Common use of OBLIGATIONS OF THE DATA PROCESSOR Clause in Contracts

OBLIGATIONS OF THE DATA PROCESSOR.

4.1. The Parties agree that the subject-matter of Processing performed by Data Processor under this DP Agreement, including the nature and purpose of Processing, the type of Personal Data, and categories of Data Subjects, shall be as described in Schedule 1 and Schedule 2 of this DP Agreement.

4.2. As part of Data Processor providing the Service to Data Controller under the Agreement, Data Processor agrees and declares as follows:

4.2.1. to process Personal Data in accordance with Data Controller's documented instructions as set out in the Agreement and this DP Agreement or as otherwise necessary to provide the Service, except where required otherwise by applicable laws (and provided such laws do not conflict with Data Protection Law); in such case, Data Processor shall inform Data Controller of that legal requirement upon becoming aware of the same (except where prohibited by applicable laws);

4.2.2. to ensure that all staff and management are fully aware of their responsibilities to protect Personal Data in accordance with this DP Agreement and have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

4.2.3. to implement and maintain appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access (a "Data Security Breach"), provided that such measures shall take into account the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, so as to ensure a level of security appropriate to the risks represented by the Processing and the nature of the Data to be protected;

4.2.4. to notify Data Controller, without undue delay, in the event of a confirmed Data Security Breach affecting Data Controller's Data and to cooperate with Data Controller as necessary to mitigate or remediate the Data Security Breach;

4.2.5. to comply with the requirements of Clause 5 (Use of Sub-processors) when engaging a Sub-processor;

4.2.6. taking into account the nature of the Processing, to assist Data Controller (including by appropriate technical and organisational measures), insofar as it is commercially reasonable, to fulfil Data Controller's obligation to respond to requests from Data Subjects to exercise their rights under Data Protection Law (a "Data Subject Request"). In the event Data Processor receives a Data Subject Request directly from a Data Subject, it shall (unless prohibited by law) direct the Data Subject to the Data Controller in the first instance. However, in the event Data Controller is unable to address the Data Subject Request, taking into account the nature of the Processing, the complexity and frequency of the request(s), and the information available to Data Processor, Data Processor, shall, on Data Controller's request and at Data Controller's reasonable expense, address the Data Subject Request, as required under the Data Protection Law;

4.2.7. upon request, to provide Data Controller with commercially reasonable information and assistance, taking into account the nature of the Processing and the information available to Data Processor, to help Data Controller to conduct any data protection impact assessment or Supervisor consultation it is required to conduct under Data Protection Law;

4.2.8. upon termination of Data Controller's access to and use of the Service, to comply with the requirements of Clause 9 of this DP Agreement (Return and Destruction of Personal Data);

4.2.9. to comply with the requirements of Clause 6 of this DP Agreement (Audit) in order to make available to Data Controller information that demonstrates Data Processor’s compliance with this DP Agreement; and

4.2.10. to appoint a security officer who will act as a point of contact for Data Controller, and coordinate and control compliance with this DP Agreement, including the Security Measures.

4.3. Data Processor shall immediately inform Data Controller if, in its opinion, Data Controller's Processing instructions infringe any law or regulation. In such event, Data Processor is entitled to refuse Processing of Personal Data that it believes to be in violation of any law or regulation.

Appears in 2 contracts

Samples: PPL Terms and Conditions, PPL Terms and Conditions for Customers


OBLIGATIONS OF THE DATA PROCESSOR. 4.16.1. The Parties agree that For the subject-matter purposes of Processing performed by Data Processor under this DP Agreement, including the nature and purpose of Processing, the type correct processing of Personal Data, and categories of Data Subjects, shall be as described in Schedule 1 and Schedule 2 of this DP Agreement. 4.2. As part of the Data Processor providing the Service to Data Controller under the Agreement, Data Processor agrees and declares as followsundertakes to: 4.2.1. a) carry out any Personal Data processing operation in compliance with the applicable regulations relating to process the protection of personal data, including the principles referred to in chapter II of the Regulation (articles 5-11); b) carry out the processing of Personal Data in accordance with Data Controller's documented instructions as set out in the implementation of this Framework Agreement and this DP Agreement or for the purposes relative to the provision of the services therein referred to, for the time period strictly necessary for the performance of the above mentioned purposes as otherwise necessary well as the purposes strictly linked and instrumental to provide the Servicemanagement of technical issues linked thereto; c) guarantee the full compliance with the obligations imposed by the Regulation directly onto the Data Processor, except including by way of example, the obligation to hold a register of the operations carried out on behalf of the Data Controller pursuant to article 30, paragraph 2 of the Regulation and, where required otherwise by applicable laws (and provided such laws do not conflict with required, the obligation to appoint a Data Protection Law); in such caseOfficer pursuant to article 37, Data Processor shall inform Data Controller of that legal requirement upon becoming aware paragraph 1 of the same (except where prohibited by applicable laws)Regulation; 4.2.2. 
to ensure that all staff and management are fully aware d) in compliance with article 32 of their responsibilities to protect Personal Data in accordance with this DP Agreement and have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; 4.2.3. to the Regulation, implement and maintain appropriate technical and organisational measures to protect guarantee an adequate level of security for the processing operations carried out on behalf of the Data Controller, as well as cooperate with the latter by providing the same with the information and documentation required by the same in order to assess and check from time to time that the Data Processor has adopted technical and administrative measures; e) in the performance of the data processing operations on behalf of the Data Controller, follow the provisions and instructions included in this Data Processing Agreement; f) in relation to the collection of Personal Data against accidental from data subjects, where required, the Data Processor ensures this is done in compliance with the specific procedures agreed with the Data Controller in order to guarantee that the collection of Personal Data and their subsequent processing comply with the law (e.g. 
privacy policy and requests of consent for the processing of data provided by the Data Controller; tracing and archiving of consents given by the data subjects); g) with the exclusion of cases strictly necessary for the provision of Services, not to disclose or unlawful destruction share Personal Data with third parties without the previous written consent of the Data Controller and to adopt the organisational and technical measures necessary to ensure the maximum confidentiality of the Personal Data acquired and used in the performance of the activities object of this designation; h) not transfer the Personal Data outside of the European Union, directly or accidental lossindirectly (possibly through third party suppliers that have been authorised in writing by the Data Controller) without the previous written consent of the Data Controller and in compliance with the general principles and conditions applicable to the transfer required by chapter V of the Regulation, alteration, unauthorized disclosure or access (a "notifying the Data Security Breach"), provided that such Controller of the measures shall take into account adopted in order to ensure an adequate level of protection for the costs of implementation transferred data and the naturerights of the data subjects (for example, scopeadequacy decisions, context type of clauses, binding regulations on the company, code of conduct, certification, etc.); i) guarantee that access to Personal Data by personnel takes place only on the basis of the principle of need and that the processing operations linked to the execution of the Framework Agreement are carried out only by authorised persons acting on the authority of the Data Processor on the basis of adequate instructions; j) adequately train authorised persons, tasked with the execution of the Framework Agreement, providing the same with precise instructions and supervising their compliance to the same. 
The updated list of personnel authorised to process Personal Data will be made available to the Data Controller on request from the latter; k) guarantee that all physical persons (employees and/or collaborators) authorised to process personal data for the above stated purposes are committed to confidentiality or have a legal obligation to confidentiality; l) regularly adopt, update and assess all the technical and organisational measures necessary to guarantee an adequate level of Processingrisk, in compliance with the provisions of article 32 of the Regulation, as well as the risk further measures provided for by article 10 of varying likelihood and severity for this Data Processing Agreement; m) designate, where applicable, the rights and freedoms of natural persons, so as Union Representative pursuant to ensure a level of security appropriate to the risks represented by the Processing and the nature article 27 of the Regulation; n) cooperate with the Data Controller on the implementation of any further measure that becomes necessary in order to be protectedguarantee compliance of the Personal Data processing with the applicable provisions; 4.2.4. to notify Data Controller, o) without undue delaydelay and in any case no later than 24 hours from the time it has become aware of it, in notify the event Data Controller of a confirmed Data Security Breach affecting Data Controller's Data any breach of personal data and to cooperate with Data Controller as necessary to mitigate or remediate the Data Security Breach; 4.2.5. to comply with the requirements of Clause 5 (Use of Sub-processors) when engaging a Sub-processor; 4.2.6. taking into account the nature of the Processing, to assist Data Controller (including by appropriate technical and organisational measures), insofar as it is commercially reasonable, to fulfil Data Controller's obligation to respond to requests from Data Subjects to exercise their rights under Data Protection Law (a "Data Subject Request"). 
In the event Data Processor receives a Data Subject Request directly from a Data Subject, it shall (unless prohibited by law) direct the Data Subject to the Data Controller in relation to the first instance. However, in analysis and assessments to carry out for the event Data Controller is unable to address the Data Subject Request, taking into account the nature purposes of the Processing, notification to the complexity and frequency supervisory authority pursuant to article 33 of the request(s), Regulation and of the information available communication to Data Processor, Data Processor, shall, on Data Controller's request and at Data Controller's reasonable expense, address data subjects pursuant to article 34 of the Data Subject RequestRegulation, as required under well as for the Data Protection Law; 4.2.7. upon request, to provide Data Controller with commercially reasonable information and assistance, taking into account the nature preparation of the Processing and the information available to Data Processor, to help Data Controller to conduct any data protection impact assessment or Supervisor consultation it is required to conduct under Data Protection Law; 4.2.8. upon termination of Data Controller's access to and use of the Service, to comply with the requirements of Clause 9 of this DP Agreement (Return and Destruction of Personal Data); 4.2.9. to comply with the requirements of Clause 6 of this DP Agreement (Audit) in order to make available to Data Controller information that demonstrates Data Processor’s compliance with this DP Agreement; and 4.2.10. to appoint a security officer who will act as a point of contact for Data Controller, and coordinate and control compliance with this DP Agreementrelative documentation, including the Security Measures.notification pursuant to article 35, paragraph 3; 4.3. 
p) keep the Data Controller informed in writing, on written request from the latter, of details relative to compliance with the applicable provisions and this Data Processing Agreement; q) the Data Processor shall immediately inform notifies, without delay, the Data Controller if, in its opinion, Data Controller's Processing instructions infringe any law or regulation. In such event, Data Processor is entitled to refuse Processing of Personal Data that it believes to be in violation of any law or regulationissue relevant for the purposes of this Data Processing Agreement, such as, simply by way of example: - Requests from the Authority; - Outcomes of inspections; - Request of access to data by public authorities.

Appears in 2 contracts

Samples: Framework Agreement, Framework Agreement

OBLIGATIONS OF THE DATA PROCESSOR. 4.16.1. The Parties agree that For the subject-matter purposes of Processing performed by Data Processor under this DP Agreement, including the nature and purpose of Processing, the type correct processing of Personal Data, and categories of Data Subjects, shall be as described in Schedule 1 and Schedule 2 of this DP Agreement. 4.2. As part of the Data Processor providing the Service to Data Controller under the Agreement, Data Processor agrees and declares as followsundertakes to: 4.2.1. a) carry out any Personal Data processing operation in compliance with the applicable regulations relating to process the protection of personal data, including the principles referred to in chapter II of the Regulation (articles 5-11); b) carry out the processing of Personal Data in accordance with Data Controller's documented instructions as set out in the implementation of this Framework Agreement and this DP Agreement or for the purposes relative to the provision of the services therein referred to, for the time period strictly necessary for the performance of the above mentioned purposes as otherwise necessary well as the purposes strictly linked and instrumental to provide the Servicemanagement of technical issues linked thereto; c) guarantee the full compliance with the obligations imposed by the Regulation directly onto the Data Processor, except including by way of example, the obligation to hold a register of the operations carried out on behalf of the Data Controller pursuant to article 30, paragraph 2 of the Regulation and, where required otherwise by applicable laws (and provided such laws do not conflict with required, the requirement to appoint a Data Protection Law); in such caseOfficer pursuant to article 37, Data Processor shall inform Data Controller of that legal requirement upon becoming aware paragraph 1 of the same (except where prohibited by applicable laws)Regulations; 4.2.2. 
to ensure that all staff and management are fully aware d) in compliance with article 32 of their responsibilities to protect Personal Data in accordance with this DP Agreement and have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; 4.2.3. to the Regulation, implement and maintain appropriate technical and organisational measures to protect guarantee an adequate level of security for the processing operations carried out on behalf of the Data Controller, as well as cooperate with the latter by providing the same with the information and documentation required by the same in order to assess and check from time to time that the Data Processor has adopted technical and administrative measures; e) in the performance of the data processing operations on behalf of the Data Controller, follow the provisions and instructions included in this Data Processing Agreement; f) in relation to the collection of Personal Data against accidental from data subjects, where required, the Data Processor ensures this is done in compliance with the specific procedures agreed with the Data Controller in order to guarantee that the collection of Personal Data and their subsequent processing comply with the law (e.g. 
privacy policy and requests of consent for the processing of data provided by the Data Controller; tracing and archiving of consents given by the data subjects); g) with the exclusion of cases strictly necessary for the provision of Services, not to disclose or unlawful destruction share Personal Data with third parties without the previous written consent of the Data Controller and to adopt the organisational and technical measures necessary to ensure the maximum confidentiality of the Personal Data acquired and used in the performance of the activities object of this designation; h) not transfer the Personal Data outside of the European Union, directly or accidental lossindirectly (possibly through third party suppliers that have been authorised in writing by the Data Controller) without the previous written consent of the Data Controller and in compliance with the general principles and conditions applicable to the transfer required by chapter V of the Regulation, alteration, unauthorized disclosure or access (a "notifying the Data Security Breach"), provided that such Controller of the measures shall take into account adopted in order to ensure an adequate level of protection for the costs of implementation transferred data and the naturerights of the data subjects (for example, scopeadequacy decisions, context type of clauses, binding regulations on the company, code of conduct, certification, etc.); i) guarantee that access to Personal Data by personnel takes place only on the basis of the principle of need and that the processing operations linked to the execution of the Framework Agreement are carried out only by authorised persons acting on the authority of the Data Processor on the basis of adequate instructions; j) adequately train authorised persons, tasked with the execution of the Framework Agreement, providing the same with precise instructions and supervising their compliance to the same. 
The updated list of personnel authorised to process Personal Data will be made available to the Data Controller on request from the latter; k) guarantee that all physical persons (employees and/or collaborators) authorised to process personal data for the above stated purposes are committed to confidentiality or have a legal obligation to confidentiality; l) regularly adopt, update and assess all the technical and organisational measures necessary to guarantee an adequate level of Processingrisk, in compliance with the provisions of article 32 of the Regulation, as well as the risk further measures provided for by article 10 of varying likelihood and severity for this Data Processing Agreement; m) designate, where applicable, the rights and freedoms of natural persons, so as Union Representative pursuant to ensure a level of security appropriate to the risks represented by the Processing and the nature article 27 of the Regulation; n) cooperate with the Data Controller on the implementation of any further measure that becomes necessary in order to be protectedguarantee compliance of the Personal Data processing with the applicable provisions; 4.2.4. to notify Data Controller, o) without undue delaydelay and in any case no later than 24 hours from the time it has become aware of it, in notify the event Data Controller of a confirmed Data Security Breach affecting Data Controller's Data any breach of personal data and to cooperate with Data Controller as necessary to mitigate or remediate the Data Security Breach; 4.2.5. to comply with the requirements of Clause 5 (Use of Sub-processors) when engaging a Sub-processor; 4.2.6. taking into account the nature of the Processing, to assist Data Controller (including by appropriate technical and organisational measures), insofar as it is commercially reasonable, to fulfil Data Controller's obligation to respond to requests from Data Subjects to exercise their rights under Data Protection Law (a "Data Subject Request"). 
In the event Data Processor receives a Data Subject Request directly from a Data Subject, it shall (unless prohibited by law) direct the Data Subject to the Data Controller in relation to the first instance. However, in analysis and assessments to carry out for the event Data Controller is unable to address the Data Subject Request, taking into account the nature purposes of the Processing, notification to the complexity and frequency supervisory authority pursuant to article 33 of the request(s), Regulation and of the information available communication to Data Processor, Data Processor, shall, on Data Controller's request and at Data Controller's reasonable expense, address data subjects pursuant to article 34 of the Data Subject RequestRegulation, as required under well as for the Data Protection Law; 4.2.7. upon request, to provide Data Controller with commercially reasonable information and assistance, taking into account the nature preparation of the Processing and the information available to Data Processor, to help Data Controller to conduct any data protection impact assessment or Supervisor consultation it is required to conduct under Data Protection Law; 4.2.8. upon termination of Data Controller's access to and use of the Service, to comply with the requirements of Clause 9 of this DP Agreement (Return and Destruction of Personal Data); 4.2.9. to comply with the requirements of Clause 6 of this DP Agreement (Audit) in order to make available to Data Controller information that demonstrates Data Processor’s compliance with this DP Agreement; and 4.2.10. to appoint a security officer who will act as a point of contact for Data Controller, and coordinate and control compliance with this DP Agreementrelative documentation, including the Security Measures.notification pursuant to article 35, paragraph 3; 4.3. 
p) keep the Data Controller informed in writing, on written request from the latter, of details relative to compliance with the applicable provisions and this Data Processing Agreement; q) the Data Processor shall immediately inform notifies, without delay, the Data Controller if, in its opinion, Data Controller's Processing instructions infringe any law or regulation. In such event, Data Processor is entitled to refuse Processing of Personal Data that it believes to be in violation of any law or regulationissue relevant for the purposes of this Data Processing Agreement, such as, simply by way of example: - Requests from the Authority; - Outcomes of inspections; - Request of access to data by public authorities.

Appears in 2 contracts

Samples: Framework Agreement, Framework Agreement

OBLIGATIONS OF THE DATA PROCESSOR. 4.15.1. The Parties agree that Processor agrees and warrants to: 5.2. To process Personal Data only on behalf of the subject-matter Controller while complying with the terms of Processing performed the Agreement and the Data Protection Law; 5.3. Process any Personal Data transferred to or collected by the Data Processor under this DP Agreementonly as a ‘processor’, including as such terms are defined in the nature Data Protection Law on behalf of the Data Controller; 5.4. Implement appropriate technical and purpose organizational measures and follow established routines in such a manner that Processing will meet the requirements of Processing, the type applicable Data Protection Law and ensure the protection of the rights of the Data Subjects; 5.5. To deal promptly and properly with requests and inquiries of the Data Controller; 5.6. Assist the Data Controller in ensuring compliance with the requirements for security of Personal Data; 5.7. On a regular basis or on the demand of the Controller, to carry out third party security audits for systems and categories similar relevant for the Processing of Personal Data Subjects, and the reports documenting such security audits shall be as described in Schedule 1 and Schedule 2 of this DP Agreement. 4.2. As part of Data Processor providing available to the Service to Data Controller under the Agreement, Data Processor agrees and declares as follows: 4.2.1. to process Personal Data in accordance with Data Controller's documented instructions as set out in the Agreement and this DP Agreement or as otherwise necessary to provide the Service, except where required otherwise by applicable laws (and provided such laws do not conflict with Data Protection Law); in such case, Data Processor shall inform Data Controller of that legal requirement upon becoming aware of the same (except where prohibited by applicable laws); 4.2.25.8. 
to ensure that all staff and management are fully aware of their responsibilities to protect Personal Data in accordance with this DP Agreement and have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; 4.2.3. to implement and maintain appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access (a "Data Security Breach"), provided that such measures shall take into account the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, so as to ensure a level of security appropriate to the risks represented by the Processing and the nature of the Data to be protected; 4.2.4. to notify Data Controller, without undue delay, in the event of a confirmed Data Security Breach affecting Data Controller's Data and to cooperate with Data Controller as necessary to mitigate or remediate the Data Security Breach; 4.2.5. to comply with the requirements of Clause 5 (Use of Sub-processors) when engaging a Sub-processor; 4.2.6. taking Take into account the nature of the Processing, to assist the Data Controller (including by appropriate technical and organisational organizational measures), insofar in so far as it this is commercially reasonablepossible, to fulfil for the fulfilment of the Data Controller's ’s obligation to respond to requests from Data Subjects to exercise their rights under Data Protection Law (a "Data Subject Request"). In for exercising the event Data Processor receives a Data Subject Request directly from a Data Subject, it shall (unless prohibited by law) direct the Data Subject ’s rights according to the Data Controller in the first instance. 
However, in the event Data Controller is unable to address the Data Subject Request, taking into account the nature of the Processing, the complexity and frequency of the request(s), and the information available to Data Processor, Data Processor, shall, on Data Controller's request and at Data Controller's reasonable expense, address the Data Subject Request, as required under the Data Protection Law; 4.2.75.9. upon request, Make available to provide the Data Controller all information necessary to demonstrate compliance with commercially reasonable information the obligations laid down in this Agreement and assistanceto allow for, taking into account co-operate and contribute to audits, including inspections to facilities under the nature control of the Processing and the information available to Data Processor, to help Data conducted by the Controller to conduct any data protection impact assessment or Supervisor consultation it is required to conduct under Data Protection Law; 4.2.8. upon termination of Data Controller's an auditor mandated by the Controller and provide access to and use of the Service, to comply with the requirements of Clause 9 of this DP Agreement (Return and Destruction of Personal Data)data systems; 4.2.9. to comply with the requirements of Clause 6 of this DP Agreement (Audit) in order to make available to Data Controller information that demonstrates Data Processor’s compliance with this DP Agreement; and 4.2.10. to appoint a security officer who will act as a point of contact for Data Controller, and coordinate and control compliance with this DP Agreement, including the Security Measures. 4.3. Data Processor shall immediately inform Data Controller if, in its opinion, Data Controller's Processing instructions infringe any law or regulation. In such event, Data Processor is entitled to refuse Processing of Personal Data that it believes to be in violation of any law or regulation.

Appears in 1 contract

Samples: Data Processing Agreement

OBLIGATIONS OF THE DATA PROCESSOR. 4.16.1. The Parties agree that For the subject-matter purposes of Processing performed by Data Processor under this DP Agreement, including the nature and purpose of Processing, the type correct processing of Personal Data, and categories of Data Subjects, shall be as described in Schedule 1 and Schedule 2 of this DP Agreement. 4.2. As part of the Data Processor providing the Service to Data Controller under the Agreement, Data Processor agrees and declares as followsundertakes to: 4.2.1. a) carry out any Personal Data processing operation in compliance with the applicable regulations relating to process the protection of personal data, including the principles referred to in Chapter II of the Regulation (Articles 5-11); b) carry out the processing of Personal Data in accordance with Data Controller's documented instructions as set out in the implementation of this Framework Agreement and this DP Agreement or for the purposes relative to the provision of the services therein referred to, for the time period strictly necessary for the performance of the above-mentioned purposes as otherwise necessary well as the purposes strictly related and instrumental to provide the Servicemanagement of technical issues associated therewith; c) ensure full compliance with the obligations imposed by the Regulation directly on the Data Processor, except including, for example, the obligation to maintain a register of the operations carried out on behalf of the Data Controller pursuant to article 30, paragraph 2 of the Regulation and, where required otherwise by applicable laws (and provided such laws do not conflict with required, the requirement to appoint a Data Protection Law); in such caseOfficer pursuant to article 37, Data Processor shall inform Data Controller of that legal requirement upon becoming aware paragraph 1 of the same (except where prohibited by applicable laws)Regulation; 4.2.2. 
to ensure that all staff and management are fully aware d) in compliance with article 32 of their responsibilities to protect Personal Data in accordance with this DP Agreement and have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; 4.2.3. to the Regulation, implement and maintain appropriate technical and organisational measures to protect guarantee an adequate level of security for the processing operations carried out on behalf of the Data Controller, as well as cooperate with the latter by providing the latter with the information and documentation required by the latter in order to assess and check from time to time that the Data Processor has adopted technical and administrative measures; e) in the performance of the data processing operations on behalf of the Data Controller, follow the provisions and instructions included in this Data Processing Agreement; f) in relation to the collection of Personal Data against accidental from data subjects, where required, the Data Processor ensures this is done in compliance with the specific procedures agreed with the Data Controller in order to guarantee that the collection of Personal Data and their subsequent processing comply with the law (e.g. 
privacy policy and requests of consent for the processing of data provided by the Data Controller; tracing and archiving of consent given by data subjects); g) with the exclusion of cases strictly necessary for the provision of Services, not to disclose or unlawful destruction share Personal Data with third parties without the previous written consent of the Data Controller and to adopt the organisational and technical measures necessary to ensure the maximum confidentiality of the Personal Data acquired and used in the performance of the activities object of this designation; h) not transfer the Personal Data outside of the European Union, directly or accidental lossindirectly (possibly through third party suppliers that have been authorised in writing by the Data Controller) without the previous written consent of the Data Controller and in compliance with the general principles and conditions applicable to the transfer required by Chapter V of the Regulation, alteration, unauthorized disclosure or access (a "notifying the Data Security Breach"), provided that such Controller of the measures shall take into account adopted in order to ensure an adequate level of protection for the costs of implementation transferred data and the naturerights of the data subjects (for example, scopeadequacy decisions, context type of clauses, binding regulations on the Company, Code of Conduct, certification, etc.); i) guarantee that access to Personal Data by personnel takes place only based on the principle of need and that the processing operations related to the execution of the Framework Agreement are carried out only by authorised persons acting on the authority of the Data Processor on the basis of adequate instructions; j) adequately train authorised persons, tasked with the execution of the Framework Agreement, providing the latter with precise instructions and supervising their compliance with said Agreement. 
The updated list of personnel authorised to process Personal Data shall be made available to the Data Controller at the latter's request; k) guarantee that all physical persons (employees and/or collaborators) authorised to process personal data for the above stated purposes are committed to confidentiality or have a legal obligation to confidentiality; l) regularly adopt, update and assess all the technical and organisational measures necessary to guarantee an adequate level of Processingrisk, in compliance with the provisions of article 32 of the Regulation, as well as the risk further measures provided for by article 10 of varying likelihood and severity for this Data Processing Agreement; m) designate, where applicable, the rights and freedoms Union Representative pursuant to article 27 of natural persons, so as the Regulation; n) cooperate with the Data Controller on the implementation of any further measure that becomes necessary in order to ensure a level of security appropriate to the risks represented by the Processing and the nature compliance of the Personal Data to be protectedprocessing with the applicable provisions; 4.2.4. to notify Data Controller, o) without undue delaydelay and in any case no later than 24 hours from the time it has become aware of it, in notify the event Data Controller of a confirmed Data Security Breach affecting Data Controller's Data any breach of personal data and to cooperate with Data Controller as necessary to mitigate or remediate the Data Security Breach; 4.2.5. to comply with the requirements of Clause 5 (Use of Sub-processors) when engaging a Sub-processor; 4.2.6. taking into account the nature of the Processing, to assist Data Controller (including by appropriate technical and organisational measures), insofar as it is commercially reasonable, to fulfil Data Controller's obligation to respond to requests from Data Subjects to exercise their rights under Data Protection Law (a "Data Subject Request"). 
In the event Data Processor receives a Data Subject Request directly from a Data Subject, it shall (unless prohibited by law) direct the Data Subject to the Data Controller in relation to the first instance. However, in analysis and assessments to carry out for the event Data Controller is unable to address the Data Subject Request, taking into account the nature purposes of the Processing, notification to the complexity and frequency supervisory authority pursuant to article 33 of the request(s), Regulation and of the information available communication to Data Processor, Data Processor, shall, on Data Controller's request and at Data Controller's reasonable expense, address data subjects pursuant to article 34 of the Data Subject RequestRegulation, as required under well as for the Data Protection Law; 4.2.7. upon request, to provide Data Controller with commercially reasonable information and assistance, taking into account the nature preparation of the Processing and the information available to Data Processor, to help Data Controller to conduct any data protection impact assessment or Supervisor consultation it is required to conduct under Data Protection Law; 4.2.8. upon termination of Data Controller's access to and use of the Service, to comply with the requirements of Clause 9 of this DP Agreement (Return and Destruction of Personal Data); 4.2.9. to comply with the requirements of Clause 6 of this DP Agreement (Audit) in order to make available to Data Controller information that demonstrates Data Processor’s compliance with this DP Agreement; and 4.2.10. to appoint a security officer who will act as a point of contact for Data Controller, and coordinate and control compliance with this DP Agreementrelative documentation, including the Security Measures.notification pursuant to article 35, paragraph 3; 4.3. 
p) keep the Data Controller informed in writing, on written request from the latter, of details relative to compliance with the applicable provisions and this Data Processing Agreement; q) the Data Processor shall immediately inform notifies, without delay, the Data Controller if, in its opinion, Data Controller's Processing instructions infringe any law or regulation. In such event, Data Processor is entitled to refuse Processing of Personal Data that it believes to be in violation of any law or regulationissue relevant for the purposes of this Data Processing Agreement, such as, for example: - Requests from the Authority; - Outcomes of inspections; - Request of access to data by public authorities.

Appears in 1 contract

Samples: Framework Agreement


OBLIGATIONS OF THE DATA PROCESSOR. 4.1The Data Processor is obliged to comply with requirements for Data Processors as provided by the Norwegian Personal Data Act, with regulations, including GDPR. The Parties agree Data Processor shall process personal data according to the agreed specified purposes pursuant to this Data Processing Agreement. The Data Processor shall not process personal data beyond the requirements for the purposes specified in this Data Processing Agreement without prior written agreement with the Data Controller or written instructions from the Data Controller. The Data Processor shall, as far as is required under GDPR, assist the Data Controller in: • Providing information to the Data Controller required in order to demonstrate that the subject-matter of Processing performed by Data Processor under this DP Agreement, including the nature and purpose of Processing, the type of Personal Data, and categories of Data Subjects, shall be as described in Schedule 1 and Schedule 2 of this DP Agreement. 4.2. As part of Data Processor providing the Service to Data Controller under the Agreement, Data Processor agrees and declares as follows: 4.2.1. to process Personal Data in accordance with Data Controller's documented instructions as obligations set out in GDPR art. 28 (3) are fulfilled. • To a reasonable extent, helping the Agreement and this DP Agreement or as otherwise necessary to provide the Service, except where required otherwise by applicable laws (and provided such laws do not conflict with Data Protection Law); in such case, Data Processor shall inform Data Controller of that legal requirement upon becoming aware of the same (except where prohibited by applicable laws); 4.2.2. to ensure that all staff and management are fully aware of their responsibilities to protect Personal Data in accordance with this DP Agreement and have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; 4.2.3. 
to implement and maintain appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access (a "Data Security Breach"), provided that such measures shall take into account the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, so as to ensure a level of security appropriate to the risks represented by the Processing and the nature of the Data to be protected; 4.2.4. to notify Data Controller, without undue delay, in the event of a confirmed Data Security Breach affecting Data Controller's Data and to cooperate with Data Controller as necessary to mitigate or remediate the Data Security Breach; 4.2.5. to comply with the requirements of Clause 5 (Use of Sub-processors) when engaging a Sub-processor; 4.2.6. taking into account the nature of the Processing, to assist Data Controller (including by appropriate technical and organisational measures), insofar as it is commercially reasonable, to fulfil the Data Controller's obligation to respond to requests from Data Subjects to exercise their rights under Data Protection Law (a "Data Subject Request"). In the event Data Processor receives a Data Subject Request directly from a Data Subject, it shall (unless prohibited submitted by law) direct the Data Subject to for the purpose of exercising his/her rights set out in Chapter III. • To a reasonable extent, helping the Data Controller in to fulfil the first instanceData Controller's obligations according to GDPR art. However32-36, in including non-conformance management. 
The Data Processor shall notify the event Data Controller if the Data Processor believes that an instruction from the Data Controller is unable to address the Data Subject Request, taking into account the nature in violation of the Processing, applicable privacy regulations. All assistance should be carried out to the complexity and frequency of extent required by the request(s), and the information available to Data Processor, Data Processor, shall, on Data Controller's request and at Data Controller's reasonable expenseneed, address the Data Subject Request, as required under the Data Protection Law; 4.2.7. upon request, to provide Data Controller with commercially reasonable information and assistance, taking into account the nature of the Processing and the information available to the Data Processor. All assistance and work in accordance with new and agreed instructions from the Data Controller may be invoiced to the Data Controller according to the rates stated in the Terms-of-Use Agreement and/or Service Level Agreement, unless otherwise expressly stated in this Data Processing Agreement or is limited by law. The Data Processor is subject to confidentiality regarding documentation and personal data that he/she has access to in accordance with this Data Processing Agreement. This provision also applies after the termination of the Data Processing Agreement. The Data Processors shall not disclose personal data to external parties unless otherwise follows from this Data Processing Agreement, have been agreed in writing, or such disclosure is required by law. Personal data processed by the Data Processor on behalf of the Data Controller may be transferred to countries in which the Data Processor, to help Data Controller to conduct any its sub-data protection impact assessment processor or Supervisor consultation it is required to conduct under Data Protection Law; 4.2.8. 
upon termination of Data Controllerthe sub-data processor's access to and sub-data processor, conducts its activities in accordance with the provisions on use of the Service, to comply with the requirements of Clause 9 of this DP Agreement (Return and Destruction of Personal Data); 4.2.9. to comply with the requirements of Clause 6 of this DP Agreement (Audit) subcontractors in order to make available to Data Controller information that demonstrates Data Processor’s compliance with this DP Agreement; and 4.2.10. to appoint a security officer who will act as a point of contact for Data Controller, and coordinate and control compliance with this DP Agreement, including the Security Measuressection 4. 4.3. Data Processor shall immediately inform Data Controller if, in its opinion, Data Controller's Processing instructions infringe any law or regulation. In such event, Data Processor is entitled to refuse Processing of Personal Data that it believes to be in violation of any law or regulation.

Appears in 1 contract

Samples: Data Processing Agreement

OBLIGATIONS OF THE DATA PROCESSOR. 4.1. The Parties agree that the subject-matter of Processing performed by Data Processor under this DP Agreement, including carries out the nature and purpose processing of Processing, Relevant Data on behalf of the type of Personal Data, and categories of Data Subjects, shall be as described in Schedule 1 and Schedule 2 of this DP AgreementController. 4.2. As part of Data Processor providing the Service to Data Controller In discharging its obligations under the Agreement, Data Processor agrees and declares as follows: 4.2.1. to process Personal Data in accordance with Data Controller's documented instructions as set out in the Agreement and this DP Agreement Data Sharing Agreement, the parties are responsible for compliance with all applicable data protection or as otherwise privacy legislation and will ensure that all necessary to registrations and notifications are made and provide the Serviceother party with a copy, except where required otherwise on request, of evidence of such and evidence of any amendments or alterations made thereto. 4.3. Without prejudice to the generality of clause 4.2 and further to the provisions of Article 28 of the GDPR, the Data Processor agrees that it will: 4.3.1. process Relevant Data only on behalf of the Data Controller and in compliance with the Data Controller’s instructions (including relating to international data transfers), this Data Sharing Agreement and the Agreement and shall not disclose Relevant Data to any third party (including for back-up purposes) apart from the sub-processors authorised by applicable laws (the Data Controller under this Data Sharing Agreement, and provided which are listed in Schedule B. 
If the Data Processor cannot provide such laws do not conflict with compliance, it shall promptly inform the Data Controller of its inability to comply in which case the Data Controller is entitled to immediately terminate the Agreement and this Data Sharing Agreement and the Data Processor’s access to Relevant Data and/or to take any other reasonable action; 4.3.2. if in the Data Processor’s opinion an instruction from the Data Controller infringes Applicable Data Protection Law); , immediately inform the Data Controller; 4.3.3. implement the technical and organisational security measures provided for in such case, Schedule C prior to the launch of the processing activities for the Relevant Data Processor shall inform and provide the Data Controller with copies of that legal requirement upon becoming aware of the same (except where prohibited by applicable laws)its privacy and security policies; 4.2.24.3.4. take all reasonable steps to ensure that all staff (i) persons employed by it; and management (ii) other persons engaged at its place of business, who process Relevant Data, are fully aware of, and comply with this Data Sharing Agreement; and that there is a Data Protection Officer whose primary concern is enabling compliance with the GDPR; 4.3.5. comply with strict confidentiality obligations in respect of the Relevant Data and ensure that its employees, authorised agents and any sub-processors are legally required in writing to comply with and acknowledge and respect the confidentiality of the Relevant Data, including after the end of their responsibilities to protect Personal employment, contract or at the end of their assignment; 4.3.6. inform the Data in accordance Controller without delay of: 4.3.6.1. 
any non-compliance by the Data Processor or its employees with this DP Data Sharing Agreement and have committed themselves or the regulatory provisions relating to confidentiality or are the protection of Relevant Data processed under an appropriate statutory obligation of confidentialitythis Data Sharing Agreement; 4.2.34.3.6.2. any legally binding request for disclosure of Relevant Data by a law enforcement authority, unless otherwise prohibited, such as in order to preserve the confidentiality of an investigation by the law enforcement authorities; 4.3.6.3. any incident which gives rise to a risk of unauthorised disclosure, loss, destruction or alteration of Relevant Data; 4.3.6.4. any notice, inquiry or investigation by a supervisory authority; and 4.3.6.5. any complaint, inquiry or request (in particular, requests for access to, rectification or blocking of Relevant Data) received directly from the data subjects without responding to that request, unless the Data Controller has authorised a response; 4.3.7. to implement fully co-operate with and maintain appropriate technical and organisational measures to protect Personal assist the Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access (a "Data Security Breach"), provided that such measures shall take into account the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, so as to ensure a level of security appropriate to the risks represented by the Processing and the nature Controller without delay in respect of the Data to be protected;Controller’s obligations regarding: 4.2.44.3.7.1. 
to notify Data Controller, without undue delay, in the event of a confirmed Data Security Breach affecting Data Controller's Data and to cooperate with Data Controller as necessary to mitigate or remediate the Data Security Breach; 4.2.5. to comply with the requirements of Clause 5 (Use of Sub-processors) when engaging a Sub-processor; 4.2.6. taking into account the nature of the Processing, to assist Data Controller (including by appropriate technical and organisational measures), insofar as it is commercially reasonable, to fulfil Data Controller's obligation to respond to requests from Data Subjects data subjects in respect of access to exercise their rights under Data Protection Law (a "Data Subject Request")or the rectification, erasure, restriction, blocking or deletion of Relevant Data. In the event that a data subject sends such a request directly to the Data Processor, the Data Processor receives a Data Subject Request directly from a Data Subject, will pass it shall (unless prohibited by law) direct the Data Subject on to the Data Controller in without delay; 4.3.7.2. the first instance. Howeverinvestigation of any incident which gives rise to a risk of unauthorised disclosure, in the event loss, destruction or alteration of Relevant Data Controller is unable to address the Data Subject Request, taking into account the nature of the Processing, the complexity and frequency of the request(s), and the information available notification to Data Processor, Data Processor, shall, on Data Controller's request the supervisory authority and at Data Controller's reasonable expense, address the Data Subject Request, as required under the Data Protection Lawdata subjects in respect of such incidents; 4.2.74.3.7.3. 
upon request, to provide Data Controller with commercially reasonable information and assistance, taking into account the nature preparation of the Processing and the information available to Data Processor, to help Data Controller to conduct any data protection impact assessment or Supervisor consultation it assessments and, where applicable, carrying out consultations with the supervisory authority; 4.3.7.4. the security of Relevant Data, including by implementing the technical and organisational security measures provided for in Schedule C; 4.3.8. if the Data Processor is required by law to conduct under process Relevant Data, inform the Data Protection Law; 4.2.8. upon termination of Data Controller's access to and use of the Service, to comply with the requirements of Clause 9 Controller of this DP Agreement (Return and Destruction requirement in advance of Personal Data);any processing, unless the Data Processor is prohibited from informing the Data Controller on grounds of important public interest; and 4.2.94.3.9. to comply with the requirements of Clause 6 of this DP Agreement (Audit) in order to make available to the Data Controller all information that demonstrates Data Processor’s necessary to demonstrate compliance with the obligations in this DP Agreement; and 4.2.10. to appoint a security officer who will act as a point of contact for Data Controller, and coordinate and control compliance with this DP Agreement, including the Security MeasuresClause 4. 4.3. Data Processor shall immediately inform Data Controller if, in its opinion, Data Controller's Processing instructions infringe any law or regulation. In such event, Data Processor is entitled to refuse Processing of Personal Data that it believes to be in violation of any law or regulation.

Appears in 1 contract

Samples: Data Processing Agreement

OBLIGATIONS OF THE DATA PROCESSOR. 4.1. The Parties agree that the subject-matter of Processing performed by Data Processor under this DP Agreementagrees, including the nature warrants and purpose of Processing, the type of Personal Data, and categories of Data Subjects, shall be as described in Schedule 1 and Schedule 2 of this DP Agreement. 4.2. As part of Data Processor providing the Service to Data Controller under the Agreement, Data Processor agrees and declares as followsrepresents that it: 4.2.1. a) ensures that persons authorized to process Process the Personal Data in accordance with Data Controller's documented instructions as set out in the Agreement and this DP Agreement or as otherwise necessary to provide the Service, except where required otherwise by applicable laws (and provided such laws do not conflict with Data Protection Law); in such case, Data Processor shall inform Data Controller of that legal requirement upon becoming aware of the same (except where prohibited by applicable laws); 4.2.2. to ensure that all staff and management are fully aware of their responsibilities to protect Personal Data in accordance with this DP Agreement and have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; further, Data Processor shall only allow access to the Personal Data to such of the Data Processor’s personnel who need access to the Personal Data in order to allow the Data Processor to perform its obligations under the Aircall Subscription Agreement and/or applicable Order Forms; 4.2.3. 
to implement and maintain appropriate technical and organisational b) informs Data Controller if an instruction infringes the GDPR or other Union or Member State data protection provisions that may be applicable; c) takes all measures to protect ensure the security of processing, as further specified under letter d) below; d) assists the Data Controller in ensuring compliance with the obligations relating to the security of the Personal Data, Client’s notification & communication obligations in case of Data against accidental or unlawful destruction or accidental lossBreach, alterationconducting data privacy assessment and consulting the supervisory authority if need be, unauthorized disclosure or access (a "Data Security Breach"), provided that such measures shall take taking into account the costs nature of Processing and the information available to the Data Processor. Specifically, Data Processor shall, while taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of Processing, Processing as well as the risk risks of varying likelihood and severity for the rights and freedoms of natural persons, so as to ensure a level of security appropriate to the risks represented by the Processing and the nature of the Data to be protected; 4.2.4. to notify Data Controller, without undue delay, in the event of a confirmed Data Security Breach affecting Data Controller's Data and to cooperate with Data Controller as necessary to mitigate or remediate the Data Security Breach; 4.2.5. to comply with the requirements of Clause 5 (Use of Sub-processors) when engaging a Sub-processor; 4.2.6. taking into account the nature of Subjects resulting from the Processing, to assist Data Controller (including by implement appropriate technical and organisational measures), insofar as it is commercially reasonable, organizational measures listed in Exhibit B. 
Those measures shall be reviewed and updated by Aircall where and when necessary; e) cooperate with the national supervisory authority if need be; f) makes available to fulfil Data Controller's obligation to respond to requests from Data Subjects to exercise their rights under Data Protection Law (a "Data Subject Request"). In the event Data Processor receives a Data Subject Request directly from a Data Subject, it shall (unless prohibited by law) direct the Data Subject Controller on a reasonable basis all information necessary to demonstrate compliance with the obligations relating to Data Processors as laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller in the first instance. However, in limit of 1 audit per year with a 15 days prior notice and subject to the event Parties agreeing on a Data Controller is unable to address the Data Subject Request, taking into account the nature of the Processing, the complexity and frequency of the request(s), and the information available to Data Processor, Data Processor, shall, on Data Controller's request and at Data Controller's reasonable expense, address the Data Subject Request, as required under the Data Protection LawSecurity Testing Agreement should this audit include penetration testing; 4.2.7. upon request, to provide Data Controller with commercially reasonable information and assistance, taking into account the nature of the Processing and the information available to Data Processor, to help Data Controller to conduct any data protection impact assessment or Supervisor consultation it is required to conduct under Data Protection Law; 4.2.8. upon termination of Data Controller's access to and use of the Service, to comply with the requirements of Clause 9 of this DP Agreement (Return and Destruction of Personal Data); 4.2.9. 
to comply with the requirements of Clause 6 of this DP Agreement (Audit) in order to make available to Data Controller information that demonstrates Data Processor’s compliance with this DP Agreement; and 4.2.10. to appoint a security officer who will act as a point of contact for Data Controller, and coordinate and control compliance with this DP Agreement, including the Security Measures. 4.3. Data Processor shall immediately inform Data Controller if, in its opinion, Data Controller's Processing instructions infringe any law or regulation. In such event, Data Processor is entitled to refuse Processing of Personal Data that it believes to be in violation of any law or regulation.

Appears in 1 contract

Samples: Data Processing Agreement
