Common use of DATA PROTECTION AND DATA PROCESSING Clause in Contracts

DATA PROTECTION AND DATA PROCESSING.

2.10.1 Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause 2.10 is in addition to, and does not relieve, remove or replace, a party's obligations or rights under the Data Protection Legislation. In this Clause 2.10, Applicable Laws means (for so long as and to the extent that they apply to the Supplier) the law of the European Union, the law of any member state of the European Union and/or Domestic UK Law; and Domestic UK Law means the UK Data Protection Legislation and any other law that applies in the UK.

2.10.2 The parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Controller and the Supplier is the Processor. Schedule 3 sets out the scope, nature and purpose of processing by the Supplier, the duration of the processing and the types of Personal Data and categories of Data Subject.

2.10.3 Without prejudice to the generality of Clause 2.10.1, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Supplier and/or lawful collection of the Personal Data by the Supplier on behalf of the Customer for the duration and purposes of this agreement.

2.10.4 Without prejudice to the generality of Clause 2.10.1, the Supplier shall, in relation to any Personal Data processed in connection with the performance by the Supplier of its obligations under this agreement:

(i) process that Personal Data only on the documented written instructions of the Customer which are set out in Schedule 3 unless the Supplier is required by Applicable Laws to otherwise process that Personal Data. Where the Supplier is relying on Applicable Laws as the basis for processing Personal Data, the Supplier shall promptly notify the Customer of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Supplier from so notifying the Customer;

(ii) ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the Customer, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it);

(iii) ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; and

(iv) not transfer any Personal Data outside of the European Economic Area unless the prior written consent of the Customer has been obtained and the following conditions are fulfilled: (v) the Customer or the Supplier has provided appropriate safeguards in relation to the transfer;

Appears in 1 contract

Samples: Services Agreements

DATA PROTECTION AND DATA PROCESSING. 2.10.1 Both 8.1. For the purposes of this Agreement, both parties will may receive Personal Data. Where the parties receive Personal Data as Data Controllers each party agrees to comply with all applicable requirements of the current Data Protection Legislation. 8.2. This clause 2.10 Throughout the commercial relationship of the parties, each party will be processing the Personal Data of the other’s employees in order to facilitate contact and co-operation between the parties. 8.3. Notwithstanding the Personal Data described in Clause 8.2, the Customer will, acting as Data Controller be passing Personal Data to QGate as Data Processor pursuant to this Agreement. 8.4. Where QGate receives Personal Data as a Data Processor, QGate shall: 8.4.1. act solely on the instructions of the Customer in relation to the processing of that Personal Data. In the event that a legal requirement prevents QGate from complying with such instructions QGate shall, unless such legal requirement prohibits it from doing so, inform the Customer of the relevant legal requirement before carrying out the relevant processing activities provided that to the maximum extent permitted by mandatory law, QGate shall have no liability howsoever arising (whether in contract, tort (including negligence) or otherwise) for any losses, costs, expenses or liabilities arising from or in connection with any processing in accordance with the Customer’s processing instructions following the Customer’s receipt of that information; 8.4.2. at all times, ensure that the necessary technical and organisational measures are in place to prevent unauthorised and unlawful processing or disclosure of such Personal Data and such measures shall include taking reasonable steps to ensure the reliability of any of its staff who may have access to Personal Data and ensuring that such staff are subject to appropriate confidentiality undertakings. 
QGate shall, save where prohibited by law and as soon as reasonably practical, notify the other party of any legal obligation which requires the QGate to disclose the Personal Data to a third party; 8.4.3. not transfer the Personal Data outside of the European Economic Area (as such term is commonly understood) or to any third party without the Customer’s written consent; 8.4.4. send to the other party any communications received from individuals in addition to, and does not relieve, remove or replace, a party's obligations or relation to their Personal Data as soon as reasonably practicable. QGate shall provide reasonable co-operation to the other party in relation to any individuals exercising their rights under the Data Protection Legislation; 8.4.5. In this Clause 2.10, Applicable Laws means (for so long as and give the Customer reasonable assistance in relation to the extent that they apply to the Supplier) the law of the European Union, the law of any member state of the European Union and/or Domestic UK Law; and Domestic UK Law means the UK Data Protection Legislation and any other law that applies in the UK.‌ 2.10.2 The parties acknowledge that for the purposes of the its compliance with Data Protection Legislation, the Customer is the Controller and the Supplier is the Processor. Schedule 3 sets out the scope, nature and purpose of processing by the Supplier, the duration of the processing and the types of Personal Data and categories of Data Subject. 2.10.3 Without prejudice to the generality of Clause 2.10.1, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Supplier and/or lawful collection of the Personal Data by the Supplier on behalf of the Customer for the duration and purposes of this agreement. 
2.10.4 Without prejudice to the generality of Clause 2.10.1, the Supplier shall, in relation to any Personal Data processed in connection with the performance by the Supplier of its obligations under this agreement: (i) process that Personal Data only on the documented written instructions of the Customer which are set out in Schedule 3 unless the Supplier is required by Applicable Laws to otherwise process that Personal Data. Where the Supplier is relying on Applicable Laws as the basis for processing Personal Data, the Supplier shall promptly notify the Customer of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Supplier from so notifying the Customer; (ii) 8.4.6. take reasonable steps to ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the Customer, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its processing systems and services, ensuring that availability services associated with the processing of Personal Data; 8.4.7. 
co-operate with and provide such information and access to any facilities, premises or equipment from or on which Personal Data can is, has been, or is to be restored processed pursuant to this Agreement (including any such facilities, premises or equipment used by staff and / or sub-contractors) as the other party may reasonably require enabling it to monitor compliance by QGate with the obligations in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it)this Agreement; (iii) ensure that all personnel who have access to and/or process 8.4.8. notify the Customer without undue delay and assist the Customer with any investigation into and remediation of an actual or suspected Personal Data are obliged Breach. QGate shall also provide the Customer with reasonable assistance with any notifications made to keep the relevant authorities and / or individuals in relation to a Personal Data confidential; andBreach; (iv) 8.4.9. not transfer subcontract any of its obligations under this Agreement regarding the processing of Personal Data outside of the European Economic Area unless to a third party (a “Sub-Processor”) without the prior written consent of the Customer has been obtained Customer. QGate shall be liable for the acts and omissions of the Sub-Processor as if they were the acts or omissions of the QGate itself and QGate shall ensure that there is a written contract executed between QGate and the following conditions Sub-Processor that contains equivalent protections for the Personal Data as are fulfilled:set out in this Agreement; (v) 8.4.10. immediately cease processing the Personal Data and immediately supply any Personal Data to the other party or delete the Personal Data in accordance with the other party’s instructions; and 8.4.11. 
submit to audits and inspections carried out directly upon it by a supervisory authority or the Customer (no more often than once every twelve (12) months or as the Supplier has provided appropriate safeguards Customer reasonably believes necessary, based on evidence and providing such evidence in relation notification to the transfer;Processor), and co-operate in any audits and inspections carried out upon the Customer; and 8.4.12. inform the Customer immediately of any requests made of it that would involve infringing Data Protection Legislation.

Appears in 1 contract

Samples: Master Services Agreement

DATA PROTECTION AND DATA PROCESSING. 2.10.1 Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause 2.10 10 is in addition to, and does not relieve, remove or replace, a party's obligations or rights under the Data Protection Legislation. In this Clause 2.10, Applicable Laws means (for so long as and to the extent that they apply to the Supplier) the law of the European Union, the law of any member state of the European Union and/or Domestic UK Law; and Domestic UK Law means the UK Data Protection Legislation and any other law that applies in the UK.‌ 2.10.2 The parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Controller data controller and the Supplier is the Processordata processor (where Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation). Schedule 3 sets out the scope, nature and purpose of processing by the Supplier, the duration of the processing and the types of Personal Data and categories of Data Subject. 2.10.3 Without prejudice to the generality of Clause 2.10.1prejudice, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data (as defined in the Data Protection Legislation) to the Supplier and/or lawful collection of the Personal Data by the Supplier on behalf of the Customer for the duration and purposes of this agreementthe Contract. 
2.10.4 ] Without prejudice to the generality of Clause 2.10.1, the Supplier shall, in relation to any Personal Data processed in connection with the performance by the Supplier of its obligations under this agreementthe Contract: (ia) process that Personal Data only on the documented written instructions of the Customer which are set out in Schedule 3 unless the Supplier is required by the laws of any member of the European Union or by the laws of the European Union applicable to the Supplier to process Personal Data (Applicable Data Processing Laws to otherwise process that Personal Data- GDPR). Where the Supplier is relying on Applicable Laws laws of a member of the European Union or European Union law as the basis for processing Personal Data, the Supplier shall promptly notify the Customer of this before performing the processing required by the Applicable Data Processing Laws unless those Applicable Data Processing Laws prohibit the Supplier from so notifying the Customer; (iib) ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the Customer, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it); (iiic) ensure that all personnel who have 
access to and/or process Personal Data are obliged to keep the Personal Data confidential; and (ivd) not transfer any Personal Data outside of the European Economic Area unless the prior written consent of the Customer has been obtained and the following conditions are fulfilled: (vi) the Customer or the Supplier has provided appropriate safeguards in relation to the transfer; (ii) the Data Subject (as defined in the Data Protection Legislation) has enforceable rights and effective legal remedies; (iii) the Supplier complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and (iv) the Supplier complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; (e) [assist the Customer, at the Customer's cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;] (f) [notify the Customer without undue delay on becoming aware of a Personal Data breach;] (g) [at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer on termination of the agreement unless required by Applicable Data Processing Law to store the Personal Data; and] (h) [maintain complete and accurate records and information to demonstrate its compliance with this clause 10.]] The Customer does not consent to the Supplier appointing any third party processor of Personal Data under the Contract. Either party may, at any time on not less than 30 days' notice, revise this clause 10 by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when replaced by attachment to the Contract

Appears in 1 contract

Samples: Supply of Goods and Services Agreement

DATA PROTECTION AND DATA PROCESSING. 2.10.1 Both 9.1 For the purposes of this Agreement, both parties will may receive Personal Data. Where the parties receive Personal Data as Data Controllers each party agrees to comply with all applicable requirements of the current Data Protection Legislation. 9.2 Throughout the commercial relationship of the parties, each party will be processing the Personal Data of the other’s employees in order to facilitate contact and co-operation between the parties. 9.3 Notwithstanding the Personal Data described in Clause 8.2, the Customer will, acting as Data Controller be passing Personal Data to QGate as Data Processor pursuant to this Agreement. 9.4 Where QGate receives Personal Data as a Data Processor, QGate shall: 9.4.1 act solely on the instructions of the Customer in relation to the processing of that Personal Data. This clause 2.10 In the event that a legal requirement prevents QGate from complying with such instructions QGate shall, unless such legal requirement prohibits it from doing so, inform the Customer of the relevant legal requirement before carrying out the relevant processing activities provided that to the maximum extent permitted by mandatory law, QGate shall have no liability howsoever arising (whether in contract, tort (including negligence) or otherwise) for any losses, costs, expenses or liabilities arising from or in connection with any processing in accordance with the Customer’s processing instructions following the Customer’s receipt of that information; 9.4.2 at all times, ensure that the necessary technical and organisational measures are in place to prevent unauthorised and unlawful processing or disclosure of such Personal Data and such measures shall include taking reasonable steps to ensure the reliability of any of its staff who may have access to Personal Data and ensuring that such staff are subject to appropriate confidentiality undertakings. 
QGate shall, save where prohibited by law and as soon as reasonably practical, notify the other party of any legal obligation which requires the QGate to disclose the Personal Data to a third party; 9.4.3 not transfer the Personal Data outside of the European Economic Area (as such term is commonly understood) or to any third party without the Customer’s written consent; 9.4.4 send to the other party any communications received from individuals in addition to, and does not relieve, remove or replace, a party's obligations or relation to their Personal Data as soon as reasonably practicable. QGate shall provide reasonable co-operation to the other party in relation to any individuals exercising their rights under the Data Protection Legislation. In this Clause 2.10, Applicable Laws means (for so long as and ; 9.4.5 give the Customer reasonable assistance in relation to the extent that they apply to the Supplier) the law of the European Union, the law of any member state of the European Union and/or Domestic UK Law; and Domestic UK Law means the UK Data Protection Legislation and any other law that applies in the UK.‌ 2.10.2 The parties acknowledge that for the purposes of the its compliance with Data Protection Legislation, the Customer is the Controller and the Supplier is the Processor. Schedule 3 sets out the scope, nature and purpose of processing by the Supplier, the duration of the processing and the types of Personal Data and categories of Data Subject. 2.10.3 Without prejudice to the generality of Clause 2.10.1, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Supplier and/or lawful collection of the Personal Data by the Supplier on behalf of the Customer for the duration and purposes of this agreement. 
2.10.4 Without prejudice to the generality of Clause 2.10.1, the Supplier shall, in relation to any Personal Data processed in connection with the performance by the Supplier of its obligations under this agreement: (i) process that Personal Data only on the documented written instructions of the Customer which are set out in Schedule 3 unless the Supplier is required by Applicable Laws to otherwise process that Personal Data. Where the Supplier is relying on Applicable Laws as the basis for processing Personal Data, the Supplier shall promptly notify the Customer of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Supplier from so notifying the Customer; (ii) 9.4.6 take reasonable steps to ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the Customer, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its processing systems and services, ensuring that availability services associated with the processing of Personal Data; 9.4.7 co-operate with and provide such information and access to any facilities, premises or equipment from or on which Personal Data can is, has been, or is to be restored processed pursuant to this Agreement (including any such facilities, premises or equipment used by staff and / or sub-contractors) as the other party may reasonably require enabling it to monitor compliance by QGate with the obligations in a 
timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it)this Agreement; (iii) ensure that all personnel who have access to and/or process 9.4.8 notify the Customer without undue delay and assist the Customer with any investigation into and remediation of an actual or suspected Personal Data are obliged Breach. QGate shall also provide the Customer with reasonable assistance with any notifications made to keep the relevant authorities and / or individuals in relation to a Personal Data confidential; andBreach; (iv) 9.4.9 not transfer subcontract any of its obligations under this Agreement regarding the processing of Personal Data outside of the European Economic Area unless to a third party (a “Sub-Processor”) without the prior written consent of the Customer has been obtained Customer. QGate shall be liable for the acts and omissions of the Sub-Processor as if they were the acts or omissions of the QGate itself and QGate shall ensure that there is a written contract executed between QGate and the following conditions Sub-Processor that contains equivalent protections for the Personal Data as are fulfilled:set out in this Agreement; (v) 9.4.10 immediately cease processing the Personal Data and immediately supply any Personal Data to the other party or delete the Personal Data in accordance with the other party’s instructions; and 9.4.11 submit to audits and inspections carried out directly upon it by a supervisory authority or the Customer (no more often than once every twelve (12) months or as the Supplier has provided appropriate safeguards Customer reasonably believes necessary, based on evidence and providing such evidence in relation notification to the transfer;Processor), and co-operate in any audits and inspections carried out upon the Customer; and 9.4.12 inform the Customer immediately of any requests made of it that would involve infringing Data Protection 
Legislation.

Appears in 1 contract

Samples: Master Services Agreement

DATA PROTECTION AND DATA PROCESSING. 2.10.1 16.1 Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause 2.10 16 is in addition to, and does not relieve, remove or replace, a party's obligations or rights under the Data Protection Legislation. In this Clause 2.10, Applicable Laws means (for so long as and to . 16.2 For the extent that they apply to the Supplier) the law avoidance of the European Uniondoubt, the law of any member state of terms “data controller”, “data processor”, “data subject”, “processing” and “personal data” bear the European Union and/or Domestic UK Law; and Domestic UK Law means respective meanings given in the UK Data Protection Legislation and any other law that applies in the UK.‌Legislation. 2.10.2 16.3 The parties acknowledge that for the purposes of the Data Protection Legislation, you are the Customer is data controller and we are the Controller and the Supplier is the Processordata processor. Schedule 3 1 sets out the scope, nature and purpose of processing by the Supplierus, the duration of the processing and the types of Personal Data personal data and categories of Data Subjectdata subject. 2.10.3 16.4 Without prejudice to the generality of Clause 2.10.1clause 16.1, the Customer you will ensure that it has you have all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data personal data to the Supplier and/or lawful collection of the Personal Data by the Supplier on behalf of the Customer us for the duration and purposes of this agreementthe Contract. 
2.10.4 16.5 Without prejudice to the generality of Clause 2.10.1clause 16.1, the Supplier we shall, in relation to any Personal Data personal data processed in connection with the performance by the Supplier us of its our obligations under this agreementthe Contract: (i) 16.5.1 process that Personal Data personal data only on the documented your written instructions unless we are required by the laws of any member of the Customer which are set out in Schedule 3 unless European Union or by the Supplier is required by laws of the European Union applicable to us to process personal data (Applicable Laws to otherwise process that Personal DataData Processing Laws). Where the Supplier is we are relying on Applicable Laws laws of a member of the European Union or European Union law as the basis for processing Personal Datapersonal data, the Supplier we shall promptly notify the Customer you of this before performing the processing required by the Applicable Laws Data Processing Laws, unless those Applicable Data Processing Laws prohibit the Supplier us from so notifying the Customeryou; (ii) 16.5.2 ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the Customer, measures to protect against unauthorised or unlawful processing of Personal Data personal data and against accidental loss or destruction of, or damage to, Personal Datapersonal data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Datapersonal data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data personal data can be restored in a timely manner after an 
incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it); (iii) 16.5.3 ensure that all personnel who have access to and/or process Personal Data personal data are obliged to keep the Personal Data personal data confidential; and (iv) not 16.5.4 only transfer any Personal Data personal data outside of the European Economic Area unless the prior written consent of the Customer has been obtained and where the following conditions are fulfilled: (v) the Customer 16.5.4.1 you or the Supplier has us have provided appropriate safeguards in relation to the transfer; 16.5.4.2 the data subject has enforceable rights and effective legal remedies; 16.5.4.3 we comply with our obligations under the Data Protection Legislation by providing an adequate level of protection to any personal data that is transferred; and 16.5.4.4 we comply with reasonable instructions notified to us in advance by you with respect to the processing of the personal data; 16.5.5 assist you, at your cost, in responding to any request from a data subject and in ensuring compliance with your obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; 16.5.6 notify you without undue delay on becoming aware of a personal data breach; 16.5.7 at your written direction, delete or return personal data and copies thereof to you on termination of the Contract unless required by Applicable Data Processing Law to store the personal data; and 16.5.8 maintain complete and accurate records and information to demonstrate its compliance with this clause 16. 16.6 You consent to us appointing credit reference agencies, banks, credit insurers, suppliers and sub-contractors as third-party processor(s) (TPP) to process personal data under the Contract. 
We confirm that we have entered or (as the case may be) will enter into a written agreement with the TPP incorporating terms which are substantially similar to those set out in this clause 16. As between the parties, we shall remain fully liable for all acts or omissions of any TPP (with respect to the processing of personal data) appointed by it pursuant to this clause 16.6. 16.7 Prior to any intended change concerning the addition or replacement of a TPP, we shall provide you with notice (TPP Notice). If you object to the appointment or replacement of the TPP then you shall, within 7 days of receipt of the TPP Notice, provide notice of such objection. We shall have the option to obtain a replacement TPP acceptable to you (consent to which is not to be unreasonably withheld or delayed) or to terminate the Contract on 7 days written notice. 16.8 Either party may, at any time on not less than 30 days' notice, revise this clause 16 by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when replaced by attachment to the Contract).

Appears in 1 contract

Samples: Terms of Supply of Goods and Services

DATA PROTECTION AND DATA PROCESSING. 13.1 [Both parties will comply with all applicable requirements of the Data Protection Legislation. This Clause 13 is in addition to, and does not relieve, remove or replace, a party’s obligations or rights under the Data Protection Legislation.] 13.2 [The parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the data controller and the Supplier is the data processor (where Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation). Schedule 5 sets out the scope, nature and purpose of processing by the Supplier, the duration of the processing and the types of Personal Data and categories of Data Subject (both as defined in the Data Protection Legislation).] 13.3 [Without prejudice to the generality of Clause 13.1, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Supplier and/or lawful collection of the Personal Data by the Supplier on behalf of the Customer for the duration and purposes of this agreement.] 13.4 [Without prejudice to the generality of Clause 13.1, the Supplier shall, in relation to any Personal Data processed in connection with the performance by the Supplier of its obligations under this agreement: (a) process that Personal Data only on the documented written instructions of the Customer which are set out in Schedule 3 unless the Supplier is required by the laws of any member of the European Union or by the laws of the European Union applicable to the Supplier to process Personal Data (Applicable Data Processing Laws). Where the Supplier is relying on laws of a member of the European Union or European Union law as the basis for processing Personal Data, the Supplier shall promptly notify the Customer of this before performing the processing required by the Applicable Data Processing Laws unless those Applicable Data Processing Laws prohibit the Supplier from so notifying the Customer; (b) ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the Customer, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it); (c) ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; and (d) not transfer any Personal Data outside of the European Economic Area unless the prior written consent of the Customer has been obtained and the following conditions are fulfilled: (i) the Customer or the Supplier has provided appropriate safeguards in relation to the transfer; (ii) the data subject has enforceable rights and effective legal remedies; (iii) the Supplier complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and (iv) the Supplier complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; (e) [assist the Customer, at the Customer’s cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;] (f) [notify the Customer without undue delay on becoming aware of a Personal Data breach;] (g) [at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer on termination of the agreement unless required by Applicable Data Processing Law to store the Personal Data; [and]] (h) maintain complete and accurate records and information to demonstrate its compliance with this Clause 13 [and allow for audits by the Customer or the Customer’s designated auditor][. OR ; and] (i) [[indemnify the Customer against any loss or damage suffered by the Customer in relation to any breach by the Supplier of its obligations under this Clause 11.]]] 13.5 [[The Customer does not consent to the Supplier appointing any third party processor of Personal Data under this agreement. OR The Customer consents to the Supplier appointing [THIRD-PARTY PROCESSOR] as a third-party processor of Personal Data under this agreement. The Supplier confirms that it has entered or (as the case may be) will enter with the third-party processor into a written agreement [substantially on that third party’s standard terms of business OR incorporating terms which are substantially similar to those set out in this Clause 13]. As between the Customer and the Supplier, the Supplier shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this Clause 13].] 13.6 [Either party may, at any time on not less than 30 days’ notice, revise this Clause 13 by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when replaced by attachment to this agreement).]]

Appears in 1 contract

Samples: Services Agreement
