Common use of Data Protection and Cybersecurity Clause in Contracts

Data Protection and Cybersecurity. (a) For the purposes of this Section 7.23, the terms “controller,” “data subject,” “personal data breach,” “processor,” “processing” (and its cognates), and “special categories of personal data” shall have the meaning given to them in the GDPR. (b) Each Target Company complies in all material respects with all Data Protection Laws, contractual obligations in contracts that are material to the relevant Target Company, and such Target Company’s posted or publicly facing privacy policies relating to the privacy, security, processing, storage, transmission, transfer, disclosures, confidentiality and use of Personal Data (including Personal Data of employees, directors, officers, partners, consultants, contractors, third parties who have provided information to a Target Company, and any information which may be re-identified or associated with a unique identifier). Each Target Company has (i) implemented and maintains appropriate policies, notices, logs, and procedures in relation to the processing and transfer of Personal Data (including cross-border transfer) and carried out regular staff training, testing, audits or other mechanisms designed to ensure and monitor compliance with such policies and procedures to demonstrate compliance with Data Protection Laws, (ii) maintained and keeps up-to-date records of its Personal Data processing activities as required under Data Protection Laws, (iii) issued fair processing notices to the relevant data subjects in accordance with Data Protection Laws, (iv) made all disclosures to, and obtained all appropriate consents, approvals and/or authorization from, users, customers, employees, directors, officers, partners, consultants, contractors, and other applicable Persons required in all material respects by applicable Data Protection Laws to process and transfer such Personal Data lawfully and in accordance with Data Protection Laws, and (v) has filed all registrations required in all material respects under Data Protection Laws with the applicable data protection authority. (c) Each Target Company has implemented and maintains appropriate technical and organizational measures designed or otherwise intended to protect Personal Data and other data relating to the business of the Target Company against Personal Data breaches and cybersecurity incidents. Each Target Company has undertaken, and resolved in all material respects any material issues identified by, all necessary surveys, audits, inventories, reviews, analysis and/or assessments (including any necessary risk assessments and risk analyses) of all areas of its business and operations, in each case required by Data Protection Laws. To the Knowledge of the Company, in the five years prior to the date of this Agreement there has been no material loss of, damage to, unauthorized access to, or unauthorized use, modification, or misuse of, any Personal Data in the possession or control of a Target Company. (d) In the past five years, no Target Company has (i) to the Knowledge of the Company, been subject to any actual, pending, or, to the Knowledge of the Company, threatened investigations, notices or requests from any Governmental Authority in relation to their data processing or cybersecurity activities, and (ii) received any actual, pending, or threatened claims from individuals or Governmental Authorities alleging any breach of Data Protection Laws. The execution, delivery, and performance by each Target Company of this Agreement and the consummation of the Transactions complies (and the disclosure to and use by the Second Merger Surviving Company of such information immediately after the Second Merger Effective Time will comply) in all material respects with all Data Protection Laws (including any such Laws in the jurisdictions where the applicable information is collected). (e) To the extent any Personal Data originating in the United Kingdom or European Economic Area is transferred by a Target Company outside of the United Kingdom or European Economic Area (as applicable), this is carried out in accordance with Data Protection Laws and, where applicable, with appropriate safeguards in place for such transfer in all material respects. (f) Each Target Company that processes Personal Data is registered with the United Kingdom Information Commissioner, and has paid any relevant fees, in each case, to the extent it is required to do so under Data Protection Laws. (g) No Target Company is, or has been, an operator of essential services or a relevant digital service provider under the NIS Directive and has no reason to believe it would be so classified in the future.

Data Protection and Cybersecurity. (a) For the purposes of this Section 7.235.23, the terms “controller,” “data subject,” personal data”, “personal data breach,” ”, “processor,” “processingprocess” (and its cognates), ) and “special categories of personal datasupervisory authority” shall have the meaning meanings given to them in the GDPRapplicable Data Protection Laws. (b) Each Except as has not had and would not reasonably be expected to adversely affect the Target Company complies Companies in any material respect, the Target Companies (i) comply in all material respects with all Data Protection Laws, contractual obligations in contracts that are material to the relevant Target Company, and such Target Company’s posted or publicly facing privacy policies relating to the privacy, security, processing, storage, transmission, transfer, disclosures, confidentiality and use of Personal Data (including Personal Data of employees, directors, officers, partners, consultants, contractors, third parties who have provided information to a Target Company, and any information which may be re-identified or associated with a unique identifier). Each Target Company has (i) implemented and maintains appropriate policies, notices, logs, and procedures in relation to the processing and transfer of Personal Data (including cross-border transfer) and carried out regular staff training, testing, audits or other mechanisms designed to ensure and monitor compliance with such policies and procedures to demonstrate compliance with Data Protection Laws, (ii) maintained and keeps up-to-date records of its Personal Data processing activities as required under Data Protection Laws, (iii) issued fair processing notices to the relevant data subjects in accordance with Data Protection Laws, (iv) made all disclosures to, and obtained all appropriate consents, approvals and/or authorization from, users, customers, employees, directors, officers, partners, consultants, contractors, and other applicable Persons required in all material respects by applicable Data Protection Laws to process and transfer such Personal Data lawfully and in accordance with Data Protection Laws, and (vii) has filed all registrations have obtained from their customers any required in all material respects under Data Protection Laws with consents to receive, access, or process Personal Information the applicable data protection authorityTarget Companies process. (c) Each The Target Company Companies have, where required by applicable Law, entered into contracts with their suppliers, customers, service providers, and other vendors that are designed to comply with the requirements of Data Protection Laws in all material respects. (d) Except as has not had and would not reasonably be expected to adversely affect the Target Companies in any material respect, the Target Companies are and, since December 31, 2019, have been in material compliance with applicable Data Security Requirements. (e) The Target Companies have, where required by applicable Law, implemented and maintains appropriate commercially reasonable technical and organizational measures designed or otherwise intended to protect against personal data breaches (including unauthorized access to Personal Data and other data relating to the business of the Target Company against Personal Data breaches Information) and cybersecurity incidents. Each Target Company has undertaken, and resolved in all material respects any material issues identified by, all necessary surveys, audits, inventories, reviews, analysis and/or assessments . (including any necessary risk assessments and risk analysesf) of all areas of its business and operations, in each case required by Data Protection Laws. To the Knowledge of the Company, in the five years prior to the date of this Agreement there has been no material loss ofsince December 31, damage to, unauthorized access to, or unauthorized use, modification, or misuse of, any Personal Data in the possession or control of a Target Company. (d) In the past five years2019, no Target Company has has: (i) to the Knowledge of the Company, suffered any material personal data breach or cybersecurity incident; (ii) been subject to any actual, pending, or, to the Knowledge of the Company, threatened investigations, notices or requests from any Governmental Authority supervisory authority or other regulatory authority in relation to their data processing or cybersecurity activities, activities and (ii) received any actual, pending, or threatened claims from individuals or Governmental Authorities alleging any breach of compliance with Data Protection Laws. The execution, delivery, and performance by each Target Company of this Agreement and the consummation of the Transactions complies ; (and the disclosure to and use by the Second Merger Surviving Company of such information immediately after the Second Merger Effective Time will complyiii) in all material respects with all Data Protection Laws (including any such Laws in the jurisdictions where the applicable information is collected). (e) To the extent any Personal Data originating in the United Kingdom provided or European Economic Area is transferred by a Target Company outside of the United Kingdom or European Economic Area (as applicable), this is carried out in accordance with Data Protection Laws and, where applicable, with appropriate safeguards in place for such transfer in all material respects. (f) Each Target Company that processes Personal Data is registered with the United Kingdom Information Commissioner, and has paid any relevant fees, in each case, to the extent it is been required to do so under provide any notices to individuals related to actual or suspected unauthorized access to their Personal Information; or (iv) received written notice from any Governmental Authority alleging non-compliance with applicable Data Protection Laws. (g) No To the extent required by applicable Law, the Target Company isCompanies have provided and maintained Privacy Policies, or has beenincluding notices governing the collection, an operator use, and transfer of essential services or a relevant digital service provider under Personal Information on websites and mobile applications, if any, made available by the NIS Directive and has no reason to believe it would be so classified in the futureTarget Companies.

Data Protection and Cybersecurity. (a) For the purposes of this Section 7.235.24, the terms “controller,” “data subject,” “personal data,” “personal data breach,” “processor,” “processing” (and its cognates), and “special categories of personal data” shall have the meaning given to them in the GDPRGDPR or other applicable Data Protection Laws (and, for the purposes of the Data Protection Laws of Russia to the extent applicable, “controller” shall denote “personal data operator” (Operator Personalnykh Dannikh) and “processor” shall denote a person appointed by the controller and specified in paragraph 3 of Article 6 of Federal Law of the Russian Federation as of 27 July 2006 No. 152-FZ “On Personal Data”). (b) Each The Company and each Target Company complies in all material respects with all Data Protection Laws, contractual obligations in contracts that are material to the relevant Target Company, . The Company and such Target Company’s posted or publicly facing privacy policies relating to the privacy, security, processing, storage, transmission, transfer, disclosures, confidentiality and use of Personal Data (including Personal Data of employees, directors, officers, partners, consultants, contractors, third parties who have provided information to a Target Company, and any information which may be re-identified or associated with a unique identifier). Each each Target Company has (i) implemented and maintains appropriate policies, notices, logs, and procedures in relation to the processing and transfer of Personal Data (including cross-border transfer) personal data and complies with them and carried out regular staff training, testing, audits or other mechanisms designed to ensure and monitor compliance with such policies and procedures to demonstrate accountability and compliance with Data Protection Laws, (ii) maintained and keeps kept up-to-date records of all its Personal Data personal data processing activities as required under Data Protection Laws, (iii) issued fair processing notices to the relevant data subjects in accordance with Data Protection Laws and processes personal data only in accordance with those notices, or, where the Data Protection Laws of Russia so require, obtained consents in due form of the relevant data subjects in accordance with such Data Protection Laws and processes personal data and other types of data only in accordance with such consents, unless otherwise permitted by the Data Protection Laws, (iv) made all disclosures to, and obtained all appropriate consents, approvals approvals, registrations and/or authorization from, users, customers, employees, directors, officers, partners, consultants, contractors, and other applicable Persons required in all material respects by applicable Data Protection Laws authorizations to process (in any relevant form and by any relevant means) and transfer such Personal Data personal data lawfully and in accordance with Data Protection Laws, including in relation to marketing and the placement of cookies or similar technologies on the devices of users of the Company’s and each Target Company’s website, and (v) has filed all registrations required entered into agreements with Data Partners and customers that satisfy the requirements under the Data Protection Laws, in each case of the forgoing (i) – (v), in all material respects under respects. Except as would not reasonably be expected to have a Material Adverse Effect with respect to the Company and the Target Companies, taken as a whole, the execution, delivery and performance of this Agreement and the Transactions comply, and will comply, with the Data Protection Laws with the applicable data protection authorityLaws. (c) Each The Company and each Target Company has implemented and maintains appropriate commercially reasonable technical and organizational measures appropriate to companies of a similar size, industry and maturity that are designed or otherwise intended to protect Personal personal data, other categories of data required to be protected under applicable Data Protection Laws and other data relating to the business of the Company and the Target Company Companies against Personal Data personal data breaches and cybersecurity incidents. Each Target Company has undertaken, as monitored through regular external penetration tests and resolved in all material respects any material issues identified by, all necessary surveys, audits, inventories, reviews, analysis and/or vulnerability assessments (including by remediating any and all material identified vulnerabilities). Except as would not reasonably be expected to have a Material Adverse Effect with respect to the Company and the Target Companies, taken as a whole, to the extent necessary risk assessments and risk analyses) of all areas of its business and operations, in each case required by under applicable Data Protection Laws. To , the Knowledge Company and each Target Company are using the databases that are required to be used for processing of the Companydata, including, where necessary, databases located in the five years prior to the date of this Agreement there has been no material loss of, damage to, unauthorized access to, or unauthorized use, modification, or misuse of, any Personal Data in the possession or control of a Target Companycertain jurisdictions. (d) In Except as would not, individually or in the aggregate, reasonably be expected to be material to the Company and the Target Companies, taken as a whole, in the past five three (3) years, no neither the Company nor any Target Company has (i) to the Knowledge of suffered or has discovered, any personal data breach, security breach or intrusion into the Company’s or a Target Company’s computer networks or systems or any other computer networks or systems containing personal data or the Company’s or a Target Company’s data, (ii) been subject to any actual, pending, or, to the Knowledge of the Company, or threatened investigations, notices notices, requests or requests correspondence from any Governmental Authority in relation to their data processing or cybersecurity activities, and (iiiii) received any actual, pending, or threatened claims from individuals or Governmental Authorities other Persons alleging any breach of of, or exercising their rights under, Data Protection Laws. The execution, delivery, and performance by each Target Company there is no fact or circumstance that may lead to any such event set out in clauses (ii) or (iii) of this Agreement and the consummation of the Transactions complies (and the disclosure to and use by the Second Merger Surviving Company of such information immediately after the Second Merger Effective Time will comply) in all material respects with all Data Protection Laws (including any such Laws in the jurisdictions where the applicable information is collectedSection 5.24(d). (e) To the extent any Personal Data originating in the United Kingdom or European Economic Area is transferred by a Target Company outside of the United Kingdom or European Economic Area (as applicable), this is carried out in accordance with Data Protection Laws and, where applicable, with appropriate safeguards in place for such transfer in all material respects. (f) Each Target Company that processes Personal Data is registered with the United Kingdom Information Commissioner, and has paid any relevant fees, in each case, to the extent it is required to do so under Data Protection Laws. (g) No Target Company is, or has been, an operator of essential services or a relevant digital service provider under the NIS Directive and has no reason to believe it would be so classified in the future.

Data Protection and Cybersecurity. (a) For the purposes of this Section 7.233.18, the terms “controller,” “data subject,” “personal data breach,” “processor,” “processing” (and its cognates), ) and “special categories of personal datasell” shall have the meaning given to them in the GDPRCCPA. (ba) Each Target The Company complies and has complied at all times in all material respects with (i) all applicable Data Protection Laws, contractual (ii) all obligations in contracts that are material to the relevant Target Company, and such Target Company’s posted or publicly facing privacy policies relating to restrictions concerning the privacy, security, processing, storage, transmission, transfer, disclosures, confidentiality and use security or processing of Personal Data (including Personal Data of employees, directors, officers, partners, consultants, contractors, third parties who have provided information Information imposed under any Contract to which the Company is a Target Companyparty to or otherwise bound, and any information which may be re-identified or associated with a unique identifier)(iii) the Company’s own Company Data Protection Policies. Each Target As required by applicable Data Protection Laws, the Company has (iA) implemented and maintains appropriate policies, notices, logs, and procedures in relation to the processing its processing, retention, protection, and transfer of Personal Information (“Company Data (including cross-border transferProtection Policies”) and carried out regular staff training, testing, audits or other mechanisms designed to that ensure and monitor compliance with such policies and procedures to demonstrate compliance with Company Data Protection LawsPolicies, (iiB) maintained and keeps kept up-to-date records of all its Personal Data Information processing activities as required under Data Protection Laws, (iii) issued fair processing notices to the relevant data subjects in accordance with Data Protection Laws, (iv) made all disclosures toactivities, and (C) obtained all appropriate consents, approvals and/or authorization from, users, customers, employees, directors, officers, partners, consultants, contractors, and other applicable Persons required in all material respects by applicable Data Protection Laws to process and transfer such Personal Data lawfully and Information lawfully, including in accordance with Data Protection Laws, and (v) has filed all registrations required in all material respects under Data Protection Laws with relation to the applicable data protection authorityplacement of cookies or similar technologies on the devices of users of the Company’s websites. (cb) Each Target The Company has implemented and maintains appropriate technical and organizational measures designed or otherwise intended to protect Personal Data Information and other sensitive, proprietary or confidential Company data relating to the business of the Target Company against Personal Data breaches unauthorized access and cybersecurity incidents. Each Target Company has undertakenexfiltration, theft, or disclosure, as monitored through regular external penetration tests and resolved in all material respects any material issues identified by, all necessary surveys, audits, inventories, reviews, analysis and/or vulnerability assessments (including by remediating any necessary risk assessments and risk analyses) of all areas of its business and operations, in each case required by Data Protection Laws. To the Knowledge of the Company, in the five years prior to the date of this Agreement there has been no material loss of, damage to, unauthorized access to, or unauthorized use, modification, or misuse of, any Personal Data in the possession or control of a Target Companyidentified vulnerabilities). (dc) In the past five years, no Target The Company has not (i) to suffered or discovered any actual data breach or security incident involving unauthorized access, use, disclosure, loss, denial, disruption, alteration, destruction, compromise, unauthorized processing, or intrusion into the Knowledge of Company IT Systems or any Personal Information stored on or accessible from the Company, been subject to any actual, pending, Company IT Systems or, to the Knowledge of the Company, any other computer networks or systems containing sensitive, proprietary, or confidential data or Personal Information of the Company; (ii) been subject to or received any actual, pending, or threatened investigations, notices notices, claims, complaints, requests, correspondence or requests other communication from any Governmental Authority in relation to their data processing processing, cybersecurity or cybersecurity activities, and Personal Information; (iiiii) received any actual, pending, or threatened claims from individuals or Governmental Authorities natural persons alleging any breach of Data Protection Laws. Laws or the exercise of their rights thereunder; (iv) been a party to any other Action relating to, any actual, alleged or suspected violation of any Data Protection Law involving Personal Information in the possession or control of the Company, or held or processed by any vendor, processor or other third party for or on behalf of the Company; or (v) experienced circumstances which could reasonably be expected to give rise to any of the consequences in (i) through (iv). (d) The Company does not sell any Personal Information. (e) The execution, delivery, and delivery or performance by each Target Company of this Agreement and the consummation of the Transactions complies transactions contemplated hereby do not and will not (and the disclosure to and use by the Second Merger Surviving i) violate any Company of such information immediately after the Second Merger Effective Time will complyData Protection Policies; (ii) in all material respects with all violate any Data Protection Laws or (including iii) require the consent of or notice to any such Laws in the jurisdictions where the applicable information is collected)Person concerning Personal Information. (e) To the extent any Personal Data originating in the United Kingdom or European Economic Area is transferred by a Target Company outside of the United Kingdom or European Economic Area (as applicable), this is carried out in accordance with Data Protection Laws and, where applicable, with appropriate safeguards in place for such transfer in all material respects. (f) Each Target Company that processes Personal Data is registered with the United Kingdom Information Commissioner, and has paid any relevant fees, in each case, to the extent it is required to do so under Data Protection Laws. (g) No Target Company is, or has been, an operator of essential services or a relevant digital service provider under the NIS Directive and has no reason to believe it would be so classified in the future.

Data Protection and Cybersecurity. (a) For the purposes of this Section 7.235.18, the terms “controller,” “data subject,” “personal data breach,” “processor,” “processing” (and its cognates), ) and “special categories of personal datasell” shall have the meaning given to them in the GDPRCCPA. (ba) Each Target The Company complies and has complied at all times in all material respects with (i) all applicable Data Protection Laws, contractual (ii) all obligations in contracts that are material to the relevant Target Company, and such Target Company’s posted or publicly facing privacy policies relating to restrictions concerning the privacy, security, processing, storage, transmission, transfer, disclosures, confidentiality and use security or processing of Personal Data (including Personal Data of employees, directors, officers, partners, consultants, contractors, third parties who have provided information Information imposed under any Contract to which the Company is a Target Companyparty to or otherwise bound, and any information which may be re-identified or associated with a unique identifier)(iii) the Company’s own Company Data Protection Policies. Each Target As required by applicable Data Protection Laws, the Company has (iA) implemented and maintains appropriate policies, notices, logs, and procedures in relation to the processing its processing, retention, protection, and transfer of Personal Information (“Company Data (including cross-border transferProtection Policies”) and carried out regular staff training, testing, audits or other mechanisms designed to that ensure and monitor compliance with such policies and procedures to demonstrate compliance with Company Data Protection LawsPolicies, (iiB) maintained and keeps kept up-to-date records of all its Personal Data Information processing activities as required under Data Protection Laws, (iii) issued fair processing notices to the relevant data subjects in accordance with Data Protection Laws, (iv) made all disclosures toactivities, and (C) obtained all appropriate consents, approvals and/or authorization from, users, customers, employees, directors, officers, partners, consultants, contractors, and other applicable Persons required in all material respects by applicable Data Protection Laws to process and transfer such Personal Data lawfully and Information lawfully, including in accordance with Data Protection Laws, and (v) has filed all registrations required in all material respects under Data Protection Laws with relation to the applicable data protection authority.placement of cookies or similar technologies on the devices of users of the Company’s websites. 42 (cb) Each Target The Company has implemented and maintains appropriate maintained technical and organizational measures designed or otherwise intended to protect Personal Data Information and other sensitive, proprietary or confidential Company data relating to the business of the Target Company against Personal Data breaches unauthorized access and cybersecurity incidents. Each Target Company has undertakenexfiltration, theft, or disclosure, as monitored through regular external penetration tests and resolved in all material respects any material issues identified by, all necessary surveys, audits, inventories, reviews, analysis and/or vulnerability assessments (including by remediating any necessary risk assessments and risk analysesall material identified vulnerabilities) of all areas of its business and operations, in each case required by Data Protection Laws. To the Knowledge of the Company, in the five years prior to the date of this Agreement there has been no material loss of, damage to, unauthorized access to, or unauthorized use, modification, or misuse of, any Personal Data in the possession or control of a Target Companyaccordance with industry standard. (dc) In the past five years, no Target The Company has not (i) to suffered or discovered any actual data breach or security incident involving unauthorized access, use, disclosure, loss, denial, disruption, alteration, destruction, compromise, unauthorized processing, or intrusion into the Knowledge of Company IT Systems or any Personal Information stored on or accessible from the Company, been subject to any actual, pending, Company IT Systems or, to the Knowledge of the Company, any other computer networks or systems containing sensitive, proprietary, or confidential data or Personal Information of the Company; (ii) been subject to or received any actual, pending, or threatened investigations, notices notices, claims, complaints, requests, correspondence or requests other communication from any Governmental Authority in relation to their data processing processing, cybersecurity or cybersecurity activities, and Personal Information; (iiiii) received any actual, pending, or threatened claims from individuals or Governmental Authorities natural persons alleging any breach of Data Protection Laws. Laws or the exercise of their rights thereunder; (iv) been a party to any other Action relating to, any actual, alleged or suspected violation of any Data Protection Law involving Personal Information in the possession or control of the Company, or held or processed by any vendor, processor or other third party for or on behalf of the Company; or (v) experienced circumstances which could reasonably be expected to give rise to any of the consequences in (i) through (iv). (d) The Company does not sell any Personal Information. (e) The execution, delivery, and delivery or performance by each Target Company of this Agreement and the consummation of the Transactions complies transactions contemplated hereby do not and will not (and the disclosure to and use by the Second Merger Surviving i) violate any Company of such information immediately after the Second Merger Effective Time will complyData Protection Policies; (ii) in all material respects with all violate any Data Protection Laws or (including iii) require the consent of or notice to any such Laws in the jurisdictions where the applicable information is collected)Person concerning Personal Information. (e) To the extent any Personal Data originating in the United Kingdom or European Economic Area is transferred by a Target Company outside of the United Kingdom or European Economic Area (as applicable), this is carried out in accordance with Data Protection Laws and, where applicable, with appropriate safeguards in place for such transfer in all material respects. (f) Each Target Company that processes Personal Data is registered with the United Kingdom Information Commissioner, and has paid any relevant fees, in each case, to the extent it is required to do so under Data Protection Laws. (g) No Target Company is, or has been, an operator of essential services or a relevant digital service provider under the NIS Directive and has no reason to believe it would be so classified in the future.

Data Protection and Cybersecurity. (a) For 10.1 To the purposes of this Section 7.23extent NV or Company collects, the terms “controller,” “data subject,” “personal data breach,” “processor,” “processing” (and its cognates)stores, and “special categories of personal data” shall have the meaning given to them in the GDPR. (b) Each Target Company complies in all material respects with all Data Protection Laws, contractual obligations in contracts that are material to the relevant Target Company, and such Target Company’s posted or publicly facing privacy policies relating to the privacy, security, processing, storage, transmission, transfer, disclosures, confidentiality and use of Personal Data (including Personal Data of employees, directors, officers, partners, consultants, contractors, third parties who have provided information to a Target Company, and any information which may be re-identified or associated with a unique identifier). Each Target Company has (i) implemented and maintains appropriate policies, notices, logs, and procedures in relation to the processing and transfer of Personal Data (including cross-border transfer) and carried out regular staff training, testing, audits or other mechanisms designed to ensure and monitor compliance with such policies and procedures to demonstrate compliance with Data Protection Laws, (ii) maintained and keeps up-to-date records of its Personal Data processing activities as required under Data Protection Laws, (iii) issued fair processing notices to the relevant data subjects in accordance with Data Protection Laws, (iv) made all disclosures to, and obtained all appropriate consents, approvals and/or authorization from, users, customers, employees, directors, officers, partners, consultants, contractors, and other applicable Persons required in all material respects by applicable Data Protection Laws to process and transfer such Personal Data lawfully and in accordance with Data Protection Laws, and (v) has filed all registrations required in all material respects under Data Protection Laws with the applicable data protection authority. (c) Each Target Company has implemented and maintains appropriate technical and organizational measures designed hosts or otherwise intended to protect Personal Data and other data relating to the business of the Target Company against Personal Data breaches and cybersecurity incidents. Each Target Company has undertaken, and resolved in all material respects any material issues identified by, all necessary surveys, audits, inventories, reviews, analysis and/or assessments (including any necessary risk assessments and risk analyses) of all areas of its business and operations, in each case required by Data Protection Laws. To the Knowledge of the Company, in the five years prior to the date of this Agreement there has been no material loss of, damage to, unauthorized access to, or unauthorized use, modification, or misuse of, any processes Personal Data in the possession or control of a Target Company. (d) In the past five yearsconnection with this Agreement, no Target NV and Company has (i) to the Knowledge of the Company, been subject to any actual, pending, or, to the Knowledge of the Company, threatened investigations, notices or requests from any Governmental Authority in relation to their data processing or cybersecurity activities, and (ii) received any actual, pending, or threatened claims from individuals or Governmental Authorities alleging any breach of Data Protection Laws. The execution, delivery, and performance by each Target Company of this Agreement and the consummation of the Transactions complies (and the disclosure to and use by the Second Merger Surviving Company of such information immediately after the Second Merger Effective Time will comply) in all material respects shall comply with all Data Protection Laws (including any such Laws in the jurisdictions where the applicable information is collected). (e) To the extent any Personal Data originating in the United Kingdom or European Economic Area is transferred by a Target Company outside of the United Kingdom or European Economic Area (as applicable), this is carried out in accordance with Data Protection Laws and, where applicable, with appropriate safeguards in place for such transfer in all material respects. (f) Each Target Company that processes Personal Data is registered with the United Kingdom Information Commissioner, and has paid any relevant fees, in each case, to the extent it is required to do so under Applicable Data Protection Laws. 10.2 To the extent NV collects, stores, hosts or otherwise processes Personal Data on behalf of Company in connection with the performance of the NV Services set out in Schedule 2 (gScope of Services) No Target as a data processor (as defined in the GDPR), the data processing clauses set forth in Schedule 3 (Personal Data and Information Security) shall apply and Part B of Schedule 3 (Personal Data and Information Security) shall also apply to the extent NV collects, stores, hosts or otherwise processes Personal Data on behalf of Company isas a data processor and such processing is subject to the KSA PDPL. 10.3 To the extent that the performance of the NV Services set out in Schedule 2 (Scope of Services) entail data processing operations which do not qualify as a controller-to-processor relationship under Article 28 of the GDPR, the Parties undertake to negotiate in good faith and enter into any further data protection related agreement to the extent such an agreement is necessary to comply with the GDPR and/or any other Applicable Data Protection Laws, such as the KSA PDPL, prior to the commencement of the respective NV Services. 10.4 The Parties further agree to negotiate in good faith modifications to this Agreement, including Schedule 3 (Personal Data and Information Security), if changes are required for the Parties to continue to process Personal Data as contemplated by this Agreement in compliance with Applicable Data Protection Laws or to address the legal interpretation of Applicable Data Protection Laws, including: 10.4.1 to comply with the KSA PDPL, including any guidance issued by a Regulatory Authority; 10.4.2 to comply with applicable international Personal Data transfer requirements; and 10.4.3 to obtain authorisation or approval from a Regulatory Authority prior to transferring Personal Data outside of the relevant jurisdiction if such authorisation or approval is required. 10.5 To the extent NV collects, stores, hosts or otherwise processes Personal Data on behalf of Company in connection with the performance of the NV Services set out in Schedule 2 (Scope of Services), NV shall comply with the cybersecurity requirements set forth below: 10.5.1 Notify Company without undue delay and in any event within 48 hours of becoming aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or has beenaccess to, an operator of essential services or a relevant digital service provider under such Personal Data; 10.5.2 Reasonably comply with Company organisational policies and procedures regarding cybersecurity, as provided to NV in writing and in advance from time to time; and 10.5.3 Process such Personal Data in accordance with laws relating to cybersecurity and cloud computing, including as issued by Regulatory Authorities such as the NIS Directive National Cybersecurity Authority and has no reason to believe it would be so classified in the futureCommunications, Space and Technology Commission.