Common use of General Data Protection Regulation Clause in Contracts

General Data Protection Regulation. 22.1 2Connect will process data that may contain personally identifiable information on behalf of the Data Controller (customer) only when there is no reasonable alternative method of delivering the services contracted to the Customer. 22.2 Both parties will comply with all applicable requirements of the General Data Protection Regulation. This clause 22 is in addition to, and does not relieve, remove or replace, a party’s obligations under the data Protection Legislation 22.3 The parties acknowledge that for the purposes of the General Data Protection Regulation, the Customer is the data controller and 2Connect is the data processor (where Data Controller and Data Processor have the meanings as defined in the General Data Protection Regulation). 22.4 2Connect’s lawful rationale for processing Personal Data is Legitimate Interest when that interest is in the delivery of services to our customers (or enquiries into potential delivery of services to potential customers) who may hold, as data controllers, personal information on data subjects and request we process this on their behalf in the delivery of the agreed services. 22.5 Without prejudice to the generality of Clause 22.2 2Connect shall, in relation to any Personal Data processed in connection with the performance by 2Connect of its obligations under this Contract: 22.5.1 Only process personal data when there is no reasonable alternative method of delivering the contracted services to the Customer or 2Connect is required by laws of any member of the European Union or by the laws of the European Union applicable to 2Connect to process Personal Data (Applicable Laws). Where 2Connect is relying on laws of a member of the European Union or European Union laws the basis for processing Personal Date, 2Connect shall promptly notify the Customer of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit 2Connect from so notifying the Customer; 22.5.2 Ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it); 22.5.3 Ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential as per 18.2 22.5.4 Do not transfer any Personal Data outside of the European Economic Area unless the prior written consent of the Customer has been obtained and the following conditions are fulfilled: 22.5.4.1 The Customer or 2Connect has provided appropriate safeguards in relation to the transfer; 22.5.4.2 The data subject has enforceable rights and effective legal remedies; 22.5.4.3 2Connect complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any personal data that is transferred; and 22.5.4.4 2Connect complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; 22.5.5 Assist the Data controller (Customer), in responding to any request from a Data Subject and in ensuring compliance with its obligations under the General Data Protection Regulation with respect to security, breach notifications, impact assessments, audits and consultations with supervisory authorities or regulators; 22.5.6 Notify the Data controller (Customer) without undue delay on becoming aware of a Personal Data breach; 22.5.7 At the written direction of the Data controller (Customer), provide comprehensive information of stored Personal Data and provide evidence it has been deleted or modified to become unidentifiable to the Data controller (Customer) on termination of the Contract unless required by Applicable Law to store the Personal Data; and 22.5.8 Maintain complete and accurate records and information to demonstrate its compliance with this Clause. 22.6 2Connect will not appoint any 3rd party to process personal information under the (data) control of the customer without providing assurances on the security of the 3rd party and without seeking written consent from the Data controller (customer) to do so . 22.7 2Connect may revise this Clause, replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme or approved form of processing arrangement (which shall apply when replaced by attachment to this Contract). 22.8 2Connect’s Privacy Policy is available upon request and can be found at:

General Data Protection Regulation. 22.1 2Connect Stratus will process data that may contain personally identifiable information on behalf of the Data Controller (customer) only when there is no reasonable alternative method of delivering the services contracted to the Customer. 22.2 Both parties will comply with all applicable requirements of the General Data Protection Regulation. This clause 22 is in addition to, and does not relieve, remove or replace, a party’s obligations under the data Protection Legislation 22.3 The parties acknowledge that for the purposes of the General Data Protection Regulation, the Customer is the data controller and 2Connect Stratus is the data processor (where Data Controller and Data Processor have the meanings as defined in the General Data Protection Regulation). 22.4 2ConnectXxxxxxx’s lawful rationale for processing Personal Data is Legitimate Interest when that interest is in the delivery of services to our customers (or enquiries into potential delivery of services to potential customers) who may hold, as data controllers, personal information on data subjects and request we process this on their behalf in the delivery of the agreed services. 22.5 Without prejudice to the generality of Clause 22.2 2Connect Stratus shall, in relation to any Personal Data processed in connection with the performance by 2Connect Xxxxxxx of its obligations under this Contract: 22.5.1 Only process personal data when there is no reasonable alternative method of delivering the contracted services to the Customer or 2Connect Stratus is required by laws of any member of the European Union or by the laws of the European Union applicable to 2Connect Stratus to process Personal Data (Applicable Laws). Where 2Connect Xxxxxxx is relying on laws of a member of the European Union or European Union laws the basis for processing Personal Date, 2Connect Stratus shall promptly notify the Customer of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit 2Connect Stratus from so notifying the Customer; 22.5.2 Ensure ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it); 22.5.3 Ensure ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential as per 18.2 22.5.4 Do do not transfer any Personal Data outside of the European Economic Area unless the prior written consent of the Customer has been obtained and the following conditions are fulfilled: 22.5.4.1 The the Customer or 2Connect Stratus has provided appropriate safeguards in relation to the transfer; 22.5.4.2 The the data subject has enforceable rights and effective legal remedies; 22.5.4.3 2Connect Stratus complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any personal data Personal Data that is transferred; and 22.5.4.4 2Connect Xxxxxxx complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; 22.5.5 Assist assist the Data controller (Customer), in responding to any request from a Data Subject and in ensuring compliance with its obligations under the General Data Protection Regulation with respect to security, breach notifications, impact assessments, audits and consultations with supervisory authorities or regulators; 22.5.6 Notify notify the Data controller (Customer) without undue delay on becoming aware of a Personal Data breach; 22.5.7 At at the written direction of the Data controller (Customer), provide comprehensive information of stored Personal Data and provide evidence it has been deleted or modified to become unidentifiable to the Data controller (Customer) on termination of the Contract unless required by Applicable Law to store the Personal Data; and 22.5.8 Maintain maintain complete and accurate records and information to demonstrate its compliance with this Clause. 22.6 2Connect Xxxxxxx will not appoint any 3rd party to process personal information under the (data) control of the customer without providing assurances on the security of the 3rd party and without seeking written consent from the Data controller (customer) to do so so. 22.7 2Connect Stratus may revise this Clause, replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme or approved form of processing arrangement (which shall apply when replaced by attachment to this Contract). 22.8 2Connect’s Privacy Policy is available upon request and can be found at:

General Data Protection Regulation. 22.1 2Connect Aspire will process data that may contain personally identifiable information on behalf of the Data Controller (customer) only when there is no reasonable alternative method of delivering the services contracted to the Customer. 22.2 Both parties will comply with all applicable requirements of the General Data Protection Regulation. This clause 22 is in addition to, and does not relieve, remove or replace, a party’s obligations under the data Protection Legislation 22.3 The parties acknowledge that for the purposes of the General Data Protection Regulation, the Customer is the data controller and 2Connect Aspire is the data processor (where Data Controller and Data Processor have the meanings as defined in the General Data Protection Regulation).as 22.4 2ConnectAspire’s lawful rationale for processing Personal Data is Legitimate Interest when that interest is in the delivery of services to our customers (or enquiries into potential delivery of services to potential customers) who may hold, as data controllers, personal information on data subjects and request we process this on their behalf in the delivery of the agreed services. 22.5 Without prejudice to the generality of Clause 22.2 2Connect Aspire shall, in relation to any Personal Data processed in connection with the performance by 2Connect Aspire of its obligations under this Contract: 22.5.1 Only process personal data when there is no reasonable alternative method of delivering the contracted services to the Customer or 2Connect Aspire is required by laws of any member of the European Union or by the laws of the European Union applicable to 2Connect Aspire to process Personal Data (Applicable Laws). Where 2Connect Aspire is relying on laws of a member of the European Union or European Union laws the basis for processing Personal Date, 2Connect Aspire shall promptly notify the Customer of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit 2Connect Aspire from so notifying the Customer; 22.5.2 Ensure ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it); 22.5.3 Ensure ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential as per 18.2 22.5.4 Do do not transfer any Personal Data outside of the European Economic Area unless the prior written consent of the Customer has been obtained and the following conditions are fulfilled: 22.5.4.1 The the Customer or 2Connect Aspire has provided appropriate safeguards in relation to the transfer; 22.5.4.2 The the data subject has enforceable rights and effective legal remedies; 22.5.4.3 2Connect Aspire complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any personal data Personal Data that is transferred; and 22.5.4.4 2Connect Aspire complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; 22.5.5 Assist assist the Data controller (Customer), in responding to any request from a Data Subject and in ensuring compliance with its obligations under the General Data Protection Regulation with respect to security, breach notifications, impact assessments, audits and consultations with supervisory authorities or regulators; 22.5.6 Notify notify the Data controller (Customer) without undue delay on becoming aware of a Personal Data breach; 22.5.7 At at the written direction of the Data controller (Customer), provide comprehensive information of stored Personal Data and provide evidence it has been deleted or modified to become unidentifiable to the Data controller (Customer) on termination of the Contract unless required by Applicable Law to store the Personal Data; and 22.5.8 Maintain maintain complete and accurate records and information to demonstrate its compliance with this Clause. 22.6 2Connect Aspire will not appoint any 3rd party to process personal information under the (data) control of the customer without providing assurances on the security of the 3rd party and without seeking written consent from the Data controller (customer) to do so so. 22.7 2Connect Aspire may revise this Clause, replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme or approved form of processing arrangement (which shall apply when replaced by attachment to this Contract). 22.8 2ConnectAspire’s Privacy Policy is available upon request and can be found at:below. Privacy Policy Aspire provide a wide variety of services to a wide range of organisations, in doing so we process data, a lot of data, some of which may contain personal information about the employees and customers of the organisations we provide services to.

General Data Protection Regulation. 22.1 2Connect Aspire will process data that may contain personally identifiable information on behalf of the Data Controller (customer) only when there is no reasonable alternative method of delivering the services contracted to the Customer. 22.2 Both parties will comply with all applicable requirements of the General Data Protection Regulation. This clause 22 is in addition to, and does not relieve, remove or replace, a party’s obligations under the data Protection Legislation 22.3 The parties acknowledge that for the purposes of the General Data Protection Regulation, the Customer is the data controller and 2Connect Aspire is the data processor (where Data Controller and Data Processor have the meanings as defined in the General Data Protection Regulation).as 22.4 2ConnectAspire’s lawful rationale for processing Personal Data is Legitimate Interest when that interest is in the delivery of services to our customers (or enquiries into potential delivery of services to potential customers) who may hold, as data controllers, personal information on data subjects and request we process this on their behalf in the delivery of the agreed services. 22.5 Without prejudice to the generality of Clause 22.2 2Connect Aspire shall, in relation to any Personal Data processed in connection with the performance by 2Connect Aspire of its obligations under this Contract: 22.5.1 Only process personal data when there is no reasonable alternative method of delivering the contracted services to the Customer or 2Connect Aspire is required by laws of any member of the European Union or by the laws of the European Union applicable to 2Connect Aspire to process Personal Data (Applicable Laws). Where 2Connect Aspire is relying on laws of a member of the European Union or European Union laws the basis for processing Personal Date, 2Connect Aspire shall promptly notify the Customer of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit 2Connect Aspire from so notifying the Customer; 22.5.2 Ensure ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it); 22.5.3 Ensure ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential as per 18.2 22.5.4 Do do not transfer any Personal Data outside of the European Economic Area unless the prior written consent of the Customer has been obtained and the following conditions are fulfilled: 22.5.4.1 The the Customer or 2Connect Aspire has provided appropriate safeguards in relation to the transfer; 22.5.4.2 The the data subject has enforceable rights and effective legal remedies; 22.5.4.3 2Connect Aspire complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any personal data Personal Data that is transferred; and 22.5.4.4 2Connect Aspire complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; 22.5.5 Assist assist the Data controller (Customer), in responding to any request from a Data Subject and in ensuring compliance with its obligations under the General Data Protection Regulation with respect to security, breach notifications, impact assessments, audits and consultations with supervisory authorities or regulators; 22.5.6 Notify notify the Data controller (Customer) without undue delay on becoming aware of a Personal Data breach; 22.5.7 At at the written direction of the Data controller (Customer), provide comprehensive information of stored Personal Data and provide evidence it has been deleted or modified to become unidentifiable to the Data controller (Customer) on termination of the Contract unless required by Applicable Law to store the Personal Data; and 22.5.8 Maintain maintain complete and accurate records and information to demonstrate its compliance with this Clause. 22.6 2Connect Aspire will not appoint any 3rd party to process personal information under the (data) control of the customer without providing assurances on the security of the 3rd party and without seeking written consent from the Data controller (customer) to do so so. 22.7 2Connect Aspire may revise this Clause, replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme or approved form of processing arrangement (which shall apply when replaced by attachment to this Contract). 22.8 2ConnectAspire’s Privacy Policy is available upon request and can be found at:here

General Data Protection Regulation. 22.1 2Connect will process data that may contain personally identifiable information on behalf of the Data Controller (customer) only when there is no reasonable alternative method of delivering the services contracted to the Customer. 22.2 Both parties will comply with all applicable requirements of the General Data Protection Regulation. This clause 22 is in addition to, and does not relieve, remove or replace, a party’s obligations under the data Protection Legislation 22.3 The parties acknowledge that for the purposes of the General Data Protection Regulation, the Customer is the data controller and 2Connect is the data processor (where Data Controller and Data Processor have the meanings as defined in the General Data Protection Regulation). 22.4 2Connect’s lawful rationale for processing Personal Data is Legitimate Interest lnterest when that interest is in the delivery of services to our customers (or enquiries into potential delivery of services to potential customers) who may hold, as data controllers, personal information on data subjects and request we process this on their behalf in the delivery of the agreed services. 22.5 Without prejudice to the generality of Clause 22.2 2Connect shall, in relation to any Personal Data processed in connection with the performance by 2Connect of its obligations under this Contract: 22.5.1 Only process personal data when there is no reasonable alternative method of delivering the contracted services to the Customer or 2Connect is required by laws of any member of the European Union or by the laws of the European Union applicable to 2Connect to process Personal Data (Applicable Laws). Where 2Connect is relying on laws of a member of the European Union or European Union laws the basis for processing Personal Date, 2Connect shall promptly notify the Customer of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit 2Connect from so notifying the Customer; 22.5.2 Ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it); 22.5.3 Ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential as per 18.2 22.5.4 Do not transfer any Personal Data outside of the European Economic Area unless the prior written consent of the Customer has been obtained and the following conditions are fulfilled: 22.5.4.1 The Customer or 2Connect has provided appropriate safeguards in relation to the transfer; 22.5.4.2 The data subject has enforceable rights and effective legal remedies; 22.5.4.3 2Connect complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any personal data that is transferred; and 22.5.4.4 2Connect complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; 22.5.5 Assist the Data controller (Customer), in responding to any request from a Data Subject and in ensuring compliance with its obligations under the General Data Protection Regulation with respect to security, breach notifications, impact assessments, audits and consultations with supervisory authorities or regulators; 22.5.6 Notify the Data controller (Customer) without undue delay on becoming aware of a Personal Data breach; 22.5.7 At the written direction of the Data controller (Customer), provide comprehensive information of stored Personal Data and provide evidence it has been deleted or modified to become unidentifiable to the Data controller (Customer) on termination of the Contract unless required by Applicable Law to store the Personal Data; and 22.5.8 Maintain complete and accurate records and information to demonstrate its compliance with this Clause. 22.6 2Connect will not appoint any 3rd 5rd party to process personal information under the (data) control of the customer without providing assurances on the security of the 3rd 5rd party and without seeking written consent from the Data controller (customer) to do so . 22.7 2Connect may revise this Clause, replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme or approved form of processing arrangement (which shall apply when replaced by attachment to this Contract). 22.8 2Connect’s Privacy Policy is available upon request and can be found at: