Common use of DATA PROTECTION AND DATA PROCESSING Clause in Contracts

DATA PROTECTION AND DATA PROCESSING. 5.1 Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Legislation. 5.2 The parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Data Controller and USC is the Data Processor. 5.3 Without prejudice to the generality of clause 5.1, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to USC for the duration and purposes of the Agreement. 5.4 Without prejudice to the generality of clause 5.1, USC shall, in relation to any Personal Data processed in connection with the performance by USC of its obligations under the Agreement: 5.4.1 process that Personal Data only on the written instructions of the Customer unless USC is required by the Data Protection Legislation to otherwise process that Personal Data. Where USC is relying on laws of a member of the EU or EU law as the basis for processing Personal Data, it shall promptly notify the Customer of this before performing the processing required by the applicable laws unless USC is so prohibited from notifying the Customer; 5.4.2 ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the Customer, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it); 5.4.3 ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; and 5.4.4 not transfer any Personal Data outside of the EEA unless the prior written consent of the Customer has been obtained and the following conditions are fulfilled: (a) the Customer or USC has provided appropriate safeguards in relation to the transfer; (b) the Data Subject has enforceable rights and effective legal remedies; (c) USC complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and (d) USC complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; 5.4.5 at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer on termination of the agreement unless required by applicable law to store the Personal Data; and 5.4.6 maintain complete and accurate records and information to demonstrate its compliance with this clause. 5.5 The Customer consents to USC appointing third parties as a third-party processor of Personal Data under the Agreement. USC confirms that it has entered or (as the case may be) will enter with the third-party processor into a written agreement incorporating terms which are substantially similar to those set out in this clause. As between the Customer and USC, USC shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause.

DATA PROTECTION AND DATA PROCESSING. 5.1 1.1 Both parties Parties will comply with all applicable requirements of the Data Protection Legislation. This clause Schedule 1 is in addition to, and does not relieve, remove or replace, a partyParty's obligations under the Data Protection Legislation. 5.2 1.2 The parties Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the data controller and ECA is the data processor (where Data Controller and USC is Data Processor have the meanings as defined in the Data ProcessorProtection Legislation). The personal data being processed by ECA shall: (a) include the personal details of its Customers and clients; and (b) concern ECA's Customers and clients. 5.3 1.3 Without prejudice to the generality of clause 5.1paragraph 1.1, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to USC ECA for the duration and purposes of the this Agreement. 5.4 1.4 Without prejudice to the generality of clause 5.1paragraph 1.1, USC ECA shall, in relation to any Personal Data processed in connection with the performance by USC ECA of its obligations under the this Agreement: 5.4.1 (a) process that Personal Data only on the written instructions of the Customer unless USC ECA is required by the Data Protection Legislation Applicable Laws to otherwise process that Personal Data. Where USC is relying on laws of a member of the EU or EU law as the basis for processing Personal Data, it shall promptly notify the Customer of this before performing the processing required by the applicable laws unless USC is so prohibited from notifying the Customer; 5.4.2 (b) ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the Customer, measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it); 5.4.3 (c) ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; and 5.4.4 (d) not transfer any Personal Data outside of the EEA European Economic Area unless the prior written consent of the Customer has been obtained and the following conditions are fulfilled: (a) the Customer or USC has provided appropriate safeguards in relation to the transfer; (be) assist the Customer, at the Customer's cost, in responding to any request from a Data Subject has enforceable rights and effective legal remedies; (c) USC complies in ensuring compliance with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and (d) USC complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; 5.4.5 at the written direction of the Customersecurity, delete breach notifications, impact assessments and consultations with supervisory authorities or return Personal Data and copies thereof to the Customer on termination of the agreement unless required by applicable law to store the Personal Data; and 5.4.6 maintain complete and accurate records and information to demonstrate its compliance with this clauseregulators. 5.5 The Customer consents (f) Please tick this box [ ] if you do not give ECA permission to USC appointing third parties as a third-party processor of Personal Data under the Agreement. USC confirms that it has entered use your companies name or (as the case may be) will enter with the third-party processor into a written agreement incorporating terms which are substantially similar to those set out logo in this clause. As between the Customer and USC, USC shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clausefuture ECA literature.

DATA PROTECTION AND DATA PROCESSING. 5.1 Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Legislation.Legislation.‌ 5.2 The parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Data Controller and USC IDCD is the Data Processor. 5.3 Without prejudice to the generality of clause 5.1, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to USC IDCD for the duration and purposes of the Agreement. 5.4 Without prejudice to the generality of clause 5.1, USC IDCD shall, in relation to any Personal Data processed in connection with the performance by USC IDCD of its obligations under the Agreement: 5.4.1 process that Personal Data only on the written instructions of the Customer unless USC IDCD is required by the Data Protection Legislation to otherwise process that Personal Data. Where USC IDCD is relying on laws of a member of the EU or EU law as the basis for processing Personal Data, it shall promptly notify the Customer of this before performing the processing required by the applicable laws unless USC IDCD is so prohibited from notifying the Customer; 5.4.2 ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the Customer, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it); 5.4.3 ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; and 5.4.4 not transfer any Personal Data outside of the EEA unless the prior written consent of the Customer has been obtained and the following conditions are fulfilled: (a) the Customer or USC IDCD has provided appropriate safeguards in relation to the transfer; (b) the Data Subject has enforceable rights and effective legal remedies; (c) USC IDCD complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and (d) USC IDCD complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; 5.4.5 at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer on termination of the agreement unless required by applicable law to store the Personal Data; and 5.4.6 maintain complete and accurate records recor§ds and information to demonstrate its compliance with this clause. 5.5 The Customer consents to USC IDCD appointing third parties as a third-party processor of Personal Data under the Agreement. USC IDCD confirms that it has entered or (as the case may be) will enter with the third-party processor into a written agreement incorporating terms which are substantially similar to those set out in this clause. As between the Customer and USCIDCD, USC IDCD shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause.

DATA PROTECTION AND DATA PROCESSING. 5.1 ‌ 10.1 Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause 10 is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Legislation. 5.2 10.2 The parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Data Controller and USC is the Data Processor. 5.3 Without prejudice to the generality of clause 5.1, the Customer Client will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to USC RedRock for the duration and purposes of the Agreementthis agreement. 5.4 Without prejudice to the generality of clause 5.1, USC 10.3 RedRock shall, in relation to any Personal Data processed in connection with the performance by USC XxxXxxx of its obligations under the Agreementthis agreement: 5.4.1 process that Personal Data only on the written instructions of the Customer unless USC is required by the Data Protection Legislation to otherwise process that Personal Data. Where USC is relying on laws of a member of the EU or EU law as the basis for processing Personal Data, it shall promptly notify the Customer of this before performing the processing required by the applicable laws unless USC is so prohibited from notifying the Customer; 5.4.2 (i) ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the CustomerClient, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it); 5.4.3 (ii) ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; andconfidential in accordance with clause 6; 5.4.4 (iii) not transfer any Personal Data outside of the EEA European Economic Area unless the prior written consent of the Customer has been obtained and the following conditions are fulfilled: (a) : • the Customer Client or USC RedRock has provided appropriate safeguards in relation to the transfer; (b) ; • the Data Subject data subject has enforceable rights and effective legal remedies; (c) USC ; • RedRock complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and (d) USC and • RedRock complies with reasonable instructions notified to it in advance by the Customer Client with respect to the processing of the Personal Data;. 5.4.5 at (iv) notify the written direction Client without undue delay on becoming aware of the Customer, delete or return a Personal Data and copies thereof to the Customer on termination of the agreement unless required by applicable law to store the Personal Data; and 5.4.6 maintain complete and accurate records and information to demonstrate its compliance with this clausebreach. 5.5 10.4 The Customer Client consents to USC RedRock Consulting appointing third parties as a third-party processor processors of Personal Data under necessary for the Agreementpurpose of delivering the Services. USC The Supplier confirms that it has entered or (as the case may be) will enter with the third-party processor into a written agreement incorporating substantially on that third party's standard terms which are substantially similar to those set out in this clauseof business. As between the Customer and USCRedRock Consulting, USC RedRock Consulting shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clauseclause 10.