Common use of Data Protection Clause in Contracts

Data Protection. The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Controller and the Supplier is the Processor unless otherwise specified in Contract Schedule 7. The only processing that the Processor is authorised to do is listed in Contract Schedule 7 by the Controller and may not be determined by the Processor. The Processor shall notify the Controller immediately if it considers that any of the Controller's instructions infringe the Data Protection Legislation. The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Controller, include: a systematic description of the envisaged processing operations and the purpose of the processing; an assessment of the necessity and proportionality of the processing operations in relation to the Services; an assessment of the risks to the rights and freedoms of Data Subjects; and the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. The Processor shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: process that Personal Data only in accordance with Contract Schedule 7, unless the Processor is required to do otherwise by Law. 
If it is so required the Processor shall promptly notify the Controller before processing the Personal Data unless prohibited by Law; ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), having taken account of the: nature of the data to be protected; harm that might result from a Data Loss Event; state of technological development; and cost of implementing any measures; ensure that: the Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 7); it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they:

Appears in 5 contracts

Samples: Call Off Contract Terms for Apprenticeships Training Dynamic Marketplace (Rm6102), Call Off Contract Terms for Apprenticeships Training Dynamic Marketplace (Rm6102), Call Off Contract Terms for Apprenticeships Training Dynamic Marketplace (Rm6102)


Data Protection. 20.1 The parties acknowledge that for the purposes of the Data Protection Legislation, the nature of the activity carried out by each of them in relation to their respective obligations under this DPS Agreement will determine the status of each party under the Data Protection Legislation. A party may act as: 20.1.1 Controller (where the other party acts as the Processor); 20.1.2 Processor (where the other party acts as the Controller); 20.1.3 Joint Controller (where both parties are considered to jointly control the same Personal Data); and 20.1.4 Independent Controller of the Personal Data where the other party is also Controller of the same Personal Data in its own right (but there is no element of joint control); and the parties shall set out in Schedule 12 (Processing Personal Data) which scenario or scenarios are intended to apply under this DPS Agreement. 20.2 Where a party is a Processor, the only processing that it is authorised to do is listed in Schedule 12 (Processing Personal Data) by the Controller. 20.3 The Processor shall notify the Controller immediately if it considers that any of the Controller’s instructions infringe the Data Protection Legislation. 20.4 The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing.
Such assistance may, at the discretion of the Controller, include: 20.4.1 a systematic description of the envisaged processing operations and the purpose of the processing; 20.4.2 an assessment of the necessity and proportionality of the processing operations in relation to the requirements of the Administering Authority hereunder; 20.4.3 an assessment of the risks to the rights and freedoms of Data Subjects; and 20.4.4 the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 20.5 The Processor shall, in relation to any Personal Data processed in connection with its obligations under this DPS Agreement: 20.5.1 process that Personal Data only in accordance with Schedule 12 (Processing Personal Data), unless the Processor is required to do otherwise by Law. If it is so required the Processor shall promptly notify the Contracting Authority before processing the Personal Data unless prohibited by Law; 20.5.2 ensure that it has in place Protective Measures which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures) having taken account of the: (a) nature of the data to be protected; (b) harm that might result from a Data Loss Event; (c) state of technological development; and (d) cost of implementing any measures; 20.5.3 ensure that: (i) the Processor Personnel do not process Personal Data except in accordance with this DPS Agreement (and in particular Schedule 12 (Processing Personal Data)); (ii) it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Processor’s duties under this Clause and Clauses 17
(Confidentiality) and 19 (Freedom of Information); (B) are subject to appropriate confidentiality undertakings with the Processor or any Sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Controller or as otherwise permitted by this DPS Agreement; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; 20.5.4 not transfer Personal Data outside of the UK unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled: (a) the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or DPA 2018 Section

Appears in 2 contracts

Samples: Dynamic Purchasing System Agreement, Dynamic Purchasing System Agreement

Data Protection. 11.1 The parties acknowledge that for the purposes of the Data Protection Legislation, the SFC is the Controller and the Contractor is the Processor unless otherwise specified in Contract Schedule Part 7. The only processing that the Processor is authorised to do is listed in Contract Schedule Part 7 by the Controller and may not be determined by the Processor. 11.2 The Processor shall notify the Controller immediately if it considers that any of the Controller's instructions infringe the Data Protection Legislation. 11.3 The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Controller, include: 11.3.1 a systematic description of the envisaged processing operations and the purpose of the processing; 11.3.2 an assessment of the necessity and proportionality of the processing operations in relation to the Services; 11.3.3 an assessment of the risks to the rights and freedoms of Data Subjects; and 11.3.4 the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 11.4 The Processor shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: 11.4.1 process that Personal Data only in accordance with Contract Schedule Part 7, unless the Processor is required to do otherwise by Law.
If it is so required the Processor shall promptly notify the Controller before processing the Personal Data unless prohibited by Law; 11.4.2 ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), having taken account of the: 11.4.2.1 nature of the data to be protected; 11.4.2.2 harm that might result from a Data Loss Event; 11.4.2.3 state of technological development; and 11.4.2.4 cost of implementing any measures; 11.4.3 ensure that: 11.4.3.1 the Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule Part 7); 11.4.3.2 it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they: 11.4.3.2.1 are aware of and comply with the Processor's duties under this Clause; 11.4.3.2.2 are subject to appropriate confidentiality undertakings with the Processor or any Sub-processor; 11.4.3.2.3 are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Controller or as otherwise permitted by this Agreement; and 11.4.3.2.4 have undergone adequate training in the use, care, protection and handling of Personal Data; and 11.4.3.2.5 it shall not transfer Personal Data outside of the United Kingdom unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled: i. the Controller or the Processor has provided appropriate safeguards in relation to the transfer in accordance with the Data Protection Legislation as determined by the Controller; ii. the Data Subject has enforceable rights and effective legal remedies; iii.
the Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and iv. the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data; 11.4.4 at the written direction of the Controller, delete or return Personal Data (and any copies of it) to the Controller on termination of the Agreement unless the Processor is required by Law to retain the Personal Data. 11.5 Subject to Clause 11.6, the Processor shall notify the Controller immediately if it: 11.5.1 receives a Data Subject Request (or purported Data Subject Request); 11.5.2 receives a request to rectify, block or erase any Personal Data; 11.5.3 receives any other request, complaint or communication relating to either party's obligations under the Data Protection Legislation; 11.5.4 receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; 11.5.5 receives a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or 11.5.6 becomes aware of a Data Loss Event. 11.6 The Processor's obligation to notify under Clause 11.5 shall include the provision of further information to the Controller in phases, as details become available. 
11.7 Taking into account the nature of the processing, the Processor shall provide the Controller with full assistance in relation to either party's obligations under Data Protection Legislation and any complaint, communication or request made under Clause 11.5 (and insofar as possible within the timescales reasonably required by the Controller) including by promptly providing: 11.7.1 the Controller with full details and copies of the complaint, communication or request; 11.7.2 such assistance as is reasonably requested by the Controller to enable the Controller to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation; 11.7.3 the Controller, at its request, with any Personal Data it holds in relation to a Data Subject; 11.7.4 assistance as requested by the Controller following any Data Loss Event; 11.7.5 assistance as requested by the Controller with respect to any request from the Information Commissioner's Office, or any consultation by the Controller with the Information Commissioner's Office. 11.8 The Processor shall maintain complete and accurate records and information to demonstrate its compliance with this Clause. 11.9 The Processor shall allow for audits of its Data Processing activity by the Controller or the Controller's designated auditor. 11.10 Each party shall designate its own data protection officer if required by the Data Protection Legislation. 
11.11 Before allowing any Sub-processor to process any Personal Data related to this Agreement, the Processor must: 11.11.1 notify the Controller in writing of the intended Sub-processor and processing; 11.11.2 obtain the written consent of the Controller; 11.11.3 enter into a written agreement with the Sub-processor which give effect to the terms set out in this Clause 11 and the requirements of the Data Protection Legislation such that they apply to the Sub- processor; and 11.11.4 provide the Controller with such information regarding the Sub- processor as the Controller may reasonably require. 11.12 The Processor shall remain fully liable for all acts or omissions of any of its Sub-processors. 11.13 The Controller may, at any time on not less than 30 Business Days' notice, revise this Clause by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Agreement). 11.14 The parties agree to take account of any guidance issued by the Information Commissioner's Office. The Controller may on not less than 30 Business Days' notice to the Processor amend this Agreement to ensure that it complies with any guidance issued by the Information Commissioner's Office. 11.15 Where the parties include two or more Joint Controllers as identified in Part 7 in accordance with the Data Protection Legislation, those parties shall enter into a Joint Controller Agreement based on the terms outlined in Part 8 in replacement of Clauses 11.1 to 11.14 for the Personal Data under joint control.

Appears in 2 contracts

Samples: Software Development Agreement, Software Development Agreement

Data Protection. 1.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Council is the Controller and the Contractor is the Processor. The only processing that the Contractor is authorised to do is listed in schedule 1A below by the Council and may not be determined by the Contractor. 1.2 The Contractor shall notify the Council immediately if it considers that any of the Council’s instructions infringe the Data Protection Legislation. 1.3 The Contractor shall provide all reasonable assistance to the Council in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance, at the discretion of the Council, include: (a) systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures, and mechanisms to ensure the protection of Personal Data. 1.4 The Contractor shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: (a) process that Personal Data only in accordance with schedule 1A below unless the Contractor is required to do otherwise by Law.
If it is so required the Contractor shall promptly notify the Council before processing the Personal Data unless prohibited by Law; (b) ensure that it has in place Protective Measures, which have been reviewed and approved by the Council as appropriate to protect against a Data Loss Event having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; (c) ensure that: (i) the Contractor Personnel do not process Personal Data except in accordance with this Contract (and in particular schedule 1A); (ii) it takes all reasonable steps to ensure the reliability and integrity of any Contractor Personnel who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Contractor’s duties under this clause; (B) are subject to appropriate confidentiality undertakings with the Contractor or any Sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Council or as otherwise permitted by this Contract; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; and (d) not transfer Personal Data outside of the EU unless the prior written consent of the Council has been obtained and the following conditions are fulfilled: (i) the Council or the Contractor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 47) as determined by the Council; (ii) the Data Subject has enforceable rights and
effective legal remedies; (iii) the Contractor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist) the Council in meeting its obligations); and (iv) the Contractor complies with any reasonable instructions notified to it in advance by the Council with respect to the processing of the Personal Data; (e) at the written direction of the Council, delete or return Personal Data and any copies of it to the Council on termination of the Contract unless the Contractor is required by Law to retain the Personal Data. 1.5 Subject to clause 1.6, the Contractor shall notify the Council immediately if it: (a) receives a Data Subject Access Request (or purported Data Subject Access Request); (b) receives a request to rectify, block or erase any Personal Data; (c) receives any other request, complaint or communication relating to either Party’s obligations under the Data Protection Legislation; (d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; (e) receives a request from any third party for disclosure of Personal data where compliance with such request is required or purported to be required by Law; or (f) becomes aware of a Data Loss Event. 1.6 The Contractor’s obligation to notify under clause 1.5 shall include the provision of further information to the Council in phases as details become available. 
1.7 Taking into account the nature of the processing, the Contractor shall provide the Council with full assistance in relation to either Parties obligations under the Data Protection Legislation and any complaint, communication or request made under clause 1.5 (and insofar as possible within the timescales reasonably required by the Council) including by promptly providing: (a) the Council with full details and copies of the complaint, communication or request; (b) such assistance as is reasonably requested by the Council to enable the Council to comply with a data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; (c) the Council, at its request, with any Personal Data it holds in relation to a Data Subject; (d) assistance as requested by the Council following any Data Loss Event; (e) assistance as requested by the Council with respect to any request from the Information Commissioner’s Office, or any consultation by the Council with the information Commissioner’s Office. 1.8 the Contractor shall maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Contractor employs fewer than 250 staff, unless: (a) the Council determines that the processing is not occasional; (b) the Council determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; and (c) the Council determines that the processing is likely to result in a risk to the rights and freedoms of the Data Subjects. 1.9 The Contractor shall allow for audits of its Data Processing activity by the Council or the Council’s designated auditor. 1.10 The Contractor shall designate a data protection officer if required by Data Protection Legislation. 
1.11 Before allowing any Sub-processor to process any Personal Data related to this Contract, the Contractor must: (a) notify the Council in writing of the intended Sub-processor and processing; (b) obtain the written consent of the Council; (c) enter into a written agreement with the Sub-processor which give effect to the terms set out in this clause such that they apply to the Sub-processor; and (d) provide the Council with such information regarding the Sub-processor as the Council may reasonably require. 1.12 The Contractor shall remain fully liable for all such acts or omissions of any Sub-processor. 1.13 The Council may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Contract). 1.14 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Council may on not less than 30 Working Days’ notice to the Contractor amend this Contract to ensure it complies with any guidance issued by the Information Commissioner’s Office. 1.15 The provisions of this Appendix I shall apply during the term of the Contract and indefinitely after its expiry.

Appears in 2 contracts

Samples: Services Agreements, Contract for Services

Data Protection. i. The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Controller and the Contractor is the Processor. The only processing that the Contractor is authorised to do is listed in Contract Schedule 1 by the Customer and may not be determined by the Contractor. ii. The Contractor shall notify the Customer immediately if it considers that any of the Customer's instructions infringe the Data Protection Legislation. iii. The Contractor shall provide all reasonable assistance to the Customer in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Customer, include: a) a systematic description of the envisaged processing operations and the purpose of the processing; b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; c) an assessment of the risks to the rights and freedoms of Data Subjects; and d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. iv. The Contractor shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: a) process that Personal Data only in accordance with Contract Schedule 1, unless the Contractor is required to do otherwise by Law.
If it is so required the Contractor shall promptly notify the Customer before processing the Personal Data unless prohibited by Law; b) ensure that it has in place Protective Measures, which have been reviewed and approved by the Customer as appropriate to protect against a Data Loss Event having taken account of the: i) nature of the data to be protected; ii) harm that might result from a Data Loss Event; iii) state of technological development; and iv) cost of implementing any measures; c) ensure that: i) the Contractor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 1); ii) it takes all reasonable steps to ensure the reliability and integrity of any Contractor Personnel who have access to the Personal Data and ensure that they: A) are aware of and comply with the Contractor’s duties under this clause; B) are subject to appropriate confidentiality undertakings with the Contractor or any Sub-processor; C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Customer or as otherwise permitted by this Agreement; and D) have undergone adequate training in the use, care, protection and handling of Personal Data; and d) not transfer Personal Data outside of the EU unless the prior written consent of the Customer has been obtained and the following conditions are fulfilled: i) the Customer or the Contractor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Customer; ii) the Data Subject has enforceable rights and effective legal remedies; iii) the
Contractor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Customer in meeting its obligations); and iv) the Contractor complies with any reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; e) at the written direction of the Customer, delete or return Personal Data (and any copies of it) to the Customer on termination of the Agreement unless the Contractor is required by Law to retain the Personal Data. v. Subject to clause 3.5, the Contractor shall notify the Customer immediately if it: a) receives a Data Subject Access Request (or purported Data Subject Access Request); b) receives a request to rectify, block or erase any Personal Data; c) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; e) receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or f) becomes aware of a Data Loss Event. vi. The Contractor’s obligation to notify under clause 3.4 shall include the provision of further information to the Customer in phases, as details become available. vii. 
Taking into account the nature of the processing, the Contractor shall provide the Customer with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause 3.4 (and insofar as possible within the timescales reasonably required by the Customer) including by promptly providing: a) the Customer with full details and copies of the complaint, communication or request; b) such assistance as is reasonably requested by the Customer to enable the Customer to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; c) the Customer, at its request, with any Personal Data it holds in relation to a Data Subject; d) assistance as requested by the Customer following any Data Loss Event; e) assistance as requested by the Customer with respect to any request from the Information Commissioner’s Office, or any consultation by the Customer with the Information Commissioner's Office. viii. The Contractor shall maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement applies because: a) the Customer determines that the processing is not occasional; b) the Customer determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR. ix. The Contractor shall allow for audits of its Data Processing activity by the Customer or the Customer’s designated auditor. x. The Contractor shall designate a data protection officer if required by the Data Protection Legislation. xi. 
Before allowing any Sub-processor to process any Personal Data related to this Agreement, the Contractor must: a) notify the Customer in writing of the intended Sub-processor and processing; b) obtain the written consent of the Customer; c) enter into a written agreement with the Sub-processor which give effect to the terms set out in this clause such that they apply to the Sub-processor; and d) provide the Customer with such information regarding the Sub-processor as the Customer may reasonably require. xii. The Contractor shall remain fully liable for all acts or omissions of any Sub-processor. xiii. The Contractor may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Agreement). xiv. The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Customer may on not less than 30 Working Days’ notice to the Contractor amend this agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office.

Appears in 2 contracts

Samples: Data Processing Agreement, Data Processing Agreement

Data Protection. 9.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Controller and Hornbill is the Processor. The only Processing that Hornbill is authorised to do is listed in Contract Schedule 1 by the Customer and may not be determined by Hornbill. 9.2 Hornbill shall notify the Customer immediately if it considers that any of the Customer's instructions infringe the Data Protection Legislation. 9.3 Hornbill shall, in relation to any Personal Data processed in connection with its obligations under this agreement: (a) unless Hornbill is required to do otherwise by Law, process that Personal Data only in accordance with Contract Schedule 1 as updated from time to time by written agreement of the parties.
If it is so required Hornbill shall promptly notify the Customer before processing the Personal Data unless prohibited by Law; and (b) implement and maintain at its cost and expense Protective Measures as set out in Schedule 2, which are appropriate to safeguard the security of the Personal Data in accordance with Data Protection Laws and protect against a Data Loss Event having taken account of the: (i) nature of the data to be protected; and (ii) harm that might result from a Data Loss Event; and (iii) state of technological development. The Parties acknowledge that the adequacy of the Protective Measures mentioned in this clause 9.3 and Schedule 2 may change over time, and that an effective set of Protective Measures demands frequent evaluation and improvement of the Protective Measures. Therefore Hornbill will frequently evaluate and tighten, increase or improve such Protective Measures to ensure compliance with Data Protection Legislation and the Protective Measures set out in Schedule 2 may as a result be changed from time to time by Hornbill where such changes are required by best practice, changing technological requirements, to protect against security weaknesses or other such situations that in the reasonable opinion of Hornbill are required to ensure the Protective Measures remain effective and compliant with Data Protection Legislation.
The Customer will be notified in writing when a change is made to the Protective Measures; and (c) ensure that: (i) Hornbill Personnel do not process Personal Data except in accordance with this agreement (and in particular Schedule 1); (ii) it takes all reasonable steps to ensure the reliability and integrity of any Hornbill Personnel who have access to the Personal Data and ensure that they: (A) have received adequate training on and comply with Hornbill’s duties under this agreement; and (B) are in relation to Personal Data subject to a legally binding confidentiality undertaking with Hornbill or any Sub-processor; and (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Customer or as otherwise permitted by this Agreement; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data. (d) not transfer Personal Data outside of the EEA or such third countries as the European Commission may from time to time designate unless the prior written consent of the Customer has been obtained and the following conditions are fulfilled: (i) the Customer or Hornbill has provided appropriate safeguards in relation to the transfer (in accordance with GDPR Article 46) as determined by the Customer; and (ii) the Data Subject has enforceable rights and effective legal remedies; and (iii) Hornbill complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Customer in meeting its obligations); and (iv) Hornbill complies with any reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data.
(e) at the written direction of the Customer, securely delete and / or securely return Personal Data (and any copies of it) to the Customer promptly on termination of this agreement unless Hornbill is required by Law to retain the Personal Data. 9.4 Subject to clause 9.6, Hornbill shall notify the Customer immediately if it: (a) receives a Data Subject Access Request (or purported Data Subject Access Request); or (b) receives a request to rectify, block or erase any Personal Data; or (c) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; or (d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; or (e) receives a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or (f) becomes aware of a Data Loss Event.

Appears in 2 contracts

Samples: Terms of Service, Terms of Service

Data Protection. The Parties acknowledge that for the purposes of the Data Protection Legislation, the Council is the Controller and the Contractor is the Processor. The only processing that the Contractor is authorised to do is listed in the Schedule by the Council and may not be determined by the Contractor. The Contractor shall notify the Council immediately if it considers that any of the Council's instructions infringe the Data Protection Legislation. The Contractor shall provide all reasonable assistance to the Council in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Council, include: a systematic description of the envisaged processing operations and the purpose of the processing; an assessment of the necessity and proportionality of the processing operations in relation to the Services; an assessment of the risks to the rights and freedoms of Data Subjects; and the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. The Contractor shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: process that Personal Data only in accordance with the Schedule, unless the Contractor is required to do otherwise by Law.
If it is so required, the Contractor shall promptly notify the Council before processing the Personal Data, unless prohibited by Law; ensure that it has in place Protective Measures, which have been reviewed and approved by the Council as appropriate to protect against a Data Loss Event having taken account of the: nature of the data to be protected; harm that might result from a Data Loss Event; state of technological development; and cost of implementing any measures; ensure that: the Contractor Personnel do not process Personal Data except in accordance with this Agreement (and in particular, the Schedule); it takes all reasonable steps to ensure the reliability and integrity of any Contractor Personnel who have access to the Personal Data and ensure that they: are aware of and comply with the Contractor’s duties under this clause; are subject to appropriate confidentiality undertakings with the Contractor or any Sub-processor; are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Council or as otherwise permitted by this Agreement; and have undergone adequate training in the use, care, protection and handling of Personal Data.
not transfer Personal Data outside of the EU unless the prior written consent of the Council has been obtained and the following conditions are fulfilled: the Council or the Contractor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Council; the Data Subject has enforceable rights and effective legal remedies; the Contractor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Council in meeting its obligations); and the Contractor complies with any reasonable instructions notified to it in advance by the Council with respect to the processing of the Personal Data; at the written direction of the Council, delete or return Personal Data (and any copies of it) to the Council on termination of the Agreement unless the Contractor is required by Law to retain the Personal Data. Subject to clause 1.6, the Contractor shall notify the Council immediately if it:

Appears in 2 contracts

Samples: Variation Agreement, Variation Agreement

Data Protection. 9.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Controller and Hornbill is the Processor. The only Processing that Xxxxxxxx is authorised to do is listed in Contract Schedule 1 by the Customer and may not be determined by Hornbill. 9.2 Hornbill shall notify the Customer immediately if it considers that any of the Customer's instructions infringe the Data Protection Legislation. 9.3 Hornbill shall, in relation to any Personal Data processed in connection with its obligations under this agreement: (a) unless Hornbill is required to do otherwise by Law, process that Personal Data only in accordance with Contract Schedule 1 as updated from time to time by written agreement of the parties.
If it is so required Hornbill shall promptly notify the Customer before processing the Personal Data unless prohibited by Law; and (b) implement and maintain at its cost and expense Protective Measures as set out in Schedule 2, which are appropriate to safeguard the security of the Personal Data in accordance with Data Protection Laws and protect against a Data Loss Event having taken account of the: (i) nature of the data to be protected; and (ii) harm that might result from a Data Loss Event; and (iii) state of technological development. The Parties acknowledge that the adequacy of the Protective Measures mentioned in this clause 9.3 and Schedule 2 may change over time, and that an effective set of Protective Measures demands frequent evaluation and improvement of the Protective Measures. Therefore Hornbill will frequently evaluate and tighten, increase or improve such Protective Measures to ensure compliance with Data Protection Legislation and the Protective Measures set out in Schedule 2 may as a result be changed from time to time by Hornbill where such changes are required by best practice, changing technological requirements, to protect against security weaknesses or other such situations that in the reasonable opinion of Hornbill are required to ensure the Protective Measures remain effective and compliant with Data Protection Legislation.
The Customer will be notified in writing when a change is made to the Protective Measures; and (c) ensure that: (i) Hornbill Personnel do not process Personal Data except in accordance with this agreement (and in particular Schedule 1); (ii) it takes all reasonable steps to ensure the reliability and integrity of any Hornbill Personnel who have access to the Personal Data and ensure that they: (A) have received adequate training on and comply with Xxxxxxxx’s duties under this agreement; and (B) are in relation to Personal Data subject to a legally binding confidentiality undertaking with Hornbill or any Sub-processor; and (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Customer or as otherwise permitted by this Agreement; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data. (d) not transfer Personal Data outside of the EEA or such third countries as the European Commission may from time to time designate unless the prior written consent of the Customer has been obtained and the following conditions are fulfilled: (i) the Customer or Hornbill has provided appropriate safeguards in relation to the transfer (in accordance with GDPR Article 46) as determined by the Customer; and (ii) the Data Subject has enforceable rights and effective legal remedies; and (iii) Hornbill complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Customer in meeting its obligations); and (iv) Hornbill complies with any reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data.
(e) at the written direction of the Customer, securely delete and / or securely return Personal Data (and any copies of it) to the Customer promptly on termination of this agreement unless Hornbill is required by Law to retain the Personal Data. 9.4 Subject to clause 9.6, Hornbill shall notify the Customer immediately if it: (a) receives a Data Subject Access Request (or purported Data Subject Access Request); or (b) receives a request to rectify, block or erase any Personal Data; or (c) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; or (d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; or (e) receives a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or (f) becomes aware of a Data Loss Event.

Appears in 2 contracts

Samples: Public Sector Subscription Agreement, Public Sector Subscription Agreement

Data Protection. The Parties acknowledge that for the purposes of the Data Protection Legislation, the Buyer Controller is the Controller and the Supplier (Abavus and iTouch Vision) is the Processor unless otherwise specified. The only processing that the Processor is authorised to do is in relation to the delivery of the Service. 6.5.1 The Processor shall notify the Controller immediately if it considers that any of the Buyer’s instructions infringe the Data Protection Legislation. 6.5.2 The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Controller, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 6.5.3 The Processor shall, in relation to any Personal Data processed in connection with its obligations under this contract: (a) process that Personal Data only in accordance with delivery of the Service, unless the Processor is required to do otherwise by Law.
If it is so required the Processor shall promptly notify the Controller before processing the Personal Data unless prohibited by Law; (b) ensure that it has in place Protective Measures which have been reviewed and approved by the Controller as appropriate to protect against a Data Loss Event having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; (c) ensure that: (i) the Processor Personnel do not process Personal Data except in accordance with this contract (and in particular delivery of the Service); (ii) it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Processor’s duties under this Xxxxxx; (B) are subject to appropriate confidentiality undertakings with the Processor or any Sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Controller or as otherwise permitted by this Call Off Contract; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; (d) not transfer Personal Data outside of the EU unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled: (i) the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Controller; (ii) the Data Subject has enforceable rights and effective legal
remedies; (iii) the Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavors to assist the Controller in meeting its obligations); and (iv) the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data; (e) at the written direction of the Controller, delete or return Personal Data (and any copies of it) to the Controller on termination of the contract unless the Processor is required by Law to retain the Personal Data. 6.5.4 Subject to Clause 6.5.6, the Processor shall notify the Controller immediately if it: (a) receives a Data Subject Access Request (or purported Data Subject Access Request); (b) receives a request to rectify, block or erase any Personal Data; (c) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; (d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under contract; (e) receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or (f) becomes aware of a Data Loss Event. 6.5.5 The Processor’s obligation to notify under Clause 6.5.4 shall include the provision of further information to the Controller in phases, as details become available. 
6.5.6 Taking into account the nature of the processing, the Processor shall provide the Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under Clause 6.5.4 (and insofar as possible within the timescales reasonably required by the Controller) including by promptly providing: (a) the Controller with full details and copies of the complaint, communication or request; (b) such assistance as is reasonably requested by the Controller to enable the Controller to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; (c) the Controller, at its request, with any Personal Data it holds in relation to a Data Subject; (d) assistance as requested by the Controller following any Data Loss Event; (e) assistance as requested by the Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Controller with the Information Commissioner's Office.

Appears in 2 contracts

Samples: Hosted Services Agreement, Hosted Services Agreement

Data Protection. i. With respect to the rights and obligations under this written arrangement, the Customer and Developer (the Parties) acknowledge that they jointly process Personal Data as set out in Schedule 1 to perform their obligations governed by this Agreement in respect of their respective roles, and the relationship between the Customer and Developer is one of joint controllers. ii. The Parties shall comply at all times with and assist each other in complying with their respective responsibilities for compliance with the obligations of all Data Protection Laws in connection with the processing of Personal Data only as set out in Schedule 1 as updated in writing between the Parties from time to time, unless required to process the Personal Data for any other purpose by applicable Law in which case, where legally permitted, the Customer or Developer must inform the other of this legal requirement before processing. iii. Each Party agrees to their respective responsibilities and duties regarding processing as set out in Schedule 1 including to: a. comply with data protection by design and data protection by default obligations under Data Protection Law, including, where required, legitimate interest assessments and data protection impact assessments and associated consultation with data subjects, other Parties involved with the processing and any applicable supervisory authority, to ensure appropriate technical and organisational measures, including appropriate data protection governance and audit compliance, are implemented to safeguard the rights and freedoms of data subjects; b. observe the principles of Data Protection Law, including not retaining any of Personal Data for longer than is necessary to perform its obligations under this Agreement and upon the other Party’s reasonable request, securely destroy (unless applicable Laws require continued storage of Personal Data) or return such Personal Data; c. only transfer any Personal Data outside of the European Economic Area (the “EEA”) relying on Adequacy Decisions by the EU Commission or on appropriate standard contractual clauses ("Standard Contractual Clauses") between the Parties. In the event that the Adequacy Decision granted in respect of the Standard Contractual Clauses is invalidated or suspended, or any supervisory authority requires transfers of personal information pursuant to such Standard Contractual Clauses to be suspended, then the Parties may require to: i. cease data transfers forthwith, and implement an alternative adequacy mechanism (as agreed in writing by the Parties); or ii.
return all Personal Data previously transferred and ensure that a senior officer or director of the Customer or Developer certifies to the other that this has been done. d. monitor for, investigate and manage any actual or suspected personal data breach regarding processing activities undertaken by them, to inform the other Party of such personal data breaches without undue delay, and the other Party’s sole and exclusive remedy shall be for the first Party to use reasonable commercial endeavours to resolve the personal data breach; e. comply with and provide information notices to data subjects regarding processing activities undertaken by them, including personal data breaches – such notices being available to the Customer from time to time, as such document may be amended from time to time by the Developer in its sole discretion; f. notify any applicable law enforcement authority (including any applicable supervisory authority) regarding personal data breaches where required relating to processing activities undertaken by them; g. fulfil any data subject rights request pertaining to their Personal Data or assist the other Party in doing so – such requests to be passed to the other Party within two working days in order to fulfil that request; h. notify the other Party without undue delay in writing if it receives from any applicable law enforcement authorities (including any applicable regulators) where permitted to do so: i. any communication seeking to exercise rights conferred on the data subject by Data Protection Law; ii. any complaint or any claim for compensation arising from or relating to the processing of Personal Data as set out in Schedule 1; or iii. any communication from any applicable law enforcement authorities (including any applicable regulators); i.
provide such information and such assistance to the other Party as they may reasonably require, and within the timescales reasonably specified by the Parties, to allow the other Party to comply with their data protection by design and data protection by default obligations under Data Protection Law, including, where required, consultation regarding legitimate interest assessments and data protection impact assessments, to ensure appropriate technical and organisational measures, including appropriate data protection governance and audit compliance, are implemented to safeguard the rights and freedoms of data subjects, including such full and prompt information and assistance to the other Party and any applicable law enforcement authorities (including any applicable regulators) in relation to a personal data breach. iv. Each Party shall designate a contact point for data subjects. v. The Parties agree that they shall at no additional cost, keep or cause to be kept such information as is necessary to demonstrate compliance with their respective obligations under this clause (Data Protection) regarding the joint processing of Personal Data as set out in [Annex / Schedule / Appendix X] carried out by the Parties in writing and in electronic form, and shall, upon reasonable notice, make available to the other Party or grant to the other Party and its auditors and agents, and any applicable law enforcement authority (including any applicable supervisory authority), a right of access to, and to take copies of, any information or records kept by the other Party pursuant to this clause (Data Protection) – this information to contain no less than: a. their name and contact details, including those of its Companies, and, where applicable, of their representative, and their data protection officer; b. the details regarding their respective processing set out in Schedule 1; c.
a general description of the appropriate technical and organisational measures to protect Personal Data against accidental or unlawful processing, loss, destruction, damage, alteration, or unauthorised disclosure or access, including so as to allow the Parties to comply with their obligations under Data Protection Law – in particular: to safeguard against the specific offences: i. for a person knowingly or recklessly to re-identify Personal Data that is de-identified Personal Data without the consent of the controller responsible for de-identifying the personal data. ii. to alter, deface, block, erase, destroy or conceal Personal Data with the intention of preventing disclosure of all or part of the Personal Data that the person making the request would have been entitled to receive. iii. where transferring Personal Data to a third country or an international organisation, the identification of that third country or international organisation and, in the case of ex-EEA transfers without adequacy, binding corporate rules, code of conduct, data protection seals, or standard contractual clauses, the documentation of appropriate safeguards such as: 1. explicit consent from affected data subjects, or 2. evidence that the transfer is required for the performance or conclusion of the performance of a contract with said data subjects. iv.
ensure that any staff or personnel (including contractors) authorised to process Personal Data shall be subject to a binding duty of confidentiality in respect of such data. vi. The Parties agree to notify each other immediately if, in the opinion of the other Party, the written arrangement for the processing of Personal Data given by the Customer or Developer violates any provision of Data Protection Law. vii. Neither Party must not perform their obligations under this Agreement in such a way as to cause the other Party to violate any of their obligations under Data Protection Law.

Appears in 2 contracts

Samples: Customer Agreement, Customer Agreement

Data Protection. Processing 1.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Purchaser is the Controller and the Supplier is the Processor. The only processing that the Supplier is authorised to do is listed in the Data Processing Schedule by the Controller and may not be determined by the Supplier. 1.2 The Supplier shall notify the Purchaser immediately if it considers that any of the Purchaser's instructions infringe the Data Protection Legislation. 1.3 The Supplier shall provide all reasonable assistance to the Purchaser in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Purchaser, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 1.4 The Supplier shall, in relation to any Personal Data processed in connection with its obligations under this Contract: (a) process that Personal Data only in accordance with the Data Processing Schedule, unless the Supplier is required to do otherwise by Law. 
If it is so required the Supplier shall promptly notify the Purchaser before processing the Personal Data unless prohibited by Law; (b) ensure that it has in place Protective Measures, which have been reviewed and approved by the Purchaser as appropriate to protect against a Data Loss Event having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; (c) ensure that: (i) the Supplier Personnel do not process Personal Data except in accordance with this Contract (and in particular the Data Processing Schedule); (ii) it takes all reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Supplier’s duties under this clause; (B) are subject to appropriate confidentiality undertakings with the Supplier or any Sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Purchaser or as otherwise permitted by this Contract; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; and (d) not transfer Personal Data outside of the EU unless the prior written consent of the Purchaser has been obtained and the following conditions are fulfilled: (i) the Purchaser or the Supplier has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Purchaser; (ii) the Data Subject has enforceable rights 
and effective legal remedies; (iii) the Supplier complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Purchaser in meeting its obligations); and (iv) the Supplier complies with any reasonable instructions notified to it in advance by the Purchaser with respect to the processing of the Personal Data; (e) at the written direction of the Purchaser, delete or return Personal Data (and any copies of it) to the Purchaser on termination of the Contract unless the Supplier is required by Law to retain the Personal Data.

Appears in 1 contract

Samples: Supply Agreement

Data Protection. The parties acknowledge that for the purposes of the Data Protection Legislation, the Authority is the Controller and the Supplier is the Processor. The only processing that the Supplier is authorised to do is listed in Contract Part 2 of Schedule 11 (Processing, Personal Data and Data Subjects) by the Authority and may not be determined by the Supplier. Without prejudice to the generality of clause 40 (Data Protection), the Authority will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Supplier for the duration and purposes of this Contract. The Supplier shall notify the Authority immediately if it considers that any of the Authority's instructions infringe the Data Protection Legislation. The Supplier shall provide all reasonable assistance to the Authority in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Authority, include: a systematic description of the envisaged processing operations and the purpose of the processing; an assessment of the necessity and proportionality of the processing operations in relation to the Services; an assessment of the risks to the rights and freedoms of Data Subjects; and the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data. 
The Supplier shall, in relation to any Personal Data processed in connection with its obligations under this Contract: process that Personal Data only on the written instructions of the Authority and in accordance with Contract Part 2 of Schedule 11 (Processing, Personal Data and Data Subjects), unless the Supplier is required to do otherwise by legislation. If it is so required the Supplier shall promptly notify the Authority before processing the Personal Data unless prohibited by legislation; ensure that it has in place Protective Measures, which have been reviewed and approved by the Authority as appropriate to protect against a Data Loss Event having taken account of the: nature of the data to be protected; harm that might result from a Data Loss Event; state of technological development; and cost of implementing any measures; ensure that: the Supplier Personnel do not process Personal Data except in accordance with this Contract (and in particular Part 2 of Schedule 11 (Processing, Personal Data and Data Subjects)); it takes all reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that they: are aware of and comply with the Supplier’s duties under this Schedule; are subject to appropriate confidentiality undertakings with the Supplier or any Sub-processor; are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority or as otherwise permitted by this Contract; and have undergone adequate training in the use, care, protection and handling of Personal Data; and not transfer Personal Data outside 
of the EU unless the prior written consent of the Authority has been obtained and the following conditions are fulfilled: the Authority or the Supplier has provided appropriate safeguards in relation to the transfer as determined by the Authority; the Data Subject has enforceable rights and effective legal remedies; the Supplier complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Authority in meeting its obligations); and the Supplier complies with any reasonable instructions notified to it in advance by the Authority with respect to the processing of the Personal Data; at the written direction of the Authority, delete or return Personal Data (and any copies of it) to the Authority on expiry or earlier termination of this Contract unless the Supplier is required by legislation to retain the Personal Data. Subject to paragraph 2.7, the Supplier shall notify the Authority immediately if it: receives a Data Subject Access Request (or purported Data Subject Access Request); receives a request to rectify, block or erase any Personal Data; receives any other request, complaint or communication relating to either party's obligations under the Data Protection Legislation; receives any communication from the Information Commissioner’s Office or any other regulatory authority in connection with Personal Data processed under this Contract; receives a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by legislation; or becomes aware of a Data Loss Event. The Supplier’s obligation to notify under paragraph 2.6 shall include the provision of further information to the Authority in phases, as details become available. 
Taking into account the nature of the processing, the Supplier shall provide the Authority with full assistance in relation to either party's obligations under Data Protection Legislation and any complaint, communication or request made under paragraph 2.6 (and insofar as possible within the timescales reasonably required by the Authority) including by promptly providing: the Authority with full details and copies of the complaint, communication or request; such assistance as is reasonably requested by the Authority to enable the Authority to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; the Authority, at its request, with any Personal Data it holds in relation to a Data Subject; assistance as requested by the Authority following any Data Loss Event; assistance as requested by the Authority with respect to any request from the Information Commissioner’s Office, or any consultation by the Authority with the Information Commissioner's Office. The Supplier shall maintain complete and accurate records and information to demonstrate its compliance with this Schedule. The Supplier shall allow for audits of its Data Processing activity by the Authority or the Authority's designated auditor. The Supplier shall designate a Data Protection Officer if required by the Data Protection Legislation. As at the Commencement Date, the Authority does not consent to the Supplier appointing any Sub-processor of Personal Data under this Contract. Any such third-party processing shall require the Authority's prior written consent. 
If, following the Commencement Date, the Authority does consent in writing to the Supplier appointing a Sub-processor then, before allowing any Sub-processor to process any Personal Data related to this Contract, the Supplier must: notify the Authority in writing of the intended Sub-processor and processing; enter into a written agreement with the Sub-processor which give effect to the terms set out in this Schedule 11 such that they apply to the Sub-processor; and provide the Authority with such information regarding the Sub-processor as the Authority may reasonably require. The Supplier shall remain fully liable for all acts or omissions of any Sub-processor. The Authority may, at any time on not less than 30 Business Days’ notice, revise this Schedule by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Contract). The Supplier shall, and shall procure that all Sub-Contractors shall enter into such further agreements relating to compliance with Data Protection Legislation as the Authority may from time to time reasonably require. The parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Authority may on not less than 30 Working Days’ notice to the Supplier amend this Contract to ensure that it complies with any guidance issued by the Information Commissioner’s Office.

Appears in 1 contract

Samples: Agreement for the Provision of Care and Support Services

Data Protection. 1.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Controller and the Supplier is the Processor for historic records and Controller for new referrals. The only processing that the Supplier is authorised to do as Processor is listed in Contract Annex 3 of Schedule 7 by the Customer and may not be determined by the Supplier. In collecting and processing Personal Data the Supplier shall comply with all applicable Data Protection Legislation. 1.2 The Supplier shall notify the Customer immediately if it considers that any of the Customer's instructions infringe the Data Protection Legislation. 1.3 The Supplier shall provide all reasonable assistance to the Customer in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Customer, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 1.4 The Supplier shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: (a) process that Personal Data only in accordance with Contract Annex 3 of Schedule 7, unless the Supplier is required to do otherwise by Law. 
If it is so required the Supplier shall promptly notify the Customer before processing the Personal Data unless prohibited by Law; (b) ensure that it has in place Protective Measures, which have been reviewed and approved by the Customer as appropriate to protect against a Data Loss Event having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; (c) ensure that: (i) the Supplier’s Personnel do not process Personal Data except in accordance with this Agreement (and in particular Annex 3 Schedule 7). (ii) it takes all reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Supplier’s duties under this clause; (B) are subject to appropriate confidentiality undertakings with the Supplier or any Sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer or as otherwise permitted by this Agreement; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; and (d) not transfer Personal Data outside of the EU unless the prior written consent of the Customer has been obtained and the following conditions are fulfilled: (i) the Customer or the Supplier has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Customer; (ii) the Data Subject has enforceable rights and effective legal remedies; (iii) 
the Supplier complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Customer in meeting its obligations); and (iv) the Supplier complies with any reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; (e) at the written direction of the Customer, where Supplier acts as Processor, delete or return Personal Data (and any copies of it) to the Customer on termination of the Agreement unless the Supplier is required by Law to retain the Personal Data. 1.5 Subject to clause 1.6, the Supplier shall notify the Customer without undue delay if it: (a) receives a Data Subject Access Request (or purported Data Subject Access Request); (b) receives a request to rectify, block or erase any Personal Data; (c) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; (d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; (e) receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or (f) becomes aware of a Data Loss Event. 1.6 The Supplier’s obligation to notify under clause 1.5 shall include the provision of further information to the Customer in phases, as details become available. 
In relation to clause 1.5(f) the Supplier shall also provide such assistance as may be required by the Customer including, without limitation: (a) conducting or supporting the Customer in such investigations or analysis that the Customer requires in relation to the Data Loss Event; and (b) implementing any actions or remedial measures necessary to restore the security of compromised Personal Data; and (c) assisting the Customer to make any notification to any relevant supervisory authority and affected Data Subjects. 1.7 Taking into account the nature of the processing, both Parties shall provide with such reasonable and appropriate assistance as required of the relevant Party under Data Protection Legislation in relation to the other Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause 1.5 (and insofar as possible within the timescales reasonably required by either party) including, where applicable, by promptly providing: (a) the other party with full details and copies of the complaint, communication or request; (b) such assistance as is reasonably requested by the other party to enable the other party to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; (c) the Customer, at its request, with any Personal Data it holds in relation to a Data Subject, where Supplier is a Processor; (d) assistance as requested by the other party following any Data Loss Event; (e) assistance as requested by the other party with respect to any request from the Information Commissioner’s Office, or any consultation by either party with the Information Commissioner's Office. 1.8 The Supplier shall maintain complete and accurate records and information to demonstrate its compliance with this clause. 
This requirement does not apply where the Supplier employs fewer than 250 staff, unless: (a) the Customer determines that the processing is not occasional; (b) the Customer determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; and (c) the Customer determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects.

Appears in 1 contract

Samples: Occupational Health and Employee Assistance Programme Services Contract

Data Protection. 1.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the [ORG A] is the Controller and the [ORG B] is the Processor unless otherwise specified in Contract Schedule [X]. The only processing that the Processor is authorised to do is listed in Contract Schedule [X] by the Controller and may not be determined by the Processor. 1.2 The Processor shall notify the Controller immediately if it considers that any of the Controller's instructions infringe the Data Protection Legislation. 1.3 The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Controller, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 1.4 The Processor shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: (a) process that Personal Data only in accordance with Contract Schedule [X], unless the Processor is required to do otherwise by Law. 
If it is so required the Processor shall promptly notify the Controller before processing the Personal Data unless prohibited by Law; (b) ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; (c) ensure that: (i) the Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule X); (ii) it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Processor’s duties under this clause; (B) are subject to appropriate confidentiality undertakings with the Processor or any Sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Controller or as otherwise permitted by this Agreement; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; and (d) not transfer Personal Data outside of the EU unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled: (i) the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Controller; (ii) the Data Subject has enforceable rights and effective legal remedies; (iii) the Processor complies with its obligations under the Data Protection Legislation by 
providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and (iv) the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data; (e) at the written direction of the Controller, delete or return Personal Data (and any copies of it) to the Controller on termination of the Agreement unless the Processor is required by Law to retain the Personal Data. 1.5 Subject to clause 1.6, the Processor shall notify the Controller immediately if it: (a) receives a Data Subject Request (or purported Data Subject Request); (b) receives a request to rectify, block or erase any Personal Data; (c) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; (d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; (e) receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or (f) becomes aware of a Data Loss Event. 1.6 The Processor’s obligation to notify under clause 1.5 shall include the provision of further information to the Controller in phases, as details become available. 
1.7 Taking into account the nature of the processing, the Processor shall provide the Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause 1.5 (and insofar as possible within the timescales reasonably required by the Controller) including by promptly providing: (a) the Controller with full details and copies of the complaint, communication or request; (b) such assistance as is reasonably requested by the Controller to enable the Controller to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation; (c) the Controller, at its request, with any Personal Data it holds in relation to a Data Subject; (d) assistance as requested by the Controller following any Data Loss Event; (e) assistance as requested by the Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Controller with the Information Commissioner's Office. 1.8 The Processor shall maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Processor employs fewer than 250 staff, unless: (a) the Controller determines that the processing is not occasional; (b) the Controller determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; or (c) the Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. 1.9 The Processor shall allow for audits of its Data Processing activity by the Controller or the Controller’s designated auditor. 1.10 Each Party shall designate its own data protection officer if required by the Data Protection Legislation. 
1.11 Before allowing any Sub-processor to process any Personal Data related to this Agreement, the Processor must: (a) notify the Controller in writing of the intended Sub-processor and processing; (b) obtain the written consent of the Controller; (c) enter into a written agreement with the Sub-processor which give effect to the terms set out in this clause [X] such that they apply to the Sub-processor; and (d) provide the Controller with such information regarding the Sub-processor as the Controller may reasonably require. 1.12 The Processor shall remain fully liable for all acts or omissions of any of its Sub-processors. 1.13 The Controller may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Agreement). 1.14 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Controller may on not less than 30 Working Days’ notice to the Processor amend this agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office. 1.15 Where the Parties include two or more Joint Controllers as identified in Schedule [X] in accordance with GDPR Article 26, those Parties shall enter into a Joint Controller Agreement based on the terms outlined in Schedule [Y] in replacement of Clauses 1.1-1.14 for the Personal Data under Joint Control.

Appears in 1 contract

Samples: Data Processing Agreement

Data Protection. 1.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Controller and the Supplier Contractor is the Processor unless otherwise specified in Contract Schedule 7Appendix 1. The only processing that the Processor is authorised to do is listed in Contract Schedule 7 Appendix 1 by the Controller and may not be determined by the Processor. . 1.2 Controller warrants that it has taken all necessary steps to achieve compliance with Data Protection Legislation. 1.3 Without prejudice to the generality of paragraph 1.2, Controller warrants that where Controller supplies Personal Data to Processor, Controller has provided any requisite notice and has a valid legal basis to collect, obtain and share the Personal Data with Processor and to allow Processor to process the Personal Data in accordance with Schedule 1. 1.4 The Processor shall notify the Controller immediately if it considers that any of the Controller's instructions infringe the Data Protection Legislation. . 1.5 The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Controller, include: : (a) a systematic description of the envisaged processing operations and the purpose of the processing; ; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; ; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. . 
1.6 The Processor shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: (a) process that Personal Data only in accordance with Appendix 1, unless the Processor is required to do otherwise by Law. If it is so required, the Processor shall promptly notify the Controller before processing the Personal Data unless prohibited by Law; (b) ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; (c) ensure that: (i) the Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Appendix 1); (ii) it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Processor’s duties under this clause; (B) are subject to appropriate confidentiality undertakings with the Processor or any Sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Controller or as otherwise permitted by this Agreement; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; and (d) not transfer Personal Data outside of the EU unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled: (i) the Controller or the Processor has provided appropriate safeguards in
relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Controller; (ii) the Data Subject has enforceable rights and effective legal remedies; (iii) the Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and (iv) the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data; (e) at the written direction of the Controller, delete or return Personal Data (and any copies of it) to the Controller on termination of the Agreement unless the Processor is required by Law to retain the Personal Data. 1.7 Subject to clause 1.6, the Processor shall notify the Controller immediately if it: (a) receives a Data Subject Request (or purported Data Subject Request); (b) receives a request to rectify, block or erase any Personal Data; (c) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; (d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; (e) receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or (f) becomes aware of a Data Loss Event.

Appears in 1 contract

Samples: Licensing Agreement

Data Protection. 20.1 The parties acknowledge that for the purposes of the Data Protection Legislation, the nature of the activity carried out by each of them in relation to their respective obligations under this DPS Agreement will determine the status of each party under the Data Protection Legislation. A party may act as: 20.1.1 Controller (where the other party acts as the Processor); 20.1.2 Processor (where the other party acts as the Controller); 20.1.3 Joint Controller (where both parties are considered to jointly control the same Personal Data); and 20.1.4 Independent Controller of the Personal Data where the other party is also Controller of the same Personal Data in its own right (but there is no element of joint control); and the parties shall set out in Schedule 12 (Processing Personal Data) which scenario or scenarios are intended to apply under this DPS Agreement. 20.2 Where a party is a Processor, the only processing that it is authorised to do is listed in Schedule 12 (Processing Personal Data) by the Controller and may not be determined by the Processor. Controller. 20.3 The Processor shall notify the Controller immediately if it considers that any of the Controller’s instructions infringe the Data Protection Legislation. 20.4 The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing.
Such assistance may, at the discretion of the Controller, include: 20.4.1 a systematic description of the envisaged processing operations and the purpose of the processing; 20.4.2 an assessment of the necessity and proportionality of the processing operations in relation to the requirements of the Administering Authority hereunder; 20.4.3 an assessment of the risks to the rights and freedoms of Data Subjects; and 20.4.4 the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 20.5 The Processor shall, in relation to any Personal Data processed in connection with its obligations under this DPS Agreement: 20.5.1 process that Personal Data only in accordance with Schedule 12 (Processing Personal Data), unless the Processor is required to do otherwise by Law. If it is so required the Processor shall promptly notify the Contracting Authority before processing the Personal Data unless prohibited by Law; 20.5.2 ensure that it has in place Protective Measures which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures) having taken account of the: (a) nature of the data to be protected; (b) harm that might result from a Data Loss Event; (c) state of technological development; and (d) cost of implementing any measures; 20.5.3 ensure that: (i) the Processor Personnel do not process Personal Data except in accordance with this DPS Agreement (and in particular Schedule 12 (Processing Personal Data)); (ii) it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Processor’s duties under this Clause and Clauses 17
(Confidentiality) and 19 (Freedom of Information); (B) are subject to appropriate confidentiality undertakings with the Processor or any Sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Controller or as otherwise permitted by this DPS Agreement; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; 20.5.4 not transfer Personal Data outside of the UK unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled: (a) the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or DPA 2018 Section 75) as determined by the Controller; (b) the Data Subject has enforceable rights and effective legal remedies; (c) the Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and (d) the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data; and 20.5.5 at the written direction of the Controller, delete or return Personal Data (and any copies of it) to the Controller on termination of this DPS Agreement unless the Processor is required by Law to retain the Personal Data. 
20.6 Subject to Clause 20.7 (Data Protection), the Processor shall notify the Controller immediately if it: 20.6.1 receives a Data Subject Request (or purported Data Subject Request); 20.6.2 receives a request to rectify, block or erase any Personal Data; 20.6.3 receives any other request, complaint or communication relating to either party's obligations under the Data Protection Legislation; 20.6.4 receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this DPS Agreement; 20.6.5 receives a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or 20.6.6 becomes aware of a Data Loss Event. 20.7 The Processor’s obligation to notify under Clause 20.6 (Data Protection) shall include the provision of further information to the Controller in phases, as details become available. 20.8 Taking into account the nature of the processing, the Processor shall provide the Controller with reasonable assistance in relation to either party's obligations under Data Protection Legislation and any complaint, communication or request made under Clause 20.6 (Data Protection) (and insofar as possible within the timescales reasonably required by the Controller) including by promptly providing: 20.8.1 the Controller with full details and copies of the complaint, communication or request; 20.8.2 such assistance as is reasonably requested by the Controller to enable it to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation; 20.8.3 the Controller, at its request, with any Personal Data it holds in relation to a Data Subject; 20.8.4 assistance as requested by the Controller following any Data Loss Event; and/or 20.8.5 assistance as requested by the Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the 
Controller with the Information Commissioner's Office. 20.9 The Processor shall maintain complete and accurate records and information to demonstrate its compliance with this Clause. This requirement does not apply where the Processor employs fewer than 250 staff, unless: 20.9.1 the Controller determines that the processing is not occasional; 20.9.2 the Controller determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; or 20.9.3 the Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. 20.10 The Processor shall allow for Audits of its Data Processing activity by the Controller or the Controller’s designated auditor. 20.11 The parties shall designate a Data Protection Officer if required by the Data Protection Legislation. 20.12 Before allowing any Sub-processor to process any Personal Data related to this DPS Agreement, the Processor must: 20.12.1 notify the Controller in writing of the intended Sub-processor and processing; 20.12.2 obtain the written consent of the Controller; 20.12.3 enter into a written agreement with the Sub-processor which give effect to the terms set out in this Clause 20 (Data Protection) such that they apply to the Sub-processor; and 20.12.4 provide the Controller with such information regarding the Sub-processor as the Controller may reasonably require. 20.13 The Processor shall remain fully liable for all acts or omissions of any of its Sub-processors. 20.14 The Contracting Authority may, at any time on not less than thirty (30) Working Days’ notice, revise this Clause by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this DPS Agreement).
20.15 The parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Contracting Authority may on not less than thirty (30) Working Days’ notice to the Provider amend this DPS Agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office. 20.16 In the event that the parties are Joint Controllers in respect of Personal Data under this DPS Agreement, the parties shall implement Clauses that are necessary to comply with GDPR Article 26 based on the terms set out in Annex 1 to Schedule 12 (Processing Personal Data). 20.17 With respect to Personal Data provided by one party to the other party for which each party acts as Controller but which is not under the Joint Control of the parties, each party undertakes to comply with the applicable Data Protection Legislation in respect of their processing of such Personal Data as Controller. 20.18 Each party shall process the Personal Data in compliance with its obligations under the Data Protection Legislation and not do anything to cause the other party to be in breach of it. 20.19 Where a party has provided Personal Data to the other party in accordance with Clause 20.17 (Data Protection), the recipient of the Personal Data will provide all such relevant documents and information relating to its data protection policies and procedures as the other party may reasonably require. 20.20 The parties shall be responsible for their own compliance with Articles 13 and 14 GDPR in respect of the processing of Personal Data for the purposes of this DPS Agreement. 
20.21 The parties shall only provide Personal Data to each other: 20.21.1 to the extent necessary to perform the respective obligations under this DPS Agreement; and 20.21.2 in compliance with the Data Protection Legislation (including by ensuring all required fair processing information has been given to affected Data Subjects); and 20.21.3 where it has recorded it in Schedule 12 (Processing Personal Data). 20.22 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, each party shall, with respect to its processing of Personal Data as independent Controller, implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1)(a), (b), (c) and (d) of the GDPR, and the measures shall, at a minimum, comply with the requirements of the Data Protection Legislation, including Article 32 of the GDPR. 20.23 A party processing Personal Data for the purposes of this DPS Agreement shall maintain a record of its processing activities in accordance with Article 30 GDPR and shall make the record available to the other party upon reasonable request. 
20.24 Where a party receives a request by any Data Subject to exercise any of their rights under the Data Protection Legislation in relation to the Personal Data provided to it by the other party pursuant to this DPS Agreement (the Request Recipient): 20.24.1 the other party shall provide any information and/or assistance as reasonably requested by the Request Recipient to help it respond to the request or correspondence, at the cost of the Request Recipient; or 20.24.2 where the request or correspondence is directed to the other party and/or relates to the other party's Processing of the Personal Data, the Request Recipient will: (a) promptly, and in any event within five (5) Working Days of receipt of the request or correspondence, inform the other party that it has received the same and shall forward such request or correspondence to the other party; and (b) provide any information and/or assistance as reasonably requested by the other party to help it respond to the request or correspondence in the timeframes specified by Data Protection Legislation. 20.25 Each party shall promptly notify the other party upon it becoming aware of any Personal Data Breach relating to Personal Data provided by the other party pursuant to this DPS Agreement and shall: 20.25.1 do all such things as reasonably necessary to assist the other party in mitigating the effects of the Personal Data Breach; 20.25.2 implement any measures necessary to restore the security of any compromised Personal Data; 20.25.3 work with the other party to make any required notifications to the Information Commissioner’s Office and affected Data Subjects in accordance with the Data Protection Legislation (including the timeframes set out therein); and 20.25.4 not do anything which may damage the reputation of the other party or that party's relationship with the relevant Data Subjects, save as required by Law. 
20.26 Personal Data provided by one party to the other party may be used exclusively to exercise rights and obligations under this DPS Agreement as specified in Schedule 12 (Processing Personal Data). 20.27 Personal Data shall not be retained or processed for longer than is necessary to perform each Party’s obligations under this DPS Agreement which is specified in Schedule 12 (Processing Personal Data). 20.28 Notwithstanding the general application of Clauses 20.2 – 20.15 (Data Protection) to Personal Data, where the Provider is required to exercise its regulatory and/or legal obligations in respect of Personal Data, it shall act as an Independent Controller of Personal Data in accordance with Clause 20.16 – 20.27 (Data Protection).

Appears in 1 contract

Samples: Dynamic Purchasing System Agreement

Data Protection. 12.1 The parties acknowledge that for the purposes of the Data Protection Legislation, the Funder is the Controller and the Recipient is the Processor. The only processing that the Recipient is authorised to do is listed in Schedule 9 by the Funder and may not be determined by the Recipient. 12.2 The Recipient shall notify the Funder immediately if it considers that any of the Funder's instructions infringe the Data Protection Legislation. 12.3 The Recipient shall provide all reasonable assistance to the Funder in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Funder, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 12.4 The Recipient shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: (a) process that Personal Data only in accordance with Schedule 9, unless the Recipient is required to do otherwise by Law.
If it is so required the Recipient shall promptly notify the Funder before processing the Personal Data unless prohibited by Law; (b) ensure that it has in place Protective Measures, which are as appropriate to protect against a Data Loss Event having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; (c) ensure that: (i) the Recipient Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 9); (ii) it takes all reasonable steps to ensure the reliability and integrity of any Recipient Personnel who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Recipient’s duties under this clause; (B) are subject to appropriate confidentiality undertakings with the Recipient or any Sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Funder or as otherwise permitted by this Agreement; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; and (d) not transfer Personal Data outside of the EU unless the prior written consent of the Funder has been obtained and the following conditions are fulfilled: (i) the Funder or the Recipient has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Funder; (ii) the Data Subject has enforceable rights and effective legal remedies; (iii) the Recipient complies with its obligations under the Data
Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Funder in meeting its obligations); and (iv) the Recipient complies with any reasonable instructions notified to it in advance by the Funder with respect to the processing of the Personal Data; (e) at the written direction of the Funder, delete or return Personal Data (and any copies of it) to the Funder on termination of the Agreement unless the Recipient is required by Law to retain the Personal Data. 12.5 Subject to clause 12.6, the Recipient shall notify the Funder immediately if it: (a) receives a Data Subject Access Request (or purported Data Subject Access Request); (b) receives a request to rectify, block or erase any Personal Data; (c) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; (d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; (e) receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or (f) becomes aware of a Data Loss Event. 12.6 The Recipient’s obligation to notify under clause 12.5 shall include the provision of further information to the Funder in phases, as details become available. 
12.7 Taking into account the nature of the processing, the Recipient shall provide the Funder with full assistance in relation to either party's obligations under Data Protection Legislation and any complaint, communication or request made under clause 12.5 (and insofar as possible within the timescales reasonably required by the Funder) including by promptly providing: (a) the Funder with full details and copies of the complaint, communication or request; (b) such assistance as is reasonably requested by the Funder to enable the Funder to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; (c) the Funder, at its request, with any Personal Data it holds in relation to a Data Subject; (d) assistance as requested by the Funder following any Data Loss Event; (e) assistance as requested by the Funder with respect to any request from the Information Commissioner’s Office, or any consultation by the Funder with the Information Commissioner's Office. 12.8 The Recipient shall maintain complete, up-to-date and accurate records at all times and information to demonstrate its compliance with this clause. This requirement does not apply where the Recipient employs fewer than 250 staff, unless: (a) the Funder determines that the processing is not occasional; (b) the Funder determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; and (c) the Funder determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. 
12.9 The Recipient shall allow for audits of its Data Processing activity by the Funder or the Funder’s designated auditor. The Funder is entitled, on giving at least three Working 12.10 The Recipient shall designate a data protection officer if required by the data protection legislation. 12.11 Before allowing any Sub-processor to process any Personal Data related to this Agreement, the Recipient must: (a) notify the Funder in writing of the intended Sub-processor and processing; (b) obtain the written consent of the Funder; (c) enter into a written agreement with the Sub-processor which give effect to the terms set out in this clause 12 such that they apply to the Sub-processor; and (d) provide the Funder with such information regarding the Sub-processor as the Funder may reasonably require. 12.12 The Recipient shall remain fully liable for all acts or omissions of any Sub-processor. 12.13 The Funder may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Agreement). 12.14 The parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Funder may on not less than 30 Working Days’ notice to the Recipient amend this agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office. 12.15 The Recipient shall undertake all of the above processing activities at its own expense and at no extra cost to the Funder. 12.16 The Funder retention and disposal schedule as provided will be followed by the Recipient where appropriate and relevant; no decisions on retention or disposal are to be made by the Recipient unless it is part of detailed Processing under this Agreement.
12.17 The Recipient shall without undue delay inform the Funder if any Personal Data is lost or destroyed or becomes damaged, corrupted, or unusable. The Recipient will make regular backups of the Personal Data and will restore such Personal Data at its own expense.

Appears in 1 contract

Samples: Grant Agreement

Data Protection. 21.1. The Parties acknowledge that for the purposes of the Data Protection Legislation, the Authority is the Controller and the Service Provider is the Processor. The only processing that the Service Provider is authorised to do is listed in Schedule 4 by the Authority and may not be determined by the Service Provider. 21.2. The Service Provider shall notify the Authority immediately if it considers that any of the Authority's instructions infringe the Data Protection Legislation. 21.3. The Service Provider shall provide all reasonable assistance to the Authority in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Authority, include: a. a systematic description of the envisaged processing operations and the purpose of the processing; b. an assessment of the necessity and proportionality of the processing operations in relation to the Services; c. an assessment of the risks to the rights and freedoms of Data Subjects; and d. the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 21.4. The Service Provider shall carry out its own Data Protection Impact Assessment prior to commencing any processing under this Agreement where required under the Data Protection Legislation and otherwise as may be appropriate to ensure the security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, and shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: a.
process that Personal Data only in accordance with Schedule 4, unless the Service Provider is required to do otherwise by Law. If it is so required the Service Provider shall promptly notify the Authority before processing the Personal Data unless prohibited by Law; b. ensure that it has in place Protective Measures, which have been reviewed and approved by the Authority as appropriate to protect against a Data Loss Event having taken account of the: i. nature of the data to be protected; ii. harm that might result from a Data Loss Event; iii. state of technological development; and iv. cost of implementing any measures; c. ensure that: i. the Service Provider’s Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 4); ii. it takes all reasonable steps to ensure the reliability and integrity of any Service Provider’s Personnel who have access to the Personal Data and ensure that they: A. are aware of and comply with the Service Provider’s duties under this Clause; B. are subject to appropriate confidentiality undertakings with the Service Provider or any Sub-Processor; C. are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Authority or as otherwise permitted by this Agreement; and D. have undergone adequate training in the use, care, protection and handling of Personal Data; and d. not transfer Personal Data outside of the EU unless the prior written consent of the Authority has been obtained and the following conditions are fulfilled: i.
the Authority or the Service Provider has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Authority; ii. the Data Subject has enforceable rights and effective legal remedies; iii. the Service Provider complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Authority in meeting its obligations); and iv. the Service Provider complies with any reasonable instructions notified to it in advance by the Authority with respect to the processing of the Personal Data; e. at the written direction of the Authority, and at the Service Provider’s sole cost, delete or return Personal Data (and any copies of it) to the Authority on termination of the Agreement unless the Service Provider is required by Law to retain the Personal Data. 21.5. Subject to Clause 21.6, the Service Provider shall notify the Authority immediately if it: a. receives a Data Subject Access Request (or purported Data Subject Access Request); b. receives a request to rectify, block or erase any Personal Data; c. receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; d. receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; e. receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or f. becomes aware of a Data Loss Event. 21.6. The Service Provider’s obligation to notify under Clause 21.5 shall include the provision of further information to the Authority in phases, as details become available. 21.7.
Taking into account the nature of the processing, the Service Provider shall provide the Authority with full assistance in relation to either Party's obligations under Data Protection Legislation including any complaint, communication or request made under Clause 21.5 (and insofar as possible within the timescales reasonably required by the Authority) including by promptly providing: a. the Authority with full details and copies of the complaint, communication or request; b. such assistance as is reasonably requested by the Authority to enable the Authority to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; c. the Authority, at its request, with any Personal Data it holds in relation to a Data Subject; d. assistance as requested by the Authority following any Data Loss Event including but not limited to all information and findings relating to any internal or external investigation into the Data Loss Event; e. assistance as requested by the Authority with respect to any request from the Information Commissioner’s Office, or any consultation by the Authority with the Information Commissioner's Office. 21.8. The Service Provider shall maintain complete and accurate records and information to demonstrate its compliance with this Clause 21. This requirement does not apply where the Service Provider employs fewer than 250 staff, unless: a. the Authority determines that the processing is not occasional; b. the Authority determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; and c. the Authority determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. 21.9. The Service Provider shall allow for audits of its Data Processing activity by the Authority or the Authority’s designated auditor. 21.10. 
The Service Provider shall designate a Data Protection Officer if required by the Data Protection Legislation. 21.11. Before allowing any Sub-Processor to process any Personal Data related to this Agreement, the Service Provider must: a. notify the Authority in writing of the intended Sub-Processor and processing;

Appears in 1 contract

Samples: Contract for the Provision of Services

Data Protection. 1.1. The Parties acknowledge that for the purposes of the Data Protection Legislation, the Council is the Controller and the Contractor is the Processor. The only processing that the Contractor is authorised to do is listed in schedule 1A below by the Council and may not be determined by the Contractor. 1.2. The Contractor shall notify the Council immediately if it considers that any of the Council’s instructions infringe the Data Protection Legislation. 1.3. The Contractor shall provide all reasonable assistance to the Council in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance, at the discretion of the Council, include: (a) systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures, and mechanisms to ensure the protection of Personal Data. 1.4. The Contractor shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: (a) process that Personal Data only in accordance with schedule 1A below unless the Contractor is required to do otherwise by Law. 
If it is so required the Contractor shall promptly notify the Council before processing the Personal Data unless prohibited by Law; (b) ensure that it has in place Protective Measures, which have been reviewed and approved by the Council as appropriate to protect against a Data Loss Event having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; (c) ensure that: (i) the Contractor Personnel do not process Personal Data except in accordance with this Contract (and in particular schedule 1A); (ii) it takes all reasonable steps to ensure the reliability and integrity of any Contractor Personnel who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Contractor’s duties under this clause; (B) are subject to appropriate confidentiality undertakings with the Contractor or any Sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Council or as otherwise permitted by this Contract; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; and (d) not transfer Personal Data outside of the EU unless the prior written consent of the Council has been obtained and the following conditions are fulfilled: (e) the Council or the Contractor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 47) as determined by the Council; (f) the Data Subject has enforceable rights and 
effective legal remedies; (g) the Contractor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Council in meeting its obligations); and (h) the Contractor complies with any reasonable instructions notified to it in advance by the Council with respect to the processing of the Personal Data; (i) at the written direction of the Council, delete or return Personal Data and any copies of it to the Council on termination of the Contract unless the Contractor is required by Law to retain the Personal Data. 1.5. Subject to clause 1.6, the Contractor shall notify the Council immediately if it: (a) receives a Data Subject Access Request (or purported Data Subject Access Request); (b) receives a request to rectify, block or erase any Personal Data; (c) receives any other request, complaint or communication relating to either Party’s obligations under the Data Protection Legislation; (d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; (e) receives a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or (f) becomes aware of a Data Loss Event. 1.6. The Contractor’s obligation to notify under clause 1.5 shall include the provision of further information to the Council in phases as details become available.

Appears in 1 contract

Samples: Contract for Goods/Services

Data Protection. 2.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, we are the Controller and you are the Processor. The only processing that the Processor is authorised to do is listed in Appendix 1 by the Controller and may not be determined by the Processor. The term “processing” and any associated terms are to be read in accordance with Article 4 of the UK GDPR. 2.2 The Processor shall notify the Controller immediately if it considers that any of the Controller's instructions infringe the Data Protection Legislation. 2.3 If the Controller considers a Data Protection Impact Assessment (DPIA) is needed, the Processor shall provide all reasonable assistance to the Controller in preparing the DPIA prior to commencing any processing. Such assistance may, at the discretion of the Controller, include: a systematic description of the envisaged processing operations and the purpose of the processing; an assessment of the necessity and proportionality of the processing operations in relation to the Services; an assessment of the risks to the rights and freedoms of Data Subjects; and the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 2.4 The Processor shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: a. process that Personal Data only in accordance with Appendix 1, unless the Processor is required to do otherwise by Law. If it is so required the Processor shall promptly notify the Controller before processing the Personal Data unless prohibited by Law; b. 
ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Controller may reasonably reject. In the event of the Controller reasonably rejecting Protective Measures put in place by the Processor, the Processor must propose alternative Protective Measures to the satisfaction of the Controller. Failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures. Protective Measures must take account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; c. ensure that: (i) the Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Appendix 1); (ii) it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Processor’s duties under this clause; (B) are subject to appropriate confidentiality undertakings with the Processor or any Sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Controller or as otherwise permitted by this Agreement; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; and d. 
not transfer Personal Data outside of the UK unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled: (i) the destination country has been recognised as adequate by the UK government in accordance with Article 45 UK GDPR or section 74 of the DPA 2018; (ii) the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with UK GDPR Article 46 or section 75 DPA 2018) as determined by the Controller; (iii) the Data Subject has enforceable rights and effective legal remedies; (iv) the Processor complies with its obligations under Data Protection Legislation by providing an appropriate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and (v) the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data; e. at the written direction of the Controller, delete or return Personal Data (and any copies of it) to the Controller on termination of the Agreement unless the Processor is required by Law to retain the Personal Data. 2.5 Subject to paragraph 2.6, the Processor shall notify the Controller immediately if it: a. receives a Data Subject Request (or purported Data Subject Request); b. receives a request to rectify, block or erase any Personal Data; c. receives any other request, complaint or communication relating to either Party's obligations under Data Protection Legislation; d. receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; e. receives a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or f. becomes aware of a Data Loss Event. 
2.6 The Processor’s obligation to notify under paragraph 2.5 shall include the provision of further information to the Controller, as details become available. 2.7 Taking into account the nature of the processing, the Processor shall provide the Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under paragraph 2.5 (and insofar as possible within the timescales reasonably required by the Controller). 2.8 The Processor shall maintain complete and accurate records and information to demonstrate its compliance with this clause. 2.9 The Processor shall allow for audits of its Data Processing activity by the Controller or the Controller’s designated auditor. 2.10 Before allowing any Sub-processor to process any Personal Data related to this Agreement, the Processor must: a. notify the Controller in writing of the intended Sub-processor and processing;

Appears in 1 contract

Samples: Grant Agreement

Data Protection. 13.1. The Parties acknowledge that for the purposes of the Data Protection Legislation, you are the Controller and we are the Processor, unless otherwise specified in Contract Schedule 1. The only processing that the Processor is authorised to do is listed in Contract Schedule 1 by the Controller and may not be determined by the Processor. 13.2. The Processor shall notify the Controller immediately if it considers that any of the Controller's instructions infringe the Data Protection Legislation (provided the Processor is not responsible to the Controller for providing legal advice in respect of the Data Protection Legislation, and shall not be liable if any such notification turns out to be incorrect). 13.3. The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Controller, include: 13.3.1. a systematic description of the envisaged processing operations and the purpose of the processing; 13.3.2. an assessment of the necessity and proportionality of the processing operations in relation to the Services; 13.3.3. an assessment of the risks to the rights and freedoms of Data Subjects; and 13.3.4. the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 13.4. The Processor shall, in relation to any Personal Data processed in connection with its obligations under this Contract: 13.4.1. process that Personal Data only in accordance with Contract Schedule 1, unless the Processor is required to do otherwise by Law. If it is so required the Processor shall promptly notify the Controller before processing the Personal Data unless prohibited by Law; 13.4.2. 
ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), having taken account of the: nature of the data to be protected; harm that might result from a Data Loss Event; state of technological development; and cost of implementing any measures; ensure that : the Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 7); it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they:

Appears in 1 contract

Samples: Confidentiality Agreement

Data Protection. 2.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Authority is the Controller and the Provider is the Processor unless otherwise specified in Appendix 1 to this Data Processor Schedule. The only processing that the Processor is authorised to do is listed in Appendix 1 to this Data Processor Schedule by the Controller and may not be determined by the Processor. 2.2 The Processor shall notify the Controller immediately if it considers that any of the Controller's instructions infringe the Data Protection Legislation. 2.3 The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Controller, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 2.4 The Processor shall, in relation to any Personal Data processed in connection with its obligations under the Agreement: (a) process that Personal Data only in accordance with Appendix 1 to this Data Processor Schedule, unless the Processor is required to do otherwise by Law. 
If it is so required the Processor shall promptly notify the Controller before processing the Personal Data unless prohibited by Law; (b) ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; (c) ensure that: (i) the Processor Staff do not process Personal Data except in accordance with the Agreement, including the terms of this Data Processor Schedule and Appendix 1 to it; (ii) it takes all reasonable steps to ensure the reliability and integrity of any Processor Staff who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Processor’s duties under this paragraph; (B) are subject to appropriate confidentiality undertakings with the Processor or any Sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Controller or as otherwise permitted by the Agreement; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; and (d) not transfer Personal Data outside of the EU unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled: (i) the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Controller; (ii) the Data Subject has enforceable rights and effective legal remedies; 
(iii) the Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and (iv) the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data; (e) at the written direction of the Controller, delete or return Personal Data (and any copies of it) to the Controller on termination of the Agreement unless the Processor is required by Law to retain the Personal Data. 2.5 Subject to paragraph 2.6, the Processor shall notify the Controller immediately if it: (a) receives a Data Subject Request (or purported Data Subject Request); (b) receives a request to rectify, block or erase any Personal Data; (c) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; (d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under the Agreement; (e) receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or (f) becomes aware of a Data Loss Event. 2.6 The Provider will provide all reasonable assistance to the Controller in investigating and mitigating any potential or confirmed Data Loss Event. 2.7 The Processor’s obligation to notify under paragraph 2.5 shall include the provision of further information to the Controller in phases, as details become available. 
2.8 Taking into account the nature of the processing, the Processor shall provide the Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under paragraph 2.5 (and insofar as possible within the timescales reasonably required by the Controller) including by promptly providing: (a) the Controller with full details and copies of the complaint, communication or request; (b) such assistance as is reasonably requested by the Controller to enable the Controller to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation; (c) the Controller, at its request, with any Personal Data it holds in relation to a Data Subject; (d) assistance as requested by the Controller following any Data Loss Event; (e) assistance as requested by the Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Controller with the Information Commissioner's Office. 2.9 The Processor shall maintain complete and accurate records and information to demonstrate its compliance with this paragraph. This requirement does not apply where the Processor employs fewer than 250 staff, unless: (a) the Controller determines that the processing is not occasional; (b) the Controller determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; or (c) the Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. 2.10 The Processor shall allow for audits of its Data Processing activity by the Controller or the Controller’s designated auditor. 2.11 Each Party shall designate its own data protection officer if required by the Data Protection Legislation. 
2.12 Before allowing any Sub-processor to process any Personal Data related to the Agreement, the Processor must: (a) notify the Controller in writing of the intended Sub-processor and processing; (b) obtain the written consent of the Controller; (c) enter into a written agreement with the Sub-processor which gives effect to the terms set out in this paragraph 2.11 such that they apply to the Sub-processor; and (d) provide the Controller with such information regarding the Sub-processor as the Controller may reasonably require. 2.13 The Processor shall remain fully liable for all acts or omissions of any of its Sub-processors. 2.14 The Controller may, at any time on not less than 30 Working Days’ notice, revise this paragraph by replacing it with any applicable controller to processor standard paragraphs or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to the Agreement). 2.15 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Controller may on not less than 30 Working Days’ notice to the Processor amend the Agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office. 1. The contact details of the Controller’s Data Protection Officer are: Xxxxxxxx Xxxxxxxx, Data Protection Officer, Town Hall, Xxxxxx. Xxxxxxxx.xxxxxxxx@xxxxxx.xxx.xx 2. The contact details of the Processor’s Data Protection Officer are:

Appears in 1 contract

Samples: Dynamic Purchasing System Agreement

Data Protection. The Parties acknowledge that for the purposes of the Data Protection Legislation, the Client is the Controller and the Consultant is the Processor unless otherwise specified in Schedule [X]. The only processing that the Processor is authorised to do is listed in Contract Schedule [X] by the Controller and may not be determined by the Processor. The Processor shall notify the Controller immediately if it considers that any of the Controller's instructions infringe the Data Protection Legislation. The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Controller, include: a systematic description of the envisaged processing operations and the purpose of the processing; an assessment of the necessity and proportionality of the processing operations in relation to the Services; an assessment of the risks to the rights and freedoms of Data Subjects; and the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. The Processor shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: process that Personal Data only in accordance with Contract Schedule [X], unless the Processor is required to do otherwise by Law. 
If it is so required the Processor shall promptly notify the Controller before processing the Personal Data unless prohibited by Law; ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), having taken account of the: nature of the data to be protected; harm that might result from a Data Loss Event; state of technological development; and cost of implementing any measures; ensure that: the Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule X); it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they: are aware of and comply with the Processor's duties under this clause; are subject to appropriate confidentiality undertakings with the Processor or any Sub-processor; are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Controller or as otherwise permitted by this Agreement; and have undergone adequate training in the use, care, protection and handling of Personal Data; and not transfer Personal Data outside of the UK unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled: the Controller or the Processor has provided appropriate safeguards in relation to the transfer (in accordance with the Data Protection Legislation) as determined by the Controller; the Data Subject has enforceable rights and effective legal remedies; the Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, 
if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data; at the written direction of the Controller, delete or return Personal Data (and any copies of it) to the Controller on termination of the Agreement unless the Processor is required by Law to retain the Personal Data.

Appears in 1 contract

Samples: JCT Consultancy Agreement

Data Protection. 16.1 The parties acknowledge that for the purposes of the Data Protection Legislation, the HCC is the Controller and the Service Provider is the Processor unless otherwise specified in Contract Schedule 3. The only processing that the Processor is authorised to do is listed in Contract Schedule 3 by the Controller and may not be determined by the Processor. 16.2 The Processor shall notify the Controller immediately if it considers that any of the Controller's instructions infringe the Data Protection Legislation. 16.3 The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Controller, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 16.4 The Processor shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: (a) process that Personal Data only in accordance with Contract Schedule 3, unless the Processor is required to do otherwise by Law. 
If it is so required the Processor shall promptly notify the Controller before processing the Personal Data unless prohibited by Law; (b) ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; (c) ensure that: (i) the Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 3); (ii) it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Processor’s duties under this clause 16; (B) are subject to appropriate confidentiality undertakings with the Processor or any Sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any Third Party unless directed in writing to do so by the Controller or as otherwise permitted by this Agreement; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; and (d) not transfer Personal Data outside of the EU unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled: (i) the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Controller; (ii) the Data Subject has enforceable rights and effective legal remedies; (iii) the Processor complies with its obligations under the Data Protection Legislation by 
providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and (iv) the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data; (e) at the written direction of the Controller, delete or return Personal Data (and any copies of it) to the Controller on termination, cancellation or expiry of this Agreement unless the Processor is required by Law to retain the Personal Data. 16.5 Subject to clause 16.6, the Processor shall notify the Controller immediately if it: (a) receives a Data Subject Request (or purported Data Subject Request); (b) receives a request to rectify, block or erase any Personal Data; (c) receives any other request, complaint or communication relating to either party's obligations under the Data Protection Legislation; (d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; (e) receives a request from any Third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or (f) becomes aware of a Data Loss Event. 16.6 The Processor’s obligation to notify under clause 16.5 shall include the provision of further information to the Controller in phases, as details become available. 
16.7 Taking into account the nature of the processing, the Processor shall provide the Controller with full assistance in relation to either party's obligations under Data Protection Legislation and any complaint, communication or request made under clause 16.5 (and insofar as possible within the timescales reasonably required by the Controller) including by promptly providing: (a) the Controller with full details and copies of the complaint, communication or request; (b) such assistance as is reasonably requested by the Controller to enable the Controller to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation; (c) the Controller, at its request, with any Personal Data it holds in relation to a Data Subject; (d) assistance as requested by the Controller following any Data Loss Event; (e) assistance as requested by the Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Controller with the Information Commissioner's Office. 16.8 The Processor shall maintain complete and accurate records and information to demonstrate its compliance with this clause 16. This requirement does not apply where the Processor employs fewer than 250 staff, unless: (a) the Controller determines that the processing is not occasional; (b) the Controller determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; or (c) the Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. 16.9 The Processor shall allow for audits of its Data Processing activity by the Controller or the Controller’s designated auditor. 16.10 Each party shall designate its own data protection officer if required by the Data Protection Legislation. 
16.11 Before allowing any Sub-processor to process any Personal Data related to this Agreement, the Processor must: (a) notify the Controller in writing of the intended Sub-processor and processing; (b) obtain the written consent of the Controller; (c) enter into a written agreement with the Sub-processor which gives effect to the terms set out in this clause 16 such that they apply to the Sub-processor; and (d) provide the Controller with such information regarding the Sub-processor as the Controller may reasonably require. 16.12 The Processor shall remain fully liable for all acts or omissions of any of its Sub-processors. 16.13 The Controller may, at any time on not less than 30 Business Days’ notice, revise this clause 16 by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Agreement). 16.14 The parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Controller may on not less than 30 Business Days’ notice to the Processor amend this Agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office.

Appears in 1 contract

Samples: Services Agreement

Data Protection. 20.1 The parties acknowledge that for the purposes of the Data Protection Legislation, the nature of the activity carried out by each of them in relation to their respective obligations under this DPS Agreement will determine the status of each party under the Data Protection Legislation. A party may act as: 20.1.1 Controller (where the other party acts as the Processor); 20.1.2 Processor (where the other party acts as the Controller); 20.1.3 Joint Controller (where both parties are considered to jointly control the same Personal Data); and 20.1.4 Independent Controller of the Personal Data where the other party is also Controller of the same Personal Data in its own right (but there is no element of joint control); and the parties shall set out in Schedule 12 (Processing Personal Data) which scenario or scenarios are intended to apply under this DPS Agreement. 20.2 Where a party is a Processor, the only processing that it is authorised to do is listed in Contract Schedule 12 (Processing Personal Data) by the Controller. 20.3 The Processor shall notify the Controller immediately if it considers that any of the Controller’s instructions infringe the Data Protection Legislation. 20.4 The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. 
Such assistance may, at the discretion of the Controller, include: 20.4.1 a systematic description of the envisaged processing operations and the purpose of the processing; 20.4.2 an assessment of the necessity and proportionality of the processing operations in relation to the requirements of the Administering Authority hereunder; 20.4.3 an assessment of the risks to the rights and freedoms of Data Subjects; and 20.4.4 the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 20.5 The Processor shall, in relation to any Personal Data processed in connection with its obligations under this DPS Agreement: 20.5.1 process that Personal Data only in accordance with Contract Schedule 12 (Processing Personal Data), unless the Processor is required to do otherwise by Law. If it is so required the Processor shall promptly notify the Contracting Authority before processing the Personal Data unless prohibited by Law; 20.5.2 ensure that it has in place Protective Measures which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures) having taken account of the: (a) nature of the data to be protected; (b) harm that might result from a Data Loss Event; (c) state of technological development; and (d) cost of implementing any measures; 20.5.3 ensure that: (i) the Processor Personnel do not process Personal Data except in accordance with this DPS Agreement (and in particular Schedule 12 (Processing Personal Data)); (ii) it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Processor’s duties under this Xxxxxx and Clauses 17 
(Confidentiality) and 19 (Freedom of Information); (B) are subject to appropriate confidentiality undertakings with the Processor or any Sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Controller or as otherwise permitted by this DPS Agreement; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; 20.5.4 not transfer Personal Data outside of the UK unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled: (a) the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or DPA 2018 Section 75) as determined by the Controller; (b) the Data Subject has enforceable rights and effective legal remedies; (c) the Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and (d) the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data; and 20.5.5 at the written direction of the Controller, delete or return Personal Data (and any copies of it) to the Controller on termination of this DPS Agreement unless the Processor is required by Law to retain the Personal Data. 
20.6 Subject to Clause 20.7 (Data Protection), the Processor shall notify the Controller immediately if it: 20.6.1 receives a Data Subject Request (or purported Data Subject Request); 20.6.2 receives a request to rectify, block or erase any Personal Data; 20.6.3 receives any other request, complaint or communication relating to either party's obligations under the Data Protection Legislation; 20.6.4 receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this DPS Agreement; 20.6.5 receives a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or 20.6.6 becomes aware of a Data Loss Event. 20.7 The Processor’s obligation to notify under Clause 20.6 (Data Protection) shall include the provision of further information to the Controller in phases, as details become available. 20.8 Taking into account the nature of the processing, the Processor shall provide the Controller with reasonable assistance in relation to either party's obligations under Data Protection Legislation and any complaint, communication or request made under Clause 20.6 (Data Protection) (and insofar as possible within the timescales reasonably required by the Controller) including by promptly providing: 20.8.1 the Controller with full details and copies of the complaint, communication or request; 20.8.2 such assistance as is reasonably requested by the Controller to enable it to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation; 20.8.3 the Controller, at its request, with any Personal Data it holds in relation to a Data Subject; 20.8.4 assistance as requested by the Controller following any Data Loss Event; and/or 20.8.5 assistance as requested by the Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the 
Controller with the Information Commissioner's Office. 20.9 The Processor shall maintain complete and accurate records and information to demonstrate its compliance with this Clause. This requirement does not apply where the Processor employs fewer than 250 staff, unless: 20.9.1 the Controller determines that the processing is not occasional; 20.9.2 the Controller determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; or 20.9.3 the Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. 20.10 The Processor shall allow for Audits of its Data Processing activity by the Controller or the Controller’s designated auditor. 20.11 The parties shall designate a Data Protection Officer if required by the Data Protection Legislation. 20.12 Before allowing any Sub-processor to process any Personal Data related to this DPS Agreement, the Processor must: 20.12.1 notify the Controller in writing of the intended Sub-processor and processing; 20.12.2 obtain the written consent of the Controller; 20.12.3 enter into a written agreement with the Sub-processor which give effect to the terms set out in this Clause 20 (Data Protection) such that they apply to the Sub-processor; and 20.12.4 provide the Controller with such information regarding the Sub-processor as the Controller may reasonably require. 20.13 The Processor shall remain fully liable for all acts or omissions of any of its Sub-processors. 20.14 The Contracting Authority may, at any time on not less than thirty (30) Working Days’ notice, revise this Clause by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this DPS Agreement). 
20.15 The parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Contracting Authority may on not less than thirty (30) Working Days’ notice to the Provider amend this DPS Agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office. 20.16 In the event that the parties are Joint Controllers in respect of Personal Data under this DPS Agreement, the parties shall implement Clauses that are necessary to comply with GDPR Article 26 based on the terms set out in Annex 1 to Schedule 12 (Processing Personal Data). 20.17 With respect to Personal Data provided by one party to the other party for which each party acts as Controller but which is not under the Joint Control of the parties, each party undertakes to comply with the applicable Data Protection Legislation in respect of their processing of such Personal Data as Controller. 20.18 Each party shall process the Personal Data in compliance with its obligations under the Data Protection Legislation and not do anything to cause the other party to be in breach of it. 20.19 Where a party has provided Personal Data to the other party in accordance with Clause 20.17 (Data Protection), the recipient of the Personal Data will provide all such relevant documents and information relating to its data protection policies and procedures as the other party may reasonably require. 20.20 The parties shall be responsible for their own compliance with Articles 13 and 14 GDPR in respect of the processing of Personal Data for the purposes of this DPS Agreement. 
20.21 The parties shall only provide Personal Data to each other: 20.21.1 to the extent necessary to perform the respective obligations under this DPS Agreement; and 20.21.2 in compliance with the Data Protection Legislation (including by ensuring all required fair processing information has been given to affected Data Subjects); and 20.21.3 where it has recorded it in Schedule 12 (Processing Personal Data). 20.22 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, each party shall, with respect to its processing of Personal Data as independent Controller, implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1)(a), (b), (c) and (d) of the GDPR, and the measures shall, at a minimum, comply with the requirements of the Data Protection Legislation, including Article 32 of the GDPR. 20.23 A party processing Personal Data for the purposes of this DPS Agreement shall maintain a record of its processing activities in accordance with Article 30 GDPR and shall make the record available to the other party upon reasonable request. 
20.24 Where a party receives a request by any Data Subject to exercise any of their rights under the Data Protection Legislation in relation to the Personal Data provided to it by the other party pursuant to this DPS Agreement (the Request Recipient): 20.24.1 the other party shall provide any information and/or assistance as reasonably requested by the Request Recipient to help it respond to the request or correspondence, at the cost of the Request Recipient; or 20.24.2 where the request or correspondence is directed to the other party and/or relates to the other party's Processing of the Personal Data, the Request Recipient will: (a) promptly, and in any event within five (5) Working Days of receipt of the request or correspondence, inform the other party that it has received the same and shall forward such request or correspondence to the other party; and (b) provide any information and/or assistance as reasonably requested by the other party to help it respond to the request or correspondence in the timeframes specified by Data Protection Legislation. 20.25 Each party shall promptly notify the other party upon it becoming aware of any Personal Data Breach relating to Personal Data provided by the other party pursuant to this DPS Agreement and shall: 20.25.1 do all such things as reasonably necessary to assist the other party in mitigating the effects of the Personal Data Breach; 20.25.2 implement any measures necessary to restore the security of any compromised Personal Data; 20.25.3 work with the other party to make any required notifications to the Information Commissioner’s Office and affected Data Subjects in accordance with the Data Protection Legislation (including the timeframes set out therein); and 20.25.4 not do anything which may damage the reputation of the other party or that party's relationship with the relevant Data Subjects, save as required by Law. 
20.26 Personal Data provided by one party to the other party may be used exclusively to exercise rights and obligations under this DPS Agreement as specified in Schedule 12 (Processing Personal Data). 20.27 Personal Data shall not be retained or processed for longer than is necessary to perform each Party’s obligations under this DPS Agreement which is specified in Schedule 12 (Processing Personal Data). 20.28 Notwithstanding the general application of Clauses 20.2 – 20.15 (Data Protection) to Personal Data, where the Provider is required to exercise its regulatory and/or legal obligations in respect of Personal Data, it shall act as an Independent Controller of Personal Data in accordance with Clause 20.16 – 20.27 (Data Protection).

Appears in 1 contract

Samples: Dynamic Purchasing System Agreement

Data Protection. 1.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Authority is the Controller and the Grant Recipient is the Processor unless otherwise specified in this Annex 8. The only processing that the Processor is authorised to do is listed in Part 1 of Annex 8 by the Controller and may not be determined by the Processor. 1.2 The Processor shall notify the Controller immediately if it considers that any of the Controller's instructions infringe the Data Protection Legislation. 1.3 The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Controller, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of data subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 1.4 The Processor shall, in relation to any Personal Data processed in connection with its obligations under these Conditions: (a) process that Personal Data only in accordance with this Annex 8, unless the Processor is required to do otherwise by Law. 
If it is so required, the Processor shall promptly notify the Controller before processing the Personal Data unless prohibited by Law; (b) ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; (c) ensure that: (i) the Processor Personnel do not process Personal Data except in accordance with these Conditions (and in particular Part 1 of Annex 8); (ii) it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Processor’s duties under this paragraph; (B) are subject to appropriate confidentiality undertakings with the Processor or any sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any Third Party unless directed in writing to do so by the Controller or as otherwise permitted by these Conditions; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; and (d) not transfer Personal Data outside of the EU unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled: (i) the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Controller; (ii) the Data Subject has enforceable rights and effective legal remedies; (iii) the Processor complies with its 
obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and (iv) the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data; (e) at the written direction of the Controller, delete or return Personal Data (and any copies of it) to the Controller on termination of the Agreement unless the Processor is required by Law to retain the Personal Data. 1.5 Subject to paragraph 1.6, the Processor shall notify the Controller immediately if it: (a) receives a Data Subject Request (or purported Data Subject Request); (b) receives a request to rectify, block or erase any Personal Data; (c) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; (d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under these Conditions; (e) receives a request from any Third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or (f) becomes aware of a Data Loss Event. 1.6 The Processor’s obligation to notify under paragraph 1.5 shall include the provision of further information to the Controller in phases, as details become available. 
1.7 Taking into account the nature of the processing, the Processor shall provide the Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under paragraph 1.5 (and insofar as possible within the timescales reasonably required by the Controller) including by promptly providing: (a) the Controller with full details and copies of the complaint, communication or request; (b) such assistance as is reasonably requested by the Controller to enable the Controller to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation; (c) the Controller, at its request, with any Personal Data it holds in relation to a Data Subject; (d) assistance as requested by the Controller following any Data Loss Event; (e) assistance as requested by the Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Controller with the Information Commissioner's Office. 1.8 The Processor shall maintain complete and accurate records and information to demonstrate its compliance with this paragraph. This requirement does not apply where the Processor employs fewer than 250 staff, unless: (a) the Controller determines that the processing is not occasional; (b) the Controller determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; or (c) the Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. 1.9 The Processor shall allow for audits of its Data Processing activity by the Controller or the Controller’s designated auditor. 1.10 Each Party shall designate its own data protection officer if required by the Data Protection Legislation. 
1.11 Before allowing any Sub-processor to process any Personal Data related to these Conditions, the Processor must: (a) notify the Controller in writing of the intended Sub-processor and processing; (b) obtain the written consent of the Controller; (c) enter into a written agreement with the Sub-processor which give effect to the terms set out in this paragraph 1.11 such that they apply to the Sub-processor; and (d) provide the Controller with such information regarding the Sub-processor as the Controller may reasonably require. 1.12 The Processor shall remain fully liable for all acts or omissions of any of its Sub-processors. 1.13 The Controller may, at any time on not less than 30 Working Days’ notice, revise this paragraph by replacing it with any applicable controller to processor standard paragraphs or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to these Conditions). 1.14 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Controller may on not less than 30 Working Days’ notice to the Processor amend these Conditions to ensure that it complies with any guidance issued by the Information Commissioner’s Office. 1.15 Where the Parties include two or more Joint Controllers as identified in Part 1 of Annex 8 in accordance with GDPR Article 26, those Parties shall enter into a Joint Controller Agreement based on the terms outlined in Part 2 of Annex 8 in replacement of paragraphs 1.1-1.14 for the Personal Data under Joint Control. This Xxxxx shall be completed by the Controller, who may take account of the view of the Processors, however the final decision as to the content of this Annex shall be with the Controller at its absolute discretion. 1. The contact details of the Controller’s Data Protection Officer are: [Insert Contact details]

Appears in 1 contract

Samples: Grant Funding Agreement

Data Protection. 5.1 Each party shall for the duration of the provision of the Services by the Supplier to the Customer comply with the provisions of the Data Protection Legislation and shall not do or permit anything to be done which might cause or otherwise result in breach of the same. 5.2 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Controller and the Supplier is the Processor. The only processing that the Supplier is authorised to do is determined by the Customer and may not be determined by the Supplier. 5.3 The Supplier shall notify the Customer immediately if it considers that any of the Customer's instructions infringe the Data Protection Legislation. 5.4 The Supplier shall provide all reasonable assistance to the Customer in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Customer, include: a) a systematic description of the envisaged processing operations and the purpose of the processing; b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; c) an assessment of the risks to the rights and freedoms of Data Subjects; and d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 5.5 The Supplier shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: (a) process that Personal Data only in accordance with the Customer’s written instructions, unless the Supplier is required to do otherwise by Law. 
If it is so required the Supplier shall promptly notify the Customer before processing the Personal Data unless prohibited by Law; (b) ensure that it has in place Protective Measures, which have been reviewed and approved by the Customer as appropriate to protect against a Data Loss Event having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures;

Appears in 1 contract

Samples: Data Protection Agreement

Data Protection. 19.1 The Lessor shall, and shall procure that all staff shall, comply with any notification requirements under DPA and all Parties shall duly observe all their obligations under the DPA which arise in connection with the Agreement. 19.2 It is not envisaged that for the purposes of management that there will be any provision of Personal Data to the Lessor by Lessee for processing. This Clause does not seek to limit or obviate the responsibilities of the Lessee or the Lessor to Personal Data. 19.3 Whilst it is not envisaged that there will be any provision of Personal Data by Xxxxxx to the Lessor, should this situation alter then the following Clauses 19.4 – 19.17 apply. 19.4 All Parties acknowledge that for the purposes of the Data Protection Legislation, the Lessee is the Controller and the Lessor is the Processor. The only processing that the Lessor is authorised to undertake will be notified in writing by the Xxxxxx. Changes to processing may not be determined by the Lessor. 19.5 The Lessor shall notify the Xxxxxx immediately if it considers that any of the Xxxxxx's instructions infringe the DPA. 19.6 The Lessor shall provide all reasonable assistance to the Lessee in the preparation of any Data Protection Impact Assessment prior to commencing any processing. 
Such assistance may, at the discretion of the Lessee, include: (a) systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to this Agreement; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 19.7 The Lessor shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: (a) process that Personal Data only in accordance with Contract Schedule 7, ensuring delivery of Goods unless the Lessor is required to do otherwise by Law. If it is so required the Lessor shall promptly notify the Lessee before processing the Personal Data unless prohibited by Law; (b) ensure that it has in place Protective Measures, which have been reviewed and approved by Xxxxxx as appropriate to protect against a Data Loss Event having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; (c) ensure that: (i) the employees do not process Personal Data except in accordance with this Agreement (and particularly for the purposes of delivery of Goods); (ii) it takes all reasonable steps to ensure the reliability and integrity of any employees who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Lessor’s duties under this clause; (B) 
are subject to appropriate confidentiality undertakings with the Lessor or any Sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by Xxxxxx or as otherwise permitted by this Agreement; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; and (d) not transfer Personal Data outside of the United Kingdom unless the prior written consent of Xxxxxx has been obtained and the following conditions are fulfilled: (i) The Lessor has provided appropriate safeguards in relation to the transfer (whether in accordance with UK GDPR Article 46 or LED Article

Appears in 1 contract

Samples: Master Lease Agreement

Data Protection. 13.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Controller and the Contractor is the Processor unless otherwise specified. The only processing that the Processor is authorised to do is listed in Contract Schedule 7 by the Controller and may not be determined by the Processor. 13.2 The Processor shall notify the Controller immediately if it considers that any of the Controller's instructions infringe the Data Protection Legislation. 13.3 The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Controller, include: 13.3.1 a systematic description of the envisaged processing operations and the purpose of the processing; 13.3.2 an assessment of the necessity and proportionality of the processing operations in relation to the Services; 13.3.3 an assessment of the risks to the rights and freedoms of Data Subjects; and 13.3.4 the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 13.4 The Processor shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: 13.4.1 process that Personal Data only in accordance with the Controllers instructions, unless the Processor is required to do otherwise by Law.
If it is so required, the Processor shall promptly notify the Controller before processing the Personal Data unless prohibited by Law; 13.4.2 ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), having taken account of the: 13.4.2.1 nature of the data to be protected; 13.4.2.2 harm that might result from a Data Loss Event; 13.4.2.3 state of technological development; and 13.4.2.4 cost of implementing any measures;

Appears in 1 contract

Samples: Terms and Conditions for the Purchase of Services

Data Protection. 38.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the DFE is the Controller and the Contractor is the Processor. The only processing that the Contractor is authorised to do is listed in Contract Schedule 11 by the DFE and may not be determined by the Contractor. 38.2 The Contractor shall notify the DFE immediately if it considers that any of the DFE's instructions infringe the Data Protection Legislation. 38.3 The Contractor shall provide all reasonable assistance to the DFE in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the DFE, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 38.4 The Contractor shall, in relation to any Personal Data processed in connection with its obligations under this Contract: (a) process that Personal Data only in accordance with Contract Schedule 11, unless the Contractor is required to do otherwise by Law.
If it is so required the Contractor shall promptly notify the DFE before processing the Personal Data unless prohibited by Law; (b) ensure that it has in place Protective Measures, which have been reviewed and approved by the DFE as appropriate to protect against a Data Loss Event having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; (c) ensure that:

Appears in 1 contract

Samples: Breakfast Clubs Programme Contract

Data Protection. 3.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the School is the Controller and the Processor is the Processor. The only processing that the Processor is authorised to do by the School is listed in Contract Schedule One and may not be determined by the Processor. 3.2 The Processor shall notify the School immediately if it considers that any of the School's instructions infringe the Data Protection Legislation. 3.3 The Processor shall provide all reasonable assistance to the School in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the School, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 3.4 The Processor shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: (a) process that Personal Data only in accordance with Contract Schedule One unless the Processor is required to do otherwise by Law.
If it is so required, the Processor shall promptly notify the School before processing the Personal Data unless prohibited by Law; (b) ensure that it has in place Protective Measures, which have been reviewed and approved by the School as appropriate to protect against a Data Loss Event having taken account of the: i. nature of the data to be protected; ii. harm that might result from a Data Loss Event; iii. state of technological development; and iv. cost of implementing any measures; (c) ensure that: the Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule One); (d) take all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they: i. are aware of and comply with the Processor’s duties under this clause; ii. are subject to appropriate confidentiality undertakings with the Processor or any Sub-processor; iii. are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the School or as otherwise permitted by this Agreement; and iv. have undergone adequate training in the use, care, protection and handling of Personal Data; and (e) not transfer Personal Data outside of the EU unless the following conditions are fulfilled: i. the School or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the School; ii. the Data Subject has enforceable rights and effective legal remedies; iii.
the Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the School in meeting its obligations); and (f) at the written direction of the School, delete Personal Data (and any copies of it) to the School on termination of the Agreement unless the Processor is required by Law to retain the Personal Data. 3.5 The Processor shall notify the School immediately if it: (a) receives a Data Subject Access Request (or purported Data Subject Access Request); (b) receives a request to rectify, block or erase any Personal Data; (c) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; (d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; (e) receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or (f) becomes aware of a Data Loss Event. 3.6 The Processor’s obligation to notify under clause 3.5 shall include the provision of further information to the School in phases, as details become available. 
3.7 Taking into account the nature of the processing, the Processor shall provide the School with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause 3.5 (and insofar as possible within the timescales reasonably required by the School) including by promptly providing: (a) the School with full details and copies of the complaint, communication or request; (b) such assistance as is reasonably requested by the School to enable the School to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; (c) the School, at its request, with any Personal Data it holds in relation to a Data Subject; (d) assistance as requested by the School following any Data Loss Event; (e) assistance as requested by the School with respect to any request from the Information Commissioner’s Office, or any consultation by the School with the Information Commissioner's Office. 3.8 The Processor shall maintain complete and accurate records and information to demonstrate its compliance with clause 3.5. This requirement does not apply where the Processor employs fewer than 250 staff, unless: (a) the School determines that the processing is not occasional; (b) the School determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; and (c) the School determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. 3.9 The Processor shall make available to the controller all information necessary to demonstrate compliance with the obligations laid down in this agreement and will contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller. 
3.10 The Processor shall designate a data protection officer if required by the Data Protection Legislation. 3.11 The School hereby authorizes Processor to engage the Sub-processors listed at xxx.xxxxxxxx.xx/xxxxxxxxxxxxx. Processor must enter into a written agreement with all Sub-processors. Processor must obtain sufficient guarantees from all Sub-processors that they will implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of Data Protection Law and this DPA. 3.12 The Processor shall inform the School of any intended changes concerning the addition or replacement of sub-processors, thereby giving the School the opportunity to object to such changes. The School must not act unreasonably in objecting to any proposed subprocessors. 3.13 The Processor shall remain fully liable for all acts or omissions of any Sub-processor.

Appears in 1 contract

Samples: Data Processing Agreement

Data Protection. 1.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Education Body [“the Customer”] is the Controller and Wisdom Canvas Ltd is the Processor. The only Processing that the Supplier is authorised to do is listed in Table A of this Protocol by the Customer and may not be determined by the Supplier. 1.2 The Supplier shall notify the Customer immediately if it considers that any of the Customer's instructions infringe the Data Protection Legislation. 1.3 The Supplier shall provide all reasonable assistance to the Customer in the preparation of any Data Protection Impact Assessment prior to commencing any Processing. Such assistance may, at the discretion of the Customer, include: 1.3.1 a systematic description of the envisaged Processing operations and the purpose of the Processing; 1.3.2 an assessment of the necessity and proportionality of the Processing operations in relation to the Services; 1.3.3 an assessment of the risks to the rights and freedoms of Data Subjects; and 1.3.4 the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 1.4 The Supplier shall, in relation to any Personal Data Processed in connection with its obligations under this Contract: 1.4.1 process that Personal Data only in accordance with Table A of this Protocol, unless the Supplier is required to do otherwise by Law.
If it is so required the Supplier shall promptly notify the Customer before Processing the Personal Data unless prohibited by Law; 1.4.2 notify the Customer immediately of any changes or required updates to permissions and systems access. This includes, for example, where members of staff leave, are suspended or are on an extended period of absence, like maternity leave; 1.4.3 ensure that it has in place Protective Measures, which have been reviewed and approved by the Customer as appropriate to protect against a Data Loss Event having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; 1.4.4 ensure that: (i) the Supplier Personnel do not Process Personal Data except in accordance with this Contract (and in particular Table A of this Protocol); (ii) it takes all reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Supplier’s duties under this Protocol; (B) are subject to appropriate confidentiality undertakings with the Supplier or any Sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer or as otherwise permitted by this Contract; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; 1.4.5 not transfer Personal Data outside of the EU unless the prior written consent of the Customer has been obtained and the following conditions
are fulfilled: (i) the Customer or the Supplier has provided appropriate safeguards in relation to the transfer (whether in accordance with Article 46 of the GDPR or Article 37 of the Law Enforcement Directive (Directive (EU) 2016/680)) as determined by the Customer; (ii) the Data Subject has enforceable rights and effective legal remedies; (iii) the Supplier complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Customer in meeting its obligations); and (iv) the Supplier complies with any reasonable instructions notified to it in advance by the Customer with respect to the Processing of the Personal Data; 1.4.6 at the written direction of the Customer, delete or return Personal Data (and any copies of it) to the Customer on termination or expiry of the Contract unless the Supplier is required by Law to retain the Personal Data. 1.5 Subject to Clause 1.6 of this Protocol, the Supplier shall notify the Customer immediately if it: 1.5.1 receives a Data Subject Access (or purported Data Subject Access Request), Freedom of Information or Environmental Information Regulation (EIR) request; 1.5.2 receives a request to rectify, block or erase any Personal Data; 1.5.3 receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; 1.5.4 receives any communication from the Information Commissioner or any other regulatory Customer in connection with Personal Data Processed under this Contract; 1.5.5 receives a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or

Appears in 1 contract

Samples: Data Processing Agreement

Data Protection. 23.1.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Controller and the Contractor is the Processor. The only processing that the Contractor is authorised to do is listed in Contract Schedule A by the Customer and may not be determined by the Contractor. 23.1.2 The Contractor shall notify the Customer immediately if it considers that any of the Customer's instructions infringe the Data Protection Legislation. 23.1.3 The Contractor shall provide all reasonable assistance to the Customer in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Customer, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 23.1.4 The Contractor shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: (a) process that Personal Data only in accordance with Contract Schedule A, unless the Contractor is required to do otherwise by Law.
If it is so required the Contractor shall promptly notify the Customer before processing the Personal Data unless prohibited by Law; (b) ensure that it has in place Protective Measures, which have been reviewed and approved by the Customer as appropriate to protect against a Data Loss Event having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; (c) ensure that: (i) the Contractor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule A); (ii) it takes all reasonable steps to ensure the reliability and integrity of any Contractor Personnel who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Contractor’s duties under this clause; (B) are subject to appropriate confidentiality undertakings with the Contractor or any Sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Customer or as otherwise permitted by this Agreement; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; and (d) not transfer Personal Data outside of the EU unless the prior written consent of the Customer has been obtained and the following conditions are fulfilled: (i) the Customer or the Contractor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or 23.1.5 LED Article 37) as determined by the Customer;

Appears in 1 contract

Samples: Framework Agreement

Data Protection. 1.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Controller and the Contractor is the Processor unless otherwise specified in Contract Schedule 1. The only processing that the Processor is authorised to do is listed in Contract Schedule 1 by the Controller and may not be determined by the Processor. 1.2 Controller warrants that it has taken all necessary steps to achieve compliance with Data Protection Legislation. 1.3 Without prejudice to the generality of paragraph 1.2, Controller warrants that where Controller supplies Personal Data to Processor, Controller has provided any requisite notice and has a valid legal basis to collect, obtain and share the Personal Data with Processor and to allow Processor to process the Personal Data in accordance with Schedule 1. 1.4 The Processor shall notify the Controller immediately if it considers that any of the Controller's instructions infringe the Data Protection Legislation. 1.5 The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Controller, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 1.6 The Processor shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: (a) process that Personal Data only in accordance with Contract Schedule 1, unless the Processor is required to do otherwise by Law.
If it is so required, the Processor shall promptly notify the Controller before processing the Personal Data unless prohibited by Law; (b) ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; (c) ensure that: (i) the Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 1); (ii) it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Processor’s duties under this clause; (B) are subject to appropriate confidentiality undertakings with the Processor or any Sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Controller or as otherwise permitted by this Agreement; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; and (d) not transfer Personal Data outside of the UK unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled: (i) the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Controller; (ii) the Data Subject has enforceable rights and effective legal remedies; (iii) the Processor complies with its obligations under the Data Protection
Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and (iv) the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data; (e) at the written direction of the Controller, delete or return Personal Data (and any copies of it) to the Controller on termination of the Agreement unless the Processor is required by Law to retain the Personal Data. 1.7 Subject to clause 1.6, the Processor shall notify the Controller immediately if it: (a) receives a Data Subject Request (or purported Data Subject Request); (b) receives a request to rectify, block or erase any Personal Data; (c) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; (d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; (e) receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or (f) becomes aware of a Data Loss Event. 1.8 The Processor’s obligation to notify under clause 1.5 shall include the provision of further information to the Controller in phases, as details become available. 
1.9 Taking into account the nature of the processing, the Processor shall provide the Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause 1.5 (and insofar as possible within the timescales reasonably required by the Controller) including by promptly providing: (a) the Controller with full details and copies of the complaint, communication or request; (b) such assistance as is reasonably requested by the Controller to enable the Controller to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation; (c) the Controller, at its request, with any Personal Data it holds in relation to a Data Subject; (d) assistance as requested by the Controller following any Data Loss Event; (e) assistance as requested by the Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Controller with the Information Commissioner's Office. 1.10 The Processor shall maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Processor employs fewer than 250 staff, unless: (a) the Controller determines that the processing is not occasional; (b) the Controller determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; or (c) the Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. 1.11 The Processor shall allow for audits of its Data Processing activity by the Controller or the Controller’s designated auditor. 1.12 Each Party shall designate its own data protection officer if required by the Data Protection Legislation. 
1.13 Before allowing any Sub-processor to process any Personal Data related to this Agreement, the Processor must: (a) notify the Controller in writing of the intended Sub-processor and processing; (b) obtain the written consent of the Controller; (c) enter into a written agreement with the Sub-processor which gives effect to the terms set out in this clause 1.11 such that they apply to the Sub-processor; and (d) provide the Controller with such information regarding the Sub-processor as the Controller may reasonably require. 1.14 The Processor shall remain fully liable for all acts or omissions of any of its Sub-processors. 1.15 The Controller may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Agreement). 1.16 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Controller may on not less than 30 Working Days’ notice to the Processor amend this agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office. 1.17 IN NO EVENT WILL CONTRACTOR’S AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THIS DATA PROTECTION AGREEMENT ARISING OUT OF OR RELATED TO BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE) OR OTHERWISE, EXCEED £500,000. IN NO EVENT WILL CONTRACTOR BE LIABLE TO THE CUSTOMER FOR ANY INDIRECT, SPECIAL, PUNITIVE, EXEMPLARY, INCIDENTAL OR CONSEQUENTIAL DAMAGES OF ANY KIND, INCLUDING, WITHOUT LIMITATION, LOST PROFITS, HOWEVER ARISING, WHETHER IN CONTRACT, TORT, OR OTHERWISE, REGARDING THESE DATA PROTECTION TERMS, EVEN IF SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. The contact details of the Controller’s Data Protection Officer shall be provided to the Processor upon execution of the Data Sharing Agreement.

Appears in 1 contract

Samples: Licensing Agreement

Data Protection. 21.1 The expiry or earlier termination of the Contract shall not affect the continuing rights and obligations of the Service Provider and the Council under this clause. The Parties acknowledge that for the purposes of the Data Protection Legislation, they shall be the Customer Controller of their respective orders (and where necessary shall both be Controllers) and the Service Provider is the Controller and the Supplier is the Processor unless otherwise specified in Contract Schedule 7Processor. The only processing that the Processor Service Provider is authorised to do by the Council is listed in Contract Schedule 7 by the Controller 4 to this clause and may not be determined by the Processor. Service Provider. 21.2 The Processor Service Provider shall notify the Controller Council immediately if it considers that any of the ControllerCouncil's instructions infringe the Data Protection Legislation. . 21.3 The Processor Service Provider shall provide all reasonable assistance to the Controller Council in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Controller, Council include: : 21.3.1 a systematic description of the envisaged processing operations and the purpose of the processing; ; 21.3.2 an assessment of the necessity and proportionality of the processing operations in relation to the Services; ; 21.3.3 an assessment of the risks to the rights and freedoms of Data Subjects; and and 21.3.4 the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. . 21.4 The Processor Service Provider shall, in relation to any Personal Data processed in connection with its obligations under this the Agreement: : 21.4.1 process that Personal Data only in accordance with Contract Schedule 74 of this Agreement, unless the Processor Service Provider is required to do otherwise by Law. 
If it is so required required, the Processor Service Provider shall promptly notify the Controller Council before processing the Personal Data unless prohibited by Law; ; 21.4.2 ensure that it has in place Protective Measures, which are have been reviewed and approved by the as appropriate to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), Event having taken account of the: : (i) nature of the data to be protected; ; (ii) harm that might result from a Data Loss Event; ; (iii) state of technological development; and and (iv) cost of implementing any measures; ; 21.4.3 ensure that : that: (i) the Processor Service Provider Personnel do not process Personal Data except in accordance with this the Agreement (and in particular Schedule 74 to this Agreement); ; (ii) it takes all reasonable steps to ensure the reliability and integrity of any Processor Service Provider Personnel who have access to the Personal Data and ensure that they: (a) are aware of and comply with the Service Provider's duties under this clause (b) are subject to appropriate confidentiality undertakings with the Service Provider or any Sub-processor (c) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the or as otherwise permitted by this Agreement; and (d) have undergone adequate training in the use, care, protection and handling of Personal Data; and 21.4.4 not transfer Personal Data outside of the EU unless the prior written consent of the has been obtained and the following conditions are fulfilled: (i) the Council or the Service Provider has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Council ; (ii) the data subject has 
enforceable rights and effective legal remedies enforceable in the territory to which the Personal Data is to be transferred; (iii) the Service Provider complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Council in meeting its obligations); and (iv) the Service Provider complies with any reasonable instructions notified to it in advance by the with respect to the processing of the Personal Data; 21.4.5 at the written direction of the Council, delete or return Personal Data (and any copies of it) to the on termination of this Agreement unless the Service Provider is required by Law to retain the Personal Data. 21.5 The Service Provider shall notify the Council immediately if it: 21.5.1 receives a Data Subject Access Request (or purported Data Subject Access Request); 21.5.2 receives a request to rectify, block or erase any Personal Data; 21.5.3 receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; 21.5.4 receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; 21.5.5 receives a request from any third party for disclosure of Personal Data, or 21.5.6 becomes aware of a Data Loss Event. 21.6 The Service Provider's obligation to notify under clause 1.5 shall include the provision of further information to the Council in phases, as details become available. 
21.7 Taking into account the nature of the processing, the Service Provider shall provide the Council with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause 21.5 (and insofar as possible within the timescales reasonably required by the Council) including by promptly providing: 21.7.1 such assistance as is reasonably requested by the Council to enable the Council to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; 21.7.2 the Council, at its request, with any Personal Data it holds in relation to a Data Subject; 21.7.3 assistance as requested by the Council following any Data Loss Event; 21.7.4 assistance as requested by the Council with respect to any request from the Information Commissioner's Office, or any consultation by the Council with the Information Commissioner's Office. 21.8 The Service Provider shall maintain complete and accurate records and information to demonstrate its compliance with the clause. This requirement does not apply where the Service Provider employs fewer than 250 staff, unless: 21.8.1 the Council determines that the processing is not occasional; 21.8.2 the Council determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; and 21.8.3 the Council determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. 21.9 The Contractor shall allow for audits of its Data Processing activity by the Council or the Council's designated auditor. 21.10 The Service Provider shall designate a data protection officer if required by the Data Protection Legislation. 
21.11 Before allowing any Sub-processor to process Personal Data related to this Agreement, the Service Provider must: 21.11.1 notify the Council in writing of the intended Sub-processor and processing; 21.11.2 obtain the written consent of the Council; 21.11.3 enter into a written agreement with the Sub-processor which gives effect to the terms set out in this clause such that they apply to the Sub-processor; and 21.11.4 provide the Council with such information regarding the Sub-processor as the Council may reasonably require. 21.12 The Service Provider shall remain fully liable for all acts or omissions of any Sub-processor. 21.13 The Council may, at any time on not less than 30 Working Days' notice, revise this clause by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Agreement). 21.14 The Parties agree to take account of any guidance issued by the Information Commissioner's Office. The Council may on not less than 30 Working Days' notice to the Service Provider amend this agreement to ensure that it complies with any guidance issued by the Information Commissioner's Office. 21.15 Upon termination of the Contract the Service Provider shall: 21.15.1 cease processing Personal Data on behalf of the Council; and 21.15.2 at the Council’s request, either forthwith return to the all copies of the Personal Data which it is processed on behalf of the Council, or destroy the same within 14 days of being requested to do so by the Council. 21.16 The Service Provider shall ensure that all personnel do not publish, disclose or divulge any of the Personal Data to any third party, unless directed in writing by the to do so. 
21.17 The Service Provider shall fully indemnify the Council, its employees or agents against the cost of dealing with any claims made in respect of any information subject to Data Protection Legislation, which claims would not have arisen but for some act, omission or negligence on the part of the Service Provider, his employees or agents in the provision of the Services.

Appears in 1 contract

Samples: Supplier Agreement

Data Protection. 1.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer Authority is the Controller and the Supplier is the Processor unless otherwise specified in Contract Schedule 7Processor. The only processing Processing that the Processor Supplier is authorised to do is listed in Contract Schedule 7 Table A of this Protocol by the Controller Authority and may not be determined by the Processor. Supplier. 1.2 The Processor Supplier shall notify the Controller Authority immediately if it considers that any of the ControllerAuthority's instructions infringe the Data Protection Legislation. . 1.3 The Processor Supplier shall provide all reasonable assistance to the Controller Authority in the preparation of any Data Protection Impact Assessment prior to commencing any processingProcessing. Such assistance may, at the discretion of the ControllerAuthority, include: : 1.3.1 a systematic description of the envisaged processing Processing operations and the purpose of the processing; Processing; 1.3.2 an assessment of the necessity and proportionality of the processing Processing operations in relation to the Services; ; 1.3.3 an assessment of the risks to the rights and freedoms of Data Subjects; and and 1.3.4 the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. . 1.4 The Processor Supplier shall, in relation to any Personal Data processed Processed in connection with its obligations under this Agreement: Contract: 1.4.1 process that Personal Data only in accordance with Contract Schedule 7Table A of this Protocol, unless the Processor Supplier is required to do otherwise by Law. 
If it is so required the Processor Supplier shall promptly notify the Controller Authority before processing Processing the Personal Data unless prohibited by Law; ; 1.4.2 ensure that it has in place Protective Measures, which are have been reviewed and approved by the Authority as appropriate to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), Event having taken account of the: : (i) nature of the data to be protected; ; (ii) harm that might result from a Data Loss Event; ; (iii) state of technological development; and and (iv) cost of implementing any measures; ; 1.4.3 ensure that : that: (i) the Processor Supplier Personnel do not process Process Personal Data except in accordance with this Agreement Contract (and in particular Schedule 7Table A of this Protocol); ; (ii) it takes all reasonable steps to ensure the reliability and integrity of any Processor Supplier Personnel who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Supplier’s duties under this Protocol; (B) are subject to appropriate confidentiality undertakings with the Supplier or any Sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority or as otherwise permitted by this Contract; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; 1.4.4 not transfer Personal Data outside of the EU unless the prior written consent of the Authority has been obtained and the following conditions are fulfilled: (i) the Authority or the Supplier has provided appropriate safeguards in relation to the transfer (whether in accordance with Article 46 of the GDPR or Article 37 of the Law Enforcement Directive (Directive (EU) 
2016/680)) as determined by the Authority; (ii) the Data Subject has enforceable rights and effective legal remedies; (iii) the Supplier complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Authority in meeting its obligations); and (iv) the Supplier complies with any reasonable instructions notified to it in advance by the Authority with respect to the Processing of the Personal Data; 1.4.5 at the written direction of the Authority, delete or return Personal Data (and any copies of it) to the Authority on termination or expiry of the Contract unless the Supplier is required by Law to retain the Personal Data. 1.5 Subject to Clause 1.6 of this Protocol, the Supplier shall notify the Authority immediately if it: 1.5.1 receives a Data Subject Access Request (or purported Data Subject Access Request); 1.5.2 receives a request to rectify, block or erase any Personal Data; 1.5.3 receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; 1.5.4 receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data Processed under this Contract; 1.5.5 receives a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or

Appears in 1 contract

Samples: Contract for the Provision of Services

Data Protection. 1.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer Authority is the Controller and the Supplier Service Provider is the Processor unless otherwise specified in Contract Schedule 7Processor. The only processing that the Processor Service Provider is authorised to do is listed in Contract Schedule 7 A by the Controller Authority and may not be determined by the Processor. Service Provider. 1.2 The Processor Service Provider shall notify the Controller Authority immediately if it considers that any of the ControllerAuthority's instructions infringe the Data Protection Legislation. . 1.3 The Processor Service Provider shall provide all reasonable assistance to the Controller Authority in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the ControllerAuthority, include: : (a) a systematic description of the envisaged processing operations and the purpose of the processing; ; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; ; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 1.4 The Processor Service Provider shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: : (a) process that Personal Data only in accordance with Contract Schedule 7A, unless the Processor Service Provider is required to do otherwise by Law. 
If it is so required the Processor Service Provider shall promptly notify the Controller Authority before processing the Personal Data unless prohibited by Law; ; (b) ensure that it has in place Protective Measures, which are have been reviewed and approved by the Authority as appropriate to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), Event having taken account of the: : (i) nature of the data to be protected; ; (ii) harm that might result from a Data Loss Event; ; (iii) state of technological development; and and (iv) cost of implementing any measures; ; (c) ensure that : that: (i) the Processor Service Provider’s Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 7A); ; (ii) it takes all reasonable steps to ensure the reliability and integrity of any Processor Service Provider’s Personnel who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Service Provider’s duties under this Clause; (B) are subject to appropriate confidentiality undertakings with the Service Provider or any Sub-Processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Authority or as otherwise permitted by this Agreement; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; and (d) not transfer Personal Data outside of the EU unless the prior written consent of the Authority has been obtained and the following conditions are fulfilled: (i) the Authority or the Service Provider has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Authority; (ii) the Data Subject has 
enforceable rights and effective legal remedies; (iii) the Service Provider complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Authority in meeting its obligations); and (iv) the Service Provider complies with any reasonable instructions notified to it in advance by the Authority with respect to the processing of the Personal Data; (e) at the written direction of the Authority, and at the Service Provider’s sole cost, delete or return Personal Data (and any copies of it) to the Authority on termination of the Agreement unless the Service Provider is required by Law to retain the Personal Data. 1.5 Subject to Clause 1.6, the Service Provider shall notify the Authority immediately if it: (a) receives a Data Subject Access Request (or purported Data Subject Access Request); (b) receives a request to rectify, block or erase any Personal Data; (c) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; (d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; (e) receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or (f) becomes aware of a Data Loss Event. 1.6 The Service Provider’s obligation to notify under Clause 1.5 shall include the provision of further information to the Authority in phases, as details become available. 
1.7 Taking into account the nature of the processing, the Service Provider shall provide the Authority with full assistance in relation to either Party's obligations under Data Protection Legislation including any complaint, communication or request made under Clause 1.5 (and insofar as possible within the timescales reasonably required by the Authority) including by promptly providing: (a) the Authority with full details and copies of the complaint, communication or request; (b) such assistance as is reasonably requested by the Authority to enable the Authority to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; (c) the Authority, at its request, with any Personal Data it holds in relation to a Data Subject; (d) assistance as requested by the Authority following any Data Loss Event; (e) assistance as requested by the Authority with respect to any request from the Information Commissioner’s Office, or any consultation by the Authority with the Information Commissioner's Office. 1.8 The Service Provider shall maintain complete and accurate records and information to demonstrate its compliance with this Clause. This requirement does not apply where the Service Provider employs fewer than 250 staff, unless: (a) the Authority determines that the processing is not occasional; (b) the Authority determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; and (c) the Authority determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. 1.9 The Service Provider shall allow for audits of its Data Processing activity by the Authority or the Authority’s designated auditor. 1.10 The Service Provider shall designate a Data Protection Officer if required by the Data Protection Legislation. 
1.11 Before allowing any Sub-Processor to process any Personal Data related to this Agreement, the Service Provider must: (a) notify the Authority in writing of the intended Sub-Processor and processing; (b) obtain the written consent of the Authority; (c) enter into a written agreement with the Sub-Processor which gives effect to the terms set out in this Clause 1 such that they apply to the Sub-Processor; and (d) provide the Authority with such information regarding the Sub-Processor as the Authority may reasonably require. 1.12 The Service Provider shall remain fully liable for all acts or omissions of any Sub-Processor. 1.13 The Service Provider may, at any time on not less than 30 Working Days’ notice, revise this Clause by replacing it with any applicable controller to processor standard Clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Agreement). 1.14 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Authority may on not less than 30 Working Days’ notice to the Service Provider amend this agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office. 1. The Service Provider shall comply with any further written instructions with respect to processing by the Authority.

Appears in 1 contract

Samples: Data Protection Agreement

Data Protection. 4.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer DfE is the Controller and the Supplier Requester is the Processor unless otherwise specified in Contract Schedule 7processor. The only processing that the Processor Requester is authorised to do is listed in Contract Schedule 7 1 by the Controller DFE and may not be determined by the ProcessorRequester whether under the Related Agreement or this Agreement. To the extent that there is any conflict or inconsistency between the Related Agreement and this Agreement, the terms of this Agreement shall prevail. 4.2 The Processor Requester shall notify the Controller DfE immediately if it the Requester considers that any of the ControllerDfE's instructions infringe the Data Protection Legislation. . 4.3 The Processor Requester shall provide all reasonable assistance to the Controller DfE in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the ControllerDfE, include: : 4.3.1 a systematic description of the envisaged processing operations and the purpose of the processing; ; 4.3.2 an assessment of the necessity and proportionality of the processing operations in relation to the Services; relevant services; 4.3.3 an assessment of the risks to the rights and freedoms of Data Subjectsdata subjects; and and 4.3.4 the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. the DfE Data Extracts. 4.4 The Processor Requester shall, in relation to any Personal its processing of the DfE Data processed in connection with its obligations under this Agreement: Extracts: 4.4.1 process that Personal the DfE Data Extracts only in accordance with Contract Schedule 71, unless the Processor Requester is required to do otherwise by Law. 
If it is so required the Processor Requester shall promptly notify the Controller DfE before processing the Personal DfE Data Extracts unless prohibited by Law; ; 4.4.2 ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Controller DfE may reasonably reject (but failure to reject shall not amount to approval by the Controller DfE of the adequacy of the Protective Measures), having taken account of the: : 4.4.2.1 nature of the data to be protected; ; 4.4.2.2 harm that might result from a Data Loss Event; ; 4.4.2.3 state of technological development; and and 4.4.2.4 cost of implementing any measures; ; 4.4.3 ensure that : that: 4.4.3.1 the Processor Personnel Permitted Users do not process Personal the DfE Data Extracts except in accordance with this Agreement (and in particular Schedule 7); Agreement; 4.4.3.2 it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel Permitted User who have access to the Personal DfE Data Extracts and ensure that they: 4.4.3.2.1 are aware of and comply with the Requester Agreement; 4.4.3.2.2 are subject to appropriate confidentiality undertakings with the Requester or any Sub-Processor; 4.4.3.2.3 are informed of the confidential nature of the DfE Data Extracts and do not publish, disclose or divulge any of the DfE Data Extracts to any third party unless directed in writing to do so by the DfE or as otherwise permitted by this Agreement; 4.4.3.2.4 have undergone adequate training in the use, care, protection and handling of the DfE Data Extracts. 
4.4.4 not transfer the DfE Data Extracts outside of the EU or the United Kingdom unless the prior written consent of the DfE has been obtained and the following conditions are fulfilled: 4.4.4.1 the DfE or the Requester has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the DfE; 4.4.4.2 the data subject has enforceable rights and effective legal remedies; 4.4.4.3 the Requester complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any the DfE Data Extracts that is transferred (or, if it is not so bound, uses its best endeavours to assist the DfE in meeting its obligations); and 4.4.4.4 the Requester complies with any reasonable instructions notified to it in advance by the DfE with respect to the processing of the DfE Data Extracts; 4.4.5 on termination of this Agreement, destroy the DfE Data Extracts (and any copies of it) unless the Requester is required by Law to retain the DfE Data Extracts. 4.5 Subject to clause 4.6, the Requester shall notify the DfE immediately if it: 4.5.1 receives a Data Subject Request (or purported Data Subject Request); 4.5.2 receives a request to rectify, block or erase any the DfE Data Extracts; 4.5.3 receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; 4.5.4 receives any communication from the Commissioner or any other regulatory authority in connection with the DfE Data Extracts processed under this Agreement; 4.5.5 receives a request from any third party for disclosure of the DfE Data Extracts where compliance with such request is required or purported to be required by Law; or 4.5.6 becomes aware of a Data Loss Event. 4.6 The Requester under clause 4.5 shall include the provision of further information to the DfE in phases, as details become available. 
4.7 Taking into account the nature of the processing, the Requester shall provide the DfE with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause 4.5 (and insofar as possible within the timescales reasonably required by the DfE) including by promptly providing: 4.7.1 the DfE with full details and copies of the complaint, communication or request; 4.7.2 such assistance as is reasonably requested by the DfE to enable the DfE to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation; 4.7.3 the DfE, at its request, with any personal data it holds in relation to a Data Subject; 4.7.4 assistance as requested by the DfE following any Data Loss Event; and 4.7.5 assistance as requested by the DfE with respect to any request from the Information Commissioner's Office. 4.8 The Requester shall maintain complete and accurate records and information to demonstrate its compliance with this clause. 4.9 For the purpose of this Agreement, each Party shall designate its own Data Protection Officer. 4.10 Before allowing any Sub-Processor to process any the DfE Data Extracts related to this Agreement, the Requester must: 4.10.1 notify the DfE in writing of the intended Sub-Processor and processing; 4.10.2 obtain the written consent of the DfE; 4.10.3 enter into a written agreement with the Sub-Processor which gives effect to the terms set out in this Clause 4 such that they apply to the Sub-Processor; and 4.10.4 provide the DfE with such information regarding the Sub-Processor as the DFE may reasonably require. 4.11 The Requester shall remain fully liable for all acts or omissions of any of its Sub-Processors. replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Agreement). 
4.13 The Requester agrees to take account of any guidance issued by the Information Requester amend this Agreement to ensure that it complies with any guidance issued by the 4.14 The Requester agrees that data within the DfE Data Extracts includes, and shall be treated as, personal data regardless of whether the Requester, or any third party, considers that there is a risk of any particular individual being identified from that data. 4.15 Where the DfE Data Extracts contains information relating to the racial or ethnic origin, physical or mental health, sexual orientation, gender identity, religion/belief, biometric information, trade union membership, political or philosophical beliefs of an individual these are special categories of personal data or are required to be treated as special categories of personal data under this Agreement. 4.16 The Requester shall not link the DfE Data Extracts to any other data without the prior written approval of the DfE unless such linking is included within Schedule 1. Any application to link the DfE Data Extracts to other data shall be made in writing to the DfE in accordance with clause 15.

Appears in 1 contract

Samples: Data Supply Agreement

Data Protection. The Parties acknowledge that for 14.1 Each party shall comply with the purposes provisions of the Data Protection LegislationAct 1998 (and any subsequent amendment or re-enactment) (“the Act”), which definitions and interpretations shall apply to this clause. Where necessary to enable Linea to deliver the Customer Services, Linea shall have the Client’s authority to process personal data on the Client’s behalf in accordance with this clause. Linea shall take appropriate technical and organisational measures designed to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data and shall act only on the Client’s instructions and shall comply at all times with the seventh principle in Part 1 of Schedule 1 to the Act as if applicable to Linea directly. 14.2 The Parties will comply with the Data Protection Legislation and agree that the Client is the Controller and the Supplier Linea is the Processor unless otherwise specified in Contract Schedule 7. The only processing that Processor. 14.3 Linea will assist the Processor is authorised to do is listed in Contract Schedule 7 by the Controller and may not be determined by the Processor. The Processor shall notify the Controller immediately if it considers that any of the Controller's instructions infringe the Data Protection Legislation. The Processor shall provide all reasonable assistance to the Controller in Client with the preparation of any Data Protection Impact Assessment prior to Assessments required by the Data Protection Legislation before commencing any processing. 
Such assistance may, at the discretion Processing (including provision of the Controller, include: a systematic description of the envisaged processing operations detailed information and the purpose of the processing; an assessment of the necessity and proportionality of the processing operations assessments in relation to the Services; an assessment of the Processing operations, risks to the rights and freedoms of Data Subjects; measures) and the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. The Processor shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: process that Personal Data only in accordance with Contract Schedule 7, unless the Processor is required to do otherwise by Law. If it is so required the Processor shall promptly will notify the Controller before processing Client immediately if it considers that the Personal Client’s instructions infringe the Data unless prohibited by Law; ensure that it has Protection Legislation. 14.4 Linea have in place Protective Measures, Measures (details of which are appropriate can be provided on request) to protect guard against a Data Loss Event, which takes into account the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), having taken account of the: nature of the data to be protected; data, the harm that might result from a Data Loss Event; result, the state of technological development; technology and the cost of implementing any the measures; . 
14.5 Linea will ensure that : the Processor Personnel do not its Staff only process Personal Data except in accordance with this Agreement (Contract and in particular Schedule 7); it takes take all reasonable steps to ensure the reliability and integrity of any Processor Supplier Personnel who have with access to Personal Data, including by ensuring they: i) are aware of and comply with Linea’s obligations under this Clause; ii) are subject to appropriate confidentiality undertakings with Linea iii) are informed of the confidential nature of the Personal Data and don’t publish, disclose or divulge it to any third party unless directed by the Client or in accordance with this Call-Off Contract iv) are given training in the use, protection and handling of Personal Data. 14.6 Linea will not transfer Personal Data outside of the European Union unless the prior written consent of the Client has been obtained, which shall be dependent on such a transfer satisfying relevant Data Protection Legislation requirements. 14.7 Linea will delete or return Client’s Personal Data (including copies) if requested in writing by the Client at the End or Expiry of this Contract, unless required to retain the Personal Data by Law. 14.8 Linea will notify the Client without undue delay if it receives any communication from a third party relating to the Parties’ obligations under the Data Protection Legislation, or it becomes aware of a Data Loss Event, and will provide the Client with full and ongoing assistance in relation to each Party’s obligations under the Data Protection Legislation, and insofar as this is possible, in accordance with any timescales reasonably required by the Client 14.9 Linea will maintain complete and accurate records and information to demonstrate its compliance with this clause. 
This requirement does not apply where Linea employs fewer than 250 staff, unless: i) the Client determines that the Processing is not occasional; ii) the Client determines the Processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; and iii) the Client determines that the Processing is likely to result in a risk to the rights and freedoms of Data Subjects. 14.10 Before allowing any Sub-processor to Process any Personal Data related to this Contract, Linea must: i. notify the Client in writing of the proposed Sub-processor(s) and obtain its written consent; ii. ensure that they:it has entered into a written agreement with the Sub-processor(s) which gives effect to obligations set out in this Clause such that they apply to the Sub-processor(s); and iii. inform the Client of any additions to, or replacements of the notified Sub- processors and the Client shall either i) provide its written consent or ii) object. 33.10 The Client may at any time put forward a Variation request to amend this Call-Off Contract to ensure that it complies with any guidance issued by the Information Commissioner’s Office.

Appears in 1 contract

Samples: Engagement Letter

Data Protection. The Parties acknowledge that for the purposes of the Data Protection Legislation, the Authority is the Controller and the Grant Recipient is the Processor unless otherwise specified in this Annex 12. The only processing that the Processor is authorised to do is listed in Part 1 of Annex 12 by the Controller and may not be determined by the Processor. The Processor shall notify the Controller immediately if it considers that any of the Controller's instructions infringe the Data Protection Legislation. The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Controller, include: a systematic description of the envisaged processing operations and the purpose of the processing; an assessment of the necessity and proportionality of the processing operations in relation to the Services; an assessment of the risks to the rights and freedoms of data subjects; and the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. The Processor shall, in relation to any Personal Data processed in connection with its obligations under these Conditions: process that Personal Data only in accordance with this Annex 12, unless the Processor is required to do otherwise by Law.
If it is so required the Processor shall promptly notify the Controller before processing the Personal Data unless prohibited by Law; ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), having taken account of the: nature of the data to be protected; harm that might result from a Data Loss Event; state of technological development; and cost of implementing any measures; ensure that: the Processor Personnel do not process Personal Data except in accordance with these Conditions (and in particular Part 1 of Annex 12); it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they: are aware of and comply with the Processor’s duties under this paragraph; are subject to appropriate confidentiality undertakings with the Processor or any sub-processor; are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any Third Party unless directed in writing to do so by the Controller or as otherwise permitted by these Conditions; and have undergone adequate training in the use, care, protection and handling of Personal Data; and not transfer Personal Data outside of the EU (which for the purposes of this limb (d) shall be deemed to include the UK) unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled: the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or DPA 2018 Section 75) as determined by the Controller; the Data Subject has enforceable rights and effective legal remedies; the Processor complies with its obligations under the Data
Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data; at the written direction of the Controller, delete or return Personal Data (and any copies of it) to the Controller on termination of the Agreement unless the Processor is required by Law to retain the Personal Data. Subject to paragraph 1.6, the Processor shall notify the Controller immediately if it: receives a Data Subject Request (or purported Data Subject Request); receives a request to rectify, block or erase any Personal Data; receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under these Conditions; receives a request from any Third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or becomes aware of a Data Loss Event. The Processor’s obligation to notify under paragraph 1.5 shall include the provision of further information to the Controller in phases, as details become available. 
Taking into account the nature of the processing, the Processor shall provide the Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under paragraph 1.5 (and insofar as possible within the timescales reasonably required by the Controller) including by promptly providing: the Controller with full details and copies of the complaint, communication or request; such assistance as is reasonably requested by the Controller to enable the Controller to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation; the Controller, at its request, with any Personal Data it holds in relation to a Data Subject; assistance as requested by the Controller following any Data Loss Event; assistance as requested by the Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Controller with the Information Commissioner's Office. The Processor shall maintain complete and accurate records and information to demonstrate its compliance with this paragraph. This requirement does not apply where the Processor employs fewer than 250 staff, unless: the Controller determines that the processing is not occasional; the Controller determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; or the Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. The Processor shall allow for audits of its Data Processing activity by the Controller or the Controller’s designated auditor. Each Party shall designate its own data protection officer if required by the Data Protection Legislation. 
Before allowing any Sub-processor to process any Personal Data related to these Conditions, the Processor must: notify the Controller in writing of the intended Sub-processor and processing; obtain the written consent of the Controller; enter into a written agreement with the Sub-processor which give effect to the terms set out in this paragraph 1.11 such that they apply to the Sub-processor; and provide the Controller with such information regarding the Sub-processor as the Controller may reasonably require. The Processor shall remain fully liable for all acts or omissions of any of its Sub-processors. The Authority may, at any time on not less than 30 Working Days’ notice, revise this paragraph by replacing it with any applicable controller to processor standard paragraphs or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to these Conditions). The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Controller may on not less than 30 Working Days’ notice to the Processor amend these Conditions to ensure that it complies with any guidance issued by the Information Commissioner’s Office. Where the Parties include two or more Joint Controllers in respect of Personal Data under this Grant Funding Agreement as identified in Part 1 of Annex 12 in accordance with GDPR Article 26, those Parties shall enter into a Joint Controller Agreement based on the terms outlined in Part 2 of Annex 12 in replacement of paragraphs 1.1 to 1.14 for the Personal Data under Joint Control. 
In the event that both Parties are Controllers of the Personal Data, the Parties agree: that without any further action being required they have entered into the Standard Contractual Clauses in the European Commission's decision 2004/915/EC set out in Part 4 to Annex 12 in respect of data transfers by the Grant Recipient outside of the EEA: that, where no other appropriate safeguard or exemption applies, the Personal Data subject to this Grant Funding Agreement (and to which Chapter V of the GDPR applies) will be transferred in accordance with those Standard Contractual Clauses as of the date the Parties entered into those Standard Contractual Clauses; to use best endeavours to complete the annexes to the Standard Contractual Clauses promptly and at their own cost for the purpose of giving full effect to them; and that if there is any conflict between this Grant Funding Agreement and the Standard Contractual Clauses the terms of the Standard Contractual Clauses shall apply. In the event that the Grant Recipient is a Controller of Personal Data and the Authority is a Processor, the Parties agree: that without any further action being required they have entered into the standard contractual clauses in the European Commission's decision 2010/87/EU set out in Part 5 of Annex 12 in respect of data transfers by the Grant Recipient outside of the EEA; that, where no other appropriate safeguard or exemption applies, the Personal Data subject to this Grant Funding Agreement (and to which Chapter V of the GDPR applies) will be transferred in accordance with those Standard Contractual Clauses as of the date the Parties entered into those Standard Contractual Clauses; to use best endeavours to complete the annexes to the Standard Contractual Clauses promptly and at their own cost for the purpose of giving full effect to them; and that if there is any conflict between this Grant Funding Agreement and the Standard Contractual Clauses the terms of the Standard Contractual Clauses 
shall apply. In the event that (i) the European Commission updates, amends, substitutes, adopts or publishes new standard contractual clauses from time to time and (ii) the European Commission has not adopted an adequacy decision for the UK before the European Commission decision regarding such new Standard Contractual Clauses becomes effective, the Parties agree: that the most up to date Standard Contractual Clauses from time to time shall be automatically incorporated in place of those in Part 4 or 5 of Annex 12 (as the context requires); that where no other appropriate safeguard or exemption applies, that the Personal Data subject to this Grant Funding Agreement (and to which Chapter V of the GDPR applies) will be transferred in accordance with the relevant form of the most up to date Standard Contractual Clauses as of the date the European Commission decision regarding such new Standard Contractual Clauses becomes effective; to use best endeavours to complete any part of the most up to date Standard Contractual Clauses that a Party must complete promptly and at their own cost for the purpose of giving full effect to them; and that if there is any conflict between this Grant Funding Agreement and the most up to date Standard Contractual Clauses the terms of the most up to date Standard Contractual Clauses shall apply. This Annex shall be completed by the Controller, who may take account of the view of the Processors, however the final decision as to the content of this Annex shall be with the Controller at its absolute discretion. The contact details of the Controller’s Data Protection Officer are: [Insert Contact details] The contact details of the Processor’s Data Protection Officer are: [Insert Contact details] The Processor shall comply with any further written instructions with respect to processing by the Controller. Any such further instructions shall be incorporated into this Annex. 
Identity of the Controller and Processor The Parties acknowledge that for the purposes of the Data Protection Legislation, the Authority is the Controller and the Grant Recipient is the Processor in accordance with paragraph 1.1. Subject matter of the processing Duration of the processing Nature and purposes of the processing Type of Personal Data being Processed Categories of Data Subject Plan for return and destruction of the data once the processing is complete UNLESS requirement under union or member state law to preserve that type of data

Appears in 1 contract

Samples: Grant Funding Agreement

Data Protection. The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Controller and the Consultant is the Processor. The only processing that the Consultant is authorised to do is listed in Contract Schedule 3 by the Customer and may not be determined by the Consultant. The Consultant shall notify the Customer immediately if it considers that any of the Customer's instructions infringe the Data Protection Legislation. The Consultant shall provide all reasonable assistance to the Customer in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Customer, include: a systematic description of the envisaged processing operations and the purpose of the processing; an assessment of the necessity and proportionality of the processing operations in relation to the Services; an assessment of the risks to the rights and freedoms of Data Subjects; and the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. The Consultant shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: process that Personal Data only in accordance with Contract Schedule A, unless the Consultant is required to do otherwise by law.
If it is so required the Consultant shall promptly notify the Customer before processing the Personal Data unless prohibited by law; ensure that it has in place Protective Measures, which have been reviewed and approved by the Customer as appropriate to protect against a Data Loss Event having taken account of the: nature of the data to be protected; harm that might result from a Data Loss Event; state of technological development; and cost of implementing any measures; ensure that: the Consultant Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule A); it takes all reasonable steps to ensure the reliability and integrity of any Consultant Personnel who have access to the Personal Data and ensure that they: are aware of and comply with the Consultant’s duties under this clause; are subject to appropriate confidentiality undertakings with the Consultant or any Sub-processor; are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Customer or as otherwise permitted by this Agreement; and have undergone adequate training in the use, care, protection and handling of Personal Data; and not transfer Personal Data outside of the EU unless the prior written consent of the Customer has been obtained and the following conditions are fulfilled: the Customer or the Consultant has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Customer; the Data Subject has enforceable rights and effective legal remedies; the Consultant complies with its obligations under the Data Protection
Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Customer in meeting its obligations); and the Consultant complies with any reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; at the written direction of the Customer, delete or return Personal Data (and any copies of it) to the Customer on termination of the Agreement unless the Consultant is required by Law to retain the Personal Data. Subject to clause 6.6, the Consultant shall notify the Customer immediately if it:

Appears in 1 contract

Samples: Contract for Consultancy Services

Data Protection. 13.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Controller and the Contractor is the Processor. The only processing that the Contractor is authorised to do is listed in Contract Schedule [X] by the Customer and may not be determined by the Contractor. 13.2 The Contractor shall notify the Customer immediately if it considers that any of the Customer's instructions infringe the Data Protection Legislation. 13.3 The Contractor shall provide all reasonable assistance to the Customer in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Customer, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 13.4 The Contractor shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: (a) process that Personal Data only in accordance with Contract Schedule [X], unless the Contractor is required to do otherwise by Law.
If it is so required the Processor shall promptly notify the Controller before processing the Personal Data unless prohibited by Law; (b) ensure that it has in place Protective Measures, which have been reviewed and approved by the Customer as appropriate to protect against a Data Loss Event having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; (c) ensure that: (i) the Contractor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule X); (ii) it takes all reasonable steps to ensure the reliability and integrity of any Contractor Personnel who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Contractor’s duties under this clause; (B) are subject to appropriate confidentiality undertakings with the Contractor or any Sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Customer or as otherwise permitted by this Agreement; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; and

Appears in 1 contract

Samples: Supply Agreement

Data Protection. 1.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Controller and the Supplier is the Processor unless otherwise specified in Contract Schedule 7. The only processing that Blueteq Ltd is authorised to do is listed in Contract Schedule 1. 1.2 Blueteq Ltd shall notify the Customer immediately if it considers that any of the Customer's instructions infringe the Data Protection Legislation. 1.3 Blueteq Ltd shall provide all reasonable assistance to the Customer in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Customer, include: i. a systematic description of the envisaged processing operations and the purpose of the processing; ii. an assessment of the necessity and proportionality of the processing operations in relation to the Services; iii. an assessment of the risks to the rights and freedoms of Data Subjects; and iv. the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 1.4 Blueteq Ltd shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: i. process that Personal Data only in accordance with Contract Schedule 1, unless Blueteq Ltd is required to do otherwise by Law. If it is so required Blueteq Ltd shall promptly notify the Customer before processing the Personal Data unless prohibited by Law. ii.
ensure that it has in place Protective Measures, which have been reviewed and approved by the Customer as appropriate to protect against a Data Loss Event having taken account of the: a. nature of the data to be protected; b. harm that might result from a Data Loss Event; c. state of technological development; and d. cost of implementing any measures. iii. ensure that: a. Blueteq Ltd personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 1). b. it takes all reasonable steps to ensure the reliability and integrity of any Blueteq Ltd Personnel who have access to the Personal Data and ensure that they: i. are aware of and comply with Blueteq Ltd’s duties under this clause; ii. are subject to appropriate confidentiality undertakings with Blueteq Ltd or any Sub-processor; iii. are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Customer or as otherwise permitted by this Agreement; and iv. have undergone adequate training in the use, care, protection and handling of Personal Data; and v. not transfer Personal Data outside of the UK unless the prior written consent of the Customer has been obtained and the following conditions are fulfilled: a. the Customer or Blueteq Ltd has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Customer; b. the Data Subject has enforceable rights and effective legal remedies; c.
Blueteq Ltd complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Customer in meeting its obligations); and d. Blueteq Ltd complies with any reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; e. at the written direction of the Customer, delete or return Personal Data (and any copies of it) to the Customer on termination of the Agreement unless Blueteq Ltd is required by Law to retain the Personal Data. 1.5 Subject to clause 1.6, Blueteq Ltd shall notify the Customer immediately if it: i. receives a Data Subject Access Request (or purported Data Subject Access Request); ii. receives a request to rectify, block or erase any Personal Data; iii. receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; iv. receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; v. becomes aware of a Data Loss Event. 1.6 Blueteq Ltd’s obligation to notify under clause 1.5 shall include the provision of further information to the Customer in phases, as details become available. 1.7 Taking into account the nature of the processing, Blueteq Ltd shall provide the Customer with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause 1.5 (and insofar as possible within the timescales reasonably required by the Customer) including by promptly providing: i. 
the Customer with full details and copies of the complaint, communication or request; ii. such assistance as is reasonably requested by the Customer to enable the Customer to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; iii. the Customer, at its request, with any Personal Data it holds in relation to a Data Subject; iv. assistance as requested by the Customer following any Data Loss Event; v. assistance as requested by the Customer with respect to any request from the Information Commissioner’s Office, or any consultation by the Customer with the Information Commissioner's Office. vi. Blueteq Ltd shall maintain complete and accurate records and information to demonstrate its compliance with this clause. 1.8 Blueteq Ltd shall allow for audits of its Data Processing activity by the Customer or the Customer’s designated auditor. 1.9 Blueteq Ltd shall have a designated Data Protection Officer/Information Governance Lead. 1.10 Before allowing any Sub-processor to process any Personal Data related to this Agreement, Blueteq Ltd must: i. notify the Customer in writing of the intended Sub-processor and processing; ii. obtain the written consent of the Customer; iii. enter into a written agreement with the Sub-processor which give effect to the terms set out in this clause such that they apply to the Sub-processor; and iv. provide the Customer with such information regarding the Sub-processor as the Customer may reasonably require. 1.11 Blueteq Ltd shall remain fully liable for all acts or omissions of any Sub-processor. 1.12 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. This agreement may be amended to ensure that it complies with any guidance issued by the Information Commissioner’s Office by following the process laid down in the Section “Changing the Terms of this Agreement” of the License Agreement.

Appears in 1 contract

Samples: Licence Agreement

Data Protection. 1.1 The Examiner acknowledges that in performing the Services, he or she may process Personal Data on behalf of the Institute (“Institute Data”). In such circumstances, the Examiner acknowledges that the Institute is the controller and the Examiner is a processor of such Institute Data, as each term is defined in Data Protection Law. The Examiner agrees that: (a) the Examiner shall process the Institute Data referred to in Recital C above, and such other Personal Data as the parties may agree in writing from time to time, on behalf of the Institute in the context of, and for so long as he or she is, performing the Services to the Institute. The obligations and rights of the Institute shall be as set out in this Data Processing Agreement; (b) the Examiner shall process such Institute Data in accordance with the documented instructions of the Institute; (c) the Examiner shall use all reasonable endeavours to maintain the confidentiality of the Institute Data; (d) the Examiner shall maintain reasonable security measures to ensure compliance with the data security obligations under Data Protection Law, and in line with the Guidelines for External Examiner on GDPR as provided to all Examiners. From time to time, and without prejudice to the Examiner’s obligation under this Clause 1.1(d), the Institute may circulate guidance on the additional security measures which should be taken; (e) the Examiner shall not engage any sub-processors to undertake the processing of Institute Data on its behalf (in respect of which the Institute is the controller); (f) the Examiner shall, at the request and cost of the Institute (which costs shall be agreed in advance), assist the Institute in ensuring compliance with applicable obligations in respect of security of Institute Data, data protection impact assessments and prior consultation requirements under Data Protection Law; (g) the Examiner shall: (i) make available to the Institute all information necessary to demonstrate compliance with the obligations laid down in this Data Processing Agreement; and (ii) allow for and assist with audits, including inspections, conducted by the Institute or another party mandated by the Institute, in order to ensure compliance with the obligations laid down in this Data Processing Agreement, including his or her data security obligations under Data Protection Law; (h) the Examiner shall inform the Institute immediately if, in his or her opinion, he or she receives an instruction from the Institute which infringes Data Protection Law; (i) the Examiner shall notify the Institute without undue delay, and in any event within twenty-four (72) hours, after becoming aware of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Institute Data transmitted, stored or otherwise processed, in particular in relation to any loss of or damage to an examination script, and shall provide the Institute with such co-operation and assistance as may reasonably be required to mitigate against the effects of, and comply with any reporting obligations which may apply in respect of, any such breach; and (j) no Institute Data shall be transferred outside of the European Economic Area by the Examiner without the prior written consent of the Institute.
1.2 For the purposes of this Data Processing Agreement:

Appears in 1 contract

Samples: Data Processing Agreement

Data Protection. The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Controller and the Supplier is the Processor. The only processing that the Supplier is authorised to do is listed in Call Off Schedule 18 by the Customer and may not be determined by the Supplier. The Supplier shall notify the Customer immediately if it considers that any of the Customer's instructions infringe the Data Protection Legislation. The Supplier shall provide all reasonable assistance to the Customer in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Customer, include: a systematic description of the envisaged processing operations and the purpose of the processing; an assessment of the necessity and proportionality of the processing operations in relation to the Services; an assessment of the risks to the rights and freedoms of Data Subjects; and the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. The Supplier shall, in relation to any Personal Data processed in connection with its obligations under this Call-Off Contract: process that Personal Data only in accordance with Call Off Schedule 18 unless the Supplier is required to do otherwise by Law.
If it is so required the Supplier shall promptly notify the Customer before processing the Personal Data unless prohibited by Law; ensure that it has in place Protective Measures, which have been reviewed and approved by the Customer as appropriate to protect against a Data Loss Event having taken account of the: nature of the data to be protected; harm that might result from a Data Loss Event; state of technological development; and cost of implementing any measures; ensure that: the Supplier Personnel do not process Personal Data except in accordance with this Call-Off Contract (and in particular Call Off Schedule 18); it takes all reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that they: are aware of and comply with the Supplier’s duties under this clause; are subject to appropriate confidentiality undertakings with the Supplier or any Sub-processor; are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer or as otherwise permitted by this Call-Off Contract; and have undergone adequate training in the use, care, protection and handling of Personal Data; and not transfer Personal Data outside of the European Economic Area unless the prior written consent of the Customer has been obtained and the following conditions are fulfilled: the Customer or the Supplier has provided appropriate safeguards in relation to the transfer; the Data Subject has enforceable rights and effective legal remedies; the Supplier complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any
Personal Data that is transferred; and the Supplier complies with any reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; at the written direction of the Customer, delete or return Personal Data (and any copies of it) to the Customer on termination of the Call-Off Contract unless the Supplier is required by Law to retain the Personal Data. Subject to clause 34.7.6, the Supplier shall notify the Customer immediately if it: receives a Data Subject Access Request (or purported Data Subject Access Request); receives a request to rectify, block or erase any Personal Data; receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; receives any communication from the Information Commissioner or any other regulatory Customer in connection with Personal Data processed under this Call-Off Contract; receives a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or becomes aware of a Data Loss Event. The Supplier’s obligation to notify under clause 34.7.5 shall include the provision of further information to the Customer in phases, as details become available. 
Taking into account the nature of the processing, the Supplier shall provide the Customer with full assistance in relation to either party's obligations under Data Protection Legislation and any complaint, communication or request made under Clause 34.7.5 (and insofar as possible within the timescales reasonably required by the Customer) including by promptly providing: the Customer with full details and copies of the complaint, communication or request; such assistance as is reasonably requested by the Customer to enable the Customer to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; the Customer, at its request, with any Personal Data it holds in relation to a Data Subject; assistance as requested by the Customer following any Data Loss Event; assistance as requested by the Customer with respect to any request from the Information Commissioner’s Office, or any consultation by the Customer with the Information Commissioner's Office. The Supplier shall maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Supplier employs fewer than 250 staff, unless: the Customer determines that the processing is not occasional; the Customer determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; and the Customer determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. The Supplier shall allow for audits of its Data Processing activity by the Customer or the Customer’s designated auditor. The Supplier shall designate a Data Protection Officer if required by the Data Protection Legislation. 
Before allowing any Sub-processor to process any Personal Data related to this Call-Off Contract, the Supplier must: notify the Customer in writing of the intended Sub-processor and processing; obtain the written consent of the Customer; enter into a written agreement with the Sub-processor which give effect to the terms set out in this clause 34.7 such that they apply to the Sub-processor; and provide the Customer with such information regarding the Sub-processor as the Customer may reasonably require. The Supplier shall remain fully liable for all acts or omissions of any Sub-processor. The Customer may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Call-Off Contract). The Parties agree to take account of any non-mandatory guidance issued by the Information Commissioner’s Office publishes guidance. The Customer may on not less than 30 Working Days’ notice to the Supplier amend this Call-Off Contract to ensure that it complies with any guidance issued by the Information Commissioner’s Office.

Appears in 1 contract

Samples: Call Off Order Form and Call Off Terms

Data Protection. The Parties acknowledge that for the purposes of the Data Protection Legislation, the Authority is the Controller and the Supplier is the Processor. The only processing that the Supplier is authorised to do is listed in Framework Schedule 21 by the Authority and may not be determined by the Supplier. The Supplier shall notify the Authority immediately if it considers that any of the Authority's instructions infringe the Data Protection Legislation. The Supplier shall provide all reasonable assistance to the Authority in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Authority, include: a systematic description of the envisaged processing operations and the purpose of the processing; an assessment of the necessity and proportionality of the processing operations; an assessment of the risks to the rights and freedoms of Data Subjects; and the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. The Supplier shall, in relation to any Personal Data processed in connection with its obligations under this Framework Agreement: process that Personal Data only in accordance with Framework Schedule 21 unless the Supplier is required to do otherwise by Law.
If it is so required the Supplier shall promptly notify the Authority before processing the Personal Data unless prohibited by Law; ensure that it has in place Protective Measures, which have been reviewed and approved by the Authority as appropriate to protect against a Data Loss Event having taken account of the: nature of the data to be protected; harm that might result from a Data Loss Event; state of technological development; and cost of implementing any measures; ensure that: the Supplier Personnel do not process Personal Data except in accordance with this Framework Agreement (and in particular Framework Schedule 21); it takes all reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that they: i are aware of and comply with the Supplier’s duties under this clause; ii are subject to appropriate confidentiality undertakings with the Supplier or any Sub-processor; iii are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority or as otherwise permitted by this Framework Agreement; and iv have undergone adequate training in the use, care, protection and handling of Personal Data; and not transfer Personal Data outside of the European Economic Area unless the prior written consent of the Authority has been obtained and the following conditions are fulfilled: the Authority or the Supplier has provided appropriate safeguards in relation to the transfer; the Data Subject has enforceable rights and effective legal remedies; the Supplier complies with its obligations under the Data Protection Legislation by providing an
adequate level of protection to any Personal Data that is transferred; and the Supplier complies with any reasonable instructions notified to it in advance by the Authority with respect to the processing of the Personal Data; at the written direction of the Authority, delete or return Personal Data (and any copies of it) to the Authority on termination of the Framework Agreement unless the Supplier is required by Law to retain the Personal Data. Subject to clause 24.5.6, the Supplier shall notify the Authority immediately if it: receives a Data Subject Access Request (or purported Data Subject Access Request); receives a request to rectify, block or erase any Personal Data; receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Framework Agreement; receives a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or becomes aware of a Data Loss Event. The Supplier’s obligation to notify under clause 24.5.5 shall include the provision of further information to the Authority in phases, as details become available.
Taking into account the nature of the processing, the Supplier shall provide the Authority with full assistance in relation to either party's obligations under Data Protection Legislation and any complaint, communication or request made under Clause 24.5.5 (and insofar as possible within the timescales reasonably required by the Authority) including by promptly providing: the Authority with full details and copies of the complaint, communication or request; such assistance as is reasonably requested by the Authority to enable the Authority to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; the Authority, at its request, with any Personal Data it holds in relation to a Data Subject; assistance as requested by the Authority following any Data Loss Event; assistance as requested by the Authority with respect to any request from the Information Commissioner’s Office, or any consultation by the Authority with the Information Commissioner's Office. The Supplier shall maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Supplier employs fewer than 250 staff, unless: the Authority determines that the processing is not occasional; the Authority determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; and the Authority determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. The Supplier shall allow for audits of its Data Processing activity by the Authority or the Authority’s designated auditor. The Supplier shall designate a Data Protection Officer if required by the Data Protection Legislation. 
Before allowing any Sub-processor to process any Personal Data related to this Framework Agreement, the Supplier must: notify the Authority in writing of the intended Sub-processor and processing; obtain the written consent of the Authority; enter into a written agreement with the Sub-processor which give effect to the terms set out in this clause 24.5 such that they apply to the Sub-processor; and provide the Authority with such information regarding the Sub-processor as the Authority may reasonably require. The Supplier shall remain fully liable for all acts or omissions of any Sub-processor. The Authority may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Framework Agreement). The Parties agree to take account of any non-mandatory guidance issued by the Information Commissioner’s Office publishes guidance. The Authority may on not less than 30 Working Days’ notice to the Supplier amend this agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office.

Appears in 1 contract

Samples: Framework Agreement

Data Protection. 12.1 The Parties acknowledge that for the purposes of the Data Protection Legislation that the Customer is the Controller and CardioScan Ltd is the Processor. The only processing that the Processor is authorised to do is set out in Appendix 1 of Schedule 2, which is attached to and forms part of this Agreement, by the Controller and may not be determined by the Processor. 12.2 CardioScan shall notify the Customer without undue delay if it considers that any of the Customer’s instructions infringe the Data Protection Legislation. 12.3 CardioScan shall provide all reasonable assistance to the Customer in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Customer, include: 12.3.1 a systematic description of the envisaged processing operations and the purpose of the processing; 12.3.2 an assessment of the necessity and proportionality of the processing operations in relation to the Services; 12.3.3 an assessment of the risks to the rights and freedoms of Data Subjects; and 12.3.4 the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 12.4 CardioScan shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: 12.4.1 process that Personal Data only in accordance with Appendix 1 of Schedule 2, unless CardioScan is required to do otherwise by Law.
If it is so required, CardioScan shall promptly notify the Customer before processing the Personal Data unless prohibited by Law; 12.4.2 ensure that all measures in Appendix 2 of Schedule 2 are adhered to and met at all times of the: (a) the nature of the data to be protected; (b) the harm and risks that might result from a Data Loss Event; (c) assessment of the technical and non-technical controls to mitigate these risks; (d) the cost of implementing any measures if required; (e) ensuring that CardioScan Personnel do not process Personal Data except in accordance with this Agreement, and in particular Appendix 1 of Schedule 2; (f) taking all reasonable steps further detailed in Appendix 2 of Schedule 2, both technical and non-technical to ensure the reliability and integrity of any CardioScan Personnel who have access to the Personal Data and ensure that they: (i) are aware of and comply with XxxxxxXxxx’s duties under this clause; (ii) are subject to appropriate confidentiality undertakings with CardioScan or any Sub-processor.
This includes but is not limited to commercially sensitive information and Personal Data; (iii) are informed of the confidential nature of the Personal Data and commercially sensitive information and do not publish, disclose or divulge any of the Personal Data or commercially sensitive information to any third Party unless directed in writing to do so by the Customer or as otherwise permitted by this Agreement; (iv) have undergone adequate annual training in the use, care, protection and handling of Personal Data and are assessed as competent to undertake the processing activity or activities; (v) keep Personal Data and commercially sensitive information confidential for the length of the Agreement and ensure that once the Agreement has ended or terminated that Personal Data and commercially sensitive information is kept confidential indefinitely; (vi) at the written direction of the Customer, delete or return the Personal Data (and any copies of it) to the Customer on termination of the Agreement unless CardioScan is required by Law to retain the Personal Data. 12.5 Subject to clause 12.6 of this Schedule 3, CardioScan shall notify the Customer within two (2) Business Days if it: 12.5.1 receives a request to rectify, block or erase or transfer any Personal Data by the Data Subject; 12.5.2 receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; 12.5.3 receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or 12.5.4 becomes aware of a Data Loss Event. 12.6 CardioScan’s obligation to notify under clause 12.5 of this Schedule 3 shall include the provision of further information to the Customer in phases, as details become available. 
12.7 Taking into account the nature of the processing, CardioScan shall provide the Customer with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause 12.5 of this Schedule 3 (and insofar as possible within the timescales reasonably required by the Customer) including by promptly providing: 12.7.1 the Customer with full details and copies of the complaint, communication, Data Loss Event or request; 12.7.2 such assistance as is reasonably requested by the Customer to enable the Customer to comply with an Individual Rights Request within the relevant timescales set out in the Data Protection Legislation; 12.7.3 the Customer, at its request, with any Personal Data it holds in relation to a Data Subject; 12.7.4 reasonable assistance as requested by the Customer following any Data Loss Event; 12.7.5 reasonable assistance as requested by the Customer with respect to any request from the Information Commissioner’s Office, or any consultation by the Customer with the Information Commissioner's Office. 12.8 CardioScan shall allow for audits of its Data Processing activity by the Customer or the Customer’s designated auditor on five (5) Business Days’ notice. 12.9 CardioScan when ensuring that it has in place such Protective Measures, having been reviewed and approved by the Customer, shall following the reasonable request of the Customer supply such evidence as requested by the Customer within twenty-eight (28) days. 
12.10 CardioScan shall designate a Data Protection Officer or where not required by Law, authorised responsible officer whose 12.11 Subject to clauses 12.12 and 12.13 below CardioScan may transfer Personal Data to a Sub-processor outside of the European Economic Area (EEA) subject to the following conditions being fulfilled: 12.11.1 the Customer or CardioScan has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37); 12.11.2 the Data Subject has enforceable rights and effective legal remedies; 12.11.3 CardioScan complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Customer in meeting its obligations); 12.11.4 CardioScan complies with any reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; 12.11.5 CardioScan notifies the Customer prior to any transformation of the Personal Data which is not part of this agreed processing but occurs due to the transfer of Personal Data from CardioScan to or from another organisation party to this Agreement. 12.12 CardioScan shall not engage a Sub-processor for carrying out any Processing activities in respect of Personal Data except with the prior written agreement of the Customer and then only after entering into a binding agreement with each Sub-Processor that imposes the same obligations in respect of Processing Personal Data as set out in this Agreement.
CardioScan shall remain responsible for compliance of any such Sub-Processor with the requirements of this Agreement. 12.13 Specifically, the Customer hereby consents to the CardioScan engaging the following Sub-processors: i) Amazon Web Services (‘AWS’) and XxxxxxxxxxXxxxxx.xx to store the data on servers located in the cloud in England; and ii) CardioScan Services Pty Ltd, an Australian registered company that is located in Melbourne, Australia, and 100% owner of CardioScan to process Personal Data related to this Agreement in particular for the purposes of analysing the Personal Data; and subject to CardioScan: 12.13.1 Signing the EU Standard Contractual Clauses (SCC) in Schedule 2 with the Customer. Whilst the most relevant SCC strictly apply between a Controller in the EU and a Processor established outside the EU, the Parties agree, and after consultation with the lead supervisory authority (‘LSA’) that the Controller/Processor SCC are the most closely appropriate European Commission SCC for safeguarding the transfer of the Personal Data outside the EU by CardioScan as the Processor to Sub-processor; 12.13.2 Entering into a written agreement with each Sub-processor which gives effect to the terms set out in this clause 1 of Schedule 2 such that they apply to the sub-processor; and 12.13.3 Providing the Customer with such information regarding each Sub-processor as the Customer may reasonably require. 12.14 CardioScan shall remain fully liable for all acts or omissions of any Sub-processor. 12.15 The Customer may, at any time on not less than thirty (30) Business Days’ notice, revise clause 12 of this Schedule 3 (Data Protection) by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Agreement). 12.16 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office.
The Customer may on not less than thirty (30) Business Days’ notice to CardioScan amend this Agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office. 12.17 At the choice of the Customer, XxxxxxXxxx shall return or destroy all Personal Data to the Customer and delete any existing copies at the end of the provision of the Services. 12.18 CardioScan warrants that it shall: 12.18.1 Process the Personal Data in compliance with Law; and 12.18.2 Take appropriate technical and organisational measures against Data Breach. 12.19 CardioScan agrees to indemnify and keep indemnified and defend at its own expense the Customer against all costs, claims, damages or expenses (including without limitation fines and penalties imposed by the Information Commissioner Office) incurred by the Customer or for which the Customer may become liable due to any failure by CardioScan or its employees or agents to comply with any of its obligations under clause 12 of this Schedule 3 (Data Protection) and shall be subject to the liability cap set out in clause 14 of this Schedule 3. 12.20 The Customer agrees to indemnify and keep indemnified and defend at its own expense CardioScan against all costs, claims, damages, fines, penalties or expenses (including without limitation fines and penalties imposed by the Information Commissioner Office) incurred by CardioScan or for which the CardioScan may become liable, due to any failure by the Customer or its employees or agents to comply with any of its obligations under clause 12 of this Schedule 3 (Data Protection).

Appears in 1 contract

Samples: Agreement for the Provision of Cardiac Reporting Services

Data Protection. 8.1 The parties acknowledge that for the purposes of the Data Protection Legislation, the Council is the Controller and the Consultant is the Processor. The only processing that the Consultant is authorised to do is listed in Contract Schedule 5 by the Council and may not be determined by the Consultant. 8.2 The Consultant shall notify the Council immediately if it considers that any of the Council's instructions infringe the Data Protection Legislation. 8.3 The Consultant shall provide all reasonable assistance to the Council in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Council, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 8.4 The Consultant shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: (a) process that Personal Data only in accordance with Contract Schedule 5, unless the Consultant is required to do otherwise by Law. 
If it is so required the Consultant shall promptly notify the Council before processing the Personal Data unless prohibited by Law; (b) ensure that it has in place Protective Measures, which are as appropriate to protect against a Data Loss Event having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; (c) ensure that: (i) the Consultant Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 5); (ii) it takes all reasonable steps to ensure the reliability and integrity of any Contractor Personnel who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Consultant’s duties under this clause; (B) are subject to appropriate confidentiality undertakings with the Consultant or any Sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Council or as otherwise permitted by this Agreement; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; and (d) not transfer Personal Data outside of the EU unless the prior written consent of the Council has been obtained and the following conditions are fulfilled: (i) the Council or the Consultant has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Council; (ii) the Data Subject has enforceable rights and effective legal remedies; (iii) the Consultant complies with its obligations under 
the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Council in meeting its obligations); and (iv) the Consultant complies with any reasonable instructions notified to it in advance by the Council with respect to the processing of the Personal Data; (e) at the written direction of the Council, delete or return Personal Data (and any copies of it) to the Council on termination of the Agreement unless the Consultant is required by Law to retain the Personal Data. 8.5 Subject to clause 8.6, the Consultant shall notify the Council immediately if it: (a) receives a Data Subject Access Request (or purported Data Subject Access Request); (b) receives a request to rectify, block or erase any Personal Data; (c) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; (d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; (e) receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or (f) becomes aware of a Data Loss Event. 8.6 The Consultant’s obligation to notify under clause 8.5 shall include the provision of further information to the Council in phases, as details become available. 
8.7 Taking into account the nature of the processing, the Consultant shall provide the Council with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under Clause 8.5 (and insofar as possible within the timescales reasonably required by the Council) including by promptly providing: (a) the Council with full details and copies of the complaint, communication or request; (b) such assistance as is reasonably requested by the Council to enable the Council to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; (c) the Council, at its request, with any Personal Data it holds in relation to a Data Subject; (d) assistance as requested by the Council following any Data Loss Event; (e) assistance as requested by the Council with respect to any request from the Information Commissioner’s Office, or any consultation by the Council with the Information Commissioner's Office. 8.8 The Consultant shall maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Consultant employs fewer than 250 staff, unless: (a) the Council determines that the processing is not occasional; (b) the Council determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; and (c) the Council determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. 
8.9 The Consultant shall allow for audits of its Data Processing activity by the Council or the Council’s designated auditor The Council is entitled, on giving at least three days' notice to the Consultant, to inspect or appoint representatives to inspect all facilities, equipment, documents and electronic data relating to the processing of Personal Data under this Agreement by the Consultant. The requirement to give notification in advance will not apply if the Council believes that the Consultant is in breach of any of its obligations under this Agreement. The Consultant shall designate a data protection officer if required by the Data Protection Legislation. 8.10 The Consultant shall designate a data protection officer if required by the data protection legislation 8.11 Before allowing any Sub-processor to process any Personal Data related to this Agreement, the Consultant must: (a) notify the Council in writing of the intended Sub-processor and processing; (b) obtain the written consent of the Council; (c) enter into a written agreement with the Sub-processor which give effect to the terms set out in this clause 8 such that they apply to the Sub-processor; and (d) provide the Council with such information regarding the Sub-processor as the Council may reasonably require. 8.12 The Consultant shall remain fully liable for all acts or omissions of any Sub-processor. 8.13 The Council may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Agreement). 8.14 The parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Council may on not less than 30 Working Days’ notice to the Consultant amend this agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Officer. 
8.15 The Consultant shall undertake all of the above processing activities at its own expense and at no extra cost to the Council. 8.16 The Council retention and disposal schedule as provided in Schedule 5 will be followed by the Consultant where appropriate and relevant; no decisions on retention or disposal are to be made by the Consultant unless it is part of detailed Processing under this Agreement. 8.17 The Consultant shall without undue delay inform the Council if any Personal Data is lost or destroyed or becomes damaged, corrupted, or unusable. The Consultant will make regular backups of the Personal Data and will restore such Personal Data at its own expense.

Appears in 1 contract

Samples: Draft Terms and Conditions

Data Protection. 34.1 Both parties agree that they will comply with their respective obligations under the Data Protection Legislation and the terms of this Agreement and in particular each party shall designate a data protection officer if required by Data Protection Legislation and shall maintain complete and accurate records and information to demonstrate its compliance with Data Protection Legislation and this clause. 34.2 Both parties acknowledge that for the purposes of the Data Protection Legislation, each will have responsibilities as a Controller, a joint Controller and as a Processor for Personal Data under this Agreement. 34.3 Insofar that each party has responsibility as a Controller and/or joint Controller, both parties will ensure that a Data Sharing Agreement is completed and signed by both parties. 34.4 To the extent that either party acts as a Processor on behalf of the other, the remainder of this clause shall apply. 34.5 The Processor shall notify the Controller immediately if it considers that any of the Controller’s instructions infringe the Data Protection Legislation. 34.6 The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. 
Such assistance may, at the discretion of the Controller, include: 34.6.1 a systematic description of the envisaged processing operations and the purpose of the processing; 34.6.2 an assessment of the necessity and proportionality of the processing operations in relation to the Services; 34.6.3 an assessment of the risks to the rights and freedoms of Data Subjects; and 34.6.4 the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 34.7 The Processor shall, in relation to any Personal Data processed on behalf of the Controller in connection with its obligations under this Agreement: 34.7.1 process that Personal Data only with the Controllers prior agreement and in accordance with the written instructions of the Controller unless the Processor is required to do otherwise by Law. If it is so required the Processor shall promptly notify the Controller before processing the Personal Data unless prohibited by Law; 34.7.2 ensure that it has in place Protective Measures, which have been reviewed and approved by the Controller as appropriate to protect against a Data Loss Event having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; 34.7.3 ensure that: (i) the Processor Personnel do not process Personal Data except in accordance with this Agreement and any additional agreement between the two parties. 
(ii) it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they: ● are aware of and comply with the Processors duties under this Clause; ● are subject to appropriate confidentiality undertakings with the Processor or any Sub-processor; ● are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Controller or as otherwise permitted by this Agreement; and ● have undergone adequate training. 34.7.4 not transfer Personal Data outside of the UK unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled: (i) the Controller or the Processor has provided appropriate safeguards in relation to the transfer (in accordance with ‘Data Protection Legislation) as determined by the Controller; (ii) the Data Subject has enforceable rights and effective legal remedies; (iii) the Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and (iv) the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the personal Data; 34.7.5 at the written direction of the Controller, delete or return Personal Data (and any copies of it) to the Controller on termination of the Agreement unless the Processor is required by law to retain the Personal Data. 
34.8 Subject to clause 34.8, the Processor shall notify the Controller immediately (and in any event, within 24 hours) of becoming aware if it: (i) receives a Data Subject Access Request (or purported Data Subject Access Request); (ii) receives a request to rectify, block or erase any Personal Data; (iii) receives any other request, complaint or communication relating to either Party’s obligations under the Data Protection Legislation; (iv) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; (v) receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or (vi) becomes aware of a Data Loss Event. 34.9 The Processor’s obligation to notify under clause 34.7 shall include the provision of further information to the Controller in phases, as details become available. 34.10 Taking into account the nature of the processing, the Processor shall provide the Controller with full assistance in relation to either Party’s obligations under Data Protection Legislation and any complaint, communication or request made under clause 34.8 (and insofar as possible within the timescales reasonably required by the Controller) including by promptly providing: (i) the Controller with full details and copies of the complaint, communication or Request; (ii) such assistance as is reasonably requested by the Controller to enable the Controller to comply with a Data Subject Access Request within the relevant timescales set out in Data Protection Legislation; (iii) the Controller, at its request, with any Personal Data it holds in relation to a Data Subject; (iv) assistance as requested by the Controller following any Data Loss Event; (v) assistance as requested by the Controller with respect to any request from the Information Commissioner's Office or any consultation by the Controller with 
the Information Commissioner’s Office. 34.11 The Processor shall allow for audits of its Data Processing activity by the Controller or the Controller’s designated auditor. 34.12 Before allowing any Sub-processor to process any Personal Data related to this Agreement, the Processor must: (i) notify the Controller in writing of the intended Sub-processor and processing; (ii) obtain the written consent of the Controller; (iii) enter into a written agreement with the Sub-processor which give effect to the terms that apply to the Sub-processor; (iv) provide the Controller with such information regarding the Sub-processor as the Controller may reasonably require. 34.13 The Processor shall remain fully liable for all acts or omissions of any Sub- Processor. 34.14 The Controller may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Agreement). 34.15 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Controller may on not less than 30 Working Days’ Notice to the Processor amend this Agreement to ensure that it complies with any Guidance issued by the Information Commissioner’s Office.

Appears in 1 contract

Samples: National Fostering Model Contract

Data Protection. 13.1 This clause 13 (Data Protection) applies in case Xxxxxxx’x performance of the services incorporates processing of Personal Data by Trimble on behalf of the Customer. Both parties will comply with all applicable requirements of the Data Protection Legislation. This Agreement is an addition to, and does not relieve, remove or replace, a party’s obligations under the Data Protection Legislation. 13.2 The parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the controller and the Trimble is the processor (where Controller and Processor have the meanings as defined in the Data Protection Legislation). The Agreement and Schedule sets out the scope, nature and the purpose of processing by Trimble, the duration of the processing and the types of personal data (as defined in the Data Protection Legislation, “Personal Data”) and categories of data subject. 13.3 Without prejudice to the generality of clause 13.1, the Customer will ensure that it fulfills all necessary requirements to enable lawful transfer of the Personal Data to Trimble for the duration and purposes of this agreement. 
13.4 Without prejudice to the generality of clause 13.1, Trimble shall, in relation to any Personal Data processed in connection with the performance by Trimble of its obligations under this Agreement: (a) process that Personal Data only on the written instructions of the Customer subject to Art. 28 (3) GDPR. Instructions may be handled as a change request at the cost of Customer. Provider shall immediately inform the Customer if, in its opinion, an instruction infringes Data Protection Legislation; (b) ensure that it has in place appropriate technical and organizational measures, which are reviewed and approved by the Customer (for Xxxxxxx’x list of measures see the Schedule). 
Such measures shall ensure a level of security appropriate to risks presented by processing and are subject to change depending on Provider’s recurring risk assessments; (c) ensure that personnel or any other person acting on behalf of Trimble who have access to and/or process Personal Data are obliged to keep the Personal Data confidential and ensure any natural person acting under the authority of Trimble who has access to personal data does not process them except on instructions from the Customer; (d) may transfer Personal Data outside of the European Economic Area. 
In case of transfer outside the European Economic Area, Trimble ensures that the transfer is only to (a) countries for which the European Commission has decided that they have an adequate level of data protection or (b) use European Commission standard contractual clauses 2010/87/EU; (e) assist the Customer, at the Customer’s cost, in responding to any request from a data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; (f) assist the Customer by providing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Customer’s obligation to respond to requests for exercising the data subject’s rights pursuant to Data Protection Regulation; (g) notify the Customer without undue delay on becoming aware of a Personal Data breach; (h) at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer on termination of the agreement unless required by Applicable Law to store the Personal Data; and (i) maintain complete and accurate records and information to demonstrate its compliance with this clause and the Data Protection Regulation and allow for audits by the Customer or the Customer’s designated auditor. (j) be entitled to collect, use, process anonymous and aggregate data of the use of the services pursuant to the Agreement, that is not personally identifiable with the Customer nor data subjects and use such data for any Xxxxxxx’x internal business purpose, and for the improvement and/or the development of other products or service capabilities. 13.5 Trimble shall not engage a third-party processor without prior specific or general written authorization of the Customer. 
The Customer consents to Trimble appointing the parties named in the Schedule as third-party processors of Personal Data under this Agreement. Trimble confirms that it has entered or (as the case may be) will enter with the third-party processor into a written agreement in which he imposes on that other processor the obligations as set out in this clause. Trimble informs the Customer of any intended changes concerning the addition or replacement of other processors. The Customer has the right to object to such changes. As between the Customer and Trimble, Trimble shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause. 13.6 Either party may, at any time on not less than 30 days’ notice, revise this clause by replacing it with any applicable controller to processor standard clauses or similar terms forming party of an applicable certification scheme (which shall apply when replaced by attachment to this agreement). 13.7 Each party’s and its affiliates’ liability arising out of or related to this clause and processing of Customer’s Personal Data, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and its affiliates under the Agreement. For the avoidance of doubt, Provider's and its affiliates’ total liability for all claims from the Customer and its affiliates arising out of or related to the Agreement and this clause shall apply in the aggregate for all claims under the Agreement.

Appears in 1 contract

Samples: End User License Agreement

Data Protection. The parties shall comply with the provisions and obligations imposed on them by the Data Protection Laws at all times when processing Personal Data in connection with this Agreement, which processing shall be in respect of the types of Personal Data, categories of Data Subjects, nature and purposes, and duration, set out in Schedule 3. 7.1 Each party shall maintain records of all processing operations under its responsibility that contain at least the minimum information required by the Data Protection Laws, and shall make such information available to any DP Regulator on request. 7.2 The data controller shall: (a) ensure that any instructions it issues to the data processor shall comply with the Data Protection Laws; and (b) have sole responsibility for the accuracy, quality and legality of Personal Data and the means by which the data controller acquired Personal Data shall establish the legal basis for processing under Data Protection Laws, including providing all notices and obtaining all consents as may be required under Data Protection Laws in order for the data processor to process the Personal Data as otherwise contemplated by this Agreement. 
7.3 To the extent the Supplier receives from, or processes any Personal Data on behalf of, the Customer, the Supplier shall: (a) process such Personal Data (i) only in accordance with the Customer's written instructions from time to time (including those set out in this Agreement) provided such instructions are lawful and unless it is otherwise required by applicable law (in which case, unless such law prohibits such notification on important grounds of public interest, the Supplier shall notify the Customer of the relevant legal requirement before processing the Personal Data), and (ii) only for the duration of this Agreement; (b) take commercially reasonable steps to ensure its personnel who are authorised to have access to such Personal Data, and ensure that any such personnel are committed to confidentiality or are under an appropriate statutory obligation of confidentiality when processing such Personal Data; (c) taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the Processing, implement technical and organisational measures and procedures to ensure an level of security for such Personal Data appropriate to the risk, including the risks of accidental, unlawful or unauthorised destruction, loss, alteration, disclosure, dissemination or access; (d) unless the transfer is based on an "adequacy decision", is otherwise "subject to appropriate safeguards" or if a "derogation for specific situations" applies, each within the meanings given to them in Articles 45, 46 and 49 of the GDPR respectively, not transfer, access or process such Personal Data outside the European Union without the prior written consent of the Customer (not to be unreasonably withheld or delayed), unless such transfer is to the Customer or an Authorised User; (e) inform the Customer without undue delay upon becoming aware of any such Personal Data (while within the Supplier's or its subcontractors' or affiliates' possession or 
control) being subject to a personal data breach (as defined in Article 4 of GDPR); (f) not disclose any Personal Data to any Data Subject or to a third party other than at the written request of the Customer or as expressly provided for in this Agreement; (g) except for Personal Data of which the data processor is also a data controller and except as required by law or in order to defend any actual or possible legal claims, as the Customer so directs, take reasonable steps to return or irretrievably delete all Personal Data on termination or expiry of this Agreement, and not make any further use of such Personal Data; (h) provide to the Customer and any DP Regulator all information and assistance reasonably necessary to demonstrate or ensure compliance with the obligations in this clause 7 and/or the Data Protection Laws; (i) permit the Customer or its representatives to access any relevant premises, personnel or records of the Supplier on reasonable notice to audit and otherwise verify compliance with this clause 7, subject to the following requirements: (i) the Customer may perform such audits no more than once per year or more frequently if required by Data Protection Laws; (ii) the Customer may use a third party to perform the audit on its behalf, provided such third party executes a confidentiality agreement acceptable to the Supplier before the audit; (iii) audits must be conducted during regular business hours, subject to the Supplier's policies, and may not unreasonably interfere with the Supplier's business activities; (iv) the Customer must provide the Supplier with any audit reports generated in connection with any audit at no charge unless prohibited by applicable law. The Customer may use the audit reports only for the purposes of meeting its audit requirements under Data Protection Laws and/or confirming compliance with the requirements of this clause 7. 
The audit reports shall be confidential; (v) to request an audit, the Customer must first submit a detailed audit plan to the Supplier at least 6 (six) weeks in advance of the proposed audit date. The audit must describe the proposed scope, duration and start date of the audit. The Supplier will review the audit plan and inform the Customer of any concerns or questions (for example, any request for information that could compromise the Supplier's confidentiality obligations or its security, privacy, employment or other relevant policies). The Supplier will work cooperatively with the Customer to agree a final audit plan; (vi) nothing in this clause 17.5(d)(vii) shall require the Supplier to breach any duties of confidentiality owed to any of its clients, employees or Third Party Providers; and (vii) all audits are at the Customer's sole cost and expense; (j) take such steps as are reasonably required to assist the Customer in ensuring compliance with its obligations under Articles 30 to 36 (inclusive) of GDPR; (k) notify the Customer as soon as reasonably practicable if it receives a request from a Data Subject to exercise its rights under the Data Protection Laws in relation to that person's Personal Data; and (l) provide the Customer with reasonable co-operation and assistance in relation to any request made by a Data Subject to exercise its rights under the Data Protection Laws in relation to that person's Personal Data processed provided that the Customer shall be responsible for the Supplier's costs and expenses arising from such co-operation and assistance.
7.4 If either party receives any complaint, notice or communication which relates directly or indirectly to the processing of Personal Data by the other party or to either party's compliance with the Data Protection Laws, it shall as soon as reasonably practicable notify the other party and it shall provide the other party with commercially reasonable co-operation and assistance in relation to any such complaint, notice or communication. 7.5 The Supplier shall not engage Third Party Providers including any advisers, contractors, or auditors to Process Personal Data.
7.6 Where Personal Data is Processed by the Supplier under or in connection with this Agreement on behalf of the Customer as the data controller, the Customer agrees that the Supplier may disclose the Personal Data to the Supplier's employees, sub-contractors (including Third Party Providers), agents, Affiliates and Affiliate employees as the Supplier reasonably considers necessary for the performance of its obligations under this Agreement, for compliance with applicable law and to defend any actual or possible legal claims. The Supplier shall take reasonable steps to ensure the reliability and integrity of any person who has access to the Personal Data and ensure that such persons are aware of the Supplier's obligations under this Agreement. 7.7 The Customer shall, prior to inputting any Personal Data in respect of its pupils, students or clients into the Software, provide a copy of the Supplier Privacy Policy to all Data Subjects in respect of whom the Customer inputs Personal Data into the Software.

Appears in 1 contract

Samples: Software as a Service Subscription Agreement

Data Protection. 1.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Authority is the Controller and the Grant Recipient is the Processor unless otherwise specified in this Annex 8. The only processing that the Processor is authorised to do is listed in Part 1 of Annex 8 by the Controller and may not be determined by the Processor. 1.2 The Processor shall notify the Controller immediately if it considers that any of the Controller's instructions infringe the Data Protection Legislation. 1.3 The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Controller, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of data subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 1.4 The Processor shall, in relation to any Personal Data processed in connection with its obligations under these Conditions: (a) process that Personal Data only in accordance with this Annex 8, unless the Processor is required to do otherwise by Law.
If it is so required the Processor shall promptly notify the Controller before processing the Personal Data unless prohibited by Law; (b) ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; (c) ensure that: (i) the Processor Personnel do not process Personal Data except in accordance with these Conditions (and in particular Part 1 of Annex 8); (ii) it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Processor’s duties under this paragraph; (B) are subject to appropriate confidentiality undertakings with the Processor or any sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any Third Party unless directed in writing to do so by the Controller or as otherwise permitted by these Conditions; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; and (d) not transfer Personal Data outside of the EU (which for the purposes of this limb (d) shall be deemed to include the UK) unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled: (i) the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with UK GDPR Article 46 or DPA 2018 Section 75) as determined by the Controller; (ii) the Data Subject has enforceable rights and
effective legal remedies; (iii) the Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and (iv) the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data; (e) at the written direction of the Controller, delete or return Personal Data (and any copies of it) to the Controller on termination of the Agreement unless the Processor is required by Law to retain the Personal Data. 1.5 Subject to paragraph 1.6, the Processor shall notify the Controller immediately if it: (a) receives a Data Subject Request (or purported Data Subject Request); (b) receives a request to rectify, block or erase any Personal Data; (c) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; (d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under these Conditions; (e) receives a request from any Third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or (f) becomes aware of a Data Loss Event. 1.6 The Processor’s obligation to notify under paragraph 1.5 shall include the provision of further information to the Controller in phases, as details become available. 
1.7 Taking into account the nature of the processing, the Processor shall provide the Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under paragraph 1.5 (and insofar as possible within the timescales reasonably required by the Controller) including by promptly providing: (a) the Controller with full details and copies of the complaint, communication or request; (b) such assistance as is reasonably requested by the Controller to enable the Controller to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation; (c) the Controller, at its request, with any Personal Data it holds in relation to a Data Subject; (d) assistance as requested by the Controller following any Data Loss Event; (e) assistance as requested by the Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Controller with the Information Commissioner's Office. 1.8 The Processor shall maintain complete and accurate records and information to demonstrate its compliance with this paragraph. This requirement does not apply where the Processor employs fewer than 250 staff, unless: (a) the Controller determines that the processing is not occasional; (b) the Controller determines the processing includes special categories of data as referred to in Article 9(1) of the UK GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the UK GDPR; or (c) the Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. 1.9 The Processor shall allow for audits of its Data Processing activity by the Controller or the Controller’s designated auditor. 1.10 Each Party shall designate its own data protection officer if required by the Data Protection Legislation. 
1.11 Before allowing any Sub-processor to process any Personal Data related to these Conditions, the Processor must: (a) notify the Controller in writing of the intended Sub-processor and processing; (b) obtain the written consent of the Controller; (c) enter into a written agreement with the Sub-processor which give effect to the terms set out in this paragraph 1.11 such that they apply to the Sub-processor; and (d) provide the Controller with such information regarding the Sub-processor as the Controller may reasonably require. 1.12 The Processor shall remain fully liable for all acts or omissions of any of its Sub-processors. 1.13 The Authority may, at any time on not less than 30 Working Days’ notice, revise this paragraph by replacing it with any applicable controller to processor standard paragraphs or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to these Conditions). 1.14 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Controller may on not less than 30 Working Days’ notice to the Processor amend these Conditions to ensure that it complies with any guidance issued by the Information Commissioner’s Office. 1.15 Where the Parties include two or more Joint Controllers in respect of Personal Data under this Grant Funding Agreement as identified in Part 1 of Annex 8 in accordance with UK GDPR Article 26, those Parties shall enter into a Joint Controller Agreement based on the terms outlined in Part 2 of Annex 8 in replacement of paragraphs 1.1 to 1.14 for the Personal Data under Joint Control. This Annex shall be completed by the Controller, who may take account of the view of the Processors, however the final decision as to the content of this Annex shall be with the Controller at its absolute discretion. 1. The contact details of the Controller’s Data Protection Officer are: [Insert Contact details]

Appears in 1 contract

Samples: Grant Funding Agreement

Data Protection. The Parties acknowledge that for the purposes of the Data Protection Legislation, the School is the Controller and the Processor is the Processor. The only processing that the Processor is authorised to do by the School is listed in Schedule One and may not be determined by the Processor. The Processor shall notify the School immediately if it considers that any of the School's instructions infringe the Data Protection Legislation. The Processor shall provide all reasonable assistance to the School in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the School, include: a systematic description of the envisaged processing operations and the purpose of the processing; an assessment of the necessity and proportionality of the processing operations in relation to the Services; an assessment of the risks to the rights and freedoms of Data Subjects; and the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. The Processor shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: process that Personal Data only in accordance with Schedule One unless the Processor is required to do otherwise by Law.
If it is so required the Processor shall promptly notify the School before processing the Personal Data unless prohibited by Law; ensure that it has in place Protective Measures, which have been reviewed and approved by the School as appropriate to protect against a Data Loss Event having taken account of the: nature of the data to be protected; harm that might result from a Data Loss Event; state of technological development; and cost of implementing any measures; ensure that: the Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule One); take all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they: are aware of and comply with the Processor’s duties under this clause; are subject to appropriate confidentiality undertakings with the Processor or any Sub-processor; are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the School or as otherwise permitted by this Agreement; and have undergone adequate training in the use, care, protection and handling of Personal Data; and not transfer Personal Data outside of the EU unless the prior written consent of the School has been obtained and the following conditions are fulfilled: the School or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the School; the Data Subject has enforceable rights and effective legal remedies; the Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection
to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the School in meeting its obligations); and the Processor complies with any reasonable instructions notified to it in advance by the School with respect to the processing of the Personal Data; at the written direction of the School, delete or return Personal Data (and any copies of it) to the School on termination of the Agreement unless the Processor is required by Law to retain the Personal Data. The Processor shall notify the School immediately if it: receives a Data Subject Access Request (or purported Data Subject Access Request); receives a request to rectify, block or erase any Personal Data; receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or becomes aware of a Data Loss Event. The Processor’s obligation to notify under clause 1.5 shall include the provision of further information to the School in phases, as details become available. 
Taking into account the nature of the processing, the Processor shall provide the School with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause 1.5 (and insofar as possible within the timescales reasonably required by the School) including by promptly providing: the School with full details and copies of the complaint, communication or request; such assistance as is reasonably requested by the School to enable the School to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; the School, at its request, with any Personal Data it holds in relation to a Data Subject; assistance as requested by the School following any Data Loss Event; assistance as requested by the School with respect to any request from the Information Commissioner’s Office, or any consultation by the School with the Information Commissioner's Office. The Processor shall maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Processor employs fewer than 250 staff, unless: the School determines that the processing is not occasional; the School determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; and the School determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. The Processor shall allow for audits of its Data Processing activity by the School or the School’s designated auditor. The Processor shall designate a data protection officer if required by the Data Protection Legislation. 
Before allowing any Sub-processor to process any Personal Data related to this Agreement, the Processor must: notify the School in writing of the intended Sub-processor and processing; obtain the written consent of the School; enter into a written agreement with the Sub-processor which give effect to the terms set out in this Agreement such that they apply to the Sub-processor; and provide the School with such information regarding the Sub-processor as the School may reasonably require. The Processor shall remain fully liable for all acts or omissions of any Sub-processor. The School may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Agreement). The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The School may on not less than 30 Working Days’ notice to the Processor amend this agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office.

Appears in 1 contract

Samples: Data Processing Agreement

Data Protection. 19.1 The Lessor shall, and shall procure that all staff shall, comply with any notification requirements under DPA and all Parties shall duly observe all their obligations under the DPA which arise in connection with the Agreement. 19.2 It is not envisaged that for the purposes of management that there will be any provision of Personal Data to the Lessor by Lessee for processing. This Clause does not seek to limit or obviate the responsibilities of the Lessee or the Lessor to Personal Data. 19.3 Whilst it is not envisaged that there will be any provision of Personal Data by Lessee to the Lessor, should this situation alter then the following Clauses 19.4 – 19.17 apply. 19.4 All Parties acknowledge that for the purposes of the Data Protection Legislation, the Lessee is the Controller and the Lessor is the Processor. The only processing that the Lessor is authorised to undertake will be notified in writing by the Lessee. Changes to processing may not be determined by the Lessor. 19.5 The Lessor shall notify the Lessee immediately if it considers that any of the Lessee's instructions infringe the DPA. 19.6 The Lessor shall provide all reasonable assistance to the Lessee in the preparation of any Data Protection Impact Assessment prior to commencing any processing.
Such assistance may, at the discretion of the Lessee, include: (a) systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to this Agreement; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 19.7 The Lessor shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: (a) process that Personal Data only in accordance with ensuring delivery of Goods unless the Lessor is required to do otherwise by Law. If it is so required the Lessor shall promptly notify the Lessee before processing the Personal Data unless prohibited by Law; (b) ensure that it has in place Protective Measures, which have been reviewed and approved by Lessee as appropriate to protect against a Data Loss Event having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; (c) ensure that: (i) the employees do not process Personal Data except in accordance with this Agreement (and particularly for the purposes of delivery of Goods); (ii) it takes all reasonable steps to ensure the reliability and integrity of any employees who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Lessor’s duties under this clause; (B)
are subject to appropriate confidentiality undertakings with the Lessor or any Sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by Lessee or as otherwise permitted by this Agreement; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; and (d) not transfer Personal Data outside of the United Kingdom unless the prior written consent of Lessee has been obtained and the following conditions are fulfilled: (i) The Lessor has provided appropriate safeguards in relation to the transfer (whether in accordance with UK GDPR Article 46 or LED Article

Appears in 1 contract

Samples: DPS Agreement

Data Protection. The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Controller and the Contractor is the Processor. The only processing that the Contractor is authorised to do is listed in Schedule [X] by the Customer and may not be determined by the Contractor. The Contractor shall notify the Customer immediately if it considers that any of the Customer's instructions infringe the Data Protection Legislation. The Contractor shall provide all reasonable assistance to the Customer in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Customer, include: a systematic description of the envisaged processing operations and the purpose of the processing; an assessment of the necessity and proportionality of the processing operations in relation to the Services; an assessment of the risks to the rights and freedoms of Data Subjects; and the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. The Contractor shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: process that Personal Data only in accordance with Schedule [X], unless the Contractor is required to do otherwise by Law.
If it is so required the Contractor shall promptly notify the Customer before processing the Personal Data unless prohibited by Law; ensure that it has in place Protective Measures, which have been reviewed and approved by the Customer as appropriate to protect against a Data Loss Event having taken account of the: nature of the data to be protected; harm that might result from a Data Loss Event; state of technological development; and cost of implementing any measures; ensure that: the Contractor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule X); it takes all reasonable steps to ensure the reliability and integrity of any Contractor Personnel who have access to the Personal Data and ensure that they: are aware of and comply with the Contractor’s duties under this clause; are subject to appropriate confidentiality undertakings with the Contractor or any Sub-processor; are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Customer or as otherwise permitted by this Agreement; and have undergone adequate training in the use, care, protection and handling of Personal Data; and not transfer Personal Data outside of the EU unless the prior written consent of the Customer has been obtained and the following conditions are fulfilled: the Customer or the Contractor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Customer; the Data Subject has enforceable rights and effective legal remedies; the Contractor complies with its obligations under the Data Protection Legislation
by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Customer in meeting its obligations); and the Contractor complies with any reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; at the written direction of the Customer, delete or return Personal Data (and any copies of it) to the Customer on termination of the Agreement unless the Contractor is required by Law to retain the Personal Data. Subject to clause 1.6, the Contractor shall notify the Customer immediately if it: receives a Data Subject Access Request (or purported Data Subject Access Request); receives a request to rectify, block or erase any Personal Data; receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or becomes aware of a Data Loss Event. The Contractor’s obligation to notify under clause 13.5 shall include the provision of further information to the Customer in phases, as details become available. 
Taking into account the nature of the processing, the Contractor shall provide the Customer with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause 13.5 (and insofar as possible within the timescales reasonably required by the Customer) including by promptly providing: the Customer with full details and copies of the complaint, communication or request; such assistance as is reasonably requested by the Customer to enable the Customer to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; the Customer, at its request, with any Personal Data it holds in relation to a Data Subject; assistance as requested by the Customer following any Data Loss Event; assistance as requested by the Customer with respect to any request from the Information Commissioner’s Office, or any consultation by the Customer with the Information Commissioner's Office. The Contractor shall maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Contractor employs fewer than 250 staff, unless: the Customer determines that the processing is not occasional; the Customer determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; and the Customer determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. The Contractor shall allow for audits of its Data Processing activity by the Customer or the Customer’s designated auditor. The Contractor shall designate a data protection officer if required by the Data Protection Legislation. 
Before allowing any Sub-processor to process any Personal Data related to this Agreement, the Contractor must: notify the Customer in writing of the intended Sub-processor and processing; obtain the written consent of the Customer; enter into a written agreement with the Sub-processor which gives effect to the terms set out in this clause [X] such that they apply to the Sub-processor; and provide the Customer with such information regarding the Sub-processor as the Customer may reasonably require. The Contractor shall remain fully liable for all acts or omissions of any Sub-processor. The Customer may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Agreement). The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Customer may on not less than 30 Working Days’ notice to the Contractor amend this agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office.

Appears in 1 contract

Samples: Service Agreement

Data Protection. 10.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Council is the Controller and the Company is the Processor. The only processing that the Company is authorised to do is listed in Contract Schedule 3 by the Council and may not be determined by the Company. 10.2 The Company shall notify the Council immediately if it considers that any of the Council’s instructions infringe the Data Protection Legislation. 10.3 The Company shall provide all reasonable assistance to the Council in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the company include: 10.3.1 a systematic description of the envisaged processing operations and the purpose of the processing; 10.3.2 an assessment of the necessity and proportionality of the processing operations in relation to the services; 10.3.3 an assessment of the risks to the rights and freedoms of Data Subjects; and 10.3.4 the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 10.4 The Company shall, in relation to any Personal Data processed in connection with its obligations under the Agreement: 10.4.1 process that Personal Data only in accordance with Contract Schedule 3, unless the Company is required to do otherwise by Law.
If it is so required the Company shall promptly notify the Council before processing the Personal Data unless prohibited by Law; 10.4.2 ensure that it has in place Protective Measures, which have been reviewed and approved by the Council as appropriate to protect against a Data Loss Event having taken account of the: 10.4.2.1 nature of the data to be protected; 10.4.2.2 harm that might result from a Data Loss Event; 10.4.2.3 state of technological development; and 10.4.2.4 cost of implementing any measures. 10.5 ensure that: The Company Personnel do not process Personal Data except in accordance with the Agreement (and in particular Schedule 3 and clause 7.7); 10.6 In relation to Company Personnel, the Company shall take all reasonable steps to ensure the reliability and integrity of any Company Personnel who have access to the Personal Data and ensure that they: 10.6.1 are aware of and comply with the Company’s duties under this clause 10.6.2 are subject to appropriate confidentiality undertakings with the Company or any Sub-processor 10.6.3 are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Council or as otherwise permitted by this Agreement; and 10.6.4 have undergone adequate training in the use, care, protection and handling of Personal Data; and 10.7 The Company shall not transfer Personal Data outside of the EU unless the prior written consent of the Council has been obtained and the following conditions are fulfilled: 10.7.1 the Council or the Company has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as
determined by the Council; 10.7.2 the data subject has enforceable rights and effective legal remedies; 10.7.3 the Company complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Council in meeting its obligations); and 10.7.4 the Company complies with any reasonable instructions notified to it in advance by the Council with respect to the processing of the Personal Data; 10.7.5 at the written direction of the Council, delete or return Personal Data (and any copies of it) to the Council on termination of the Agreement unless the Company is required by Law to retain the Personal Data. 10.8 Subject to clause 9.6 the Company shall notify the Council immediately if it: 10.8.1 receives a Data Subject Access Request (or purported Data Subject Access Request); 10.8.2 receives a request to rectify, block or erase any Personal Data; 10.8.3 receives any other request, complaint or communication relating to either Party’s obligations under the Data Protection Legislation; 10.8.4 receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; 10.8.5 receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or 10.8.6 becomes aware of a Data Loss Event. 10.9 The Company’s obligation to notify under clause 10.8 shall include the provision of further information to the Council in phases, as details become available.
10.10 Taking into account the nature of the processing, the Company shall provide the Council with full assistance in relation to either Party’s obligations under Data Protection Legislation and any complaint, communication or request made under clause 10.8 (and insofar as possible within the timescales reasonably required by the Council) including by promptly providing: 10.10.1 such assistance as is reasonably requested by the Council to enable the Council to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; 10.10.2 the Council, at its request, with any Personal Data it holds in relation to a Data Subject; 10.10.3 assistance as requested by a Council following any Data Loss Event; and 10.10.4 assistance as requested by the Council with respect to any request from the Information Commissioner’s Office, or any consultation by the Council with the Information Commissioner’s Office. 10.11 The Company shall maintain complete and accurate records and information to demonstrate its compliance with the clause. This requirement does not apply where the Company employs fewer than 250 staff, unless: 10.11.1 the Council determines that the processing is not occasional; 10.11.2 the Council determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; and 10.11.3 the Council determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. 10.12 The Company shall allow for audits of its Data Processing activity by the Council or the Council’s designated auditor. 10.13 The Company shall designate a data protection officer if required by the Data Protection Legislation.
10.14 Before allowing any Sub-processor to process Personal Data related to this Agreement, the Company must: 10.14.1 notify the Council in writing of the intended Sub-processor and processing; 10.14.2 obtain the written consent of the Council; 10.14.3 enter into a written agreement with the Sub-processor which gives effect to the terms set out in this clause such that they apply to the Sub-processor; and 10.14.4 provide the Council with such information regarding the Sub-processor as the Council may reasonably require. 10.15 The Company shall remain fully liable for all acts or omissions of any Sub-processor. 10.16 The Company may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Agreement). 10.17 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Council may on not less than 30 Working Days’ notice to the Company amend this agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office. 10.18 Upon termination of the Contract the Company shall: 10.18.1 cease processing Personal Data on behalf of the Council; and 10.18.2 at the Council’s request, either forthwith return to the Council all copies of the Personal Data which it is processed on behalf of the Council, or destroy the same within 14 days of being requested to do so by the Council. 10.19 The Company shall ensure that all personnel do not publish, disclose or divulge any of the Personal Data to any third party, unless directed in writing by the Council to do so.

Appears in 1 contract

Samples: Operating Agreement

Data Protection. The parties acknowledge that for the purposes of the Data Protection Legislation, the Council is the Controller and the Contractor is the Processor. The only processing that the Contractor is authorised to do is listed in the GDPR Schedule by the Council and may not be determined by the Contractor. The Contractor shall notify the Council immediately if it considers that any of the Council's instructions infringe the Data Protection Legislation. The Contractor shall provide all reasonable assistance to the Council in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Council, include: a systematic description of the envisaged processing operations and the purpose of the processing; an assessment of the necessity and proportionality of the processing operations in relation to the Services; an assessment of the risks to the rights and freedoms of Data Subjects; and the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. The Contractor shall, in relation to any Personal Data processed in connection with its obligations under this Contract: process that Personal Data only in accordance with the GDPR Schedule, unless the Contractor is required to do otherwise by Law.
If it is so required, the Contractor shall promptly notify the Council before processing the Personal Data, unless prohibited by Law; ensure that it has in place Protective Measures, which have been reviewed and approved by the Council as appropriate to protect against a Data Loss Event having taken account of the: nature of the data to be protected; harm that might result from a Data Loss Event; state of technological development; and cost of implementing any measures; ensure that: the Contractor Personnel do not process Personal Data except in accordance with this Contract (and in particular, the GDPR Schedule); it takes all reasonable steps to ensure the reliability and integrity of any Contractor Personnel who have access to the Personal Data and ensure that they: are aware of and comply with the Contractor’s duties under this clause; are subject to appropriate confidentiality undertakings with the Contractor or any Sub-processor; are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Council or as otherwise permitted by this Contract; and have undergone adequate training in the use, care, protection and handling of Personal Data.
not transfer Personal Data outside of the EU unless the prior written consent of the Council has been obtained and the following conditions are fulfilled: the Council or the Contractor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Council; the Data Subject has enforceable rights and effective legal remedies; the Contractor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Council in meeting its obligations); and the Contractor complies with any reasonable instructions notified to it in advance by the Council with respect to the processing of the Personal Data; at the written direction of the Council, delete or return Personal Data (and any copies of it) to the Council on termination of the Contract unless the Contractor is required by Law to retain the Personal Data. Subject to clause 26.6, the Contractor shall notify the Council immediately if it: receives a Data Subject Access Request (or purported Data Subject Access Request); receives a request to rectify, block or erase any Personal Data; receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Contract; receives a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or becomes aware of a Data Loss Event. The Contractor’s obligation to notify under clause 26.5 shall include the provision of further information to the Council in phases, as details become available.
Taking into account the nature of the processing, the Contractor shall provide the Council with full assistance in relation to either party's obligations under Data Protection Legislation and any complaint, communication or request made under clause 26.5 (and insofar as possible within the timescales reasonably required by the Council) including by promptly providing: the Council with full details and copies of the complaint, communication or request; such assistance as is reasonably requested by the Council to enable the Council to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; the Council, at its request, with any Personal Data it holds in relation to a Data Subject; assistance, as requested by the Council, following any Data Loss Event; assistance, as requested by the Council, with respect to any request from the Information Commissioner’s Office, or any consultation by the Council with the Information Commissioner's Office. The Contractor shall maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Contractor employs fewer than 250 staff, unless: the Council determines that the processing is not occasional; the Council determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR, or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; and the Council determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. The Contractor shall allow for audits of its Data Processing activity by the Council or the Council’s designated auditor. The Contractor shall designate a data protection officer if required by the Data Protection Legislation.
Before allowing any Sub-processor to process any Personal Data related to this Contract, the Contractor must: notify the Council in writing of the intended Sub-processor and processing; obtain the written consent of the Council; enter into a written agreement with the Sub-processor which gives effect to the terms set out in this clause, such that they apply to the Sub-processor; and provide the Council with such information regarding the Sub-processor as the Council may reasonably require. The Contractor shall remain fully liable for all acts or omissions of any Sub-processor. The Council may, at any time on not less than 30 Working Days’ notice, revise this clause 26 by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Contract). The parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Council may, on not less than 30 Working Days’ notice to the Contractor, amend this Contract to ensure that it complies with any guidance issued by the Information Commissioner’s Office.
The parties agree that any term or condition of the Contract that attempts to limit the liability of the Contractor under this Contract with respect to any claims it may receive from the Council following any fine, damages, costs or any other claim imposed on the Council from the Information Commissioner’s Office (the “ICO”) (or such successor organisation or regulator thereof) (the “ICO Losses”) or arising from any claim made against the Council by a third party arising out of or in connection with the Contractor’s breach of this clause 26 shall have no effect, and, accordingly, notwithstanding any other terms or conditions of the Contract, the Contractor shall indemnify the Council in full for any Losses incurred by the Council as a result of the Contractor’s breach of its obligations under this clause 26.

Appears in 1 contract

Samples: Grant Agreement

Data Protection. a) The Parties acknowledge that for the purposes of the Data Protection Legislation, the Council is the Data Controller and TBCT is the Data Processor. The only processing that TBCT is authorised to do is listed in Contract Schedule [E] by the Council and may not be determined by TBCT. b) TBCT shall notify the Council immediately if it considers that any of the Controller's instructions infringe the Data Protection Legislation. c) TBCT shall provide all reasonable assistance to the Council in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Council, include: i) A systematic description of the envisaged processing operations and the purpose of the processing; ii) An assessment of the necessity and proportionality of the processing operations in relation to the Services; iii) An assessment of the risks to the rights and freedoms of Data Subjects and iv) The measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. d) TBCT shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: i) Process that Personal Data only in accordance with Contract Schedule [E], unless the Contractor is required to do otherwise by Law.
If it is so required TBCT shall promptly notify the Council before processing the Personal Data unless prohibited by Law; ii) Ensure that it has in place Protective Measures, which have been reviewed and approved by the Council as appropriate to protect against a Data Loss Event having taken account of the: • Nature of the data to be protected; • Harm that might result from a Data Loss Event; • State of technological development; and • Cost of implementing any measures. iii) Ensure that: • TBCT Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule E); • It takes all reasonable steps to ensure the reliability and integrity of any of its Personnel who have access to the Personal Data and ensure that they: a) Are aware of and comply with the duties of TBCT under this clause; b) Are subject to appropriate confidentiality undertakings with TBCT or any Sub-processor; c) Are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Council or as otherwise permitted by this Agreement; and d) Have undergone adequate training in the use, care, protection and handling of Personal Data; and e) Not transfer Personal Data outside of the EU unless the prior written consent of the Council has been obtained and the following conditions are fulfilled: i) The Council or TBCT has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Council; ii) The Data Subject has enforceable rights and effective legal remedies; iii) TBCT complies with its obligations under
the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Council in meeting its obligations); and iv) TBCT complies with any reasonable instructions notified to it in advance by the Council with respect to the processing of the Personal Data; f) At the written direction of the Council, delete or return Personal Data (and any copies of it) to the Council on termination of the Agreement unless TBCT is required by Law to retain the Personal Data. g) Subject to clause 1.6, TBCT shall notify the Council immediately if it: i) Receives a Data Subject Access Request (or purported Data Subject Access Request); ii) Receives a request to rectify, block or erase any Personal Data; iii) Receives any other request, complaint or communication relating to either Party's obligations under Data Protection Legislation; iv) Receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; v) Receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; vi) Or becomes aware of a Data Loss Event. h) TBCT's obligation to notify under clause (10-g) shall include the provision of further information to the Customer in phases, as details become available.
i) Taking into account the nature of the processing, TBCT shall provide the Council with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause 10.5 (and insofar as possible within the timescales reasonably required by the Council) including by promptly providing: i) The Council with full details and copies of the complaint, communication or request; ii) Such assistance as is reasonably requested by the Council to enable the Council to comply with a Data Subject Access Request within the relevant timescales set out in Data Protection Legislation; iii) The Council, at its request, with any Personal Data it holds in relation to a Data Subject; iv) Assistance as requested by the Council following any Data Loss Event; v) Assistance as requested by the Council with respect to any request from the Information Commissioner's Office, or any consultation by the Council with the Information Commissioner's Office. j) TBCT shall maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where TBCT employs fewer than 250 staff, unless: i) The Council determines that the processing is not occasional; ii) The Council determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; and iii) The Council determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. k) TBCT shall allow for audits of its Data Processing activity by the Council or their designated auditor. l) TBCT shall designate a data protection officer if required by Data Protection Legislation.
m) Before allowing any Sub-processor to process any Personal Data related to this Agreement, TBCT must: i) Notify the Council in writing of the intended Sub-processor and processing; ii) Obtain the written consent of the Council; iii) Enter into a written agreement with the Sub-processor which gives effect to the terms set out in clauses 10.1-10.14 inclusive such that they apply to the Sub-processor; and iv) Provide the Council with such information regarding the Sub-processor as the Council may reasonably require. n) TBCT shall remain fully liable for all acts or omissions of any Sub-processor. o) TBCT may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Agreement). p) The Parties agree to take account of any guidance issued by the Information Commissioner's Office. The Council may on not less than 30 Working Days’ notice to TBCT amend this agreement to ensure that it complies with any guidance issued by the Information Commissioner's Office.

Appears in 1 contract

Samples: Service Level Agreement

Data Protection. 1.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Authority is the Controller and the Grant Recipient is the Processor unless otherwise specified in this Annex 8. The only processing that the Processor is authorised to do is listed in Part 1 of Annex 8 by the Controller and may not be determined by the Processor. 1.2 The Processor shall notify the Controller immediately if it considers that any of the Controller's instructions infringe the Data Protection Legislation. 1.3 The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Controller, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of data subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 1.4 The Processor shall, in relation to any Personal Data processed in connection with its obligations under these Conditions: (a) process that Personal Data only in accordance with this Annex 8, unless the Processor is required to do otherwise by Law.
If it is so required the Processor shall promptly notify the Controller before processing the Personal Data unless prohibited by Law; ; (b) ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), having taken account of the: : (i) nature of the data to be protected; ; (ii) harm that might result from a Data Loss Event; ; (iii) state of technological development; and and (iv) cost of implementing any measures; ; (c) ensure that : : (i) the Processor Personnel do not process Personal Data except in accordance with this Agreement these Conditions (and in particular Schedule 7); Part 1 of Annex 8); (ii) it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Processor’s duties under this paragraph; (B) are subject to appropriate confidentiality undertakings with the Processor or any sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any Third Party unless directed in writing to do so by the Controller or as otherwise permitted by these Conditions; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; and (d) not transfer Personal Data outside of the EU (which for the purposes of this limb (d) shall be deemed to include the UK) unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled: (i) the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or DPA 2018 Section 75) as determined by the Controller; (ii) the Data Subject has enforceable rights and 
effective legal remedies; (iii) the Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and (iv) the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data; (e) at the written direction of the Controller, delete or return Personal Data (and any copies of it) to the Controller on termination of the Agreement unless the Processor is required by Law to retain the Personal Data. 1.5 Subject to paragraph 1.6, the Processor shall notify the Controller immediately if it: (a) receives a Data Subject Request (or purported Data Subject Request); (b) receives a request to rectify, block or erase any Personal Data; (c) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; (d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under these Conditions; (e) receives a request from any Third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or (f) becomes aware of a Data Loss Event. 1.6 The Processor’s obligation to notify under paragraph 1.5 shall include the provision of further information to the Controller in phases, as details become available. 
1.7 Taking into account the nature of the processing, the Processor shall provide the Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under paragraph 1.5 (and insofar as possible within the timescales reasonably required by the Controller) including by promptly providing: (a) the Controller with full details and copies of the complaint, communication or request; (b) such assistance as is reasonably requested by the Controller to enable the Controller to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation; (c) the Controller, at its request, with any Personal Data it holds in relation to a Data Subject; (d) assistance as requested by the Controller following any Data Loss Event; (e) assistance as requested by the Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Controller with the Information Commissioner's Office. 1.8 The Processor shall maintain complete and accurate records and information to demonstrate its compliance with this paragraph. This requirement does not apply where the Processor employs fewer than 250 staff, unless: (a) the Controller determines that the processing is not occasional; (b) the Controller determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; or (c) the Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. 1.9 The Processor shall allow for audits of its Data Processing activity by the Controller or the Controller’s designated auditor. 1.10 Each Party shall designate its own data protection officer if required by the Data Protection Legislation. 
1.11 Before allowing any Sub-processor to process any Personal Data related to these Conditions, the Processor must: (a) notify the Controller in writing of the intended Sub-processor and processing; (b) obtain the written consent of the Controller; (c) enter into a written agreement with the Sub-processor which give effect to the terms set out in this paragraph 1.11 such that they apply to the Sub-processor; and (d) provide the Controller with such information regarding the Sub-processor as the Controller may reasonably require. 1.12 The Processor shall remain fully liable for all acts or omissions of any of its Sub-processors. 1.13 The Authority may, at any time on not less than 30 Working Days’ notice, revise this paragraph by replacing it with any applicable controller to processor standard paragraphs or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to these Conditions). 1.14 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Controller may on not less than 30 Working Days’ notice to the Processor amend these Conditions to ensure that it complies with any guidance issued by the Information Commissioner’s Office. 1.15 Where the Parties include two or more Joint Controllers in respect of Personal Data under this Grant Funding Agreement as identified in Part 1 of Annex 8 in accordance with GDPR Article 26, those Parties shall enter into a Joint Controller Agreement based on the terms outlined in Part 2 of Annex 8 in replacement of paragraphs 1.1 to 1.14 for the Personal Data under Joint Control. This Annex shall be completed by the Controller, who may take account of the view of the Processors, however the final decision as to the content of this Annex shall be with the Controller at its absolute discretion. 1. The contact details of the Controller’s Data Protection Officer are: [Insert Contact details]

Appears in 1 contract

Samples: Grant Funding Agreement

Data Protection. 16.1 The parties acknowledge that for the purposes of the Data Protection Legislation, HCC is the Controller and the Service Provider is the Processor unless otherwise specified in Contract Schedule 3. The only processing that the Processor is authorised to do is listed in Contract Schedule 3 by the Controller and may not be determined by the Processor. 16.2 The Processor shall notify the Controller immediately if it considers that any of the Controller's instructions infringe the Data Protection Legislation. 16.3 The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Controller, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 16.4 The Processor shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: (a) process that Personal Data only in accordance with Contract Schedule 3, unless the Processor is required to do otherwise by Law.
If it is so required the Processor shall promptly notify the Controller before processing the Personal Data unless prohibited by Law; (b) ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; (c) ensure that: (i) the Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 3); (ii) it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Processor’s duties under this clause 16; (B) are subject to appropriate confidentiality undertakings with the Processor or any Sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any Third Party unless directed in writing to do so by the Controller or as otherwise permitted by this Agreement; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; and (d) not transfer Personal Data outside of the EU unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled: (i) the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Controller; (ii) the Data Subject has enforceable rights and effective legal remedies; (iii) the Processor complies with its obligations under the Data Protection Legislation by
providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and (iv) the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data; (e) at the written direction of the Controller, delete or return Personal Data (and any copies of it) to the Controller on termination, cancellation or expiry of this Agreement unless the Processor is required by Law to retain the Personal Data. 16.5 Subject to clause 16.6, the Processor shall notify the Controller immediately if it: (a) receives a Data Subject Request (or purported Data Subject Request); (b) receives a request to rectify, block or erase any Personal Data; (c) receives any other request, complaint or communication relating to either party's obligations under the Data Protection Legislation; (d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; (e) receives a request from any Third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or (f) becomes aware of a Data Loss Event. 16.6 The Processor’s obligation to notify under clause 16.5 shall include the provision of further information to the Controller in phases, as details become available. 
16.7 Taking into account the nature of the processing, the Processor shall provide the Controller with full assistance in relation to either party's obligations under Data Protection Legislation and any complaint, communication or request made under clause 16.5 (and insofar as possible within the timescales reasonably required by the Controller) including by promptly providing: (a) the Controller with full details and copies of the complaint, communication or request; (b) such assistance as is reasonably requested by the Controller to enable the Controller to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation; (c) the Controller, at its request, with any Personal Data it holds in relation to a Data Subject; (d) assistance as requested by the Controller following any Data Loss Event; (e) assistance as requested by the Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Controller with the Information Commissioner's Office. 16.8 The Processor shall maintain complete and accurate records and information to demonstrate its compliance with this clause 16. This requirement does not apply where the Processor employs fewer than 250 staff, unless: (a) the Controller determines that the processing is not occasional; (b) the Controller determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; or (c) the Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. 16.9 The Processor shall allow for audits of its Data Processing activity by the Controller or the Controller’s designated auditor. 16.10 Each party shall designate its own data protection officer if required by the Data Protection Legislation. 
16.11 Before allowing any Sub-processor to process any Personal Data related to this Agreement, the Processor must: (a) notify the Controller in writing of the intended Sub-processor and processing; (b) obtain the written consent of the Controller; (c) enter into a written agreement with the Sub-processor which gives effect to the terms set out in this clause 16 such that they apply to the Sub-processor; and (d) provide the Controller with such information regarding the Sub-processor as the Controller may reasonably require. 16.12 The Processor shall remain fully liable for all acts or omissions of any of its Sub-processors. 16.13 The Controller may, at any time on not less than 30 Business Days’ notice, revise this clause 16 by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Agreement). 16.14 The parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Controller may on not less than 30 Business Days’ notice to the Processor amend this Agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office.

Appears in 1 contract

Samples: Services Agreement

Data Protection. 19.1 To the extent that in relation to the delivery of the Services the Authority is the Data Controller and that the Contractor is the Data Processor, the only Processing that the Contractor is authorised to do is as listed in Table 1 in Schedule 1 or as otherwise instructed by the Authority and may not be determined by the Contractor. 19.2 The Contractor shall notify the Authority immediately if it considers that any of the Authority’s instructions infringe the Data Protection Legislation. 19.3 The Contractor shall provide all reasonable assistance to the Authority in the preparation of any Data Protection Impact Assessment prior to commencing any Processing. Such assistance may, at the discretion of the Authority, include: a) a systematic description of the envisaged Processing operations and the purpose of the Processing; b) an assessment of the necessity and proportionality of the Processing operations in relation to the Services; c) an assessment of the risks to the rights and freedoms of the Data Subjects; and d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of the Personal Data. 19.4 The Contractor shall, in relation to any Personal Data processed in connection with its obligations under this Contract: a) Process the Personal Data only in accordance with the instructions of the Authority, unless the Contractor is required to do otherwise by Law.
If it is so required, the Contractor shall promptly notify the Authority before Processing the Personal Data unless notification is prohibited by Law; b) Ensure that it has in place Protective Measures, which have been reviewed and approved by the Authority as appropriate to protect against a Data Loss Event having taken account of the: nature of the data to be protected; harm that might result from a Data Loss Event; state of technological development; and cost of implementing any measures. c) Ensure that: • The Contractor Personnel do not Process Personal Data except in accordance with this Contract; • It takes all reasonable steps to ensure the reliability and integrity of any Contractor Personnel who have access to the Personal Data including making sure that they: A. Are aware of and comply with the Contractor’s duties under this clause 19 (Data Protection); B. Are subject to appropriate confidentiality undertakings with the Contractor or any Sub-Processor; C. Are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to a third party unless directed in writing to do so by the Authority or as otherwise permitted by this Contract; and D. Have undergone adequate training in the use, care, protection and handling of Personal Data.
d) Not transfer Personal Data outside of the EEA unless the prior written consent of the Authority has been obtained (unless the transfer is required by EU or member state law to which the Contractor is subject, and if this is the case then the Contractor shall inform the Authority of that legal requirement before Processing that Personal Data, unless that law prohibits such information being provided on important grounds of public interest) and the following conditions are fulfilled: • The Authority or the Contractor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Authority; • The Contractor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Authority in meeting its obligations); and • The Contractor complies with any reasonable instructions notified to it in advance by the Authority with respect to the Processing of the Personal Data. e) Subject to any alternative notification by the Authority pursuant to clause 27 (Consequences of Termination), delete or return Personal Data in accordance with the Personal Data processing plan in Table 1 of Schedule 1 (Services). 19.5 The Contractor shall notify the Authority without undue delay upon becoming aware of a Personal Data Breach or circumstances that are likely to give rise to a Personal Data Breach (except where statutory guidance indicates that a Personal Data Breach is not required to be notified by a Data Processor to a Data Controller), providing the Authority with sufficient information and in a timescale which allows the Authority to meet its obligations to report a Personal Data Breach within 72 hours under Article 33 of the GDPR.
Such notification shall as a minimum: a) describe the nature of the Personal Data Breach, the categories and numbers of Data Subjects concerned, and the categories and numbers of Personal Data records concerned; b) communicate the name and contact details of the data protection officer or other relevant contact from whom more information may be obtained; c) describe the likely consequences of the Personal Data Breach; and d) describe the measures taken or proposed to be taken to address the Personal Data Breach. 19.6 The Contractor shall notify the Authority (within five (5) Working Days) if it receives: a) a request from a Data Subject to have access to that person's Personal Data; b) a request to rectify any inaccurate Personal Data; c) a request to have any Personal Data erased; d) a request to obtain a portable copy of part of the Personal Data, or to transfer such a copy to any third party; e) an objection to any processing of Personal Data; f) a complaint or request relating to the Authority's obligations under the Data Protection Legislation; g) any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Contract; or h) a request from a third party for disclosure of Personal Data processed under this Contract where compliance with such request is required or purported to be required by Law. 19.7 The Contractor’s obligation to notify under clauses 19.5 and 19.6 shall include the provision of further information to the Authority in phases, as such information becomes available. 19.8 The Contractor shall provide the Authority with full cooperation and assistance in relation to any complaint or request made in relation to either party’s obligations under the Data Protection Legislation and any complaint, communication or request made under clause

Appears in 1 contract

Samples: Contract for Services

Data Protection. The Parties acknowledge that for the purposes of the Data Protection Legislation, the Authority is the Controller and the Grant Recipient is the Processor unless otherwise specified in this Annex 8. The only processing that the Processor is authorised to do is listed in Part 1 of Annex 8 by the Controller and may not be determined by the Processor. The Processor shall notify the Controller immediately if it considers that any of the Controller's instructions infringe the Data Protection Legislation. The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Controller, include: a systematic description of the envisaged processing operations and the purpose of the processing; an assessment of the necessity and proportionality of the processing operations in relation to the Services; an assessment of the risks to the rights and freedoms of data subjects; and the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. The Processor shall, in relation to any Personal Data processed in connection with its obligations under these Conditions: process that Personal Data only in accordance with this Annex 8, unless the Processor is required to do otherwise by Law.
If it is so required, the Processor shall promptly notify the Controller before processing the Personal Data unless prohibited by Law; ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), having taken account of the: nature of the data to be protected; harm that might result from a Data Loss Event; state of technological development; and cost of implementing any measures; ensure that: the Processor Personnel do not process Personal Data except in accordance with these Conditions (and in particular Part 1 of Annex 8); it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they: are aware of and comply with the Processor’s duties under this paragraph; are subject to appropriate confidentiality undertakings with the Processor or any sub-processor; are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any Third Party unless directed in writing to do so by the Controller or as otherwise permitted by these Conditions; and have undergone adequate training in the use, care, protection and handling of Personal Data; and not transfer Personal Data outside of the EU unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled: the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Controller; the Data Subject has enforceable rights and effective legal remedies; the Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection
to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data; at the written direction of the Controller, delete or return Personal Data (and any copies of it) to the Controller on termination of the Agreement unless the Processor is required by Law to retain the Personal Data. Subject to paragraph 1.6, the Processor shall notify the Controller immediately if it: receives a Data Subject Request (or purported Data Subject Request); receives a request to rectify, block or erase any Personal Data; receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under these Conditions; receives a request from any Third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or becomes aware of a Data Loss Event. The Processor’s obligation to notify under paragraph 1.5 shall include the provision of further information to the Controller in phases, as details become available. 
Taking into account the nature of the processing, the Processor shall provide the Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under paragraph 1.5 (and insofar as possible within the timescales reasonably required by the Controller) including by promptly providing: the Controller with full details and copies of the complaint, communication or request; such assistance as is reasonably requested by the Controller to enable the Controller to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation; the Controller, at its request, with any Personal Data it holds in relation to a Data Subject; assistance as requested by the Controller following any Data Loss Event; assistance as requested by the Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Controller with the Information Commissioner's Office. The Processor shall maintain complete and accurate records and information to demonstrate its compliance with this paragraph. This requirement does not apply where the Processor employs fewer than 250 staff, unless: the Controller determines that the processing is not occasional; the Controller determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; or the Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. The Processor shall allow for audits of its Data Processing activity by the Controller or the Controller’s designated auditor. Each Party shall designate its own data protection officer if required by the Data Protection Legislation. 
Before allowing any Sub-processor to process any Personal Data related to these Conditions, the Processor must: notify the Controller in writing of the intended Sub-processor and processing; obtain the written consent of the Controller; enter into a written agreement with the Sub-processor which give effect to the terms set out in this paragraph 1.11 such that they apply to the Sub-processor; and provide the Controller with such information regarding the Sub-processor as the Controller may reasonably require. The Processor shall remain fully liable for all acts or omissions of any of its Sub-processors. The Controller may, at any time on not less than 30 Working Days’ notice, revise this paragraph by replacing it with any applicable controller to processor standard paragraphs or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to these Conditions). The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Controller may on not less than 30 Working Days’ notice to the Processor amend these Conditions to ensure that it complies with any guidance issued by the Information Commissioner’s Office. Where the Parties include two or more Joint Controllers as identified in Part 1 of Annex 8 in accordance with GDPR Article 26, those Parties shall enter into a Joint Controller Agreement based on the terms outlined in Part 2 of Annex 8 in replacement of paragraphs 1.1-1.14 for the Personal Data under Joint Control. This Annex shall be completed by the Controller, who may take account of the view of the Processors, however the final decision as to the content of this Annex shall be with the Controller at its absolute discretion. 
The contact details of the Controller’s Data Protection Officer are: [Insert Contact details] The contact details of the Processor’s Data Protection Officer are: [Insert Contact details] The Processor shall comply with any further written instructions with respect to processing by the Controller. Any such further instructions shall be incorporated into this Annex. Identity of the Controller and Processor The Parties acknowledge that for the purposes of the Data Protection Legislation, the Authority is the Controller and the Grant Recipient is the Processor in accordance with paragraph 1.1. Subject matter of the processing Duration of the processing Nature and purposes of the processing Type of Personal Data being Processed Categories of Data Subject Plan for return and destruction of the data once the processing is complete UNLESS requirement under union or member state law to preserve that type of data

Appears in 1 contract

Samples: Grant Funding Agreement

Data Protection. 12.1 The Parties shall comply with the Data Protection Legislation and shall both duly observe all their obligations under the DPA and GDPR which arise in connection with this Agreement. 12.2 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Controller and the Supplier is the Processor. The only processing that the Supplier is authorised to do is listed in Contract Schedule 3 of this agreement by the Customer and may not be determined by the Supplier. 12.3 The Supplier shall notify the Customer immediately if it considers that any of the Customer's instructions infringe the Data Protection Legislation. 12.4 The Supplier shall provide all reasonable assistance to the Customer in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Customer, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 12.5 The Supplier shall, in relation to any Personal Data processed in connection with its obligations under this agreement: (a) process that Personal Data only in accordance with Contract Schedule 3, unless the Supplier is required to do otherwise by Law.
If it is so required the Supplier shall promptly notify the Customer before processing the Personal Data unless prohibited by Law; (b) ensure that it has in place Protective Measures, which have been reviewed and approved by the Customer as appropriate to protect against a Data Loss Event having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; (c) ensure that: (i) The Supplier’s personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 3); (ii) it takes all reasonable steps to ensure the reliability and integrity of any Supplier personnel who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Supplier’s duties under this clause; (B) are subject to appropriate confidentiality undertakings with the Supplier or any Sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Customer or as otherwise permitted by this agreement; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; and (d) not transfer Personal Data outside of the EU unless the prior written consent of the Customer has been obtained and the following conditions are fulfilled: (i) the Customer or the Supplier has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Customer; (ii) the Data Subject has enforceable rights and effective
legal remedies; (iii) the Supplier complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Customer in meeting its obligations); and (iv) the Supplier complies with any reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; (e) at the written direction of the Customer, delete or return Personal Data (and any copies of it) to the Customer on termination of the Agreement unless the Supplier is required by Law to retain the Personal Data. 12.6 Subject to clause 12.7, the Supplier shall notify the Customer immediately if it: (a) receives a Data Subject Access Request (or purported Data Subject Access Request); (b) receives a request to rectify, block or erase any Personal Data; (c) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; (d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this agreement; (e) receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or (f) becomes aware of a Data Loss Event. 12.7 The Supplier’s obligation to notify under clause 12.6 shall include the provision of further information to the Customer in phases, as details become available. 
12.8 Taking into account the nature of the processing, the Supplier shall provide the Customer with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause 12.6 (and insofar as possible within the timescales reasonably required by the Customer) including by promptly providing: (a) the Customer with full details and copies of the complaint, communication or request; (b) such assistance as is reasonably requested by the Customer to enable the Customer to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; (c) the Customer, at its request, with any Personal Data it holds in relation to a Data Subject; (d) assistance as requested by the Customer following any Data Loss Event; (e) assistance as requested by the Customer with respect to any request from the Information Commissioner’s Office, or any consultation by the Customer with the Information Commissioner's Office. 12.9 The Supplier shall maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Supplier employs fewer than 250 staff, unless: (a) the Customer determines that the processing is not occasional; (b) the Customer determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; and (c) the Customer determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. 12.10 The Supplier shall allow for audits of its Data Processing activity by the Customer or the Customer’s designated auditor. 12.11 The Supplier shall designate a data protection officer if required by the Data Protection Legislation. 
12.12 Before allowing any Sub-processor to process any Personal Data related to this Agreement, the Supplier must: (a) notify the Customer in writing of the intended Sub-processor and processing; (b) obtain the written consent of the Customer; (c) enter into a written agreement with the Sub-processor which give effect to the terms set out in this clause 12 such that they apply to the Sub-processor; and (d) provide the Customer with such information regarding the Sub-processor as the Customer may reasonably require. 12.13 The Supplier shall remain fully liable for all acts or omissions of any Sub-processor.

Appears in 1 contract

Samples: Service Agreement

Data Protection. 8.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Client is the Controller and the Consultant Company is the Processor. 8.2 The only processing that the Processor is authorised to do is listed in Contract Schedule 4 by the Controller and may not be determined by the Processor. 8.3 The Processor shall notify the Controller immediately if it considers that any of the Controller's instructions infringe the Data Protection Legislation. 8.4 The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Controller, include: a. a systematic description of the envisaged processing operations and the purpose of the processing. b. an assessment of the necessity and proportionality of the processing operations in relation to the Services; c. an assessment of the risks to the rights and freedoms of Data Subjects; and d. the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 8.5 The Processor shall carry out its own Data Protection Impact Assessment prior to commencing any processing under this Agreement where required under the Data Protection Legislation and otherwise as may be appropriate to ensure the security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, and shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: a. process that Personal Data only in accordance with Contract Schedule 4, unless the Processor is required to do otherwise by Law.
If it is so required the Processor shall promptly notify the Controller before processing the Personal Data unless prohibited by Law; b. ensure that it has in place Protective Measures, which have been reviewed and approved by the Controller as appropriate to protect against a Data Loss Event having taken account of the: i. nature of the data to be protected; ii. harm that might result from a Data Loss Event; iii. state of technological development; and iv. cost of implementing any measures; c. ensure that: i. the Processor’s Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 4); ii. it takes all reasonable steps to ensure the reliability and integrity of any Processor’s Personnel who have access to the Personal Data and ensure that they: A. are aware of and comply with the Processor’s duties under this Xxxxxx; B. are subject to appropriate confidentiality undertakings with the Processor or any Sub-Processor; C. are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Controller or as otherwise permitted by this Agreement; and D. have undergone adequate training in the use, care, protection and handling of Personal Data; and d. not transfer Personal Data outside of the UK unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled: i. the Controller or the Processor has provided appropriate safeguards in relation to the transfer as determined by the Controller; ii. the Data Subject has enforceable rights and effective legal remedies; iii.
the Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and iv. the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data; e. at the written direction of the Controller, and at the Service Processor’s sole cost, delete or return Personal Data (and any copies of it) to the Controller on termination of the Agreement unless the Processor is required by Law to retain the Personal Data. 8.6 Subject to Clause 8.7, the Processor shall notify the Controller immediately if it: a. receives a Data Subject Access Request (or purported Data Subject Access Request); b. receives a request to rectify, block or erase any Personal Data; c. receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; d. receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; e. receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or f. becomes aware of a Data Loss Event. 8.7 The Processor’s obligation to notify under Clause 8.6 shall include the provision of further information to the Controller in phases, as details become available. 8.8 Taking into account the nature of the processing, the Processor shall provide the Controller with full assistance in relation to either Party's obligations under Data Protection Legislation including any complaint, communication or request made under Clause 8.6 (and insofar as possible within the timescales reasonably required by the Controller) including by promptly providing: a. 
the Controller with full details and copies of the complaint, communication or request; b. such assistance as is reasonably requested by the Controller to enable the Controller to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; c. the Controller, at its request, with any Personal Data it holds in relation to a Data Subject; d. assistance as requested by the Controller following any Data Loss Event including but not limited to all information and findings relating to any internal or external investigation into the Data Loss Event; e. assistance as requested by the Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Controller with the Information Commissioner's Office. 8.9 The Processor shall maintain complete and accurate records and information to demonstrate its compliance with this Clause 8. This requirement does not apply where the Processor employs fewer than 250 staff, unless: a. the Controller determines that the processing is not occasional; b. the Controller determines the processing includes special categories of data or Personal Data relating to criminal convictions and offences as referred to in the UK GDPR; and c. the Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. 8.10 The Processor shall allow for audits of its Data Processing activity by the Controller or the Controller’s designated auditor. 8.11 The Processor shall designate a Data Protection Officer if required by the Data Protection Legislation. 8.12 Before allowing any Sub-Processor to process any Personal Data related to this Agreement, the Processor must: a. notify the Controller in writing of the intended Sub-Processor and processing;

Appears in 1 contract

Samples: Consultancy Agreement

Data Protection. The Parties acknowledge that for parties shall comply with the purposes of provisions and obligations imposed on them by the Data Protection LegislationLaws at all times when processing Personal Data in connection with this Agreement, the Customer is the Controller and the Supplier is the Processor unless otherwise specified which processing shall be in Contract Schedule 7. The only processing that the Processor is authorised to do is listed in Contract Schedule 7 by the Controller and may not be determined by the Processor. The Processor shall notify the Controller immediately if it considers that any respect of the Controller's instructions infringe types of Personal Data, categories of Data Subjects, nature and purposes, and duration, set out in Schedule 3. 7.1 Each party shall maintain records of all processing operations under its responsibility that contain at least the minimum information required by the Data Protection Legislation. Laws, and shall make such information available to any DP Regulator on request. 7.2 The Processor shall provide all reasonable assistance data controller shall: (a) ensure that any instructions it issues to the Controller in data processor shall comply with the preparation of any Data Protection Impact Assessment prior to commencing any processing. 
Such assistance mayLaws; and (b) have sole responsibility for the accuracy, at the discretion quality and legality of the Controller, include: a systematic description of the envisaged processing operations Personal Data and the purpose of means by which the processing; an assessment of data controller acquired Personal Data shall establish the necessity and proportionality of the legal basis for processing operations in relation to the Services; an assessment of the risks to the rights and freedoms of under Data Subjects; and the measures envisaged to address the risksProtection Laws, including safeguardsproviding all notices and obtaining all consents as may be required under Data Protection Laws in order for the data processor to process the Personal Data as otherwise contemplated by this Agreement. 7.3 To the extent the Supplier receives from, security measures and mechanisms to ensure the protection of Personal Data. The Processor shall, in relation to or processes any Personal Data processed in connection with its obligations under this Agreement: on behalf of, the Customer, the Supplier shall: (a) process that such Personal Data (i) only in accordance with Contract Schedule 7the Customer's written instructions from time to time (including those set out in this Agreement) provided such instructions are lawful and unless it is otherwise required by applicable law (in which case, unless such law prohibits such notification on important grounds of public interest, the Processor is required to do otherwise by Law. 
If it is so required the Processor Supplier shall promptly notify the Controller Customer of the relevant legal requirement before processing the Personal Data unless prohibited by Law; ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective MeasuresData), having taken account and (ii) only for the duration of the: nature of the data to be protected; harm that might result from a Data Loss Event; state of technological development; and cost of implementing any measures; ensure that : the Processor Personnel do not process Personal Data except in accordance with this Agreement Agreement; (and in particular Schedule 7); it takes all b) take commercially reasonable steps to ensure the reliability and integrity of any Processor Personnel its personnel who are authorised to have access to the such Personal Data Data, and ensure that they:any such personnel are committed to confidentiality or are under an appropriate statutory obligation of confidentiality when processing such Personal Data; (c) taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the Processing, implement technical and organisational measures and procedures to ensure an level of security for such Personal Data appropriate to the risk, including the risks of accidental, unlawful or unauthorised destruction, loss, alteration, disclosure, dissemination or access; (d) unless the transfer is based on an "adequacy decision", is otherwise "subject to appropriate safeguards" or if a "derogation for specific situations" applies, each within the meanings given to them in Articles 45, 46 and 49 of the GDPR respectively, not transfer, access or process such Personal Data outside the European Union without the prior written consent of the Customer (not to 
be unreasonably withheld or delayed), unless such transfer is to the Customer or an Authorised User; Supplier's or its subcontractors' or affiliates' possession or control) being subject to a personal data breach (as defined in Article 4 of GDPR);

Appears in 1 contract

Samples: Software as a Service Subscription Agreement

Data Protection. 19.1 The parties acknowledge that for the purposes of the Data Protection Legislation, the HCC is the Controller and the Service Provider is the Processor unless otherwise specified in Contract Schedule 4. The only processing that the Processor is authorised to do is listed in Contract Schedule 4 by the Controller and may not be determined by the Processor. 19.2 The Processor shall notify the Controller immediately if it considers that any of the Controller's instructions infringe the Data Protection Legislation. 19.3 The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Controller, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 19.4 The Processor shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: (a) process that Personal Data only in accordance with Contract Schedule 4, unless the Processor is required to do otherwise by Law.
If it is so required the Processor shall promptly notify the Controller before processing the Personal Data unless prohibited by Law; (b) ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; (c) ensure that: (i) the Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule 4); (ii) it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Processor’s duties under this clause 19; (B) are subject to appropriate confidentiality undertakings with the Processor or any Sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any Third Party unless directed in writing to do so by the Controller or as otherwise permitted by this Agreement; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; and (d) not transfer Personal Data outside of the EU unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled: (i) the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Controller; (ii) the Data Subject has enforceable rights and effective legal remedies; (iii) the Processor complies with its obligations under the Data Protection Legislation by
providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and (iv) the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data; (e) at the written direction of the Controller, delete or return Personal Data (and any copies of it) to the Controller on termination, cancellation or expiry of this Agreement unless the Processor is required by Law to retain the Personal Data.

Appears in 1 contract

Samples: Framework Services Agreement

Data Protection. 11.1. The Provider shall ensure that the Services comply with the requirements of the Data Protection Legislation governing the collection, store and/or use of Personal Data. 11.2. The Parties acknowledge that for the purposes of the Data Protection Legislation, the Provider is the Controller and the Local Authority is the Processor. The only processing that the Local Authority is authorised to do is listed in the Data Processing Schedule by the Provider and may not be determined by the Local Authority. 11.3. The Provider shall comply at all times with all requirements under the Data Protection Legislation and both Parties shall duly observe all their obligations under the Data Protection Legislation, which arise in connection with this Agreement. 11.4. Whenever the Provider collects and shares Personal Data, it shall issue a Privacy Notice (“PN”) to the Data Subject, stating what Personal Data is being shared, and for what purpose. Where the Data Subject is a Child, the PN must be issued to the Parent of the Child. 11.5. The Local Authority shall notify the Provider as soon as reasonably practicable if it considers that any of the Provider's instructions infringe the Data Protection Legislation. 11.6. The Local Authority shall provide all reasonable assistance to the Provider in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Provider, include: 11.6.1. a systematic description of the envisaged processing operations and the purpose of the processing; 11.6.2. an assessment of the necessity and proportionality of the processing operations in relation to the Services; 11.6.3. an assessment of the risks to the rights and freedoms of Data Subjects; and 11.6.4.
the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 11.7. The Local Authority shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: 11.7.1. process that Personal Data only in accordance with the Data Processing Schedule, unless the Local Authority is required to do otherwise by Law. If it is so required, the Local Authority shall promptly notify the Provider before processing the Personal Data, unless prohibited by Law; 11.7.2. ensure that it has in place Protective Measures as appropriate to protect against a Data Loss Event having taken account of the: (a) nature of the data to be protected; (b) harm that might result from a Data Loss Event; (c) state of technological development; and (d) cost of implementing any measures; 11.7.3. ensure that: (a) the Local Authority Personnel do not process Personal Data except in accordance with this Agreement (and in particular, the Data Processing Schedule); (b) it takes all reasonable steps to ensure the reliability and integrity of any Local Authority Personnel who have access to the Personal Data and ensure that they: i. are aware of and comply with the Local Authority’s duties under this clause; ii. are subject to appropriate confidentiality undertakings with the Local Authority or any Sub-processor; iii. are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Provider or as otherwise permitted by this Agreement; and iv.
have undergone adequate training in the use, care, protection and handling of Personal Data. 11.7.4. not transfer Personal Data outside of the EU unless the prior written consent of the Provider has been obtained and the following conditions are fulfilled: (a) the Local Authority or the Provider has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Provider; (b) the Data Subject has enforceable rights and effective legal remedies; (c) the Local Authority complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Provider in meeting its obligations); and (d) the Local Authority complies with any reasonable instructions notified to it in advance by the Provider with respect to the processing of the Personal Data. 11.7.5. at the written direction of the Provider, delete or return Personal Data (and any copies of it) to the Provider on termination of the Agreement unless the Local Authority is required by Law to retain the Personal Data. 11.8. Subject to clause 11.9, the Local Authority shall notify the Provider immediately if it: 11.8.1. receives a Data Subject Access Request (or purported Data Subject Access Request); 11.8.2. receives a request to rectify, block or erase any Personal Data; 11.8.3. receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; 11.8.4. receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; 11.8.5. receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or 11.8.6. becomes aware of a Data Loss Event. 11.9. 
The Local Authority’s obligation to notify under 11.8 shall include the provision of further information to the Provider in phases, as details become available. 11.10. Taking into account the nature of the processing, the Local Authority shall provide the Provider with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause 11.8 (and insofar as possible within the timescales reasonably required by the Provider) including by promptly providing: 11.10.1. the Provider with full details and copies of the complaint, communication or request; 11.10.2. such assistance as is reasonably requested by the Provider to enable the Provider to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; 11.10.3. the Provider, at its request, with any Personal Data it holds in relation to a Data Subject; 11.10.4. assistance, as requested by the Provider, following any Data Loss Event; 11.10.5. assistance, as requested by the Provider, with respect to any request from the Information Commissioner’s Office, or any consultation by the Provider with the Information Commissioner's Office. 11.11. The Local Authority shall maintain complete accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Local Authority employs fewer than 250 staff, unless: 11.11.1. the Provider determines that the processing is not occasional; 11.11.2. the Provider determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR, or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; and 11.11.3. the Provider determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. 11.12. 
The Local Authority shall allow for audits of its Data Processing activity by the Provider or the Provider’s designated auditor. 11.13. The Local Authority shall designate a data protection officer if required by the Data Protection Legislation. 11.14. Before allowing any Sub-processor to process any Personal Data related to this Agreement, the Local Authority must: 11.14.1. notify the Provider in writing of the intended Sub-processor and processing; 11.14.2. obtain the written consent of the Provider; 11.14.3. enter into a written agreement with the Sub-processor which give effect to the terms set out in this clause, such that they apply to the Sub-processor; and 11.14.4. provide the Provider with such information regarding the Sub-processor as the Provider may reasonably require. 11.15. The Local Authority shall remain fully liable for all acts or omissions of any Sub-processor. 11.16. Either Party may, at any time on not less than 30 Working Days’ notice, with the consent of the other Party not to be unreasonably withheld or delayed, revise this clause 11 by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Agreement). 11.17. The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Local Authority may, on not less than 30 Working Days’ notice to the Provider, amend this Agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office. 11.18. 
The Provider shall indemnify the Local Authority against all Losses suffered or incurred by the Local Authority arising out of or in connection with the Provider’s breach of its obligations under this clause 11, including without limitation, any third party demand, fines, penalties, claim or action, or any breach of contract, negligence, fraud, wilful misconduct, breach of statutory duty or non-compliance with any part of the Data Protection Legislation by the Provider, its employees, servants, agents or its sub-contractors. 11.19. The Local Authority’s total aggregate liability arising under this Agreement in respect of any breach of this clause 11 shall be limited to £1,000,000 (one million pounds GBP). This limitation applies regardless of the form of action whether in contract or in tort, including without limitation negligence, or otherwise.

Appears in 1 contract

Samples: Agreement for the Delivery of Early Years Entitlement Places

Data Protection. 1.1 [The Parties acknowledge that for the purposes of the Data Protection Legislation, the Authority is the Controller and the Grant Recipient is the Processor unless otherwise specified in this Annex 8.] [TO BE DETERMINED BASED ON GRANT RECIPIENT’S APPLICATION] The only processing that the Processor is authorised to do is listed in Annex 8 Part 1: Schedule of Processing, Personal Data and Data Subjects by the Controller and may not be determined by the Processor. 1.2 The Processor shall notify the Controller immediately if it considers that any of the Controller's instructions infringe the Data Protection Legislation. 1.3 The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Controller, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Funded Activities; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 1.4 The Processor shall, in relation to any Personal Data processed in connection with its obligations under this Grant Funding Agreement: (a) process that Personal Data only in accordance with Annex 8 Part 1: Schedule of Processing, Personal Data and Data Subjects, unless the Processor is required to do otherwise by Law. 
If it is so required the Processor shall promptly notify the Controller before processing the Personal Data unless prohibited by Law; (b) ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; (c) ensure that: (i) the Processor Personnel do not process Personal Data except in accordance with this Grant Funding Agreement (and in particular Annex 8 Part 1: Schedule of Processing, Personal Data and Data Subjects); (ii) it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Processor’s duties under this clause; (B) are subject to appropriate confidentiality undertakings with the Processor or any Sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Controller or as otherwise permitted by this Grant Funding Agreement; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; and (d) where the Personal Data is subject to the UK GDPR, not transfer Personal Data outside of the UK unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled: (i) the transfer is in accordance with Article 45 of the UK GDPR or DPA 2018 Section 17A; or (ii) the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with 
Article 46 of the UK GDPR or DPA 2018 Section 17C) as determined by the Controller which could include relevant parties entering into the International Data Transfer Agreement or International Data Transfer Agreement Addendum to the European Commission’s Standard Contractual Clauses published by the Information Commissioner’s Office from time to time under section 119A(1) of the DPA 2018 as well as any additional measures determined by the Controller; (iii) the Data Subject has enforceable rights and effective legal remedies; (iv) the Processor complies with its obligations under Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and (v) the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data;

Appears in 1 contract

Samples: Grant Funding Agreement

Data Protection. 13.1 This clause 13 (Data Protection) applies in case Xxxxxxx’x performance of the services incorporates processing of Personal Data by Trimble on behalf of the Customer. Both parties will comply with all applicable requirements of the Data Protection Legislation. This Agreement is an addition to, and does not relieve, remove or replace, a Party’s obligations under the Data Protection Legislation. 13.2 The parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the controller and the Trimble is the processor (where Controller and Processor have the meanings as defined in the Data Protection Legislation). The Agreement and Schedule sets out the scope, nature and the purpose of processing by Trimble, the duration of the processing and the types of personal data (as defined in the Data Protection Legislation, “Personal Data”) and categories of data subject. 13.3 Without prejudice to the generality of clause 13.1, the Customer will ensure that it fulfills all necessary requirements to enable lawful transfer of the Personal Data to Trimble for the duration and purposes of this agreement. 
13.4 Without prejudice to the generality of clause 13.1, Trimble shall, in relation to any Personal Data processed in connection with the performance by Trimble of its obligations under this Agreement: (a) process that Personal Data only on the written instructions of the Customer subject to Art. 28 (3) GDPR. Instructions may be handled as a change request at the cost of Customer. Provider shall immediately inform the Customer if, in its opinion, an instruction infringes Data Protection Legislation; (b) ensure that it has in place appropriate technical and organizational measures, which are reviewed and approved by the Customer (for Xxxxxxx’x list of measures see the Schedule). 
Such measures shall ensure a level of security appropriate to the risks presented by processing and are subject to change depending on Provider's recurring risk assessments; (c) ensure that personnel or any other person acting on behalf of Trimble who have access to and/or process Personal Data are obliged to keep the Personal Data confidential and ensure any natural person acting under the authority of Trimble who has access to personal data does not process them except on instructions from the Customer; (d) may transfer Personal Data outside of the European Economic Area. 
In case of transfer outside the European Economic Area, Trimble ensures that the transfer is only to (a) countries for which the European Commission has decided that they have an adequate level of data protection or (b) use European Commission standard contractual clauses 2010/87/EU; (e) assist the Customer, at the Customer’s cost, in responding to any request from a data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; (f) assist the Customer by providing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Customer’s obligation to respond to requests for exercising the data subject’s rights pursuant to Data Protection Regulation; (g) notify the Customer without undue delay on becoming aware of a Personal Data breach; (h) at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer on termination of the agreement unless required by Applicable Law to store the Personal Data; and (i) maintain complete and accurate records and information to demonstrate its compliance with this clause and the Data Protection Regulation and allow for audits by the Customer or the Customer’s designated auditor. (j) be entitled to collect, use, process anonymous and aggregate data of the use of the services pursuant to the Agreement, that is not personally identifiable with the Customer nor data subjects and use such data for any Xxxxxxx’x internal business purpose, and for the improvement and/or the development of other products or service capabilities. 13.5 Trimble shall not engage a third-party processor without prior specific or general written authorization of the Customer. 
The Customer consents to Trimble appointing the parties named in the Schedule as third-party processors of Personal Data under this Agreement. Trimble confirms that it has entered or (as the case may be) will enter with the third-party processor into a written agreement in which he imposes on that other processor the obligations as set out in this clause. Trimble informs the Customer of any intended changes concerning the addition or replacement of other processors. The Customer has the right to object to such changes. As between the Customer and Trimble, Trimble shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause. 13.6 Either Party may, at any time on not less than 30 days’ notice, revise this clause by replacing it with any applicable controller to processor standard clauses or similar terms forming Party of an applicable certification scheme (which shall apply when replaced by attachment to this agreement). 13.7 Each Party’s and its affiliates’ liability arising out of or related to this clause and processing of Customer’s Personal Data, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Agreement, and any reference in such section to the liability of a Party means the aggregate liability of that Party and its affiliates under the Agreement. For the avoidance of doubt, Provider's and its affiliates’ total liability for all claims from the Customer and its affiliates arising out of or related to the Agreement and this clause shall apply in the aggregate for all claims under the Agreement.

Appears in 1 contract

Samples: End User License Agreement

Data Protection. The Parties acknowledge that for the purposes of the Data Protection Legislation, the Authority is the Controller and the Grant Recipient is the Processor unless otherwise specified in this Annex 8. The only processing that the Processor is authorised to do is listed in Part 1A of Annex 8 by the Controller and may not be determined by the Processor. The Processor shall notify the Controller immediately if it considers that any of the Controller's instructions infringe the Data Protection Legislation. The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Controller, include: a systematic description of the envisaged processing operations and the purpose of the processing; an assessment of the necessity and proportionality of the processing operations in relation to the Services; an assessment of the risks to the rights and freedoms of data subjects; and the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. The Processor shall, in relation to any Personal Data processed in connection with its obligations under these Conditions: process that Personal Data only in accordance with this Annex 8, unless the Processor is required to do otherwise by Law. 
If it is so required the Processor shall promptly notify the Controller before processing the Personal Data unless prohibited by Law; ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), having taken account of the: nature of the data to be protected; harm that might result from a Data Loss Event; state of technological development; and cost of implementing any measures; ensure that: the Processor Personnel do not process Personal Data except in accordance with these Conditions (and in particular Part 1 of Annex 8); it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they: are aware of and comply with the Processor’s duties under this paragraph; are subject to appropriate confidentiality undertakings with the Processor or any Sub-processor; are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any Third Party unless directed in writing to do so by the Controller or as otherwise permitted by these Conditions; and have undergone adequate training in the use, care, protection and handling of Personal Data; and where the Personal Data is subject to the UK GDPR, not transfer the Personal Data outside of the UK unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled: the transfer is in accordance with Article 45 of the UK GDPR or DPA 2018 Section 17A; or the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with Article 46 of the UK GDPR or DPA 2018 Section 17C) as determined by the Controller which could include relevant parties entering into 
the International Data Transfer Agreement or International Data Transfer Agreement Addendum to the European Commission’s Standard Contractual Clauses published by the Information Commissioner’s Office from time to time under section 119A(1) of the DPA 2018 as well as any additional measures determined by the Controller; the Data Subject has enforceable rights and effective legal remedies; the Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data; where the Personal Data is subject to EU GDPR, not transfer such Personal Data outside of the European Union unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled: the transfer is in accordance with Article 45 of the EU GDPR; or the Processor has provided appropriate safeguards in relation to the transfer in accordance with Article 46 of the EU GDPR as determined by the Controller which could include relevant parties entering into Standard Contractual Clauses in the European Commission’s decision 2021/914/EU or such updated version of such Standard Contractual Clauses as are published by the European Commission from time to time as well as any additional measures determined by the Controller; the Data Subject has enforceable rights and effective legal remedies; the Processor complies with its obligations under the EU GDPR by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and the Processor complies with any reasonable instructions notified to it in advance by 
the Controller with respect to the processing of the Personal Data; and at the written direction of the Controller, delete or return Personal Data (and any copies of it) to the Controller on termination of the Grant Funding Agreement unless the Processor is required by Law to retain the Personal Data. Subject to paragraph 1.6, the Processor shall notify the Controller immediately if it: receives a Data Subject Request (or purported Data Subject Request); receives a request to rectify, block or erase any Personal Data; receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under these Conditions; receives a request from any Third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or becomes aware of a Data Loss Event. The Processor’s obligation to notify under paragraph 1.5 shall include the provision of further information to the Controller in phases, as details become available. 
Taking into account the nature of the processing, the Processor shall provide the Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under paragraph 1.5 (and insofar as possible within the timescales reasonably required by the Controller) including by promptly providing: the Controller with full details and copies of the complaint, communication or request; such assistance as is reasonably requested by the Controller to enable the Controller to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation; the Controller, at its request, with any Personal Data it holds in relation to a Data Subject; assistance as requested by the Controller following any Data Loss Event; assistance as requested by the Controller with respect to any request from the Information Commissioner’s Office or any other regulatory authority, or any consultation by the Controller with the Information Commissioner's Office or any other regulatory authority. The Processor shall maintain complete and accurate records and information to demonstrate its compliance with this paragraph. This requirement does not apply where the Processor employs fewer than 250 staff, unless: the Controller determines that the processing is not occasional; the Controller determines the processing includes special categories of data as referred to in Article 9(1) of the UK GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the UK GDPR; or the Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. The Processor shall allow for audits of its Data Processing activity by the Controller or the Controller’s designated auditor. Each Party shall designate its own data protection officer if required by the Data Protection Legislation. 
Before allowing any Sub-processor to process any Personal Data related to this Grant Funding Agreement, the Processor must: notify the Controller in writing of the intended Sub-processor and processing; obtain the written consent of the Controller; enter into a written agreement with the Sub-processor which give effect to the terms set out in this paragraph 1.11 such that they apply to the Sub-processor; and provide the Controller with such information regarding the Sub-processor as the Controller may reasonably require. The Processor shall remain fully liable for all acts or omissions of any of its Sub-processors. The Authority may, at any time on not less than 30 Working Days’ notice, revise this paragraph by replacing it with any applicable controller to processor standard paragraphs or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to these Conditions). The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Controller may on not less than 30 Working Days’ notice to the Processor amend these Conditions to ensure that it complies with any guidance issued by the Information Commissioner’s Office. Where the Parties include two or more Joint Controllers in respect of Personal Data under this Grant Funding Agreement as identified in Part 1 of Annex 8 in accordance with Article 26 of the UK GDPR, those Parties shall enter into a Joint Controller Agreement based on the terms outlined in Part 2 of Annex 8 in replacement of paragraphs 1.1 to 1.14 for the Personal Data under Joint Control. This Xxxxx shall be completed by the Controller, who may take account of the view of the Processors, however the final decision as to the content of this Annex shall be with the Controller at its absolute discretion. 
The contact details of the Controller’s Data Protection Officer are: [Insert Contact details] The contact details of the Processor’s Data Protection Officer are: [Insert Contact details] The Processor shall comply with any further written instructions with respect to processing by the Controller. Any such further instructions shall be incorporated into this Annex.

Appears in 1 contract

Samples: Grant Funding Agreement

Data Protection. The Parties acknowledge that for the purposes of the Data Protection Legislation, WRWA is the Controller and the Consultant is the Processor. The only processing that the Consultant is authorised to do is that permitted by Data Protection Legislation in order to perform the Services under this Contract. The Consultant shall notify WRWA immediately if it considers that any of WRWA's instructions infringe the Data Protection Legislation. The Consultant shall provide all reasonable assistance to WRWA in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of WRWA, include: a systematic description of the envisaged processing operations and the purpose of the processing; an assessment of the necessity and proportionality of the processing operations in relation to the Services; an assessment of the risks to the rights and freedoms of Data Subjects; and the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. The Consultant shall, in relation to any Personal Data processed in connection with its obligations under this Contract: process that Personal Data only in accordance with the performance of the Services under this Contract, unless the Consultant is required to do otherwise by Law. 
If it is so required the Consultant shall promptly notify WRWA before processing the Personal Data unless prohibited by Law; ensure that it has in place Protective Measures, which have been reviewed and approved by WRWA as appropriate to protect against a Data Loss Event having taken account of the: nature of the data to be protected; harm that might result from a Data Loss Event; state of technological development; and cost of implementing any measures; ensure that: its employees, Project Team and Key Subconsultants do not process Personal Data except in accordance with this Contract; it takes all reasonable steps to ensure the reliability and integrity of any of its employees, Project Team and Key Subconsultants who have access to the Personal Data and ensure that they: are aware of and comply with the Consultant’s duties under this Clause 20; are subject to appropriate confidentiality undertakings with the Consultant or any Sub-processor; are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by WRWA or as otherwise permitted by this Contract; and have undergone adequate training in the use, care, protection and handling of Personal Data; and not transfer Personal Data outside of the EU unless the prior written consent of WRWA has been obtained and the following conditions are fulfilled: WRWA or the Consultant has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46) as determined by WRWA; the Data Subject has enforceable rights and effective legal remedies; the Consultant complies with its obligations under the 
Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist WRWA in meeting its obligations); and the Consultant complies with any reasonable instructions notified to it in advance by WRWA with respect to the processing of the Personal Data; at the written direction of XXXX, delete or return Personal Data (and any copies of it) to WRWA on termination of the Agreement unless this Consultant is required by Law to retain the Personal Data. Subject to clause 20.7, the Consultant shall notify WRWA immediately if it:

Appears in 1 contract

Samples: Financial Consultancy Services Agreement

Data Protection. 1.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Authority is the Controller and the Grant Recipient is the Processor unless otherwise specified in Annex A. The only processing that the Processor is authorised to do is listed in Annex A by the Controller and may not be determined by the Processor. 1.2 The Processor shall notify the Controller immediately if it considers that any of the Controller's instructions infringe the Data Protection Legislation. 1.3 The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Controller, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 1.4 The Processor shall, in relation to any Personal Data processed in connection with its obligations under these Conditions: (a) process that Personal Data only in accordance with Annex A, unless the Processor is required to do otherwise by Law. 
If it is so required the Processor shall promptly notify the Controller before processing the Personal Data unless prohibited by Law; (b) ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; (c) ensure that: (i) the Processor Personnel do not process Personal Data except in accordance with these Conditions (and in particular Part 1 of Annex A); (ii) it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they:

Appears in 1 contract

Samples: Grant Funding Agreement

Data Protection. 14.1 Both Parties shall comply with all applicable requirements of the Data Protection Legislation. This clause 14 is in addition to, and does not relieve, remove or replace, a Party's obligations under the Data Protection Legislation. Each Party shall bear its own costs in relation to compliance with this clause 14 and the Data Protection Legislation. 14.2 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Controller and Veritau is the Processor. The only processing that Veritau is authorised to do is listed in Schedule A by the Customer and may not be determined by Veritau. 14.3 Veritau shall notify the Customer immediately if it considers that any of the Customer’s instructions infringe the Data Protection Legislation. 14.4 Veritau shall provide all reasonable assistance to the Customer in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Customer, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 14.5 Veritau shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: (a) process that Personal Data only in accordance with Schedule A, unless Veritau is required to do otherwise by Law.
If it is so required Veritau shall promptly notify the Customer before processing the Personal Data unless prohibited by Law; (b) ensure that it has in place Protective Measures, which have been reviewed and approved by the Customer as appropriate to protect against a Data Loss Event having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; (c) ensure that: (i) the Staff do not process Personal Data except in accordance with this Agreement (and in particular Schedule A); (ii) it takes all reasonable steps to ensure the reliability and integrity of any Staff who have access to the Personal Data and ensure that they: (A) are aware of and comply with Veritau’s duties under this clause 14; (B) are subject to appropriate confidentiality undertakings with Veritau or any Sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer or as otherwise permitted by this Agreement; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; (d) not transfer Personal Data outside of the EU unless the prior written consent of the Customer has been obtained and the following conditions are fulfilled: (i) the Customer or Veritau has provided appropriate safeguards in relation to the transfer (whether in accordance with UK GDPR Article 46 or LED Article 37) as determined by the Customer; (ii) the Data Subject has enforceable rights and effective legal remedies; (iii) Veritau complies with its
obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Customer in meetings its obligations); and (iv) Veritau complies with any reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; (e) at the written direction of the Customer, delete or return Personal Data (and any copies of it) to the Customer on termination of the Agreement unless Veritau is required by Law to retain the Personal Data. 14.6 Subject to clause 14.7, Veritau shall notify the Customer immediately if it: (a) receives a Data Subject Access Request (or purported Data Subject Access Request); (b) receives a request to rectify, block or erase any Personal Data: (c) receives any other request, complaint or communication relating to either Party’s obligations under the Data Protection Legislation; (d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; (e) receives a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or (f) becomes aware of a Data Loss Event. 14.7 Veritau’s obligation to notify under clause 14.6 shall include the provision of further information to the Customer in phases, as details become available. 
14.8 Taking into account the nature of the processing, Veritau shall provide to the Customer with full assistance in relation to either Party’s obligations under Data Protection Legislation and any complaint, communication or request made under clause 14.6 (and insofar as possible within the timescales reasonably required by the Customer) including by promptly providing: (a) the Customer with full details and copies of the complaint, communication or request; (b) such assistance as is reasonably requested by the Customer to enable the Customer to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; (c) the Customer, at its request, with any Personal Data it holds in relation to a Data Subject; (d) assistance as requested by the Customer following any Data Loss Event; and (e) assistance as requested by the Customer with respect to any request from the Information Commissioner’s Office, or any consultation by the Customer with the Information Commissioner’s Office. 14.9 Veritau shall maintain complete and accurate records and information to demonstrate its compliance with this clause 14 and maintain a record of all categories of processing activities carried out on behalf of a controller where: (a) the Customer determines that the processing is not occasional; (b) the Customer determines the processing includes special categories of data as referred to in Article 9(1) of the UK GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the UK GDPR; and (c) the Customer determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. 14.10 Veritau shall allow for audits of its data processing activity and premises by the Customer or the Customer’s designated auditor. 
14.11 Veritau shall comply with the instructions of the Customer to enable the audits referred to in clause 14.10 to be carried out and Veritau shall provide to the Customer and/or their designated auditor, all reasonable assistance that they require in connection with any audits, including making available to the Customer all information necessary to demonstrate compliance with its obligations under this Agreement and the Data Protection Legislation. 14.12 Veritau shall designate a data protection officer if required by the Data Protection Legislation. 14.13 Before allowing any Sub-processor to process any Personal Data related to this Agreement, Veritau must: (a) notify the Customer in writing of the intended Sub-processor and processing; (b) obtain the written consent of the Customer; (c) enter into a written agreement with the Sub-processor which give effect to the terms set out in this clause 14 such that they apply to the Sub-processor; and (d) provide the Customer with such information regarding the Sub- processor as the Customer may reasonably require. 14.14 Veritau shall remain fully liable for all acts or omissions of any Sub-processor. 14.15 Veritau shall indemnify the Customer for any damage, cost or losses (including legal costs) incurred by the Customer in connection with any third party claim made or threatened against the Customer in connection with the loss, unauthorised disclosure or breach of the Data Protection Legislation by Veritau or any Sub-processor in relation to any Personal Data which Veritau is processing on behalf of the Customer in connection with this Agreement. This indemnity shall not apply to the extent Veritau’s act or omission was as a result of the express instruction of the Customer. 
14.16 Veritau may, at any time on not less than thirty (30) Working Days’ notice, revise this clause 14 by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Agreement). 14.17 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Customer may on not less than thirty (30) Working Days’ notice to Veritau amend this Agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office.

Appears in 1 contract

Samples: Standard Terms and Conditions

Data Protection. The Parties acknowledge that for the purposes of the Data Protection Legislation, CCS is the Controller and the Supplier is the Processor. The only Processing that the Supplier is authorised to do is listed in Framework Schedule 20 by CCS and may not be determined by the Supplier. The Supplier shall notify CCS immediately if it considers that any of CCS's instructions infringe the Data Protection Legislation. The Supplier shall provide all reasonable assistance to CCS in the preparation of any Data Protection Impact Assessment prior to commencing any Processing. Such assistance may, at the discretion of CCS, include: a systematic description of the envisaged Processing operations and the purpose of the Processing; an assessment of the necessity and proportionality of the Processing operations; an assessment of the risks to the rights and freedoms of Data Subjects; and the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. The Supplier shall, in relation to any Personal Data Processed in connection with its obligations under this Framework Agreement: process that Personal Data only in accordance with Framework Schedule 20 unless the Supplier is required to do otherwise by Law.
If it is so required the Supplier shall promptly notify CCS before Processing the Personal Data unless prohibited by Law; ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which CCS may reasonably reject (but failure to reject shall not amount to approval by CCS of the adequacy of the Protective Measures), having taken account of the: nature of the data to be protected; harm that might result from a Data Loss Event; state of technological development; and cost of implementing any measures; ensure that: the Supplier Personnel do not Process Personal Data except in accordance with this Framework Agreement (and in particular Framework 20); it takes all reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that they: are aware of and comply with the Supplier’s duties under this Xxxxxx; are subject to appropriate confidentiality undertakings with the Supplier or any Sub-processor; are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by CCS or as otherwise permitted by this Framework Agreement; and have undergone adequate training in the use, care, protection and handling of Personal Data; and not transfer Personal Data outside of the EU unless the prior written consent of CCS has been obtained and the following conditions are fulfilled: CCS or the Supplier has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by CCS; the Data Subject has enforceable rights and effective legal remedies; the Supplier complies with its obligations under the Data Protection Legislation by providing an adequate
level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist CCS in meeting its obligations); the Supplier complies with any reasonable instructions notified to it in advance by CCS with respect to the Processing of the Personal Data; and in respect of any Processing in, or transfer of Personal Data to, any Restricted Country permitted in accordance with this Clause 25.5.3, the Supplier shall, when requested by CCS, promptly enter into an agreement with CCS including or on such provisions as the Standard Contractual Clauses and/or such variation as a regulator or CCS might require which terms shall, in the event of any conflict, take precedence over those in this Clause 25.5.3, and the Supplier shall comply with any reasonable instructions notified to it in advance by CCS with respect to the transfer of the Personal Data; and at the written direction of CCS, delete or return Personal Data (and any copies of it) to CCS on termination of the Framework Agreement unless the Supplier is required by Law to retain the Personal Data. Subject to Clause 25.5.6, the Supplier shall notify CCS immediately if it: receives a Data Subject Access Request (or purported Data Subject Access Request); receives a request to rectify, block or erase any Personal Data; receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; receives a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; becomes aware of a Data Loss Event; or receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data Processed under this Framework Agreement. The Supplier’s obligation to notify under Clause 25.5.4 shall include the provision of further information to CCS in phases, as details become available. 
Taking into account the nature of the Processing, the Supplier shall provide CCS with full assistance in relation to either party's obligations under Data Protection Legislation and any complaint, communication or request made under Clause 25.5.5 (and insofar as possible within the timescales reasonably required by CCS) including by promptly providing: CCS with full details and copies of the complaint, communication or request; such assistance as is reasonably requested by CCS to enable CCS to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; CCS, at its request, with any Personal Data it holds in relation to a Data Subject; assistance as requested by CCS following any Data Loss Event; assistance as requested by CCS with respect to any request from the Information Commissioner’s Office, or any consultation by CCS with the Information Commissioner's Office. The Supplier shall maintain complete and accurate records and information to demonstrate its compliance with this Clause 25.5 (Data Protection). This requirement does not apply where the Supplier employs fewer than 250 staff, unless CCS determines: that the processing is not occasional; the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; and that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. The Supplier shall allow for audits of its Data Processing activity by CCS or CCS’s designated auditor. The Parties shall designate a Data Protection Officer if required by the Data Protection Legislation. 
Before allowing any Sub-processor to Process any Personal Data related to this Framework Agreement, the Supplier must: notify CCS in writing of the intended Sub-processor and Processing; obtain the written consent of CCS; enter into a written agreement with the Sub-processor which give effect to the terms set out in this Clause 25.5 (Data Protection) such that they apply to the Sub-processor; and provide CCS with such information regarding the Sub-processor as CCS may reasonably require. The Supplier shall remain fully liable for all acts or omissions of any Sub-processor. CCS may, at any time on not less than 30 Working Days’ notice, revise this Clause 25.5 (Data Protection) by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Framework Agreement). The Parties agree to take account of any non-mandatory guidance issued by the Information Commissioner’s Office. CCS may on not less than 30 Working Days’ notice to the Supplier amend this Framework Agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office.

Appears in 1 contract

Samples: Technology Services Framework Agreement

Data Protection. 6.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Controller and the Contractor is the Processor. The only processing that the Contractor is authorised to do is listed in Schedule 1 and may not be determined by the Contractor. 6.2 The Contractor shall notify the Customer immediately if it considers that any of the Customer's instructions infringe the Data Protection Legislation. 6.3 The Contractor shall provide all reasonable assistance to the Customer in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Customer, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 6.4 The Contractor shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: (a) process that Personal Data only in accordance with Schedule 1, unless the Contractor is required to do otherwise by Law.
If it is so required the Contractor shall promptly notify the Customer before processing the Personal Data unless prohibited by Law; (b) ensure that it has in place Protective Measures, which have been reviewed and approved by the Customer as appropriate to protect against a Data Loss Event having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; (c) ensure that: (i) the Contractor Personnel do not process Personal Data except in accordance with this Agreement and the Customer’s written instructions; (ii) it takes all reasonable steps to ensure the reliability and integrity of any Contractor Personnel who have access to the Personal Data and ensure that they:

Appears in 1 contract

Samples: Data Protection Agreement

Data Protection. 17.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, CITB is the Controller and the ATO is the Processor. The only processing that the ATO is authorised to do in connection with this Agreement is listed in Annex A by CITB and may not be determined by the ATO. 17.2 The ATO shall notify CITB immediately if it considers that any of CITB's instructions infringe the Data Protection Legislation. 17.3 The ATO shall provide all reasonable assistance to CITB in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of CITB, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 17.4 The ATO shall, in relation to any Personal Data processed in connection with the ATO’s Obligations under this Agreement: (a) process that Personal Data only in accordance with Annex A, unless the ATO is required to do otherwise by Law.
If it is so required the ATO shall promptly notify CITB before processing the Personal Data unless prohibited by Law; (b) ensure that it has in place Protective Measures, which have been reviewed and approved by CITB as appropriate to protect against a Data Loss Event having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; (c) ensure that: (i) the ATO Personnel do not process Personal Data except in accordance with this Agreement (and in particular Annex A); (ii) it takes all reasonable steps to ensure the reliability and integrity of any ATO Personnel who have access to the Personal Data and ensure that they: (A) are aware of and comply with the ATO’s duties under this clause; (B) are subject to appropriate confidentiality undertakings with the ATO or any Sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by CITB or as otherwise permitted by this Agreement; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; and (d) not transfer Personal Data outside of the EU unless the prior written consent of CITB has been obtained and the following conditions are fulfilled: (i) CITB or the ATO has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article

Appears in 1 contract

Samples: Construction Agreement

Data Protection. 1.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Controller and the Contractor is the Processor unless otherwise specified in Appendix 1. The only processing that the Processor is authorised to do is listed in Appendix 1 by the Controller and may not be determined by the Processor. 1.2 The Processor shall notify the Controller immediately if it considers that any of the Controller's instructions infringe the Data Protection Legislation. 1.3 The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Controller, include: (a) a systematic description of the envisaged processing operations and the purpose of the processing; (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 1.4 The Processor shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: (a) process that Personal Data only in accordance with Appendix 1, unless the Processor is required to do otherwise by Law.
If it is so required, the Processor shall promptly notify the Controller before processing the Personal Data unless prohibited by Law; (b) ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; (c) ensure that: (i) the Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Appendix 1); (ii) it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Processor’s duties under this clause; (B) are subject to appropriate confidentiality undertakings with the Processor or any Sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Controller or as otherwise permitted by this Agreement; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; and (d) not transfer Personal Data outside of the EU unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled: (i) the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Controller; (ii) the Data Subject has enforceable rights and effective legal remedies; (iii) the Processor complies with its obligations under the Data
Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and (iv) the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data; (e) at the written direction of the Controller, delete or return Personal Data (and any copies of it) to the Controller on termination of the Agreement unless the Processor is required by Law to retain the Personal Data. 1.5 Subject to clause 1.6, the Processor shall notify the Controller immediately if it: (a) receives a Data Subject Request (or purported Data Subject Request); (b) receives a request to rectify, block or erase any Personal Data; (c) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; (d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; (e) receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or (f) becomes aware of a Data Loss Event. 1.6 The Processor’s obligation to notify under clause 1.5 shall include the provision of further information to the Controller in phases, as details become available. 
1.7 Taking into account the nature of the processing, the Processor shall provide the Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause 1.5 (and insofar as possible within the timescales reasonably required by the Controller) including by promptly providing: (a) the Controller with full details and copies of the complaint, communication or request; (b) such assistance as is reasonably requested by the Controller to enable the Controller to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation; (c) the Controller, at its request, with any Personal Data it holds in relation to a Data Subject; (d) assistance as requested by the Controller following any Data Loss Event; (e) assistance as requested by the Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Controller with the Information Commissioner's Office.

Appears in 1 contract

Samples: License Agreement

Data Protection. 2.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the School is the Controller and the Provider is the Processor. Unless otherwise agreed in writing, the Data Processing Operations is the only processing that the Provider is authorised to do is listed in Contract Schedule 7 by the Controller and may not be determined by the Processor. School. 2.2 The Provider shall notify the School immediately if it considers that any of the School’s instructions infringe the Data Protection Legislation. 2.3 The Provider shall provide all reasonable assistance to the School in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the School, include: (i) a systematic description of the envisaged processing operations and the purpose of the processing; (ii) an assessment of the necessity and proportionality of the processing operations in relation to the Services; (iii) an assessment of the risks to the rights and freedoms of Data Subjects; and (iv) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. 2.4 The Provider shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: (a) process that Personal Data only in accordance with the Data Processing Operations, unless the Provider is required to do otherwise by Law.
If it is so required the Provider shall promptly notify the School before processing the Personal Data unless prohibited by Law; (b) ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the School may reasonably reject (but failure to reject shall not amount to approval by the School of the adequacy of the Protective Measures), having taken account of the: (i) nature of the data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; (c) ensure that: (i) the Provider Personnel do not process Personal Data except in accordance with this Agreement (and in particular the Data Processing Operations); (ii) it takes all reasonable steps to ensure the reliability and integrity of any Provider Personnel who have access to the Personal Data and ensure that they: (A) are aware of and comply with the Provider’s duties under this clause; (B) are subject to appropriate confidentiality undertakings with the Provider or any Sub-processor; (C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the School or as otherwise permitted by this Agreement; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data; and (d) not transfer Personal Data outside of the EU unless the prior written consent of the School has been obtained and the following conditions are fulfilled: (i) the School or the Provider has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the School; (ii) the Data Subject has enforceable rights and effective legal remedies; (iii) the Provider complies with
its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist THE SCHOOL in meeting its obligations); and (iv) the Provider complies with any reasonable instructions notified to it in advance by the School with respect to the processing of the Personal Data; (e) at the written direction of the School, delete or return Personal Data (and any copies of it) to the School on termination of the Agreement unless the Provider is required by Law to retain the Personal Data. 2.5 Subject to clause 2.6, the Provider shall provide written notice to the School’s School Business Manager (e-mail: xxxxxxxxxx@xxxxxxx.xxxxx.xxx.xx) immediately if it: (a) receives a Data Subject Request (or purported Data Subject Request); (b) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; (c) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; (d) receives a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or (e) becomes aware of a Data Loss Event. 2.6 The Provider’s obligation to notify under clause 2.5 shall include the provision of further information to the School in phases, as details become available. 
2.7 Taking into account the nature of the processing, the Provider shall provide the School with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause 2.5 (and insofar as possible within the timescales reasonably required by the School) including by promptly providing: (a) the School with full details and copies of the complaint, communication or request; (b) such assistance as is reasonably requested by the School to enable the School to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation; (c) the School, at its request, with any Personal Data it holds in relation to a Data Subject; (d) assistance as requested by the School following any Data Loss Event; (e) assistance as requested by the School with respect to any request from the Information Commissioner’s Office, or any consultation by the School with the Information Commissioner's Office. 2.8 The Provider shall maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Provider employs fewer than 250 staff, unless: (a) the School determines that the processing is not occasional; (b) the School determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; and (c) the School determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. 2.9 The Provider shall allow for audits of its Data Processing activity by the School or the School’s designated auditor. 2.10 The Provider shall designate a data protection officer if required by the Data Protection Legislation. 
2.11 Before allowing any Sub-processor to process any Personal Data related to this Agreement, the Provider must: (a) notify the School in writing of the intended Sub-processor and processing; (b) obtain the written consent of the School; (c) enter into a written agreement with the Sub-processor which give effect to the terms set out in this clause 2 such that they apply to the Sub-processor; and (d) provide the School with such information regarding the Sub-processor as the School may reasonably require. 2.12 The Provider shall remain fully liable for all acts or omissions of any Sub-processor. 2.13 Either Party may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (in either case in accordance with Articles 28(6), 28(7), and 28(8) of the GDPR which shall apply when incorporated by attachment to this Agreement). 2.14 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The School may on not less than 30 Working Days’ notice to the Provider amend this Agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office. 2.15 The Provider shall indemnify the School against all liabilities, costs, expenses, damages, and losses (and all other reasonable professional costs and expenses) suffered or incurred by the School arising out of or in connection with: (a) any breach of the obligations contained within this clause 2 (Data Protection); or (b) any failure to comply with its obligations as a Processor under the Data Protection Legislation.

Appears in 1 contract

Samples: Services and Data Protection Agreement

Data Protection. The Parties acknowledge that for the purposes of the Data Protection Legislation, the Authority is the Controller and the Contractor is the Processor. The only processing that the Contractor is authorised to do is listed in Annex 1 of this Contract by the Authority and may not be determined by the Contractor. The Contractor shall notify the Authority immediately if it considers that any of the Authority's instructions infringe the Data Protection Legislation. The Contractor shall provide all reasonable assistance to the Authority in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Authority, include: a systematic description of the envisaged processing operations and the purpose of the processing; an assessment of the necessity and proportionality of the processing operations in relation to the Services; an assessment of the risks to the rights and freedoms of Data Subjects; and the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. The Contractor shall, in relation to any Personal Data processed in connection with its obligations under this Contract: process that Personal Data only in accordance with Annex 1, unless the Contractor is required to do otherwise by Law. 
If it is so required the Contractor shall promptly notify the Authority before processing the Personal Data unless prohibited by Law; ensure that it has in place Protective Measures, which are as appropriate to protect against a Data Loss Event, which the Authority may reasonably reject (but failure to reject shall not amount to approval by the Authority of the adequacy of the Protective Measures), having taken account of the: nature of the data to be protected; harm that might result from a Data Loss Event; state of technological development; and cost of implementing any measures; The review and approval of the Protective Measures by the Authority shall not relieve the Contractor of its obligations under the Data Protection Legislation, and the Contractor acknowledges that it is solely responsible for determining whether such Protective Measures are sufficient for it to have met its obligations under the Data Protection Legislation. ensure that: the Contractor Personnel do not process Personal Data except in accordance with this Contract and in particular Annex 1; it takes all reasonable steps to ensure the reliability and integrity of any Contractor Personnel who have access to the Personal Data and ensure that they: are aware of and comply with the Contractor’s duties under this Condition; are subject to appropriate confidentiality undertakings with the Contractor or any Sub-Processor; are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Authority or as otherwise permitted by this Contract; and have undergone adequate training in the use, care, protection and handling of Personal Data; not transfer Personal Data outside of the UK unless the prior written consent of the Authority has been obtained and provided the following conditions are 
fulfilled: the Authority or the Contractor has provided appropriate safeguards in relation to the transfer in accordance with guidance issued by the UK Government or body appointed by the Government and approved by the Authority; the Data Subject has enforceable rights and effective legal remedies; the Contractor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Authority in meeting its obligations); and the Contractor complies with any reasonable instructions notified to it in advance by the Authority with respect to the processing of the Personal Data. Subject to clause (6) below, the Contractor shall notify the Authority immediately if it: receives a Data Subject Request (or purported Data Subject Request); receives a request to rectify, block or erase any Personal Data; receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Contract; receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or becomes aware of a Data Loss Event. The Contractor’s obligation to notify under clause (5) of this Condition shall include the provision of further information to the Authority in phases, as details become available. 
Taking into account the nature of the processing, the Contractor shall provide the Authority with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under Condition 12(5) (and insofar as possible within the timescales reasonably required by the Authority) including by promptly providing: the Authority with full details and copies of the complaint, communication or request; such assistance as is reasonably requested by the Authority to enable the Authority to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation; the Authority, at its request, with any Personal Data it holds in relation to a Data Subject; assistance as requested by the Authority following any Data Loss Event; and assistance as requested by the Authority with respect to any request from the Information Commissioner’s Office, or any consultation by the Authority with the Information Commissioner's Office. The Contractor shall maintain complete and accurate records and information to demonstrate its compliance with this Condition. This requirement does not apply where the Contractor employs fewer than 250 staff, unless: the Authority determines that the processing is not occasional; the Authority determines the processing includes special categories of data as referred to in Article 9(1) of the UK GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the UK GDPR; and the Authority determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. The Contractor shall allow for audits of its Data Processing activity by the Authority or the Authority’s designated auditor. The Contractor shall designate a Data Protection Officer if required by the Data Protection Legislation. 
Before allowing any Sub-Processor to process any Personal Data related to this Contract, the Contractor must: notify the Authority in writing of the intended Sub-Processor and processing; obtain the written consent of the Authority; enter into a written agreement with the Sub-Processor which give effect to the terms set out in this Condition 12 such that they apply to the Sub-Processor; and provide the Authority with such information regarding the Sub-Processor as the Authority may reasonably require. The Contractor shall remain fully liable for all acts or omissions of any of its Sub-Processors. The Authority may, at any time on not less than 30 Working Days’ notice, revise this Condition 12 by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Contract). The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Authority may on not less than 30 Working Days’ notice to the Contractor amend this Contract to ensure that it complies with any guidance issued by the Information Commissioner’s Office. If the Contractor fails to comply with any provision of this Condition 12, the Authority may terminate the Contract immediately in which event the provisions of Condition 33 shall apply. 
The Contractor shall indemnify and keep indemnified the Authority against all claims and proceedings, and all costs and expenses incurred by it in connection therewith, made or brought against the Authority by any person in respect of the Data Protection Legislation or equivalent applicable legislation in any other country which claims would not have arisen but for some act, omission, misrepresentation or negligence on the part of the Contractor, its subcontractors and/or its Sub-Processors and hold it harmless against all costs, fines, losses and liability whatsoever incurred by it arising out of any action or inaction on its part in relation to any of its obligations as set out in this Contract which results in the Authority being in breach of its obligations under the Data Protection Legislation or equivalent applicable legislation in any other country. Upon expiry or earlier termination of this Contract for whatever reason, the Contractor shall, unless otherwise specified in Annex 1 or required by Law, immediately cease any processing of the Personal Data on the Authority’s behalf and at the written direction of the Authority: provide the Authority with a complete and uncorrupted version of the Personal Data in electronic form (or such other format as reasonably required by the Authority); and delete the Personal Data (and any copies of it) including from any computers, storage devices and storage media that are to be retained by the Contractor after the expiry of the Contract. The Contractor will certify to the Authority that it has completed such deletion. Where the Contractor is required to collect any Personal Data on behalf of the Authority, it shall ensure that it provides the relevant Data Subjects from whom the Personal Data are collected with a privacy notice in a form to be agreed with the Authority. 
Bribery and Corruption The Contractor shall not, and shall ensure that its Contractor Personnel do not: offer or promise, to any person employed or engaged by or on behalf of the Authority, any financial or other advantage as an inducement or reward for the improper performance of a function or activity, or for showing or not showing favour or disfavour to any person in relation to this Contract or any other contract with the Authority; agree to receive or accept any financial or other advantage as an inducement or reward for any improper performance of a function or activity in relation to this Contract or any other contract with the Authority; or enter into the Contract or any other contract with the Authority or any other department or office of Her Majesty's Government in connection with which commission has been paid, or agreed to be paid by the Contractor or on the Contractor’s behalf, or to the Contractor’s knowledge, unless, before the Contract is made, particulars of any such commission and the terms and conditions of any agreement for the payment thereof, have been disclosed in writing to any person duly authorised by the Authority to act as its representative for the purpose of this Condition. Nothing contained in this Condition shall prevent the Contractor paying such commission or bonuses to the Contractor’s own staff in accordance with their agreed contracts of employment. 
Any breach of this Condition by the Contractor, or by any person employed or engaged by the Contractor or acting on the Contractor’s behalf (whether with or without the Contractor’s knowledge), or any act or omission by the Contractor, or by such other person, in contravention of the Bribery Act 2010 or any other anti-corruption law, in relation to this Contract or any other contract with the Authority, shall entitle the Authority to terminate the Contract with immediate effect by notice in writing and to recover from the Contractor the amount of any loss resulting from such termination, and the amount of the value of any such gift, consideration or commission as the Authority shall think fit. In any dispute, difference or question arising in respect of: the interpretation of this Condition (except so far as the same may relate to the amount recoverable from the Contractor under clause (3) of this Condition in respect of any loss resulting from such determination of the Contract); or the right of the Authority to determine the Contract; or the amount or value of any gift, consideration or commission, the decision of the Authority shall be final and conclusive.

Appears in 1 contract

Samples: Beis Standard Terms and Conditions of Contract for Services

Data Protection. The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Controller and the Contractor is the Processor unless otherwise specified in Contract Schedule A. The only processing that the Processor is authorised to do is listed in Contract Schedule A by the Controller and may not be determined by the Processor. The Processor shall notify the Controller immediately if it considers that any of the Controller's instructions infringe the Data Protection Legislation. The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Controller, include: a systematic description of the envisaged processing operations and the purpose of the processing; an assessment of the necessity and proportionality of the processing operations in relation to the Services; an assessment of the risks to the rights and freedoms of Data Subjects; and the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. The Processor shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: process that Personal Data only in accordance with Contract Schedule A, unless the Processor is required to do otherwise by Law. 
If it is so required the Processor shall promptly notify the Controller before processing the Personal Data unless prohibited by Law; ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), having taken account of the: nature of the data to be protected; harm that might result from a Data Loss Event; state of technological development; and cost of implementing any measures; Ensure that: the Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule A); it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they: are aware of and comply with the Processor’s duties under this clause; are subject to appropriate confidentiality undertakings with the Processor or any Sub-processor; are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Controller or as otherwise permitted by this Agreement; and have undergone adequate training in the use, care, protection and handling of Personal Data; and not transfer Personal Data outside of the EU unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled: the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Controller; the Data Subject has enforceable rights and effective legal remedies; the Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, 
if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data; at the written direction of the Controller, delete or return Personal Data (and any copies of it) to the Controller on termination of the Agreement unless the Processor is required by Law to retain the Personal Data. Subject to clause 13.6, the Processor shall notify the Controller immediately if it: receives a Data Subject Request (or purported Data Subject Request); receives a request to rectify, block or erase any Personal Data; receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or becomes aware of a Data Loss Event. The Processor’s obligation to notify under clause 13.5 shall include the provision of further information to the Controller in phases, as details become available. 
Taking into account the nature of the processing, the Processor shall provide the Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause 13.5 (and insofar as possible within the timescales reasonably required by the Controller) including by promptly providing: the Controller with full details and copies of the complaint, communication or request; such assistance as is reasonably requested by the Controller to enable the Controller to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation; the Controller, at its request, with any Personal Data it holds in relation to a Data Subject; assistance as requested by the Controller following any Data Loss Event; assistance as requested by the Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Controller with the Information Commissioner's Office. The Processor shall maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Processor employs fewer than 250 staff, unless: the Controller determines that the processing is not occasional; the Controller determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; or the Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects. The Processor shall allow for audits of its Data Processing activity by the Controller or the Controller’s designated auditor. Each Party shall designate its own data protection officer if required by the Data Protection Legislation. 
Before allowing any Sub-processor to process any Personal Data related to this Agreement, the Processor must: notify the Controller in writing of the intended Sub-processor and processing; obtain the written consent of the Controller; enter into a written agreement with the Sub-processor which give effect to the terms set out in this clause 13 such that they apply to the Sub-processor; and provide the Controller with such information regarding the Sub-processor as the Controller may reasonably require. The Processor shall remain fully liable for all acts or omissions of any of its Sub-processors. The Controller may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Agreement). The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Controller may on not less than 30 Working Days’ notice to the Processor amend this agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office. Where the Parties include two or more Joint Controllers as identified in Schedule A in accordance with GDPR Article 26, those Parties shall enter into a Joint Controller Agreement based on the terms outlined in Schedule B in replacement of Clauses 13.1-13.14 for the Personal Data under Joint Control Liability.

Appears in 1 contract

Samples: Waste Haulage Services Agreement
