maintain such copies by lawdata subject, upon expiry or termination of the Agreement (for any reason whatsoever), Pelican shall at the request of the Retailer promptly return to the Retailer or destroy all Personal Data securely (regardless of formdata protection impact assessments, and whether computerised or physical). Pelican shall certify the deletion or destruction (as applicableprior consultation with supervisory authorities) to the Retailer in writing. 1.6. Pelican shall promptly notify extent applicable to the Retailer ifData Controller, in its opinion, an instruction given by taking into account the Retailer to Pelican under this clause 2 (Data Processing Obligations) infringes nature of the GDPR or any other relevant Data Protection Legislation. 1.7. Pelican shall make processing and the information available to the Retailer all information necessary to demonstrate compliance with this clause 2 (Data Processing Obligations) and allow for and contribute to audits including inspections conducted by the Retailer or another auditor mandated by the Retailer in relation to the Processing of Personal Data and the implementation of technical and organisations measures by Pelican as referred to in these Data Processing Obligations. 1.8. Pelican may only authorise a third party (sub-contractor) to process the Personal Data: 1.8.1. provided that Xxxxxxx has carried out adequate due diligence to ensure that the sub-contractor is capable of providing the level of protection required by the AgreementProcessor; 1.8.2. provided that the relationship between Pelican and the sub-contractor is governed by a written contract which contains obligations required by Data Protection Legislation; 1.9. Any sub-contracting or transfer of Personal Data permitted by the Retailer shall not relieve Pelican from any of its liabilities, responsibilities and obligations to the Retailer under the Agreement and Pelican shall remain fully liable for the acts and omissions of its sub-contractors.

DATA PROCESSING OBLIGATIONS. 1.1. When Processing Personal Data, Pelican undertakes to the Retailer that it shall: 1.1.1. taking into account the nature of the Processing and the information available to Pelican, provide reasonable assistance to the Retailer with any data protection impact assessments, and prior consultations with Regulatory Authorities or other competent data privacy authorities, which the Retailer is required to undertake under Article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Legislation; 1.1.2. Process the Personal Data only to the extent necessary for the Permitted Purposes; 1.1.3. not Process the Personal Data other than on the Retailer’s documented instructions, including with regard to transfer of Personal Data to a Third Country or an international organisation, unless required to do so by Applicable Laws, in which case Pelican shall to the extent permitted by Applicable Laws inform the Retailer of that legal requirement before the relevant Processing of that Personal Data; 1.1.4. keep a record of any Processing of Personal Data it carries out on behalf of the Retailer; 1.1.5. comply with Data Protection Legislation when Processing the Personal Data and not knowingly do or omit to do or permit anything to be done which causes the Retailer to breach the Data Protection Legislation; 1.1.6. taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk; 1.1.7. promptly after becoming aware of any Personal Data Breach notify and provide sufficient information to the Retailer to allow the Retailer to meet any obligations to report or inform Data Subjects of such Personal Data Breach under the Data Protection Legislation. Pelican shall co-operate with the Retailer to assist in the investigation, mitigation and remediation of such breach and shall provide further information where so required by a Regulatory Authority; 1.1.8. restrict access to the Personal Data to Permitted Recipients (and in the case of any access by any employee, ensure that access to the Personal Data is limited to such part or parts of the Personal Data as is strictly necessary for performance of that employee's duties), ensure that all such Permitted Recipients are subject to confidentiality undertakings or professional or statutory obligations of confidentiality; 1.1.9. promptly notify the Retailer of any request for disclosure of the Personal Data by a law enforcement authority unless otherwise prohibited; 1.1.10. promptly notify the Retailer of any request of a Regulatory Authority in relation to the Personal Data and co-operate and comply with the directions or decisions of any Regulatory Authority in relation to the Personal Data, and in each case within such timescale as would enable the Retailer to meet any time limit imposed by any Regulatory Authority (as applicable); 1.1.11. taking into account the nature of the Processing, assist the Retailer by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Retailer’s obligations to respond to requests for exercising the Data Subject’s rights under the Data Protection Legislation; 1.1.12. promptly notify the Retailer of any request from a Data Subject for access to that person's Personal Data and provide the Retailer with reasonable co- operation and assistance in complying with any such request; 1.1.13. not respond to any request from a Data Subject or third party except on the documented instructions of the Retailer or as required by Applicable Laws, in which case Pelican shall to the extent permitted by Applicable Laws inform the Retailer of that legal requirement before Pelican responds to the request; and 1.2. If Pelican receives any complaint, notice or communication which relates to the Processing of the Personal Data or to either party's compliance with the Data Protection Legislation, it will promptly notify the Retailer and it shall provide the Retailer with full co- operation and assistance in relation to any such complaint, notice or communication. 1.3. Pelican shall not transfer the Personal Data to any country outside the EEA unless it has in place suitable measures to meet all requirements of the Data Protection Legislation. 1.4. Pelican shall co-operate with any Regulatory Authority requests relating to the Processing of Personal Data. 1.5. Subject to Pelican being required to maintain such copies by law, upon expiry or termination of the Agreement (for any reason whatsoever), Pelican shall at the request of the Retailer promptly return to the Retailer or destroy all Personal Data securely (regardless of form, and whether computerised or physical). Pelican shall certify the deletion or destruction (as applicable) to the Retailer in writing. 1.6. Pelican shall promptly notify the Retailer if, in its opinion, an instruction given by the Retailer to Pelican under this clause 2 (Data Processing Obligations) infringes the GDPR or any other relevant Data Protection Legislation. 1.7. Pelican shall make available to the Retailer all information necessary to demonstrate compliance with this clause 2 (Data Processing Obligations) and allow for and contribute to audits including inspections conducted by the Retailer or another auditor mandated by the Retailer in relation to the Processing of Personal Data and the implementation of technical and organisations measures by Pelican as referred to in these Data Processing Obligations. 1.8. Pelican may only authorise a third party (sub-contractor) to process the Personal Data: 1.8.1. provided that Xxxxxxx Pelican has carried out adequate due diligence to ensure that the sub-contractor is capable of providing the level of protection required by the Agreement; 1.8.2. provided that the relationship between Pelican and the sub-contractor is governed by a written contract which contains obligations required by Data Protection Legislation; 1.9. Any sub-contracting or transfer of Personal Data permitted by the Retailer shall not relieve Pelican from any of its liabilities, responsibilities and obligations to the Retailer under the Agreement and Pelican shall remain fully liable for the acts and omissions of its sub-contractors.

DATA PROCESSING OBLIGATIONS. 1.1. When Processing Personal Data, Pelican undertakes to the Retailer that it shall: 1.1.1. taking into account the nature of the Processing and the information available to Pelican, provide reasonable assistance to the Retailer with any data protection impact assessments, and prior consultations with Regulatory Authorities or other competent data privacy authorities, which the Retailer is required to undertake under Article 35 or 36 of the GDPR or equivalent provisions In respect of any other Data Protection Legislation; 1.1.2. Process the Personal Data only to the extent necessary for the Permitted Purposes; 1.1.3. not Process the Personal Data other than on the Retailer’s documented instructions, including with regard to transfer of Personal Data to be processed by a Third Country or an international organisationParty acting as Data Processor pursuant to this Agreement for which the other Party is Data Controller, unless required to do so by Applicable Laws, in which case Pelican shall to the extent permitted by Applicable Laws inform the Retailer of that legal requirement before the relevant Processing of that Personal Data; 1.1.4. keep a record of any Processing of Personal Data it carries out on behalf of the Retailer; 1.1.5. comply with Data Protection Legislation when Processing the Personal Data and not knowingly do or omit to do or permit anything to be done which causes the Retailer to breach the Data Protection Legislation; 1.1.6. taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement Processor shall: provide appropriate technical and organisational measures in such a manner as is designed to ensure the protection of the rights of the data subject and to ensure a level of security appropriate to the risk; 1.1.7. promptly after becoming aware ; not engage any sub-processor without the prior specific or general written authorisation of any Personal Data Breach notify and provide sufficient information to the Retailer to allow the Retailer to meet any obligations to report or inform Data Subjects of such Personal Data Breach under the Data Protection Legislation. Pelican shall co-operate with the Retailer to assist in the investigation, mitigation and remediation of such breach and shall provide further information where so required by a Regulatory Authority; 1.1.8. restrict access to the Personal Data to Permitted Recipients Controller (and in the case of general written authorisation; the Data Processor shall inform the Data Controller of any access by any employeeintended changes concerning the addition or replacement of other processors, thereby giving the Data Controller the opportunity to object to such changes); ensure that access any sub-processor that is engaged to process such Personal Data by the Data Processor is subject to data protection obligations that are similar to those applicable to the Personal Data is Processor under this Schedule; process that personal data only to perform its obligations under this Agreement or other documented instructions and for no other purpose save to the limited to such part extent required by law; on termination of this Agreement, at the Data Controller’s option either return or parts destroy the personal data (including all copies of the Personal Data as is strictly necessary for performance of that employee's duties), it) immediately; ensure that all such Permitted Recipients persons authorised to access the personal data are subject to confidentiality undertakings or professional or statutory obligations of confidentiality; 1.1.9. promptly notify the Retailer of any request for disclosure of the Personal Data by a law enforcement authority unless otherwise prohibited; 1.1.10. promptly notify the Retailer of any request of a Regulatory Authority in relation ; make available to the Personal Data and co-operate and comply with the directions or decisions of any Regulatory Authority in relation Controller all information necessary to the Personal Data, and in each case within such timescale as would enable the Retailer to meet any time limit imposed by any Regulatory Authority (as applicable); 1.1.11. taking into account the nature of the Processing, assist the Retailer by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Retailer’s obligations to respond to requests for exercising the Data Subject’s rights under the Data Protection Legislation; 1.1.12. promptly notify the Retailer of any request from a Data Subject for access to that person's Personal Data and provide the Retailer with reasonable co- operation and assistance in complying with any such request; 1.1.13. not respond to any request from a Data Subject or third party except on the documented instructions of the Retailer or as required by Applicable Laws, in which case Pelican shall to the extent permitted by Applicable Laws inform the Retailer of that legal requirement before Pelican responds to the request; and 1.2. If Pelican receives any complaint, notice or communication which relates to the Processing of the Personal Data or to either party's demonstrate compliance with the Data Protection Legislationobligations laid out in Article 28 of GDPR and this Schedule and allow for and contribute to audits, it will promptly notify the Retailer and it shall provide the Retailer with full co- operation and assistance in relation to any such complaintincluding inspections, notice or communication. 1.3. Pelican shall not transfer the Personal Data to any country outside the EEA unless it has in place suitable measures to meet all requirements of conducted by the Data Protection Legislation. 1.4. Pelican Controller or another auditor mandated by the Data Controller; provided that, in respect of this provision the Data Processor shall co-operate with any Regulatory Authority requests relating to immediately inform the Processing of Personal Data. 1.5. Subject to Pelican being required to maintain such copies by law, upon expiry or termination of the Agreement (for any reason whatsoever), Pelican shall at the request of the Retailer promptly return to the Retailer or destroy all Personal Data securely (regardless of form, and whether computerised or physical). Pelican shall certify the deletion or destruction (as applicable) to the Retailer in writing. 1.6. Pelican shall promptly notify the Retailer Controller if, in its opinion, an instruction given infringes Data Protection Laws; taking into account the nature of the processing, provide assistance to the Data Controller, insofar as possible, in connection with the fulfilment of the Data Controller’s obligation to respond to requests for the exercise of data subjects’ rights pursuant to Chapter III of the UK GDPR to the extent applicable. Such assistance to be chargeable at Data Processor’s standard rates or rates agreed by the Retailer Parties from time-to-time; provide the Data Controller with assistance in ensuring compliance with articles 32 to Pelican under this clause 2 36 (Data Processing Obligationsinclusive) infringes of the GDPR or any other relevant (concerning security of processing, data breach notification, communication of a personal data breach to the data subject, data protection impact assessments, and prior consultation with supervisory authorities) to the extent applicable to the Data Protection Legislation. 1.7. Pelican shall make Controller, taking into account the nature of the processing and the information available to the Retailer all information necessary Data Processor. Such assistance to demonstrate compliance with this clause 2 (be chargeable at Data Processing Obligations) and allow for and contribute to audits including inspections conducted Processor’s standard rates or rates agreed by the Retailer or another auditor mandated by Parties from time-to-time; notify the Retailer Data Controller without undue delay (and in relation to the Processing any event, within 24 hours of becoming aware of a security breach in respect of Personal Data that it processes on behalf of the Data Controller in writing if the Data Processor becomes aware of a Data Breach; maintain a record of its processing activities in accordance with Article 30(1) of the GDPR; and allow the implementation of technical and organisations measures by Pelican as referred to in these Data Processing Obligations. 1.8. Pelican may only authorise a Controller (or its appointed third party (sub-contractorParty auditor) to process the Personal Data: 1.8.1. provided that Xxxxxxx has carried out adequate due diligence to ensure that the sub-contractor is capable conduct an audit of providing the level compliance of protection required this Schedule by the Agreement; 1.8.2. Data Processor pursuant to this Agreement (including by way of physical inspection) no more frequently than once per year during the term and on at least 10 days’ notice to the Data Processor in advance (provided that the relationship between Pelican and Data Processor shall be entitled to require that any third party auditor appointed to conduct such an audit enters into a confidentiality agreement with the sub-contractor is governed by a written contract which contains obligations required by Data Protection Legislation; 1.9Processor prior to such audit being conducted. Any sub-contracting Support for audits to be chargeable at Data Processor’s standard rates or transfer of Personal Data permitted rates agreed by the Retailer shall not relieve Pelican Parties from any of its liabilities, responsibilities and obligations to the Retailer under the Agreement and Pelican shall remain fully liable for the acts and omissions of its subtime-contractorsto-time.