Common use of DESCRIPTION OF PROCESSING AND TRANSFERS Clause in Contracts

DESCRIPTION OF PROCESSING AND TRANSFERS. Categories of data subjects: Employees, agents, advisors, consultants, freelancers of the Controller (who are natural persons). Users, Affiliates and other participants authorised by the Controller to access or use the Services in accordance with the terms of the Agreement. Prospects, customers, clients, business partners and vendors of the Controller (who are natural persons) and individuals with whom those end users communicate with by email and/or other messaging media. Employees or contact persons of Controller’s prospects, customers, clients, business partners and vendors. Suppliers and service providers of the Controller. Other individuals to the extent identifiable in the context of emails of their attachments or in archiving content. Categories of Personal Data: The Controller may submit Personal Data to the Services, the extent of which is determined and controlled by the Controller. The Personal Data includes but is not limited to: ● Personal details, first name, surname, user names, passwords, email addresses, employee ID, structure location (department, team etc.), manager name and ID, IP address and digital signature of Users. ● Personal Data derived from the Users use of the Services such as records and business intelligence information. ● Personal Data within email and messaging content which identifies or may reasonably be used to identify data subjects. ● Metadata including sent, to, from, date, time, subject, which may include Personal Data. ● E-Learning course materials on risk assessment. ● Photographs uploaded via risk assessment. ● File attachments that may contain Personal Data. ● Survey, feedback and assessment responses relating to risk assessment. ● Information offered by users as part of support enquiries. ● Other data added by the Controller from time to time. Sensitive Data: Personal data transferred includes but is not limited to the following special categories of data: ● Data concerning health, where this is provided by the end-user in response to a risk assessment. The frequency of the processing and transfer (e.g. whether the data is transferred on a one-off or continuous basis): Continuous basis for the duration of the Agreement. Nature of the processing: Processing operations include but are not limited to: provision of training courses, risk assessment questionnaires and learning management services to employees, contractors and users of the Services to monitor and evaluate risk assessment in the workplace in compliance with rules and regulations applicable to the Controller’s business. Purpose(s) of the data transfer and further processing: Personal Data is transferred to sub-contractors who need to process some of the Personal Data in order to provide their services to the Processor as part of the Services provided by the Processor to the Controller. The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period: Unless agreed otherwise in writing, for the duration of the Agreement, subject to clause 14 of the DPA. For transfers to (Sub-) processors, also specify subject matter, nature and duration of the processing: The Sub-processor list accessed via xxxxx://xxx.xxxxxxxxxxxxxxx.xxx/docs sets out the Personal Data processed by each Sub-processor and the services provided by each Sub-processor.

DESCRIPTION OF PROCESSING AND TRANSFERS. Categories of data subjects: Employees, agents, advisors, consultants, freelancers of the Controller (who are natural persons). Users, Affiliates and other participants authorised by the Controller to access or use the Services in accordance with the terms of the Agreement. Prospects, customers, clients, business partners and vendors of the Controller (who are natural persons) and individuals with whom those end users communicate with by email and/or other messaging media. Employees or contact persons of Controller’s prospects, customers, clients, business partners and vendors. Suppliers and service providers of the Controller. Other individuals to the extent identifiable in the context of emails of their attachments or in archiving content. Categories of Personal Data: The Controller may submit Personal Data to the Services, the extent of which is determined and controlled by the Controller. The Personal Data includes but is not limited to: ● Personal details, first name, surname, user names, passwords, email addresses, employee ID, structure location (department, team etc.), manager name and ID, IP address and digital signature of Users. ● Personal Data derived from the Users use of the Services such as records and business intelligence information. ● Personal Data within email and messaging content which identifies or may reasonably be used to identify data subjects. ● Metadata including sent, to, from, date, time, subject, which may include Personal Data. ● E-Learning course materials on risk assessment. ● Photographs uploaded via risk assessment. ● File attachments that may contain Personal Data. ● Survey, feedback and assessment responses relating to risk assessment. ● Information offered by users as part of support enquiries. ● Other data added by the Controller from time to time. Sensitive Data: Personal data transferred includes but is not limited to the following special categories of data: ● Data concerning health, where this is provided by the end-user in response to a risk assessment. The frequency of the processing and transfer (e.g. whether the data is transferred on a one-off or continuous basis): Continuous basis for the duration of the Agreement. Nature of the processing: Processing operations include but are not limited to: provision of training courses, risk assessment questionnaires and learning management services to employees, contractors and users of the Services to monitor and evaluate risk assessment in the workplace in compliance with rules and regulations applicable to the Controller’s business. Purpose(s) of the data transfer and further processing: Personal Data is transferred to sub-contractors who need to process some of the Personal Data in order to provide their services to the Processor as part of the Services provided by the Processor to the Controller. The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period: Unless agreed otherwise in writing, for the duration of the Agreement, subject to clause 14 of the DPA. For transfers to (Sub-) processors, also specify subject matter, nature and duration of the processing: The Sub-processor list accessed via xxxxx://xxx.xxxxxxxxxxxxxxx.xxx/docs sets out the Personal Data processed by each Sub-processor and the services provided by each Sub-processor.

DESCRIPTION OF PROCESSING AND TRANSFERS. Categories of data subjectsData Subjects: Employees, agents, advisors, consultants, freelancers of the Controller (who are natural persons). Users, Affiliates and other participants authorised by the Controller to access or use the Services in accordance with the terms of the Agreement. Prospects, customers, clients, business partners and vendors of the Controller (who are natural persons) and individuals with whom those end users communicate with by email and/or other messaging media. Employees or contact persons of Controller’s prospects, customers, clients, business partners and vendors. Suppliers and service providers of the Controller. Other individuals to the extent identifiable in the context of emails of their attachments or in archiving content. Categories of Personal Data: The Controller may submit Personal Data to the Services, the extent of which is determined and controlled by the Controller. The Personal Data includes but is not limited to: ● • Personal details, first name, middle name and surname, user names, passwords, email addresses, employee ID, structure location (department, team etc.), manager role in the company and company name and IDcompany address of users of the Services. • Unique identifiers such as username, IP address and digital signature of Usersaccount number or password. ● • Personal Data derived from the Users a user’s use of the Services such as records and business intelligence information. ● • Personal Data within email and messaging content which identifies or may reasonably be used to identify individuals. • Meta data subjects. ● Metadata including sent, to, from, date, time, subject, which may include Personal Data. ● E-Learning course materials on risk assessment• Geolocation based upon IP address. ● Photographs uploaded via risk assessment• Financial data required for invoicing such as VAT number and credit card information. ● File • Consumption data. • User avatars. • Email attachments that may contain Personal Data. ● • Uploaded documents and files that may contain Personal Data. • Survey, feedback and assessment responses relating to risk assessmentmessages. ● • Information offered by users of the Services as part of support enquiries. ● • Other data added by the Controller from time to time. Sensitive Data: Personal No sensitive data will be processed or transferred includes but is and shall not limited to be contained in the following special categories content of data: ● Data concerning healthor attachments to, where this is provided by the end-user in response to a risk assessmentemails. The frequency of the processing and transfer (e.g. whether the data is transferred on a one-off or continuous basis): Continuous basis for the duration of the Agreement. Nature of the processing: Processing operations include but are not limited to: provision processing of training courses, risk assessment questionnaires all documents and learning management services translations uploaded to employees, contractors and users of the Services by users to monitor provided translation management software and evaluate risk assessment in the workplace in compliance with rules and regulations applicable to the Controller’s businesstranslation services. Purpose(s) of the data transfer and further processing: Personal Data is transferred to sub-contractors who need to process some of the Personal Data in order to provide their services to the Processor as part of the Services provided by the Processor to the Controller. The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period: Unless agreed otherwise in writing, for the duration of the Agreement, subject to clause 14 of the DPA. For transfers to (Sub-) processors, also specify subject matter, nature and duration of the processing: The Sub-processor list accessed via xxxxx://xxx.xxxxxxxxxxxxxxx.xxx/docs published at: xxxxx://xxxxxxx.xxx/legal/sub-processor-list sets out the Personal Data processed by each Sub-processor and the services provided by each Sub-processor.