Common use of Data Protection and Cybersecurity Clause in Contracts

Data Protection and Cybersecurity. (a) For the purposes of this Section 6.24, the terms “controller,” “data subject,” “personal data,” “personal data breach,” “processor,” “processing” (and its cognates), and “special categories of personal data” shall have the meaning given to them in the GDPR. (b) Each Target Company complies in all material respects with all Data Protection Laws and contractual obligations relating to the privacy, security, processing, transfer and confidentiality of personal data. Each Target Company has (i) implemented and maintains appropriate policies, notices, logs, and procedures in relation to the processing and transfer of personal data and carried out regular staff training, testing, audits or other mechanisms designed to ensure and monitor compliance with such policies and procedures to demonstrate compliance with Data Protection Laws, (ii) maintained and keeps up-to-date records of all its personal data processing activities as required under Data Protection Laws, (iii) issued fair processing notices to the relevant data subjects in accordance with Data Protection Laws, (iv) obtained all appropriate consents, approvals and/or authorisation to process and transfer such personal data lawfully and in accordance with Data Protection Laws, including in relation to the placement of cookies or similar technologies on the devices of users of each Target Company’s website. (c) Each Target Company has implemented and maintains appropriate technical and organisational measures to protect personal data and other data relating to the business of the Target Company against personal data breaches and cybersecurity incidents, as monitored through regular external penetration tests and vulnerability assessments (including by remediating any and all material identified vulnerabilities). (d) In the past three (3) years, no Target Company has (i) suffered, or has discovered, any personal data breach or security breach or, to the Knowledge of the Company, intrusion into a Target Company’s computer networks or systems or any other computer networks or systems containing personal data or a Target Company’s data, (ii) been subject to any actual, pending, or threatened investigations, notices or requests from any Governmental Authority in relation to their data processing or cybersecurity activities, and (iii) received any actual, pending, or threatened claims from individuals alleging any breach of, or exercising their rights under, Data Protection Laws, except where such a claim would not be reasonably likely to be material to the Target Companies, taken as a whole. (e) The systems used by the Target Companies to store or use personal data are all located inside the European Economic Area or the United Kingdom. (f) To the extent any personal data originating in the United Kingdom or European Economic Area is transferred by a Target Company outside of the United Kingdom or European Economic Area (as applicable), this is carried out in accordance with Data Protection Laws and with appropriate safeguards in place for such transfer. (g) Each Target Company that processes personal data is registered with the United Kingdom Information Commissioner, and has paid any relevant fees, to the extent it is required to do so under Data Protection Laws. (h) No Target Company is, or has been, an operator of essential services or a relevant digital service provider as defined in the NIS Directive and has no reason to believe it would be so classified in the future.

Data Protection and Cybersecurity. (a) For the purposes of this Section 6.246.25, the terms “controller,” “data subject,” “personal data,” “personal data breach,” “processor,” “processing” (and its cognates), and “special categories of personal data” shall have the meaning given to them in the GDPR. (b) Each Target Company complies in all material respects with all Data Protection Laws and contractual obligations relating to the privacy, security, processing, transfer and confidentiality of personal data. Each Target Company has (i) implemented and maintains appropriate policies, notices, logs, and procedures in relation to the processing and transfer of personal data and carried out regular staff training, testing, audits or other mechanisms designed to ensure and monitor compliance with such policies and procedures to demonstrate compliance with Data Protection Laws, (ii) maintained and keeps kept up-to-date records of all its personal data processing activities as required under Data Protection Laws, (iii) issued fair processing notices to the relevant data subjects in accordance with Data Protection Laws, (iv) obtained all appropriate consents, approvals and/or authorisation authorization to process and transfer such personal data lawfully and in accordance with Data Protection Laws, including in relation to the placement of cookies or similar technologies on the devices of users of each Target Company’s website. (c) Each Target Company has implemented and maintains appropriate technical and organisational organizational measures to protect personal data and other data relating to the business of the Target Company against personal data breaches and cybersecurity incidents, as monitored through regular external penetration tests and vulnerability assessments (including by remediating any and all material identified vulnerabilities). (d) In the past three two (32) years, no Target Company has (i) suffered, or has discovered, any material personal data breach or material security breach or, to the Knowledge of the Company, intrusion into a Target Company’s computer networks or systems or any other computer networks or systems containing personal data or a Target Company’s data, (ii) been subject to any actual, pending, or threatened investigations, notices or requests from any Governmental Authority in relation to their data processing or cybersecurity activities, and (iii) received any actual, pending, or threatened claims from individuals alleging any breach of, or exercising their rights under, Data Protection Laws, except where such a claim would not be reasonably likely to be material to the Target Companies, taken as a whole. (e) The systems used by the Target Companies to store or use personal data are all located inside the European Economic Area or the United Kingdom. (f) To the extent any personal data originating in the United Kingdom or European Economic Area is transferred by a Target Company outside of the United Kingdom or European Economic Area (as applicable), this is carried out in accordance with Data Protection Laws and with appropriate safeguards in place for such transfer. (g) Each Target Company that processes personal data is registered with the United Kingdom Information Commissioner, and has paid any relevant fees, to the extent it is required to do so under Data Protection Laws. (h) No Target Company is, or has been, an operator of essential services or a relevant digital service provider as defined in the NIS Directive and has no reason to believe it would be so classified in the future.

Data Protection and Cybersecurity. (a) For the purposes of this Section 6.24, the terms “controller,” “data subject,” “personal data,” “personal data breach,” “processor,” “processing” (and its cognates), and “special categories of personal data” shall have the meaning given to them in the GDPR. (b) Each Target Company complies in all material respects with all Data Protection Laws and contractual obligations relating to the privacy, security, processing, transfer and confidentiality of personal data. Each Target Company has (i) implemented and maintains appropriate policies, notices, logs, and procedures in relation to the processing and transfer of personal data and carried out regular staff training, testing, audits or other mechanisms designed to ensure and monitor compliance with such policies and procedures to demonstrate compliance with Data Protection Laws, (ii) maintained and keeps up-to-date records of all its personal data processing activities as required under Data Protection Laws, (iii) issued fair materially compliant processing notices to the relevant data subjects in accordance with Data Protection Laws, (iv) to the extent legally required, obtained all appropriate consents, approvals and/or authorisation authorization to process and transfer such personal data lawfully and in accordance with Data Protection Laws, including in relation to the placement of cookies or similar technologies on the devices of users of each Target Company’s website. (c) Each Target Company has implemented and maintains appropriate technical and organisational organizational measures to protect personal data and other data relating to the business of the Target Company against personal data breaches and cybersecurity incidents, as monitored through regular external penetration tests and vulnerability assessments (including by remediating any and all material identified vulnerabilities). (d) In the past three two (32) years, no Target Company has (i) suffered, or has discovered, any personal data breach or security breach or, to the Knowledge of the Company, intrusion into a Target Company’s computer networks or systems or any other computer networks or systems containing personal data or a Target Company’s data, (ii) been subject to any actual, pending, or threatened investigations, notices or requests from any Governmental Authority in relation to their data processing or cybersecurity activities, and (iii) received any actual, pending, or threatened claims from individuals alleging any breach of, or exercising their rights under, Data Protection Laws, except where such a claim would not be reasonably likely to be material to the Target Companies, taken as a whole. (e) The systems used by the Target Companies to store or use personal data are all located inside the European Economic Area or the United Kingdom. (f) To the extent any personal data originating in the United Kingdom or European Economic Area is transferred by a Target Company outside of the United Kingdom or European Economic Area (as applicable), this is carried out in accordance with Data Protection Laws and with appropriate safeguards in place for such transfer. (g) Each Target Company that processes personal data is registered with the United Kingdom Information Commissioner, and has paid any relevant fees, to the extent it is required to do so under Data Protection Laws. (h) No Target Company is, or has been, an operator of essential services or a relevant digital service provider as defined in the NIS Directive and has no reason to believe it would be so classified in the future.