Data Protection and Information Security.
1.1 The GLA authorises the Grantee to Process the Agreement Personal Data during the term of this Agreement as a Processor solely for the purpose and to the extent described in Schedule 14.
1.2 In performing the Services and its other obligations under this Agreement the Grantee will:
1.2.1 comply with the Data Protection Laws;
1.2.2 not cause the GLA to breach any obligation under the Data Protection Laws; and
1.2.3 notify the GLA without undue delay if it identifies any areas of actual or potential non-compliance with the Data Protection Laws or this Schedule 13, without prejudice to its obligations to comply with, or to any rights or remedies which the GLA may have for breach of, the Data Protection Laws or this Schedule 13.
1.3 The Grantee will not engage or use any third party for the Processing of Agreement Personal Data or permit any third party to Process Agreement Personal Data without the prior written consent of the GLA.
1.4 If the Grantee appoints a Sub-Processor, the Grantee will ensure that, prior to the Processing taking place, there is a written Grant Agreement in place between the Grantee and the Sub-Processor that specifies the Sub-Processor’s Processing activities and imposes on the Sub-Processor the same terms as those imposed on the Grantee in this Schedule 13. The Grantee will procure that Sub-Processors will perform all obligations set out in this Schedule 13 and the Grantee will remain responsible for all acts and omissions of Sub-Processors as if they were its own.
1.5 The Grantee will:
1.5.1 Process the Agreement Personal Data only on documented instructions (including this Agreement) from the GLA (unless the Grantee or the relevant Sub-Processor is required to Process Agreement Personal Data to comply with United Kingdom, European Union (as it is made up from time to time) or European Union member state Applicable Laws, in which case the Grantee will notify the GLA of such legal requirement prior to such Processing unless such Applicable Laws prohibit notice to the GLA on public interest grounds);
1.5.2 immediately inform the GLA in writing if, in its reasonable opinion, any instruction received from the GLA or a member of its Group infringes any Data Protection Laws;
1.5.3 without prejudice to paragraph 1.5.1, ensure that Agreement Personal Data will only be used for the purpose and to the extent described in Schedule 14;
1.5.4 without prejudice to paragraph 1.5.3, not without the prior written consent of the GLA:
1.5.4.1 convert any Agreement Personal Data into anonymised, pseudonymised, depersonalised, aggregated or statistical data;
1.5.4.2 use any Agreement Personal Data for “big data” analysis or purposes; or
1.5.4.3 match or compare any Agreement Personal Data with or against any other Personal Data (whether the Grantee’s or any third party’s);
1.5.5 ensure that any individual authorised to Process Agreement Personal Data accesses such Agreement Personal Data strictly on a need to know basis as necessary to perform their role in the performance of this Agreement, and:
1.5.5.1 is subject to confidentiality obligations equivalent to those set out in clause 33 or is under an appropriate statutory obligation of confidentiality;
1.5.5.2 complies with this paragraph 1; and
1.5.5.3 is appropriately reliable, qualified and trained in relation to their Processing of Agreement Personal Data;
1.5.6 keep all Agreement Personal Data confidential in accordance with the provisions of clause 33 provided that in the event and to the extent only of any conflict between this paragraph 1 and clause 33, this paragraph 1 will prevail; and
1.5.7 at the option of the GLA, securely delete or return to the GLA (in the format required by the GLA) all Agreement Personal Data promptly after the end of the provision of Services relating to Processing or at any time upon request, and securely delete any remaining copies and promptly certify (via a director) when this exercise has been completed.
1.6 The Grantee will not make an International Transfer without the GLA’s prior written consent. If the GLA gives its prior written consent to an International Transfer, before making that International Transfer the Grantee will demonstrate or implement, to the GLA’s satisfaction, appropriate safeguards for that International Transfer in accordance with Data Protection Laws and will ensure that enforceable rights and effective legal remedies for Data Subjects are available. Such appropriate safeguards may include:
1.6.1 there is in force a European Commission decision that the country or territory to which the International Transfer is to be made ensures an adequate level of protection for Processing of Personal Data;
1.6.2 the relevant Data Processor/Processor enters into an agreement with the GLA in the form of the standard grant clauses approved by the European Commission decision for the transfer of personal data to processors established in third countries from time to time, completed with such information as the GLA may reasonably require; or
1.6.3 the International Transfer is to the United States of America and the relevant Processor has and maintains for the duration of the Processing a current registration under the US-EU Privacy Shield.
If the appropriate safeguards demonstrated or implemented by the Grantee (or the relevant Processor) in accordance with this paragraph 1.6 are deemed at any time not to provide an adequate level of protection in relation to Agreement Personal Data, the Grantee will implement such alternative measures as may be required by the GLA to ensure that the relevant International Transfer and all resulting Processing are compliant with Data Protection Laws.
The Grantee or the relevant Sub-Processor will not need to comply with the conditions set out in this paragraph 1.6 if it is required to make an International Transfer to comply with United Kingdom, European Union (as it is made up from time to time) or European Union member state Applicable Laws, in which case the Grantee will notify the GLA of such legal requirement prior to such International Transfer unless such Applicable Laws prohibit notice to the GLA on public interest grounds.
1.7 The Grantee will:
1.7.1 implement, and assist the GLA [and the other members of its Group] to implement, technical and organisational measures to ensure a level of security appropriate to the risk presented by Processing the Agreement Personal Data, in particular from a Data Security Incident;
1.7.2 notify the GLA immediately if at any time the Grantee or a Sub-Processor is, or ought to be, aware of any reason why it is unable to comply with paragraph 1.7.1, without prejudice to its obligation to comply with, or to any rights or remedies which the GLA may have for breach of, paragraph 1.7.1;
1.7.3 notify the GLA immediately (and in any event within 24 hours) after becoming aware of a reasonably suspected, “near miss” or actual Data Security Incident, including the nature of the Data Security Incident, the categories and approximate number of Data Subjects and Agreement Personal Data records concerned, the likely consequences of the Data Security Incident and any measure proposed to be taken to address the Data Security Incident and to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all the relevant information at the same time, the information may be provided in phases without undue delay, but the Grantee (and Sub-Processors) may not delay notification under this paragraph 1.7.3 on the basis that an investigation is incomplete or ongoing;
1.7.4 promptly (and in any event within 72 hours) notify the GLA of any request that it receives for exercise of a Data Subject’s rights under the Data Protection Laws or communication or complaint that it receives from a Data Subject or Supervisory Authority or other third party in connection with Agreement Personal Data;
1.7.5 provide reasonable assistance to the GLA in responding to requests for exercising Data Subjects’ rights under the Data Protection Laws and communications and complaints from Data Subjects and Supervisory Authorities and other third parties in connection with Agreement Personal Data, including by appropriate technical and organisational measures, insofar as this is possible;
1.7.6 not, without the GLA’s prior written consent, make or permit any announcement in respect of a Data Security Incident or respond to any request for exercise of a Data Subject’s rights under the Data Protection Laws or communication or complaint from a Data Subject or Supervisory Authority in connection with Agreement Personal Data;
1.7.7 assist the GLA in:
1.7.7.1 documenting any Data Security Incidents and reporting any Data Security Incidents to any Supervisory Authority and/or Data Subjects;
1.7.7.2 taking measures to address Data Security Incidents, including, where appropriate, measures to mitigate their possible adverse effects; and
1.7.7.3 conducting privacy impact assessments of any Processing operations and consulting with Supervisory Authorities, Data Subjects and their representatives accordingly.
1.8 The Grantee will:
1.8.1 make available to the GLA all information necessary to demonstrate compliance with the obligations set out in this paragraph 1; and
1.8.2 allow for and contribute to audits, including inspections, conducted by the GLA or another auditor mandated by the GLA.
1.9 The Grantee will prepare and securely maintain a record of all categories of Processing activities carried out on behalf of the GLA in relation to the Agreement Personal Data, including as a minimum: (i) its name and contact details and details of its Data Protection officer [or other person with responsibility for data protection compliance]; (ii) the categories of Processing it carries out on behalf of the GLA; (iii) International Transfers; (iv) a general description of the technical and organisational security measures referred to in paragraph 1.7.1; and (v) the same information in relation to any Sub-Processor, together with its name and contact details (together the “Data Record”). The Grantee will promptly upon request securely supply a copy of the Data Record to the GLA.
1.10 The Grantee will indemnify the GLA against the Recoverable Liabilities, in each case arising out of or in connection with any breach by the Grantee or any Sub-Processor of any of its obligations under this paragraph 1 (including any failure or delay in performing, or negligent performance or non-performance of, any of those obligations).
1.11 Any breach of this paragraph 1 by the Grantee or any Sub-Processor will be a material breach of this Agreement [which is not capable of being remedied], irrespective of whether any financial loss or reputational damage arises, and irrespective of the level of any financial loss or deprivation of benefit arising, as a consequence of such breach.