Information Obligations and Incident Management. 9.1 When the Data Processor becomes aware of an incident that impacts the Processing of the Personal Data that is the subject of the Service Agreement, it shall promptly notify the Data Controller about the incident, shall at all times cooperate with the Data Controller, and shall follow the Data Controller’s instructions with regard to such incidents, in order to enable the Data Controller to perform a thorough investigation into the incident, to formulate a correct response, and to take suitable further steps in respect of the incident.
9.2 The term “incident” used in Paragraph 9.1 shall be understood to mean in any case:
(a) a complaint or a request with respect to the exercise of a data subject’s rights under EU Data Protection Law;
(b) an investigation into or seizure of the Personal Data by government officials, or a specific indication that such an investigation or seizure is imminent;
(c) any unauthorized or accidental access, processing, deletion, loss or any form of unlawful processing of the Personal Data;
(d) any breach of the security and/or confidentiality as set out in Paragraphs 5 and 6 of this Addendum leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the Personal Data, or any indication of such breach having taken place or being about to take place;
(e) where, in the opinion of the Data Processor, implementing an instruction received from the Data Controller would violate applicable laws to which the Data Controller or the Data Processor are subject.
9.3 The Data Processor shall at all times have in place written procedures which enable it to promptly respond to the Data Controller about an incident. Where an incident is reasonably likely to require a data breach notification by the Data Controller under the EU Data Protection Law, the Data Processor shall implement its written procedures in such a way that it is in a position to notify the Data Controller no later than 24 hours of having become aware of such an incident.
9.4 Any notifications made to the Data Controller pursuant to this Article shall be addressed to the Data Protection Officer or other employee of the Data Controller whose contact details are provided during the registration process, and shall contain:
(a) a description of the nature of the incident, including where possible the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned;
(b) the name and contact details of the Data Processor’s data protection officer or another contact point where more information can be obtained;
(c) a description of the likely consequences of the incident; and
(d) a description of the measures taken or proposed to be taken by the Data Processor to address the incident including, where appropriate, measures to mitigate its possible adverse effects.
Appears in 4 contracts
Information Obligations and Incident Management. 7.1 When the Data Processor becomes aware of an incident that impacts the Processing of the Personal Data that is the subject of the Services Agreement, it shall promptly notify the Data Controller about the incident, shall at all times cooperate with the Data Controller, and shall follow the Data Controller’s instructions with regard to such incidents, in order to enable the Data Controller to perform a thorough investigation into the incident, to formulate a correct response, and to take suitable further steps in respect of the incident.
7.2 The term “incident” used in Section 7.1 shall be understood to mean in any case:
7.2.1 a complaint or a request with respect to the exercise of a data subject’s rights under EU Data Protection Law;
7.2.2 an investigation into or seizure of the Personal Data by government officials, or a specific indication that such an investigation or seizure is imminent;
7.2.3 any unauthorized or accidental access, processing, deletion, loss or any form of unlawful processing of the Personal Data;
7.2.4 any breach of the security and/or confidentiality as set out in Sections 3 and 4 of this Data Processing Addendum leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the Personal Data, or any indication of such breach having taken place or being about to take place;
7.2.5 where, in the opinion of the Data Processor, implementing an instruction received from the Data Controller would violate applicable laws to which the Data Controller or the Data Processor are subject.
7.3 The Data Processor shall at all times have in place written procedures which enable it to promptly respond to the Data Controller about an incident. Where the incident is reasonably likely to require a data breach notification by the Data Controller under the applicable EU Data Protection Law, the Data Processor shall implement its written procedures in such a way that it is in a position to notify the Data Controller no later than 24 hours of having become aware of such an incident.
7.4 Any notifications made to the Data Controller pursuant to this Section 7 shall be addressed to the Data Protection Officer or other employee of the Data Controller whose contact details are provided in Annex 1 of this Data Processing Addendum, and shall contain:
7.4.1 a description of the nature of the incident, including where possible the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned;
7.4.2 the name and contact details of the Data Processor’s data protection officer or another contact point where more information can be obtained;
7.4.3 a description of the likely consequences of the incident; and
7.4.4 a description of the measures taken or proposed to be taken by the Data Processor to address the incident including, where appropriate, measures to mitigate its possible adverse effects.
Appears in 3 contracts
Information Obligations and Incident Management. 9.1 When the Data Processor becomes aware of an incident that impacts the Processing of the Personal Data that is the subject of the Service Services Agreement, it shall promptly notify the Data Controller about the incident, shall at all times cooperate with the Data Controller, and shall follow the Data Controller’s instructions with regard to such incidents, in order to enable the Data Controller to perform a thorough investigation into the incident, to formulate a correct response, and to take suitable further steps in respect of the incident.
9.2 . The term “incident” used in Paragraph 9.1 Article 7.1 shall be understood to mean in any case:
(a) : a complaint or a request with respect to the exercise of a data subject’s rights under EU Data Protection Law;
(b) ; an investigation into or seizure of the Personal Data by government officials, or a specific indication that such an investigation or seizure is imminent;
(c) ; any unauthorized or accidental access, processing, deletion, loss or any form of unlawful processing of the Personal Data;
(d) ; any breach of the security and/or confidentiality as set out in Paragraphs 5 Articles 3 and 6 4 of this Addendum Data Processing Agreement leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the Personal Data, or any significant indication of such breach having taken place or being about to take place;
(e) ; where, in the opinion of the Data Processor, implementing an instruction received from the Data Controller would violate applicable laws to which the Data Controller or the Data Processor are subject.
9.3 . The Data Processor shall at all times have in place written procedures which enable it to promptly respond to the Data Controller about an incident. Where an the incident is reasonably likely to require a data breach notification by the Data Controller under the applicable EU Data Protection Law, the Data Processor shall implement its written procedures in such a way that it is in a position to notify the Data Controller no later than 24 48 hours of having become aware of such an incident.
9.4 . Any notifications made to the Data Controller pursuant to this Article 7 shall be addressed to the Data Protection Officer or other employee of the Data Controller whose contact details are provided during the registration processin Annex 1 of this Data Processing Agreement, and shall contain, to the extent known after reasonable investigation:
(a) a description of the nature of the incident, including where possible the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned;
(b) the name and contact details of the Data Processor’s data protection officer or another contact point where more information can be obtained;
(c) a description of the likely consequences of the incident; and
(d) a description of the measures taken or proposed to be taken by the Data Processor to address the incident including, where appropriate, measures to mitigate its possible adverse effects.
Appears in 3 contracts
Information Obligations and Incident Management. 7.1 When the Data Processor becomes aware of an incident that impacts the Processing of the Personal Data that is the subject of the Service Agreement, it shall promptly notify the Data Controller about the incident, shall at all times cooperate with the Data Controller, and shall follow the Data Controller’s instructions with regard to such incidents, in order to enable the Data Controller to perform a thorough investigation into the incident, to formulate a correct response, and to take suitable further steps in respect of the incident.
7.2 The term “incident” used in Article 7.1 shall be understood to mean in any case:
(a) a complaint or a request with respect to the exercise of a data subject’s rights under EU Data Protection Law;
(b) an investigation into or seizure of the Personal Data by government officials, or a specific indication that such an investigation or seizure is imminent;
(c) any unauthorized or accidental access, processing, deletion, loss or any form of unlawful processing of the Personal Data;
(d) any breach of the security and/or confidentiality as set out in Articles 3 and 4 of this Data Processing Agreement leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the Personal Data, or any indication of such breach having taken place or being about to take place;
(e) where, in the opinion of the Data Processor, implementing an instruction received from the Data Controller would violate applicable laws to which the Data Controller or the Data Processor are subject.
7.3 The Data Processor shall at all times have in place written procedures which enable it to promptly respond to the Data Controller about an incident. Where an incident is reasonably likely to require a data breach notification by the Data Controller under the EU Data Protection Law, the Data Processor shall implement its written procedures in such a way that it is in a position to notify the Data Controller no later than 24 hours of having become aware of such an incident.
7.4 Any notifications made to the Data Controller pursuant to this Article 7 shall be addressed to the Data Protection Officer or other employee of the Data Controller whose contact details are provided during the registration process, and shall contain:
(a) a description of the nature of the incident, including where possible the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned;
(b) the name and contact details of the Data Processor’s data protection officer or another contact point where more information can be obtained;
(c) a description of the likely consequences of the incident; and
(d) a description of the measures taken or proposed to be taken by the Data Processor to address the incident including, where appropriate, measures to mitigate its possible adverse effects.
Appears in 2 contracts
Information Obligations and Incident Management. 9.1 When the Data Importer becomes aware of an incident that impacts the Processing of the Personal Data that is the subject of the Service Agreement, it shall promptly notify the Data Exporter about the incident, shall at all times cooperate with the Data Exporter, and shall follow the Data Exporter’s instructions with regard to such incidents, in order to enable the Data Exporter to perform a thorough investigation into the incident, to formulate a correct response, and to take suitable further steps in respect of the incident.
9.2 The term “incident” used in Paragraph 9.1 shall be understood to mean in any case:
(a) a complaint or a request with respect to the exercise of a data subject’s rights under the UK GDPR;
(b) an investigation into or seizure of the Personal Data by government officials, or a specific indication that such an investigation or seizure is imminent;
(c) any unauthorized or accidental access, processing, deletion, loss or any form of unlawful processing of the Personal Data;
(d) any breach of the security and/or confidentiality as set out in Paragraphs 5 and 6 of this Addendum leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the Personal Data, or any indication of such breach having taken place or being about to take place;
(e) where, in the opinion of the Data Importer, implementing an instruction received from the Data Exporter would violate applicable laws to which the Data Exporter or the Data Importer are subject.
9.3 The Data Importer shall at all times have in place written procedures which enable it to promptly respond to the Data Exporter about an incident. Where an incident is reasonably likely to require a data breach notification by the Data Exporter under the UK GDPR, the Data Importer shall implement its written procedures in such a way that it is in a position to notify the Data Exporter no later than 24 hours of having become aware of such an incident.
9.4 Any notifications made to the Data Exporter pursuant to this Article shall be addressed to the Data Protection Officer or other employee of the Data Exporter whose contact details are provided during the registration process, and shall contain:
(a) a description of the nature of the incident, including where possible the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned;
(b) the name and contact details of the Data Importer’s data protection officer or another contact point where more information can be obtained;
(c) a description of the likely consequences of the incident; and
(d) a description of the measures taken or proposed to be taken by the Data Importer to address the incident including, where appropriate, measures to mitigate its possible adverse effects.
Appears in 2 contracts
Information Obligations and Incident Management. 7.1 When the Data Processor becomes aware of an incident that impacts the Processing of the Personal Data that is the subject of the Services Agreement, it shall promptly notify the Data Controller about the incident, shall at all times cooperate with the Data Controller, and shall follow the Data Controller’s instructions with regard to such incidents, in order to enable the Data Controller to perform a thorough investigation into the incident, to formulate a correct response, and to take suitable further steps in respect of the incident.
7.2 The term “incident” used in Section 7.1 shall be understood to mean in any case:
7.2.1 a complaint or a request with respect to the exercise of a data subject’s rights under EU Data Protection Law;
7.2.2 an investigation into or seizure of the Personal Data by government officials, or a specific indication that such an investigation or seizure is imminent;
7.2.3 any unauthorized or accidental access, processing, deletion, loss or any form of unlawful processing of the Personal Data;
7.2.4 any breach of the security and/or confidentiality as set out in Sections 3 and 4 of this Data Processing Agreement leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the Personal Data, or any indication of such breach having taken place or being about to take place;
7.2.5 where, in the opinion of the Data Processor, implementing an instruction received from the Data Controller would violate applicable laws to which the Data Controller or the Data Processor are subject.
7.3 The Data Processor shall at all times have in place written procedures which enable it to promptly respond to the Data Controller about an incident. Where the incident is reasonably likely to require a data breach notification by the Data Controller under the applicable EU Data Protection Law, the Data Processor shall implement its written procedures in such a way that it is in a position to notify the Data Controller no later than 24 hours of having become aware of such an incident.
7.4 Any notifications made to the Data Controller pursuant to this Section 7 shall be addressed to the Data Protection Officer or other employee of the Data Controller whose contact details are provided in Annex 1 of this Data Processing Agreement, and shall contain:
7.4.1 a description of the nature of the incident, including where possible the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned;
7.4.2 the name and contact details of the Data Processor’s data protection officer or another contact point where more information can be obtained;
7.4.3 a description of the likely consequences of the incident; and
7.4.4 a description of the measures taken or proposed to be taken by the Data Processor to address the incident including, where appropriate, measures to mitigate its possible adverse effects.
Appears in 2 contracts
Information Obligations and Incident Management. 7.1 When the Data Processor becomes aware of an incident that impacts the Processing of the Personal Data that is the subject of the Service Agreement, it shall promptly notify the Data Controller about the incident, shall at all times cooperate with the Data Controller, and shall follow the Data Controller’s instructions with regard to such incidents, in order to enable the Data Controller to perform a thorough investigation into the incident, to formulate a correct response, and to take suitable further steps in respect of the incident.
7.2 The term “incident” used in Article 7.1 shall be understood to mean in any case:
(a) a complaint or a request with respect to the exercise of a data subject’s rights under EU Data Protection Law;
(b) an investigation into or seizure of the Personal Data by government officials, or a specific indication that such an investigation or seizure is imminent;
(c) any unauthorized or accidental access, processing, deletion, loss or any form of unlawful processing of the Personal Data;
(d) any breach of the security and/or confidentiality as set out in Articles 3 and 4 of this Data Processing Agreement leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the Personal Data, or any indication of such breach having taken place or being about to take place;
(e) where, in the opinion of the Data Processor, implementing an instruction received from the Data Controller would violate applicable laws to which the Data Controller or the Data Processor are subject.
7.3 The Data Processor shall at all times have in place written procedures which enable it to promptly respond to the Data Controller about an incident. Where an incident is reasonably likely to require a data breach notification by the Data Controller under the applicable EU Data Protection Law, the Data Processor shall implement its written procedures in such a way that it is in a position to notify the Data Controller no later than 24 hours of having become aware of such an incident.
7.4 Any notifications made to the Data Controller pursuant to this Article 7 shall be addressed to the Data Protection Officer or other employee of the Data Controller whose contact details are provided during the registration process, and shall contain:
(a) a description of the nature of the incident, including where possible the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned;
(b) the name and contact details of the Data Processor’s data protection officer or another contact point where more information can be obtained;
(c) a description of the likely consequences of the incident; and
(d) a description of the measures taken or proposed to be taken by the Data Processor to address the incident including, where appropriate, measures to mitigate its possible adverse effects.
Appears in 1 contract
Information Obligations and Incident Management. 7.1. When the Data Processor becomes aware of an incident that impacts the Processing of the Personal Data that is the subject of the Services Agreement, it shall promptly notify the Data Controller about the incident, shall at all times cooperate with the Data Controller, and shall follow the Data Controller’s instructions with regard to such incidents, in order to enable the Data Controller to perform a thorough investigation into the incident, to formulate a correct response, and to take suitable further steps in respect of the incident.
7.2. The term “incident” used in Article 7.1 shall be understood to mean in any case:
(a) a complaint or a request with respect to the exercise of a data subject’s rights under EU Data Protection Law;
(b) an investigation into or seizure of the Personal Data by government officials, or a specific indication that such an investigation or seizure is imminent;
(c) any unauthorized or accidental access, processing, deletion, loss or any form of unlawful processing of the Personal Data;
(d) any breach of the security and/or confidentiality as set out in Articles 3 and 4 of these Data Processing Terms leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the Personal Data, or any indication of such breach having taken place or being about to take place;
(e) where, in the opinion of the Data Processor, implementing an instruction received from the Data Controller would violate applicable laws to which the Data Controller or the Data Processor are subject.
7.3. The Data Processor shall at all times have in place written procedures which enable it to promptly respond to the Data Controller about an incident. Where the incident is reasonably likely to require a data breach notification by the Data Controller under the applicable EU Data Protection Law, the Data Processor shall implement its written procedures in such a way that it is in a position to notify the Data Controller no later than 72 hours of having become aware of such an incident.
7.4. Any notifications made to the Data Controller pursuant to this Article 7 shall be addressed to the Data Protection Officer or other employee of the Data Controller whose contact details are provided in Annex 1 of these Data Processing Terms, and shall contain:
(a) a description of the nature of the incident, including where possible the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned;
(b) the name and contact details of the Data Processor’s data protection officer or another contact point where more information can be obtained;
(c) a description of the likely consequences of the incident; and
(d) a description of the measures taken or proposed to be taken by the Data Processor to address the incident including, where appropriate, measures to mitigate its possible adverse effects.
Appears in 1 contract
Information Obligations and Incident Management. 9.1 When the 7.1 The Data Processor becomes aware of an incident that impacts the Processing of the Personal Data that is the subject of the Service Agreementshall at all times have in place written procedures which enable it to promptly, it shall promptly within seventy-two (72) hours, notify the Data Controller about the incident, shall at all times cooperate with the Data Controller, and shall follow the Data Controller’s 's instructions with regard to such incidents, in order to enable the Data Controller to perform a thorough investigation into the incident, to formulate a correct response, and to take suitable further steps in respect of the incident.such
9.2 7.2 The term “"incident” " used in Paragraph 9.1 Section 7.1 shall be understood to mean in any case:
(a) a. a complaint or a request with respect to the exercise of a data subject’s Data Subject's rights under EU Data Protection Law;
(b) b. an investigation into or seizure of the Personal Data by government officials, or a specific indication that such an investigation or seizure is imminent;
(c) c. any unauthorized or accidental access, processingProcessing, deletion, loss or any form of unlawful processing of the Personal Data;
(d) d. any breach of the security and/or confidentiality as set out in Paragraphs 5 Sections 3 and 6 4 of this Addendum Data Processing Agreement leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the Personal Data, or any indication of such breach having taken place or being about to take place;
(e) e. where, in the opinion of the Data Processor, implementing an instruction received from the Data Controller would violate applicable laws to which the Data Controller or the Data Processor are subject.
9.3 The Data Processor shall at all times have in place written procedures which enable it to promptly respond to the Data Controller about an incident. Where an incident is reasonably likely to require a data breach notification by the Data Controller under the EU Data Protection Law, the Data Processor shall implement its written procedures in such a way that it is in a position to notify the Data Controller no later than 24 hours of having become aware of such an incident.
9.4 7.3 Any notifications made to the Data Controller pursuant to this Article Section 7 shall be addressed to using the Data Protection Officer or other employee of the Data Controller whose contact details are provided during the registration process, in Annex 1 and shall contain:
(a) a. a description of the nature of the incident, including where possible the categories and approximate number of data subjects Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
(b) b. the name and contact details of the Data Processor’s 's data protection officer or another contact point where more information can be obtained;
(c) c. a description of the likely consequences of the incident; and
(d) d. a description of the measures taken or proposed to be taken by the Data Processor to address the incident including, where appropriate, measures to mitigate its possible adverse effects.
Appears in 1 contract
Information Obligations and Incident Management. 9.1 7.1. When the Data Processor becomes aware of an a successful incident that impacts the Processing of the Personal Data that is the subject of the Service Services Agreement, it shall promptly notify the Data Controller about the incident, shall at all times cooperate with the Data Controller, and shall follow the Data Controller’s instructions with regard to such incidents, in order to enable the Data Controller to perform a thorough investigation into the incident, to formulate a correct response, and to take suitable further steps in respect of the incident.
9.2 7.2. The term “incident” used in Paragraph 9.1 Article 7.1 shall be understood to mean in any case:
(a) a complaint or a request with respect to the exercise of a data subject’s rights under EU Data Protection Law;
(b) an investigation into or seizure of the Personal Data by government officials, or a specific indication that such an investigation or seizure is imminent; subject to HCL permitted to disclose such investigation.
(c) any unauthorized or accidental access, processing, deletion, loss or any form of unlawful processing of the Personal Data;
(d) any breach of the security and/or confidentiality as set out in Paragraphs 5 Articles 3 and 6 4 of this Addendum these Data Processing Terms leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the Personal Data, or any indication of such breach having taken place or being about to take place;
(e) where, in the opinion of the Data Processor, implementing an instruction received from the Data Controller would violate applicable laws to which the Data Controller or the Data Processor are subject.
9.3 7.3. The Data Processor shall at all times have in place written procedures which enable it to promptly respond to the Data Controller about an incident. Where an the incident is reasonably likely to require a data breach notification by the Data Controller under the applicable EU Data Protection Law, the Data Processor shall implement its written procedures in such a way that it is in a position to notify the Data Controller no later than 24 72 hours of having become aware confirmed of such an incident.
9.4 7.4. Any notifications made to the Data Controller pursuant to this Article 7 shall be addressed to the Data Protection Officer or other employee of the Data Controller whose contact details are provided during the registration process in Annex 1 of these Data Processing Terms, and shall contain:
(a) a description of the nature of the incident, including where possible the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned;
(b) the name and contact details of the Data Processor’s data protection officer or another contact point where more information can be obtained;
(c) a description of the likely consequences of the incident; and
(d) a description of the measures taken or proposed to be taken by the Data Processor to address the incident including, where appropriate, measures to mitigate its possible adverse effects.
Appears in 1 contract
Samples: Data Processing Agreement
Information Obligations and Incident Management. 9.1 7.1. When the Data Processor becomes aware of an a successful incident that impacts the Processing of the Personal Data that is the subject of the Service Services Agreement, it shall promptly notify the Data Controller about the incident, shall at all times cooperate with the Data Controller, and shall follow the Data Controller’s instructions with regard to such incidents, in order to enable the Data Controller to perform a thorough investigation into the incident, to formulate a correct response, and to take suitable further steps in respect of the incident.
9.2 7.2. The term “incident” used in Paragraph 9.1 Article 7.1 shall be understood to mean in any case:
(a) a complaint or a request with respect to the exercise of a data subject’s rights under EU Data Protection Law;
(b) an investigation into or seizure of the Personal Data by government officials, or a specific indication that such an investigation or seizure is imminent; subject to HCL permitted to disclose such investigation.
(c) any unauthorized or accidental access, processing, deletion, loss or any form of unlawful processing of the Personal Data;
(d) any breach of the security and/or confidentiality as set out in Paragraphs 5 Articles 3 and 6 4 of this Addendum these Data Processing Terms leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the Personal Data, or any indication of such breach having taken place or being about to take place;
(e) where, in the opinion of the Data Processor, implementing an instruction received from the Data Controller would violate applicable laws to which the Data Controller or the Data Processor are subject.
9.3 7.3. The Data Processor shall at all times have in place written procedures which enable it to promptly respond to the Data Controller about an incident. Where an the incident is reasonably likely to require a data breach notification by the Data Controller under the applicable EU Data Protection Law, the Data Processor shall implement its written procedures in such a way that it is in a position to notify the Data Controller no later than 24 72 hours of having become aware confirmed of such an incident.
9.4 7.4. Any notifications made to the Data Controller pursuant to this Article 7 shall be addressed to the Data Protection Officer or other employee of the Data Controller whose contact details are provided during the registration process in Annex 1 of these Data Processing Terms, and shall contain:
(a) a description of the nature of the incident, including where possible the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned;
(b) the name and contact details of the Data Processor’s data protection officer or another contact point where more information can be obtained;
(c) a description of the likely consequences of the incident; and
(d) a description of the measures taken or proposed to be taken by the Data Processor to address the incident including, where appropriate, measures to mitigate its possible adverse effects.
Appears in 1 contract
Samples: Data Processing Agreement