Common use of DATA PROTECTION AND DATA PROCESSING Clause in Contracts

DATA PROTECTION AND DATA PROCESSING. 7.1 With respect to the Parties' rights and obligations under the Agreement, the Parties agree that for the purposes of the Data Protection Legislation, the Supplier is a Data Controller in relation to Personal Data. 7.2 The Customer will obtain all necessary consents required under the Data Protection Legislation from data subjects to enable the Customer to share such personal data with the Supplier and to allow the Supplier to process the same in accordance with this agreement and the Data Protection Legislation. 7.3 The Supplier shall process Personal Data under this agreement only to the extent, and in such a manner, as is necessary for the purpose of performing its obligations under this agreement. The Supplier not will transfer any Personal Data processed under the agreement outside the European Economic Area, except with the express written consent of the data subject. 7.4 The Supplier shall comply with its obligations under the Data Protection Legislation by: 7.4.1 obtaining any consents required under the Data Protection Legislation and ensuring that information provided to data subjects at the time of collecting their Personal Data is clear and provides sufficient information to the data subjects for them to understand the circumstances in which it will be shared and the purposes for the data sharing; and 7.4.2 providing to the Customer any information necessary to enable it to perform its obligations under the Data Protection Legislation; 7.4.3 co-operating with the Customer so that it can comply with its obligations under the Data Protection Legislation in respect of any Personal Data collected, held or processed under this Agreement; and 7.4.4 taking appropriate technical and organisational measures against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data (including, but not limited to, adequate back-up procedures and disaster recovery systems) to ensure a level of security appropriate to the risk and which, from implementation of GDPR satisfies the requirements of GDPR as a minimum. 7.5 The Supplier agrees to indemnify and keep the Customer indemnified against all claims and proceedings and all liability, loss, costs and expenses whatsoever incurred in connection therewith by the Customer as a result of any claim made or brought by any individual or other legal person in respect of any loss, damage or distress caused to that individual or other legal person as a result of the Supplier’s unauthorised processing, unlawful processing, destruction of or damage to any Personal Data processed by it, its employees or agents in its performance of this agreement or as otherwise agreed between the parties. 7.6 Both Parties agree to use all reasonable efforts to assist each other to comply with the Data Protection Legislation. For the avoidance of doubt, this includes (without limitation) each Party notifying the other party immediately upon becoming aware of a breach of this Clause 7.

DATA PROTECTION AND DATA PROCESSING. 7.1 With respect to the Parties' rights and obligations under the Agreement, the Parties agree that for 9.1 For the purposes of the Data Protection Legislationthis Agreement, the Supplier is a Data Controller in relation to both parties may receive Personal Data. 7.2 The Customer will obtain all necessary consents required under . Where the parties receive Personal Data Protection Legislation from data subjects as Data Controllers each party agrees to enable the Customer to share such personal data comply with the Supplier and to allow the Supplier to process the same in accordance with this agreement and the current Data Protection Legislation. 7.3 The Supplier shall process 9.2 Throughout the commercial relationship of the parties, each party will be processing the Personal Data under of the other’s employees in order to facilitate contact and co-operation between the parties. 9.3 Notwithstanding the Personal Data described in Clause 8.2, the Customer will, acting as Data Controller be passing Personal Data to QGate as Data Processor pursuant to this agreement only Agreement. 9.4 Where QGate receives Personal Data as a Data Processor, QGate shall: 9.4.1 act solely on the instructions of the Customer in relation to the extentprocessing of that Personal Data. In the event that a legal requirement prevents QGate from complying with such instructions QGate shall, unless such legal requirement prohibits it from doing so, inform the Customer of the relevant legal requirement before carrying out the relevant processing activities provided that to the maximum extent permitted by mandatory law, QGate shall have no liability howsoever arising (whether in contract, tort (including negligence) or otherwise) for any losses, costs, expenses or liabilities arising from or in connection with any processing in accordance with the Customer’s processing instructions following the Customer’s receipt of that information; 9.4.2 at all times, ensure that the necessary technical and organisational measures are in place to prevent unauthorised and unlawful processing or disclosure of such a manner, as is necessary for the purpose of performing its obligations under this agreement. The Supplier not will transfer any Personal Data processed under and such measures shall include taking reasonable steps to ensure the agreement reliability of any of its staff who may have access to Personal Data and ensuring that such staff are subject to appropriate confidentiality undertakings. QGate shall, save where prohibited by law and as soon as reasonably practical, notify the other party of any legal obligation which requires the QGate to disclose the Personal Data to a third party; 9.4.3 not transfer the Personal Data outside of the European Economic Area, except with Area (as such term is commonly understood) or to any third party without the express Customer’s written consent of consent; 9.4.4 send to the data subject. 7.4 The Supplier shall comply with its obligations under the Data Protection Legislation by: 7.4.1 obtaining other party any consents required under the Data Protection Legislation and ensuring that information provided communications received from individuals in relation to data subjects at the time of collecting their Personal Data is clear and provides sufficient information as soon as reasonably practicable. QGate shall provide reasonable co-operation to the data subjects for them other party in relation to understand the circumstances in which it will be shared and the purposes for the data sharing; and 7.4.2 providing to the Customer any information necessary to enable it to perform its obligations individuals exercising their rights under the Data Protection Legislation; 7.4.3 9.4.5 give the Customer reasonable assistance in relation to its compliance with Data Protection Legislation; 9.4.6 take reasonable steps to ensure the confidentiality, integrity, availability and resilience of processing systems and services associated with the processing of Personal Data; 9.4.7 co-operating operate with and provide such information and access to any facilities, premises or equipment from or on which Personal Data is, has been, or is to be processed pursuant to this Agreement (including any such facilities, premises or equipment used by staff and/or sub-contractors) as the other party may reasonably require enabling it to monitor compliance by QGate with the obligations in this Agreement; 9.4.8 notify the Customer so that it can comply without undue delay and assist the Customer with any investigation into and remediation of an actual or suspected Personal Data Breach. QGate shall also provide the Customer with reasonable assistance with any notifications made to relevant authorities and/or individuals in relation to a Personal Data Breach; 9.4.9 not subcontract any of its obligations under this Agreement regarding the Data Protection Legislation in respect of any Personal Data collected, held or processed under this Agreement; and 7.4.4 taking appropriate technical and organisational measures against unauthorised or unlawful processing of Personal Data to a third party (a “Sub-Processor”) without the prior written consent of the Customer. QGate shall be liable for the acts and against accidental loss omissions of the Sub-Processor as if they were the acts or destruction of, or damage to, omissions of the QGate itself and QGate shall ensure that there is a written contract executed between QGate and the Sub-Processor that contains equivalent protections for the Personal Data (including, but not limited to, adequate back-up procedures as are set out in this Agreement; 9.4.10 immediately cease processing the Personal Data and disaster recovery systems) to ensure a level of security appropriate to the risk and which, from implementation of GDPR satisfies the requirements of GDPR as a minimum. 7.5 The Supplier agrees to indemnify and keep the Customer indemnified against all claims and proceedings and all liability, loss, costs and expenses whatsoever incurred in connection therewith by the Customer as a result of any claim made or brought by any individual or other legal person in respect of any loss, damage or distress caused to that individual or other legal person as a result of the Supplier’s unauthorised processing, unlawful processing, destruction of or damage to immediately supply any Personal Data processed to the other party or delete the Personal Data in accordance with the other party’s instructions; 9.4.11 submit to audits and inspections carried out directly upon it by it, its employees a supervisory authority or agents in its performance of this agreement the Customer (no more often than once every twelve (12) months or as otherwise agreed between the parties.Customer reasonably believes necessary, based on evidence and providing such evidence in notification to the Processor), and co-operate in any audits and inspections carried out upon the Customer; and 7.6 Both Parties agree to use all reasonable efforts to assist each other to comply with 9.4.12 inform the Customer immediately of any requests made of it that would involve infringing Data Protection Legislation. For the avoidance of doubt, this includes (without limitation) each Party notifying the other party immediately upon becoming aware of a breach of this Clause 7.

DATA PROTECTION AND DATA PROCESSING. 7.1 With respect to 25.1 Both parties will comply with all applicable requirements of the Parties' rights Data Protection Legislation. This clause 25 is in addition to, and does not relieve, remove or replace, a party's obligations under the Agreement, the Parties agree Data Protection Legislation. 25.2 The parties acknowledge that for the purposes of the Data Protection Legislation, the Supplier Hirer is a Data Controller the data controller and the Owner is the data processor (where data controller and data processor have the meanings as defined in relation to Personal Data. 7.2 The Customer will obtain all necessary consents required under the Data Protection Legislation from data subjects to enable the Customer to share such personal data with the Supplier and to allow the Supplier to process the same in accordance with this agreement and the Data Protection Legislation). 7.3 The Supplier shall process Personal Data under this agreement only 25.3 Without prejudice to the extentgenerality of clause 25.1, the Hirer will ensure that it has all necessary appropriate consents and notices in such a manner, as is necessary place to enable lawful transfer of any and all personal data transferred to the Owner for the purpose duration and purposes of performing this Agreement. 25.4 The Hirer acknowledges that the Owner is reliant on the Hirer for direction as to the extent to which the Owner is entitled to use and process personal data. Consequently, the Owner will not be liable for any claim brought by a data subject arising from any act or omission by the Owner, to the extent that such action or omission resulted from the Hirer’s instructions or failure to adequately instruct the Owner. The Hirer hereby indemnifies and agrees to hold harmless the Owner against any liability, costs, or damage incurred as a direct or indirect result thereof. 25.5 Without prejudice to the generality of clause 25.1, the Owner shall, in relation to any personal data processed in connection with the performance by the Owner of its obligations under this agreement. The Supplier not will transfer any Personal Data processed under the agreement outside the European Economic Area, except with the express written consent of the data subject. 7.4 The Supplier shall comply with its obligations under the Data Protection Legislation byAgreement: 7.4.1 obtaining any consents required under the Data Protection Legislation and ensuring that information provided to data subjects at the time of collecting their Personal Data is clear and provides sufficient information to the data subjects for them to understand the circumstances in which it will be shared and the purposes for the data sharing; and 7.4.2 providing to the Customer any information necessary to enable it to perform its obligations under the Data Protection Legislation; 7.4.3 co-operating with the Customer so 25.5.1 ensure that it can comply with its obligations under the Data Protection Legislation has in respect of any Personal Data collected, held or processed under this Agreement; and 7.4.4 taking place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data personal data and against accidental loss or destruction of, or damage to, Personal Data (includingpersonal data, but not limited to, adequate back-up procedures and disaster recovery systems) to ensure a level of security appropriate to the risk harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and whichthe nature of the data to be protected, from implementation having regard to the state of GDPR satisfies technological development and the requirements cost of GDPR as implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting personal data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to personal data can be restored in a minimum.timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it); 7.5 The Supplier agrees 25.5.2 ensure that all personnel who have access to indemnify and and/or process personal data are obliged to keep the Customer indemnified against all claims and proceedings and all liability, loss, costs and expenses whatsoever incurred in connection therewith by the Customer as a result of personal data confidential; and 25.5.3 not transfer any claim made or brought by any individual or other legal person in respect of any loss, damage or distress caused to that individual or other legal person as a result personal data outside of the Supplier’s unauthorised processing, unlawful processing, destruction European Economic Area unless the prior written consent of the Hirer has been obtained and the following conditions are fulfilled: 25.5.3.1 the Hirer or damage the Owner has provided appropriate safeguards in relation to any Personal Data processed by it, the transfer; 25.5.3.2 the data subject has enforceable rights and effective legal remedies; 25.5.3.3 the Owner complies with its employees or agents in its performance of this agreement or as otherwise agreed between the parties. 7.6 Both Parties agree to use all reasonable efforts to assist each other to comply with obligations under the Data Protection Legislation. For Legislation by providing an adequate level of protection to any personal data that is transferred; and 25.5.3.4 the avoidance Owner complies with reasonable instructions notified to it in advance by the Hirer with respect to the processing of doubtthe personal data; 25.5.4 assist the Hirer, this includes (at the Hirer's cost, in responding to any request from a data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; and 25.5.5 notify the Hirer without limitation) each Party notifying the other party immediately upon undue delay on becoming aware of a breach personal data breach. 25.6 The Hirer consents to the Owner appointing third-party processors of personal data under this Clause 7Agreement.

DATA PROTECTION AND DATA PROCESSING. 7.1 With respect to the Parties' rights and obligations under the Agreement, the Parties agree that for 8.1 For the purposes of the Data Protection Legislationthis Agreement, the Supplier is a Data Controller in relation to both parties may receive Personal Data. 7.2 The Customer will obtain all necessary consents required under . Where the parties receive Personal Data Protection Legislation from data subjects as Data Controllers each party agrees to enable the Customer to share such personal data comply with the Supplier and to allow the Supplier to process the same in accordance with this agreement and the current Data Protection Legislation. 7.3 The Supplier shall process 8.2 Throughout the commercial relationship of the parties, each party will be processing the Personal Data under of the other’s employees in order to facilitate contact and co-operation between the parties. 8.3 Notwithstanding the Personal Data described in Clause 8.2, the Customer will, acting as Data Controller be passing Personal Data to QGate as Data Processor pursuant to this agreement only Agreement. 8.4 Where QGate receives Personal Data as a Data Processor, QGate shall: 8.4.1 act solely on the instructions of the Customer in relation to the extentprocessing of that Personal Data. In the event that a legal requirement prevents QGate from complying with such instructions QGate shall, unless such legal requirement prohibits it from doing so, inform the Customer of the relevant legal requirement before carrying out the relevant processing activities provided that to the maximum extent permitted by mandatory law, QGate shall have no liability howsoever arising (whether in contract, tort (including negligence) or otherwise) for any losses, costs, expenses or liabilities arising from or in connection with any processing in accordance with the Customer’s processing instructions following the Customer’s receipt of that information; 8.4.2 at all times, ensure that the necessary technical and organisational measures are in place to prevent unauthorised and unlawful processing or disclosure of such a manner, as is necessary for the purpose of performing its obligations under this agreement. The Supplier not will transfer any Personal Data processed under and such measures shall include taking reasonable steps to ensure the agreement reliability of any of its staff who may have access to Personal Data and ensuring that such staff are subject to appropriate confidentiality undertakings. QGate shall, save where prohibited by law and as soon as reasonably practical, notify the other party of any legal obligation which requires the QGate to disclose the Personal Data to a third party; 8.4.3 not transfer the Personal Data outside of the European Economic Area, except with Area (as such term is commonly understood) or to any third party without the express Customer’s written consent of consent; 8.4.4 send to the data subject. 7.4 The Supplier shall comply with its obligations under the Data Protection Legislation by: 7.4.1 obtaining other party any consents required under the Data Protection Legislation and ensuring that information provided communications received from individuals in relation to data subjects at the time of collecting their Personal Data is clear and provides sufficient information as soon as reasonably practicable. QGate shall provide reasonable co-operation to the data subjects for them other party in relation to understand the circumstances in which it will be shared and the purposes for the data sharing; and 7.4.2 providing to the Customer any information necessary to enable it to perform its obligations individuals exercising their rights under the Data Protection Legislation; 7.4.3 8.4.5 give the Customer reasonable assistance in relation to its compliance with Data Protection Legislation; 8.4.6 take reasonable steps to ensure the confidentiality, integrity, availability and resilience of processing systems and services associated with the processing of Personal Data; 8.4.7 co-operating operate with and provide such information and access to any facilities, premises or equipment from or on which Personal Data is, has been, or is to be processed pursuant to this Agreement (including any such facilities, premises or equipment used by staff and / or sub-contractors) as the other party may reasonably require enabling it to monitor compliance by QGate with the obligations in this Agreement; 8.4.8 notify the Customer so that it can comply without undue delay and assist the Customer with any investigation into and remediation of an actual or suspected Personal Data Breach. QGate shall also provide the Customer with reasonable assistance with any notifications made to relevant authorities and / or individuals in relation to a Personal Data Breach; 8.4.9 not subcontract any of its obligations under this Agreement regarding the Data Protection Legislation in respect of any Personal Data collected, held or processed under this Agreement; and 7.4.4 taking appropriate technical and organisational measures against unauthorised or unlawful processing of Personal Data to a third party (a “Sub-Processor”) without the prior written consent of the Customer. QGate shall be liable for the acts and against accidental loss omissions of the Sub-Processor as if they were the acts or destruction of, or damage to, omissions of the QGate itself and QGate shall ensure that there is a written contract executed between QGate and the Sub-Processor that contains equivalent protections for the Personal Data (including, but not limited to, adequate back-up procedures as are set out in this Agreement; 8.4.10 immediately cease processing the Personal Data and disaster recovery systems) to ensure a level of security appropriate to the risk and which, from implementation of GDPR satisfies the requirements of GDPR as a minimum. 7.5 The Supplier agrees to indemnify and keep the Customer indemnified against all claims and proceedings and all liability, loss, costs and expenses whatsoever incurred in connection therewith by the Customer as a result of any claim made or brought by any individual or other legal person in respect of any loss, damage or distress caused to that individual or other legal person as a result of the Supplier’s unauthorised processing, unlawful processing, destruction of or damage to immediately supply any Personal Data processed to the other party or delete the Personal Data in accordance with the other party’s instructions; and 8.4.11 submit to audits and inspections carried out directly upon it by it, its employees a supervisory authority or agents in its performance of this agreement the Customer (no more often than once every twelve (12) months or as otherwise agreed between the parties.Customer reasonably believes necessary, based on evidence and providing such evidence in notification to the Processor), and co-operate in any audits and inspections carried out upon the Customer; and 7.6 Both Parties agree to use all reasonable efforts to assist each other to comply with 8.4.12 inform the Customer immediately of any requests made of it that would involve infringing Data Protection Legislation. For the avoidance of doubt, this includes (without limitation) each Party notifying the other party immediately upon becoming aware of a breach of this Clause 7.

DATA PROTECTION AND DATA PROCESSING. 7.1 With respect to the Parties' rights and obligations under the Agreement, the Parties agree that for For the purposes of the Data Protection Legislationthis Agreement, the Supplier is a Data Controller in relation to both parties may receive Personal Data. 7.2 The Customer will obtain all necessary consents required under . Where the parties receive Personal Data Protection Legislation from data subjects as Data Controllers each party agrees to enable the Customer to share such personal data comply with the Supplier and to allow the Supplier to process the same in accordance with this agreement and the current Data Protection Legislation. 7.3 The Supplier shall process 7.2 Throughout the commercial relationship of the parties, each party will be processing the Personal Data under of the other’s employees in order to facilitate contact and co-operation between the parties. 7.3 Notwithstanding the Personal Data described in Clause 7.2, the Customer will, acting as Data Controller be passing Personal Data to QWARE as Data Processor pursuant to this agreement only Agreement. 7.4 Where QWARE receives Personal Data as a Data Processor, QWARE shall: 7.4.1 act solely on the instructions of the Customer in relation to the extentprocessing of that Personal Data. In the event that a legal requirement prevents QWARE from complying with such instructions QWARE shall, unless such legal requirement prohibits it from doing so, inform the Customer of the relevant legal requirement before carrying out the relevant processing activities provided that to the maximum extent permitted by mandatory law, QWARE shall have no liability howsoever arising (whether in contract, tort (including negligence) or otherwise) for any losses, costs, expenses or liabilities arising from or in connection with any processing in accordance with the Customer’s processing instructions following the Customer’s receipt of that information; 7.4.2 at all times, ensure that the necessary technical and organisational measures are in place to prevent unauthorised and unlawful processing or disclosure of such a manner, as is necessary for the purpose of performing its obligations under this agreement. The Supplier not will transfer any Personal Data processed under and such measures shall include taking reasonable steps to ensure the agreement reliability of any of its staff who may have access to Personal Data and ensuring that such staff are subject to appropriate confidentiality undertakings. QWARE shall, save where prohibited by law and as soon as reasonably practical, notify the other party of any legal obligation which requires the QWARE to disclose the Personal Data to a third party; 7.4.3 not transfer the Personal Data outside of the European Economic Area, except with Area (as such term is commonly understood) or to any third party without the express Customer’s written consent of consent; 7.4.4 send to the data subject. 7.4 The Supplier shall comply with its obligations under the Data Protection Legislation by: 7.4.1 obtaining other party any consents required under the Data Protection Legislation and ensuring that information provided communications received from individuals in relation to data subjects at the time of collecting their Personal Data is clear and provides sufficient information as soon as reasonably practicable. QWARE shall provide reasonable co-operation to the data subjects for them other party in relation to understand the circumstances in which it will be shared and the purposes for the data sharing; and 7.4.2 providing to the Customer any information necessary to enable it to perform its obligations individuals exercising their rights under the Data Protection Legislation; 7.4.3 7.4.5 give the Customer reasonable assistance in relation to its compliance with Data Protection Legislation; 7.4.6 take reasonable steps to ensure the confidentiality, integrity, availability and resilience of processing systems and services associated with the processing of Personal Data; 7.4.7 co-operating operate with and provide such information and access to any facilities, premises or equipment from or on which Personal Data is, has been, or is to be processed pursuant to this Agreement (including any such facilities, premises or equipment used by staff and/or sub-contractors) as the other party may reasonably require enabling it to monitor compliance by QWARE with the obligations in this Agreement; 7.4.8 notify the Customer so that it can comply without undue delay and assist the Customer with any investigation into and remediation of an actual or suspected Personal Data Breach. QWARE shall also provide the Customer with reasonable assistance with any notifications made to relevant authorities and/or individuals in relation to a Personal Data Breach; 7.4.9 not subcontract any of its obligations under this Agreement regarding the processing of Personal Data to a third party (a “Sub-Processor”) without the prior written consent of the Customer. QWARE shall be liable for the acts and omissions of the Sub-Processor as if they were the acts or omissions of the QWARE itself and QWARE shall ensure that there is a written contract executed between QWARE and the Sub-Processor that contains equivalent protections for the Personal Data as are set out in this Agreement; 7.4.10 immediately cease processing the Personal Data and immediately supply any Personal Data to the other party or delete the Personal Data in accordance with the other party’s instructions; 7.4.11 submit to audits and inspections carried out directly upon it by a supervisory authority or the Customer (no more often than once every twelve (12) months or as the Customer reasonably believes necessary, based on evidence and providing such evidence in notification to the Processor), and co-operate in any audits and inspections carried out upon the Customer; and 7.4.12 inform the Customer immediately of any requests made of it that would involve infringing Data Protection Legislation. 7.5 Where QWARE receives Personal Data as a Data Processor the Customer warrants, represents and undertakes, that: 7.5.1 all data sourced by the Customer for use in connection with the Services, prior to such data being provided to or accessed by QWARE for the performance of the Services under this Agreement, shall comply in all respects, including in terms of its collection, storage and processing (which shall include the Customer providing all of the required fair processing information to, and obtaining all necessary consents from, Data Subjects), with Data Protection Legislation; and 7.5.2 all instructions given by it to QWARE in respect of Personal Data shall at all times be in accordance with Data Protection Laws. 7.6 The Data Processor shall maintain and keep up to date records detailing the location of all Customer data (including Personal Data) together with details of any third parties with whom QWARE has shared any Customer data. 7.7 Nothing in this agreement relieves QWARE of its own direct obligations under Data Protection Legislation and QWARE shall comply with the following additional obligations: 7.7.1 to co-operate with supervisory authorities as reasonably required; 7.7.2 to keep records of its own processing activities; 7.7.3 to employ a Data Protection Officer (if applicable); and 7.7.4 the schedule of processing activities is detailed in respect Schedule 1. 7.8 QWARE shall (and shall ensure that all persons acting on its behalf and all QWARE Personnel shall), promptly following the Customer’s written request, either securely delete or securely return all Personal Data to the Customer in such form as the Customer reasonably requests. 7.9 QWARE shall (and shall ensure that all persons acting on its behalf and all QWARE Personnel shall), following written confirmation by the Customer that it has received a functional copy of all Personal Data, securely delete all the Personal Data promptly after the earlier of: 7.9.1 the end of the provision of the relevant Services or Support related to processing of such Personal Data; or 7.9.2 once processing by QWARE of any Personal Data collected, held or processed is no longer required for the purpose of QWARE’s performance of its relevant obligations under this Agreement; , (unless storage of any data is required by Applicable Law and 7.4.4 taking appropriate technical and organisational measures against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage toif so, Personal Data (including, but not limited to, adequate back-up procedures and disaster recovery systems) to ensure a level of security appropriate to the risk and which, from implementation of GDPR satisfies the requirements of GDPR as a minimum. 7.5 The Supplier agrees to indemnify and keep QWARE shall inform the Customer indemnified against all claims and proceedings and all liability, loss, costs and expenses whatsoever incurred in connection therewith by the Customer as a result of any claim made or brought by any individual or other legal person in respect of any loss, damage or distress caused to that individual or other legal person as a result of the Supplier’s unauthorised processing, unlawful processing, destruction of or damage to any Personal Data processed by it, its employees or agents in its performance of this agreement or as otherwise agreed between the partiessuch requirement). 7.6 Both Parties agree to use all reasonable efforts to assist each other to comply with the Data Protection Legislation. For the avoidance of doubt, this includes (without limitation) each Party notifying the other party immediately upon becoming aware of a breach of this Clause 7.

DATA PROTECTION AND DATA PROCESSING. 7.1 With respect to the Parties' rights and obligations under the Agreement, the Parties agree that for For the purposes of the Data Protection Legislationthis Agreement, the Supplier is a Data Controller in relation to both parties may receive Personal Data. 7.2 The Customer will obtain all necessary consents required under . Where the parties receive Personal Data Protection Legislation from data subjects as Data Controllers each party agrees to enable the Customer to share such personal data comply with the Supplier and to allow the Supplier to process the same in accordance with this agreement and the current Data Protection Legislation. 7.3 The Supplier shall process 7.2 Throughout the commercial relationship of the parties, each party will be processing the Personal Data under of the other’s employees in order to facilitate contact and co-operation between the parties. 7.3 Notwithstanding the Personal Data described in Clause 7.2, the Customer will, acting as Data Controller be passing Personal Data to QWARE as Data Processor pursuant to this agreement only Agreement. 7.4 Where QWARE receives Personal Data as a Data Processor, QWARE shall: 7.4.1 act solely on the instructions of the Customer in relation to the extentprocessing of that Personal Data. In the event that a legal requirement prevents QWARE from complying with such instructions QWARE shall, unless such legal requirement prohibits it from doing so, inform the Customer of the relevant legal requirement before carrying out the relevant processing activities provided that to the maximum extent permitted by mandatory law, QWARE shall have no liability howsoever arising (whether in contract, tort (including negligence) or otherwise) for any losses, costs, expenses or liabilities arising from or in connection with any processing in accordance with the Customer’s processing instructions following the Customer’s receipt of that information; 7.4.2 at all times, ensure that the necessary technical and organisational measures are in place to prevent unauthorised and unlawful processing or disclosure of such a manner, as is necessary for the purpose of performing its obligations under this agreement. The Supplier not will transfer any Personal Data processed under and such measures shall include taking reasonable steps to ensure the agreement reliability of any of its staff who may have access to Personal Data and ensuring that such staff are subject to appropriate confidentiality undertakings. QWARE shall, save where prohibited by law and as soon as reasonably practical, notify the other party of any legal obligation which requires the QWARE to disclose the Personal Data to a third party; 7.4.3 not transfer the Personal Data outside of the European Economic Area, except with Area (as such term is commonly understood) or to any third party without the express Customer’s written consent of consent; 7.4.4 send to the data subject. 7.4 The Supplier shall comply with its obligations under the Data Protection Legislation by: 7.4.1 obtaining other party any consents required under the Data Protection Legislation and ensuring that information provided communications received from individuals in relation to data subjects at the time of collecting their Personal Data is clear and provides sufficient information as soon as reasonably practicable. QWARE shall provide reasonable co-operation to the data subjects for them other party in relation to understand the circumstances in which it will be shared and the purposes for the data sharing; and 7.4.2 providing to the Customer any information necessary to enable it to perform its obligations individuals exercising their rights under the Data Protection Legislation; 7.4.3 7.4.5 give the Customer reasonable assistance in relation to its compliance with Data Protection Legislation; 7.4.6 take reasonable steps to ensure the confidentiality, integrity, availability and resilience of processing systems and services associated with the processing of Personal Data; 7.4.7 co-operating operate with and provide such information and access to any facilities, premises or equipment from or on which Personal Data is, has been, or is to be processed pursuant to this Agreement (including any such facilities, premises or equipment used by staff and/or sub-contractors) as the other party may reasonably require enabling it to monitor compliance by QWARE with the obligations in this Agreement; 7.4.8 notify the Customer so that it can comply without undue delay and assist the Customer with any investigation into and remediation of an actual or suspected Personal Data Breach. QWARE shall also provide the Customer with reasonable assistance with any notifications made to relevant authorities and/or individuals in relation to a Personal Data Breach; 7.4.9 not subcontract any of its obligations under this Agreement regarding the Data Protection Legislation in respect of any Personal Data collected, held or processed under this Agreement; and 7.4.4 taking appropriate technical and organisational measures against unauthorised or unlawful processing of Personal Data to a third party (a “Sub-Processor”) without the prior written consent of the Customer. QWARE shall be liable for the acts and against accidental loss omissions of the Sub-Processor as if they were the acts or destruction of, or damage to, omissions of the QWARE itself and QWARE shall ensure that there is a written contract executed between QWARE and the Sub-Processor that contains equivalent protections for the Personal Data (including, but not limited to, adequate back-up procedures as are set out in this Agreement; 7.4.10 immediately cease processing the Personal Data and disaster recovery systems) to ensure a level of security appropriate to the risk and which, from implementation of GDPR satisfies the requirements of GDPR as a minimum. 7.5 The Supplier agrees to indemnify and keep the Customer indemnified against all claims and proceedings and all liability, loss, costs and expenses whatsoever incurred in connection therewith by the Customer as a result of any claim made or brought by any individual or other legal person in respect of any loss, damage or distress caused to that individual or other legal person as a result of the Supplier’s unauthorised processing, unlawful processing, destruction of or damage to immediately supply any Personal Data processed to the other party or delete the Personal Data in accordance with the other party’s instructions; 7.4.11 submit to audits and inspections carried out directly upon it by it, its employees a supervisory authority or agents in its performance of this agreement the Customer (no more often than once every twelve (12) months or as otherwise agreed between the parties.Customer reasonably believes necessary, based on evidence and providing such evidence in notification to the Processor), and co-operate in any audits and inspections carried out upon the Customer; and 7.6 Both Parties agree to use all reasonable efforts to assist each other to comply with 7.4.12 inform the Customer immediately of any requests made of it that would involve infringing Data Protection Legislation. For the avoidance of doubt, this includes (without limitation) each Party notifying the other party immediately upon becoming aware of a breach of this Clause 7.

DATA PROTECTION AND DATA PROCESSING. 7.1 With respect 9.1 Both parties will comply with all applicable requirements of the Data Protection Legislation and Twiggls Privacy Policy and any applicable laws Applicable Laws means (for so long as and to the Parties' rights and obligations under extent that they apply to Real Analytics ) the Agreementlaw of the European Union, the Parties agree law of any member state of the European Union and/or Domestic UK Law; and Domestic UK Law means the UK Data Protection Legislation and any other law that applies in the UK. . For the Purposes of this Agreement means the Data Protection Act 2018 which incorporates the General Data Protection Regulations. 9.2 The parties acknowledge that for the purposes of the Data Protection Legislation, Twiggls is the Supplier data controller and the Customer is a the data processor (where Data Controller and Data Processor have the meanings as defined in relation to Personal Data. 7.2 The Customer will obtain all necessary consents required under the Data Protection Legislation from data subjects to enable the Customer to share such personal data with the Supplier and to allow the Supplier to process the same in accordance with this agreement and the Data Protection Legislation). 7.3 The Supplier shall process 9.3 Without prejudice to the generality of Clause 12.1, Xxxxxxx will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data under this agreement only (as defined in the Data Protection Legislation) to the extent, and in such a manner, as is necessary Customer for the purpose duration and purposes of performing its obligations under this agreement. The Supplier not will transfer the Contract. 9.4 Without prejudice to the generality of Clause 12.1, the Customer shall, in relation to any Personal Data processed under the agreement outside the European Economic Area, except in connection with the express written consent performance by The Customer of the data subject. 7.4 The Supplier shall comply with its obligations under the Data Protection Legislation byContract: 7.4.1 obtaining any consents required under the Data Protection Legislation and ensuring 9.4.1 Process that information provided to data subjects at the time of collecting their Personal Data only on the written instructions of twiggls unless The Customer is clear and provides sufficient information required by Applicable Laws to otherwise process that Personal Data. Where The Customer is relying on laws of a member of the data subjects European Union or European Union law as the basis for them to understand processing Personal Data, The Customer shall promptly notify twiggls of this before performing the circumstances in which it will be shared and processing required by the purposes for the data sharing; and 7.4.2 providing to the Applicable Laws unless those Applicable Laws prohibit The Customer any information necessary to enable it to perform its obligations under the Data Protection Legislationfrom so notifying twiggls; 7.4.3 co-operating with the Customer so 9.4.2 Ensure that it can comply with its obligations under the Data Protection Legislation has in respect of any Personal Data collected, held or processed under this Agreement; and 7.4.4 taking place appropriate technical and organisational measures measures, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data (includingData, but not limited to, adequate back-up procedures and disaster recovery systems) to ensure a level of security appropriate to the risk harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and whichthe nature of the data to be protected, from implementation having regard to the state of GDPR satisfies technological development and the requirements cost of GDPR as implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a minimum.timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it); 7.5 The Supplier agrees 9.4.3 Ensure that all personnel who have access to indemnify and and/or process Personal Data are obliged to keep the Customer indemnified against all claims Personal Data confidential; and 9.4.4 Not transfer any Personal Data outside of the European Economic Area unless the prior written consent of twiggls has been obtained and proceedings and all liability, loss, costs and expenses whatsoever incurred in connection therewith by the following conditions are fulfilled: 9.4.4.1 Twiggls or the Customer has provided appropriate safeguards in relation to the transfer; 9.4.4.2 The Data Subject (as a result defined in the Data Protection Legislation) has enforceable rights and effective legal remedies; 9.4.4.3 The Customer complies with its obligations under the Data Protection Legislation by providing an adequate level of any claim made or brought by any individual or other legal person in respect of any loss, damage or distress caused to that individual or other legal person as a result of the Supplier’s unauthorised processing, unlawful processing, destruction of or damage protection to any Personal Data processed that is transferred; and 9.4.4.4 The Customer complies with reasonable instructions notified to it in advance by itXxxxxxx with respect to the processing of the Personal Data; 9.4.5 Assist Twiggls, in responding to any request from a Data Subject and in ensuring compliance with its employees or agents in its performance of this agreement or as otherwise agreed between the parties. 7.6 Both Parties agree to use all reasonable efforts to assist each other to comply with obligations under the Data Protection Legislation. For the avoidance of doubtLegislation with respect to security, this includes (breach notifications, impact assessments and consultations with supervisory authorities or regulators; 9.4.6 Notify twiggls without limitation) each Party notifying the other party immediately upon undue delay on becoming aware of a breach Personal Data breach; 9.4.7 At the written direction of this Clause 7Xxxxxxx, delete or return Personal Data and copies thereof to Twiggls on termination of the agreement unless required by Applicable Law to store the Personal Data.

DATA PROTECTION AND DATA PROCESSING. 7.1 With respect 11.1 The Customer shall own all right, title and interest in and to all of the Customer Data that is not personal data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of all such Customer Data. 11.2 The Supplier shall follow its archiving procedures for Customer Data as communicated to the Parties' rights Customer from time to time (such process as amended by the Supplier in its sole discretion). In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy against the Supplier shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier in accordance with the archiving procedure. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party. 11.3 The Supplier shall, in providing the Services, comply with its privacy and security policies relating to the privacy and security of the Customer Data as available from the Supplier on request by the Customer. 11.4 Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause 11 is in addition to, and does not relieve, remove or replace, a party's obligations under the AgreementData Protection Legislation. 11.5 The parties acknowledge that: (a) if the Supplier processes any personal data on the Customer's behalf when performing its obligations under this agreement, the Parties agree that Customer is the data controller and the Supplier is the data processor for the purposes of the Data Protection Legislation, the Supplier is a Legislation (where Data Controller and Data Processor have the meanings as defined in relation to Personal Data. 7.2 The Customer will obtain all necessary consents required under the Data Protection Legislation from Legislation). (b) the Customer acknowledges and agrees that the personal data subjects may be transferred or stored outside the EEA or the country where the Customer is located in order to carry out the Services and the Supplier's other obligations under this agreement. 11.6 Without prejudice to the generality of clause 11.1, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Customer Personal Data to share such personal data with the Supplier for the duration and to allow purposes of this agreement so that the Supplier to may lawfully use, process and transfer the same Personal Data in accordance with this agreement and on the Data Protection LegislationCustomer's behalf. 7.3 The 11.7 Without prejudice to the generality of clause 11.1, the Supplier shall process shall, in relation to any Personal Data under this agreement only to processed in connection with the extent, and in such a manner, as is necessary for performance by the purpose Supplier of performing its obligations under this agreement: (a) process that Personal Data only on the written instructions of the Customer unless the Supplier is required by the laws of any member of the European Union or by the laws of the European Union applicable to the Supplier to process Personal Data (Applicable Laws). The Where the Supplier is relying on laws of a member of the European Union or European Union law as the basis for processing Personal Data, the Supplier shall promptly notify the Customer of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Supplier from so notifying the Customer; (b) ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; and (c) not will transfer any Personal Data processed under the agreement outside the European Economic Area, except with the express written consent of the EEA unless the following conditions are fulfilled: (i) the Customer or the Supplier has provided appropriate safeguards in relation to the transfer; (ii) the data subject.subject has enforceable rights and effective legal remedies; 7.4 The (iii) the Supplier shall comply complies with its obligations under the Data Protection Legislation by: 7.4.1 obtaining by providing an adequate level of protection to any consents required under the Data Protection Legislation and ensuring that information provided to data subjects at the time of collecting their Personal Data that is clear and provides sufficient information to the data subjects for them to understand the circumstances in which it will be shared and the purposes for the data sharingtransferred; and 7.4.2 providing (iv) the Supplier complies with reasonable instructions notified to it in advance by the Customer with respect to the Customer any information necessary to enable it to perform its obligations under processing of the Data Protection LegislationPersonal Data; 7.4.3 co-operating with (d) assist the Customer so that it can comply Customer, at the Customer's cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation in with respect of any Personal Data collectedto security, held breach notifications, impact assessments and consultations with supervisory authorities or processed under this Agreement; andregulators; 7.4.4 taking appropriate technical and organisational measures against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data (including, but not limited to, adequate back-up procedures and disaster recovery systemse) to ensure a level of security appropriate to the risk and which, from implementation of GDPR satisfies the requirements of GDPR as a minimum. 7.5 The Supplier agrees to indemnify and keep notify the Customer indemnified against all claims and proceedings and all liability, loss, costs and expenses whatsoever incurred in connection therewith by the Customer as a result of any claim made or brought by any individual or other legal person in respect of any loss, damage or distress caused to that individual or other legal person as a result of the Supplier’s unauthorised processing, unlawful processing, destruction of or damage to any Personal Data processed by it, its employees or agents in its performance of this agreement or as otherwise agreed between the parties. 7.6 Both Parties agree to use all reasonable efforts to assist each other to comply with the Data Protection Legislation. For the avoidance of doubt, this includes (without limitation) each Party notifying the other party immediately upon undue delay on becoming aware of a breach Personal Data breach; (f) at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer on termination of the agreement unless required by Applicable Law to store the Personal Data; and 11.8 maintain complete and accurate records and information to demonstrate its compliance with this Clause 7clause 11.

DATA PROTECTION AND DATA PROCESSING. 7.1 With respect to 17.1 Both parties will comply with all applicable requirements of the Parties' rights Data Protection Legislation. This Condition 17 is in addition to, and does not relieve, remove or replace, a party’s obligations under the Agreement, the Parties agree Data Protection Legislation. 17.2 The parties acknowledge that for the purposes of the Data Protection Legislation, Intertek is the data controller and the Supplier is a the data processor (where Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation). Schedule 2 sets out the scope, nature and purpose of processing by the Supplier, the duration of the processing and the types of Personal Data and categories of Data Subject (both as defined in the Data Protection Legislation). 17.3 Without prejudice to the generality of Condition 17.1, Intertek will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Supplier for the duration and purposes of this Contract. 17.4 Without prejudice to the generality of Condition 17.1, the Supplier shall, in relation to any Personal Data. 7.2 The Customer will obtain all necessary consents required under the Data Protection Legislation from data subjects to enable the Customer to share such personal data processed in connection with the performance by the Supplier and of its obligations under this Contract: 17.4.1 process that Personal Data only on the written instructions of Intertek unless the Supplier is required by the laws of any member of the European Union or by the laws of the European Economic Area applicable to allow the Supplier to process the same in accordance with this agreement and the Data Protection Legislation. 7.3 The Supplier shall process Personal Data under this agreement only to (Applicable Data Processing Laws). Where the extent, and in such Supplier is relying on laws of a manner, as is necessary for the purpose member of performing its obligations under this agreement. The Supplier not will transfer any Personal Data processed under the agreement outside the European Economic AreaArea or European Union law as the basis for processing Personal Data, except with the express written consent of the data subject. 7.4 The Supplier shall comply with its obligations under promptly notify Intertek of this before performing the processing required by the Applicable Data Protection Legislation by: 7.4.1 obtaining any consents required under Processing Laws unless those Applicable Data Processing Laws prohibit the Data Protection Legislation and ensuring that information provided to data subjects at the time of collecting their Personal Data is clear and provides sufficient information to the data subjects for them to understand the circumstances in which it will be shared and the purposes for the data sharing; and 7.4.2 providing to the Customer any information necessary to enable it to perform its obligations under the Data Protection LegislationSupplier from so notifying Intertek; 7.4.3 co-operating with the Customer so 17.4.2 ensure that it can comply with its obligations under the Data Protection Legislation has in respect of any Personal Data collected, held or processed under this Agreement; and 7.4.4 taking place appropriate technical and organisational measures measures, reviewed and approved by Intertek, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data (includingData, but not limited to, adequate back-up procedures and disaster recovery systems) to ensure a level of security appropriate to the risk harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and whichthe nature of the data to be protected, from implementation having regard to the state of GDPR satisfies technological development and the requirements cost of GDPR as implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a minimum.timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it); 7.5 The Supplier agrees 17.4.3 ensure that all personnel who have access to indemnify and and/or process Personal Data are obliged to keep the Customer indemnified against all claims and proceedings and all liability, loss, costs and expenses whatsoever incurred in connection therewith by the Customer as a result of Personal Data confidential; and 17.4.4 not transfer any claim made or brought by any individual or other legal person in respect of any loss, damage or distress caused to that individual or other legal person as a result Personal Data outside of the Supplier’s unauthorised processing, unlawful processing, destruction European Economic Area unless the prior written consent of Intertek has been obtained and the following conditions are fulfilled: (i) Intertek or damage the Supplier has provided appropriate safeguards in relation to the transfer; (ii) the data subject has enforceable rights and effective legal remedies; (iii) the Supplier complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data processed that is transferred; and (iv) the Supplier complies with reasonable instructions notified to it in advance by itIntertek with respect to the processing of the Personal Data; (e) assist Intertek, at Intertek’s cost, in responding to any request from a Data Subject and in ensuring compliance with its employees or agents in its performance of this agreement or as otherwise agreed between the parties. 7.6 Both Parties agree to use all reasonable efforts to assist each other to comply with obligations under the Data Protection Legislation. For the avoidance of doubtLegislation with respect to security, this includes breach notifications, impact assessments and consultations with supervisory authorities or regulators; (f) notify Intertek without limitation) each Party notifying the other party immediately upon undue delay on becoming aware of a Personal Data breach; (g) at the written direction of Intertek, delete or return Personal Data and copies thereof to Intertek on termination of the Contract unless required by Applicable Data Processing Law to store the Personal Data; and (h) maintain complete and accurate records and information to demonstrate its compliance with this Condition 17 and allow for audits by Intertek or Intertek’s designated auditor; and (i) indemnify Intertek against any loss or damage suffered by Intertek in relation to any breach by the Supplier of its obligations under this Clause 7Condition 17. 17.5 Intertek does not consent to the Supplier appointing any third party processor of Personal Data under this agreement without its prior consent. If Intertek has consented to the Supplier appointing a third-party processor of Personal Data under this agreement, the Supplier confirms that it has entered or (as the case may be) will enter with the third-party processor into a written agreement incorporating terms which are substantially similar to those set out in this Condition 17. As between Intertek and the Supplier, the Supplier shall remain fully liable for all acts or omissions of any third- party processor appointed by it pursuant to this Condition 17].

DATA PROTECTION AND DATA PROCESSING. 7.1 With 10.1 The parties agree that, in respect to of the Parties' rights Processing of Personal Data, the Customer shall be the Controller and the Supplier shall be the Processor. 10.2 Each party shall comply with Data Protection Law and its relevant obligations under this clause 10. The Processing of Personal Data to be carried out by the Agreement, Supplier under this clause 10 will comprise the Parties agree that for the purposes of Processing set out in the Data Protection Legislation, Addendum as updated from time to time by written agreement of the parties. 10.3 The Customer shall ensure all instructions given by it to the Supplier is a in respect of Personal Data Controller (including the terms of this Contract) shall at all times be in relation to Personal Dataaccordance with Data Protection Law. 7.2 10.4 The Customer will obtain all necessary consents required under Supplier shall: 10.4.1 only Process (and shall ensure Supplier Personnel only Process) the Personal Data Protection Legislation from data subjects to enable the Customer to share such personal data with the Supplier and to allow the Supplier to process the same in accordance with this agreement Contract (and not otherwise unless alternative Processing instructions are agreed between the parties in writing) except where otherwise required by applicable law (and shall inform the Customer of that legal requirement before Processing, unless applicable law prevents it doing so on important grounds of public interest); and 10.4.2 without prejudice to clause 10.3, if the Supplier believes that any instruction received by it from the Customer is likely to infringe the Data Protection LegislationLaw it shall promptly inform the Customer and be entitled to cease to provide the relevant Services until the parties have agreed appropriate amended instructions which are not infringing. 7.3 10.5 The Supplier shall process Personal Data under this agreement only to the extentimplement and maintain, at its reasonable cost and in such a mannerexpense, as is necessary for the purpose of performing its obligations under this agreement. The Supplier not will transfer any Personal Data processed under the agreement outside the European Economic Area, except with the express written consent of the data subject. 7.4 The Supplier shall comply with its obligations under the Data Protection Legislation by: 7.4.1 obtaining any consents required under the Data Protection Legislation and ensuring that information provided to data subjects at the time of collecting their Personal Data is clear and provides sufficient information to the data subjects for them to understand the circumstances in which it will be shared and the purposes for the data sharing; and 7.4.2 providing to the Customer any information necessary to enable it to perform its obligations under the Data Protection Legislation; 7.4.3 co-operating with the Customer so that it can comply with its obligations under the Data Protection Legislation in respect of any Personal Data collected, held or processed under this Agreement; and 7.4.4 taking appropriate technical and organisational measures against unauthorised or unlawful processing in relation to the Processing of Personal Data by the Supplier such that the Processing will: 10.5.1 meet the requirements of Data Protection Law and against accidental loss or destruction of, or damage to, Personal ensure the protection of the rights of Data (including, but not limited to, adequate back-up procedures and disaster recovery systems) Subjects; and 10.5.2 so as to ensure a level of security in respect of Personal Data processed by it is appropriate to the risk and whichrisks that are presented by the Processing, in particular from implementation of GDPR satisfies the requirements of GDPR as a minimum. 7.5 The Supplier agrees to indemnify and keep the Customer indemnified against all claims and proceedings and all liabilityaccidental or unlawful destruction, loss, costs alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise Processed. 10.6 The Supplier shall not engage another Processor to perform specific Processing activities in respect of the Personal Data without the Customer’s authorisation (such authorisation not to be unreasonably withheld, conditioned or delayed), provided that the Customer authorises the appointment of any of the Supplier’s Group or any supplier engaged by the Supplier in the ordinary course of providing the Services. The Supplier shall appoint each sub- Processor under a binding written contract (“Processor Contract”) which imposes substantially the same data protection obligations as are contained in this clause 10. Where the Customer has concerns about the sub- Processor’s compliance with Data Protection Law or the Processor Contract, the Supplier shall discuss these concerns with the Customer and expenses whatsoever incurred use its reasonable endeavours to resolve them. The Supplier shall remain fully liable to the Customer under this Contract for all the acts and omissions of each sub-Processor as it they were its own. 10.7 The Supplier shall, in connection therewith accordance with Data Protection Law, make available to the Customer such information that is in its possession or control as is necessary to demonstrate the Supplier's compliance with the obligations placed on it under this clause 10 and to demonstrate compliance with the obligations on each party imposed by Data Protection Law and allow for and contribute to audits, including inspections, by the Customer as for this purpose (subject to a result maximum of one audit request during the Term of this Contract). 10.8 The Supplier shall not Process and/or transfer, or otherwise directly or indirectly disclose, any Personal Data in or to countries outside the European Economic Area or to any international organisation without the prior written consent of the Customer. The supplier agrees to Process Data in Amazon Web Services UK locations. 10.9 The Supplier shall notify the Customer without undue delay and in writing, within 72 hours on becoming aware of any claim made or brought by any individual or other legal person Personal Data Breach in respect of any loss, damage or distress caused to that individual or other legal person as a result Personal Data. 10.10 On the end of the Supplierprovision of the Services relating to the Processing of Personal Data, at the Customer’s unauthorised processingcost and the Customer’s option, unlawful processing, destruction the Supplier shall either return all of or damage to any the Personal Data processed by to the Customer or securely dispose of the Personal Data (and thereafter promptly delete all existing copies of it, its employees ) except to the extent that any applicable law requires the Supplier to store such Personal Data. This clause 10 shall survive termination or agents in its performance expiry of this agreement or as otherwise agreed between the partiesContract. 7.6 Both Parties agree 10.11 Subject to use all reasonable efforts clause 10.10, the supplier agrees to assist each other to comply with delete any customer data within 3 months of the Data Protection Legislation. For end of the avoidance provision of doubt, this includes (without limitation) each Party notifying the other party immediately upon becoming aware of a breach of this Clause 7service.

DATA PROTECTION AND DATA PROCESSING. 7.1 With 16.1 The provision of the Services may require ECMS to Process Personal Information for and on behalf of the Client. In respect to the Parties' rights and obligations under the Agreementof such Processing, the Parties parties acknowledge and agree that for that: (a) the purposes of Client shall be the Data Protection Legislation, the Supplier is a Data Controller in relation to Personal Data. 7.2 The Customer will obtain all necessary consents required under and ECMS shall be the Data Protection Legislation from data subjects to enable Processor; (b) ECMS shall Process Personal Information as set out in the Customer to share such personal data with the Supplier and to allow the Supplier to process the same in accordance with this agreement and the Data Protection Legislation. 7.3 The Supplier shall process Personal Data under this agreement only to the extent, and in such a manner, as is necessary for the purpose of performing its obligations under this agreement. The Supplier not will transfer any Personal Data processed under the agreement outside the European Economic Area, except with the express written consent of the data subject. 7.4 The Supplier shall comply with its obligations under the Data Protection Legislation by: 7.4.1 obtaining any consents required under the Data Protection Legislation and ensuring that information provided to data subjects at the time of collecting their Personal Data is clear and provides sufficient information to the data subjects for them to understand the circumstances in which it will be shared and the purposes for the data sharingSOW; and 7.4.2 providing (c) clauses 16.2 to 16.9 below shall apply. 16.2 The Client shall: (a) comply with all Data Privacy Laws; (b) obtain and maintain all relevant registrations (and similar) required by Data Privacy Laws; and (c) ensure that all instructions that it issues to ECMS comply with Data Privacy Laws. 16.3 When Processing Personal Information as part of the delivery of the Services, ECMS shall: (a) Process the Personal Information only on the documented instructions of the Client, except to the Customer extent that any information necessary to enable it to perform its obligations under the Data Protection LegislationProcessing of Personal Information is required by Relevant Laws; 7.4.3 co-operating with (b) where Processing of Personal Information by ECMS is required by Relevant Laws, ECMS shall inform the Customer so that it can comply with its obligations under Client of the Data Protection Legislation relevant legal requirement before processing, unless such law prohibits ECMS from doing so; (c) notify the Client where ECMS reasonably believes any documented instructions from the Client in respect of the Processing of Personal Information infringe any Data Privacy Laws or any other Relevant Laws; (d) ensure that its personnel who are authorised to Process the Personal Data collected, held or processed under this Agreement; andInformation have committed themselves to confidentiality; 7.4.4 taking (e) implement appropriate technical and organisational measures against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data (including, but not limited to, adequate back-up procedures and disaster recovery systems) to ensure a level of security appropriate to the risk of Processing; (f) only appoint a third party to Process Personal Information on its behalf in accordance with clauses 16.5 and which, from implementation of GDPR satisfies 16.6 below; (g) taking into account the requirements of GDPR as a minimum. 7.5 The Supplier agrees to indemnify and keep the Customer indemnified against all claims and proceedings and all liability, loss, costs and expenses whatsoever incurred in connection therewith by the Customer as a result of any claim made or brought by any individual or other legal person in respect of any loss, damage or distress caused to that individual or other legal person as a result nature of the Supplier’s unauthorised processingProcessing, unlawful processingassist the Client by appropriate technical and organisational measures, destruction insofar as this is possible, for the fulfilment of or damage the Client's obligation to any Personal Data processed by it, its employees or agents in its performance of this agreement or as otherwise agreed between the parties. 7.6 Both Parties agree respond to use all reasonable efforts to assist each other to comply with requests for exercising the Data Protection Legislation. For Subject's rights under Data Privacy Laws; (h) notify the avoidance of doubt, this includes (Client without limitation) each Party notifying the other party immediately upon undue delay after becoming aware of a breach Data Breach; (i) at the Client's expense assist the Client in its compliance with its obligations under Data Privacy Laws in respect of security of Processing, carrying out data protection impact assessments (as defined in Data Privacy Laws), remedial action to be taken in response to a Data Breach (including notifying Data Breaches to the ICO and affected Data Subjects) and consulting with the ICO regarding high risk Processing, in each case insofar as it is able taking into account the nature of the Processing and the information available to ECMS; (j) at the Client's discretion, delete or return to the Client all of the Personal Information Processed under the applicable SOW on completion of the applicable SOW, and delete any copies of such Personal Information unless any Relevant Laws require that copies are kept; and (k) make available to the Client all information necessary to demonstrate compliance with its obligations in this Clause 7clause 16.3. 16.4 The Client hereby authorises ECMS to sub-contract its Processing of Personal Information to any Operative it appoints to undertake the provision of the Services. 16.5 Subject to clause 16.4, ECMS shall not sub-contract its Processing of Personal Information to a third party without the Client's prior specific or general written authorisation (not to be unreasonably withheld, conditioned or delayed). Where any sub-contracting of Processing of Personal Information is based on the Client's general written authorisation, ECMS shall inform the Client of any intended changes concerning the addition or replacement of any sub-contractors and the Client shall notify ECMS of any objections it has to any such changes in writing within five (5) Business Days, after which any such changes which the Client has not objected to in accordance with this clause 16.4 shall be deemed to be accepted. 16.6 Where ECMS sub-contracts its Processing of Personal Information to a third party in accordance with clause 16.5 above, ECMS shall: (a) ensure that any such third party is subject to the same data protection obligations as those set out in clause 16.3 above; (b) obtain sufficient guarantees from any such third party that they will implement appropriate technical and organisational measures in such a manner that the Processing of Personal Information by such third party will meet the requirements of Data Privacy Laws; and (c) remain liable to the Client for any Processing of Personal Information by any such third party. 16.7 Each party shall co-operate with the ICO on the request of the other party in respect of the performance of its tasks under this agreement and any SOW. 16.8 ECMS shall not transfer Personal Information to any country outside of the UK or the EEA without the prior written consent of the Client, such consent may be subject to and given on such terms as the Client may in its discretion prescribe (acting reasonably and in compliance with Data Privacy Laws). 16.9 In the event that the Client consents to the transfer of Personal Data from ECMS to a country outside of the UK or EEA under clause 16.8, ECMS shall confirm in writing details of how ECMS will ensure an adequate level of protection and adequate safeguards in respect of the Personal Information that will be processed in and/or transferred outside of the EEA so as to ensure compliance with the Data Privacy Laws.