OBLIGATIONS OF THE DATA PROCESSOR. 4.1 All processing by the Data Processor of the personal data provided by the Data Controller must be in accordance with instructions set forth in this Agreement (including with regard to data transfers) and which constitute the Data Controller’s complete and final instructions to the Data Processor, unless i) EU or EU Member State law to which the Data Processor is subject requires other processing of the personal data by the Data Processor, or ii) in the event the Data Processor makes changes to its systems, processes, etc. which require changes to the instructions, in which case Data Processor will notify the Data Controller of amendments to the instructions in the same manner as the Data Processor provides notice of Amendments to the General Terms and Conditions under the Main Agreement.
4.2 Should the Data Controller in its reasonable opinion believe, and be able to substantiate, that the amendments to the instructions introduced by the Data Processor cause the Data Controller to be non-compliant with General Data Protection Regulation, the Data Controller shall be entitled to terminate this Agreement and the Main Agreement by giving notice of termination to the Data Processor within the 10 business days from receiving notice of the amendments, otherwise the amendments will be deemed accepted by the Data Controller and will effectively become part of this Agreement.
4.3 The Data Processor must immediately inform the Data Controller if, in the Data Processor’s opinion, an instruction infringes the EU General Data Protection Regulation or the data protection provisions of a Member State.
4.4 The Data Processor must take all necessary technical and organisational security measures, including any additional measures, required to ensure that the personal data specified in clause 1.2 is not accidentally or unlawfully destroyed, lost or impaired or brought to the knowledge of unauthorised third parties, abused or otherwise processed in a manner which is contrary to applicable national law in the relevant EU/EEA member states in force at any time. These measures shall meet and be equivalent to the certificate and security requirements specified by card associations and the authorities, including the PCI DSS (Payment Card Industry – Data Security Standard), for details see xxxxx://xxx.xxxxxxxxxxxxxxxxxxxx.xxx. The security measures deemed necessary and applied by the Data Processor shall be risk based, and will be updated from time to time by the Data Processor.
4.5 The Data Processor must ensure that employees authorized to process the personal data have committed themselves to confidentiality or are under appropriate statutory obligation of confidentiality.
4.6 If so requested by the Data Controller, the Data Processor must state and/or document that the Data Processor complies with the requirements of the applicable data protection legislation, including documentation regarding the data flows of the Data Processor as well as procedures/policies for processing of personal data. In terms of documentation supporting such statement of compliance, it is agreed that the Data Processor’s Attestation of Compliance with the Payment Card Industry Data Security Standard Requirements and Security Assessment Procedures (PCI DSS) is sufficient.
4.7 Taking into account the nature of the processing, the Data Processor must, as far as possible, assist the controller by appropriate technical and organisational measures, for the fulfilment of the Data Controller’s obligation to respond to requests for exercising the data subject’s rights as laid down in chapter 3 in the General Data Protection Regulation.
4.8 The Data Processor, or another data processor (sub-data processor) must send requests and objections from data subjects to the Data Controller, for the Data Controller's further processing thereof, unless the Data Processor is entitled to handle such request itself. If requested by the Data Controller, the Data Processor must assist the Data Controller in answering any such requests and/or objections.
4.9 If the Data Processor processes personal data in another member state, the Data Processor must comply with legislation concerning security measures in that member state.
4.10 The Data Processor must notify the Data Controller where there is a data breach, as defined in 4.12 of the General Data Protection Regulation. The Data Processor’s deadline for notifying the Data Controller of a security breach is 24 hours from the moment the Data Processor becomes aware of a security breach. If requested by the Data Controller, the Data Processor must assist the Data Controller in relation to clarifying the scope of the security breach, including preparation of any notification to the Danish Data Protection Agency and/or data subjects.
4.11 The Data Processor must make available to the Data Controller all information necessary to demonstrate compliance with article 28 of the General Data Protection Regulation and the Agreement. This requirement can be met by the Data Processor demonstrating a valid PCI compliance certification and/or the relevant and required sections (as determined by the Data Processor) from the latest annual PCI DSS compliance audit performed on the Data Processor. Details regarding the audit procedures and scope are available from the PCI Security Standards Council, xxxxx://xxx.xxxxxxxxxxxxxxxxxxxx.xxx, or can be obtained from the Data Processor upon request.
4.12 In addition to the above, the Data Processor must to the extent reasonable assist the Data Controller in ensuring compliance with the Data Controller’s obligations under article 32-36 of the General Data Protection Regulation. This assistance will take into account the nature of the processing and the information available to the Data Processor.
OBLIGATIONS OF THE DATA PROCESSOR. 4.1 All processing by the Data Processor of the personal data provided by the Data Controller must be in accordance with instructions set forth in this Agreement (including with regard to data transfers) and which constitute the Data Controller’s complete and final instructions to the Data Processor, unless i) EU or EU Member State law to which the Data Processor is subject requires other processing of the personal data by the Data Processor, or ii) in the event the Data Processor makes changes to its systems, processes, etc. which require changes to the instructions, in which case Data Processor will notify the Data Controller of amendments to the instructions in the same manner as the Data Processor provides notice of Amendments to the General Terms and Conditions under the Main Agreement.
4.2 Should the Data Controller in its reasonable opinion believe, and be able to substantiate, that the amendments to the instructions introduced by the Data Processor cause the Data Controller to be non-compliant with General Data Protection Regulation, the Data Controller shall be entitled to terminate this Agreement and the Main Agreement by giving notice of termination to the Data Processor within the 10 business days from receiving notice of the amendments, otherwise the amendments will be deemed accepted by the Data Controller and will effectively become part of this Agreement.
4.3 The Data Processor must immediately inform the Data Controller if, in the Data Processor’s opinion, an instruction infringes the EU General Data Protection Regulation or the data protection provisions of a Member State.
4.4 The Data Processor must take all necessary technical and organisational security measures, including any additional measures, required to ensure that the personal data specified in clause 1.2 is not accidentally or unlawfully destroyed, lost or impaired or brought to the knowledge of unauthorised third parties, abused or otherwise processed in a manner which is contrary to applicable national law in the relevant EU/EEA EU member states states, in the Nordics and Baltics.legislation in force at any time. These measures shall meet and be equivalent to the certificate and security requirements specified by card associations and the authorities, including the PCI DSS (Payment Card Industry – Data Security Standard), for details see xxxxx://xxx.xxxxxxxxxxxxxxxxxxxx.xxx. The security measures deemed necessary and applied by the Data Processor shall be risk based, and will be updated from time to time by the Data Processor.
4.5 The Data Processor must ensure that employees authorized to process the personal data have committed themselves to confidentiality or are under appropriate statutory obligation of confidentiality.
4.6 If so requested by the Data Controller, the Data Processor must state and/or document that the Data Processor complies with the requirements of the applicable data protection legislation, including documentation regarding the data flows of the Data Processor as well as procedures/policies for processing of personal data. In terms of documentation supporting such statement of compliance, it is agreed that the Data Processor’s Attestation of Compliance with the Payment Card Industry Data Security Standard Requirements and Security Assessment Procedures (PCI DSS) is sufficient.
4.7 Taking into account the nature of the processing, the Data Processor must, as far as possible, assist the controller by appropriate technical and organisational measures, for the fulfilment of the Data Controller’s obligation to respond to requests for exercising the data subject’s rights as laid down in chapter 3 in the General Data Protection Regulation.
4.8 The Data Processor, or another data processor (sub-data processor) must send requests and objections from data subjects to the Data Controller, for the Data Controller's further processing thereof, unless the Data Processor is entitled to handle such request itself. If requested by the Data Controller, the Data Processor must assist the Data Controller in answering any such requests and/or objections.
4.9 If the Data Processor processes personal data in another member state, the Data Processor must comply with legislation concerning security measures in that member state.
4.10 The Data Processor must notify the Data Controller where there is a data breach, as defined in 4.12 of the General Data Protection Regulation. The Data Processor’s deadline for notifying the Data Controller of a security breach is 24 hours from the moment the Data Processor becomes aware of a security breach. If requested by the Data Controller, the Data Processor must assist the Data Controller in relation to clarifying the scope of the security breach, including preparation of any notification to the Danish Data Protection Agency and/or data subjects.
4.11 The Data Processor must make available to the Data Controller all information necessary to demonstrate compliance with article 28 of the General Data Protection Regulation and the Agreement. This requirement can be met by the Data Processor demonstrating a valid PCI compliance certification and/or the relevant and required sections (as determined by the Data Processor) from the latest annual PCI DSS compliance audit performed on the Data Processor. Details regarding the audit procedures and scope are available from the PCI Security Standards Council, xxxxx://xxx.xxxxxxxxxxxxxxxxxxxx.xxx, or can be obtained from the Data Processor upon request.
4.12 In addition to the above, the Data Processor must to the extent reasonable assist the Data Controller in ensuring compliance with the Data Controller’s obligations under article 32-36 of the General Data Protection Regulation. This assistance will take into account the nature of the processing and the information available to the Data Processor.
OBLIGATIONS OF THE DATA PROCESSOR. 4.1 All processing by the Data Processor of the personal data provided by the Data Controller must be in accordance with instructions set forth in this Agreement (including with regard to data transfersagrees, warrants and represents that it:
a) and which constitute the Data Controller’s complete and final instructions to the Data Processor, unless i) EU or EU Member State law to which the Data Processor is subject requires other processing of the personal data by the Data Processor, or ii) in the event the Data Processor makes changes to its systems, processes, etc. which require changes to the instructions, in which case Data Processor will notify the Data Controller of amendments to the instructions in the same manner as the Data Processor provides notice of Amendments to the General Terms and Conditions under the Main Agreement.
4.2 Should the Data Controller in its reasonable opinion believe, and be able to substantiate, ensures that the amendments to the instructions introduced by the Data Processor cause the Data Controller to be non-compliant with General Data Protection Regulation, the Data Controller shall be entitled to terminate this Agreement and the Main Agreement by giving notice of termination to the Data Processor within the 10 business days from receiving notice of the amendments, otherwise the amendments will be deemed accepted by the Data Controller and will effectively become part of this Agreement.
4.3 The Data Processor must immediately inform the Data Controller if, in the Data Processor’s opinion, an instruction infringes the EU General Data Protection Regulation or the data protection provisions of a Member State.
4.4 The Data Processor must take all necessary technical and organisational security measures, including any additional measures, required to ensure that the personal data specified in clause 1.2 is not accidentally or unlawfully destroyed, lost or impaired or brought to the knowledge of unauthorised third parties, abused or otherwise processed in a manner which is contrary to applicable national law in the relevant EU/EEA member states in force at any time. These measures shall meet and be equivalent to the certificate and security requirements specified by card associations and the authorities, including the PCI DSS (Payment Card Industry – Data Security Standard), for details see xxxxx://xxx.xxxxxxxxxxxxxxxxxxxx.xxx. The security measures deemed necessary and applied by the Data Processor shall be risk based, and will be updated from time to time by the Data Processor.
4.5 The Data Processor must ensure that employees persons authorized to process Process the personal data Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.6 If so requested by ; further, Data Processor shall only allow access to the Personal Data to such of the Data Controller, Processor’s personnel who need access to the Personal Data in order to allow the Data Processor must state to perform its obligations under the Aircall Subscription Agreement and/or document that applicable Order Forms;
b) informs Data Controller if an instruction infringes the Data Processor complies with the requirements of the applicable GDPR or other Union or Member State data protection legislation, including documentation regarding provisions that may be applicable;
c) takes all measures to ensure the data flows security of the Data Processor as well as procedures/policies for processing of personal data. In terms of documentation supporting such statement of compliance, it is agreed that the Data Processor’s Attestation of Compliance with the Payment Card Industry Data Security Standard Requirements and Security Assessment Procedures (PCI DSS) is sufficient.
4.7 Taking into account the nature of the processing, the Data Processor must, as far as possible, assist the controller by appropriate technical and organisational measures, for the fulfilment of the Data Controller’s obligation to respond to requests for exercising the data subject’s rights as laid down in chapter 3 in the General Data Protection Regulation.further specified under letter d) below;
4.8 The Data Processor, or another data processor (sub-data processord) must send requests and objections from data subjects to the Data Controller, for the Data Controller's further processing thereof, unless the Data Processor is entitled to handle such request itself. If requested by the Data Controller, the Data Processor must assist the Data Controller in answering any such requests and/or objections.
4.9 If the Data Processor processes personal data in another member state, the Data Processor must comply with legislation concerning security measures in that member state.
4.10 The Data Processor must notify the Data Controller where there is a data breach, as defined in 4.12 of the General Data Protection Regulation. The Data Processor’s deadline for notifying the Data Controller of a security breach is 24 hours from the moment the Data Processor becomes aware of a security breach. If requested by the Data Controller, the Data Processor must assist the Data Controller in relation to clarifying the scope of the security breach, including preparation of any notification to the Danish Data Protection Agency and/or data subjects.
4.11 The Data Processor must make available to the Data Controller all information necessary to demonstrate compliance with article 28 of the General Data Protection Regulation and the Agreement. This requirement can be met by the Data Processor demonstrating a valid PCI compliance certification and/or the relevant and required sections (as determined by the Data Processor) from the latest annual PCI DSS compliance audit performed on the Data Processor. Details regarding the audit procedures and scope are available from the PCI Security Standards Council, xxxxx://xxx.xxxxxxxxxxxxxxxxxxxx.xxx, or can be obtained from the Data Processor upon request.
4.12 In addition to the above, the Data Processor must to the extent reasonable assist assists the Data Controller in ensuring compliance with the Data Controller’s obligations under article 32-36 relating to the security of the General Personal Data, Client’s notification & communication obligations in case of Data Protection Regulation. This assistance will take Breach, conducting data privacy assessment and consulting the supervisory authority if need be, taking into account the nature of the processing Processing and the information available to the Data Processor. Specifically, Data Processor shall, while taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of Processing as well as the risks of varying likelihood and severity for rights and freedoms of Data Subjects resulting from the Processing, implement appropriate technical and organizational measures listed in Exhibit B. Those measures shall be reviewed and updated by Aircall where and when necessary;
e) cooperate with the national supervisory authority if need be;
f) makes available to the Data Controller on a reasonable basis all information necessary to demonstrate compliance with the obligations relating to Data Processors as laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller in the limit of 1 audit per year with a 15 days prior notice and subject to the Parties agreeing on a Data Security Testing Agreement should this audit include penetration testing;
OBLIGATIONS OF THE DATA PROCESSOR. 4.1 All processing by the Data Processor of the personal data provided by the Data Controller must be in accordance with instructions set forth in this Agreement (including with regard to data transfers) and which constitute the Data Controller’s complete and final instructions to the Data Processor, unless i) EU or EU Member State law to which the Data Processor is subject requires other processing of the personal data by the Data Processor, or ii) in the event the Data Processor makes changes to its systems, processes, etc. which require changes to the instructions, in which case Data Processor will notify the Data Controller of amendments to the instructions in the same manner as the Data Processor provides notice of Amendments to the General Terms and Conditions under the Main Agreement.
4.2 Should the Data Controller in its reasonable opinion believe, and be able to substantiate, that the amendments to the instructions introduced by the Data Processor cause the Data Controller to be non-compliant with General Data Protection Regulation, the Data Controller shall be entitled to terminate this Agreement and the Main Agreement by giving notice of termination to the Data Processor within the 10 business days from receiving notice of the amendments, otherwise the amendments will be deemed accepted by the Data Controller and will effectively become part of this Agreement.
4.3 The Data Processor must immediately inform the Data Controller if, in the Data Processor’s opinion, an instruction infringes the EU General Data Protection Regulation or the data protection provisions of a Member State.
4.4 The Data Processor must take all necessary technical and organisational security measures, including any additional measures, required to ensure that the personal data specified in clause 1.2 is not accidentally or unlawfully destroyed, lost or impaired or brought to the knowledge of unauthorised third parties, abused or otherwise processed in a manner which is contrary to applicable national law in the relevant EU/EEA member states in force at any time. These measures shall meet and be equivalent to the certificate and security requirements specified by card associations and the authorities, including the PCI DSS (Payment Card Industry – Data Security Standard), for details see xxxxx://xxx.xxxxxxxxxxxxxxxxxxxx.xxx. The security measures deemed necessary and applied by the Data Processor shall be risk based, and will be updated from time to time by the Data Processor.
4.5 The Data Processor must ensure that employees authorized to process the personal data have committed themselves to confidentiality or are under appropriate statutory obligation of confidentiality.
4.6 If so requested by the Data Controller, the Data Processor must state and/or document that the Data Processor complies with the requirements of the applicable data protection legislation, including documentation regarding the data flows of the Data Processor as well as procedures/policies for processing of personal data. In terms of documentation supporting such statement of compliance, it is agreed that the Data Processor’s Attestation of Compliance with the Payment Card Industry Data Security Standard Requirements and Security Assessment Procedures (PCI DSS) is sufficient.
4.7 Taking into account the nature of the processing, the Data Processor must, as far as possible, assist the controller by appropriate technical and organisational measures, for the fulfilment of the Data Controller’s obligation to respond to requests for exercising the data subject’s rights as laid down in chapter 3 in the General Data Protection Regulation.
4.8 The Data Processor, or another data processor (sub-data processor) must send requests and objections from data subjects to the Data Controller, for the Data Controller's further processing thereof, unless the Data Processor is entitled to handle such request itself. If requested by the Data Controller, the Data Processor must assist the Data Controller in answering any such requests and/or objections.
4.9 If the Data Processor processes personal data in another member state, the Data Processor must comply with legislation concerning security measures in that member state.
4.10 The Data Processor must notify the Data Controller where there is a data breach, as defined in 4.12 of the General Data Protection Regulation. The Data Processor’s deadline for notifying the Data Controller of a security breach is 24 hours from the moment the Data Processor becomes aware of a security breach. If requested by the Data Controller, the Data Processor must assist the Data Controller in relation to clarifying the scope of the security breach, including preparation of any notification to the Danish competent Data Protection Agency and/or data subjects.
4.11 The Data Processor must make available to the Data Controller all information necessary to demonstrate compliance with article 28 of the General Data Protection Regulation and the Agreement. This requirement can be met by the Data Processor demonstrating a valid PCI compliance certification and/or the relevant and required sections (as determined by the Data Processor) from the latest annual PCI DSS compliance audit performed on the Data Processor. Details regarding the audit procedures and scope are available from the PCI Security Standards Council, xxxxx://xxx.xxxxxxxxxxxxxxxxxxxx.xxx, or can be obtained from the Data Processor upon request.
4.12 In addition to the above, the Data Processor must to the extent reasonable assist the Data Controller in ensuring compliance with the Data Controller’s obligations under article 32-36 of the General Data Protection Regulation. This assistance will take into account the nature of the processing and the information available to the Data Processor.
OBLIGATIONS OF THE DATA PROCESSOR. 4.1 All processing by the Data Processor of the personal data provided by the Data Controller must be in accordance with instructions set forth in this Agreement (including with regard to data transfers) and which constitute the Data Controller’s complete and final instructions to the Data Processor, unless i) EU or EU Member State law to which the Data Processor is subject requires other processing of the personal data by the Data Processor, or ii) in the event the Data Processor makes changes to its systems, processes, etc. which require changes to the instructions, in which case Data Processor will notify the Data Controller of amendments to the instructions in the same manner as the Data Processor provides notice of Amendments to the General Terms and Conditions under the Main Agreement.
4.2 Should the Data Controller in its reasonable opinion believe, and be able to substantiate, that the amendments to the instructions introduced by the Data Processor cause the Data Controller to be non-compliant with General Data Protection Regulation, the Data Controller shall be entitled to terminate this Agreement and the Main Agreement by giving notice of termination to the Data Processor within the 10 business days from receiving notice of the amendments, otherwise the amendments will be deemed accepted by the Data Controller and will effectively become part of this Agreement.
4.3 The Data Processor must immediately inform the Data Controller if, in the Data Processor’s opinion, an instruction infringes the EU General Data Protection Regulation or the data protection provisions of a Member State.
4.4 The Data Processor must take all necessary technical and organisational security measures, including any additional measures, required to ensure that the personal data specified in clause 1.2 is not accidentally or unlawfully destroyed, lost or impaired or brought to the knowledge of unauthorised third parties, abused or otherwise processed in a manner which is contrary to applicable national law in the relevant EU/EEA member states in force at any time. These measures shall meet and be equivalent to the certificate and security requirements specified by card associations and the authorities, including the PCI DSS (Payment Card Industry – Data Security Standard), for details see xxxxx://xxx.xxxxxxxxxxxxxxxxxxxx.xxx. The security measures deemed necessary and applied by the Data Processor shall be risk based, and will be updated from time to time by the Data Processor.
4.5 The Data Processor must ensure that employees authorized to process the personal data have committed themselves to confidentiality or are under appropriate statutory obligation of confidentiality.
4.6 If so requested by the Data Controller, the Data Processor must state and/or document that the Data Processor complies with the requirements of the applicable data protection legislation, including documentation regarding the data flows of the Data Processor as well as procedures/policies for processing of personal data. In terms of documentation supporting such statement of compliance, it is agreed that the Data Processor’s Attestation of Compliance with the Payment Card Industry Data Security Standard Requirements and Security Assessment Procedures (PCI DSS) is sufficient.
4.7 Taking into account the nature of the processing, the Data Processor must, as far as possible, assist the controller by appropriate technical and organisational measures, for the fulfilment of the Data Controller’s obligation to respond to requests for exercising the data subject’s rights as laid down in chapter 3 in the General Data Protection Regulation.
4.8 The Data Processor, or another data processor (sub-data processor) must send requests and objections from data subjects to the Data Controller, for the Data Controller's further processing thereof, unless the Data Processor is entitled to handle such request itself. If requested by the Data Controller, the Data Processor must assist the Data Controller in answering any such requests and/or objections.
4.9 If the Data Processor processes personal data in another member state, the Data Processor must comply with legislation concerning security measures in that member state.
4.10 The Data Processor must notify the Data Controller where there is a data breach, as defined in 4.12 of the General Data Protection Regulation. The Data Processor’s deadline for notifying the Data Controller of a security breach is 24 hours from the moment the Data Processor becomes aware of a security breach. If requested by the Data Controller, the Data Processor must assist the Data Controller in relation to clarifying the scope of the security breach, including preparation of any notification to the Danish competent Data Protection Agency and/or data subjects.
4.11 The Data Processor must make available to the Data Controller all information necessary to demonstrate compliance with article 28 of the General Data Protection Regulation and the Agreement. This requirement can be met by the Data Processor demonstrating a valid PCI compliance certification and/or the relevant and required sections (as determined by the Data Processor) from the latest annual PCI DSS compliance audit performed on the Data Processor. Details regarding the audit procedures and scope are available from the PCI Security Standards Council, xxxxx://xxx.xxxxxxxxxxxxxxxxxxxx.xxx, or can be obtained from the Data Processor upon request.
4.12 In addition to the above, the Data Processor must to the extent reasonable assist the Data Controller in ensuring compliance with the Data Controller’s obligations under article 32-36 of the General Data Protection Regulation. This assistance will take into account the nature of the processing and the information available to the Data Processor.
OBLIGATIONS OF THE DATA PROCESSOR. 3.1 The Data Processor undertakes that it shall process the Personal Data strictly in accordance with the Data Controller’s written and duly documented instructions for the processing of that Personal Data. If the Data Processor acts outside the Data Controller’s instructions or contrary to these instructions, the Data Processor will be considered as Data Controller within the meaning of the GDPR and will assume all liabilities and consequences, in particular financial liabilities and consequences.
3.2 If the Data Processor considers that an instruction from the Data Controller constitutes a violation of the GDPR, it shall inform the Data Controller as soon as possible.
3.3 The Data Processor will process the Personal Data only for the purposes of the performance of the Service, i.e. to provide a hosting solution.
3.4 The Data Processor will ensure, as far as possible, that only such of its employees who may be required by it to assist it in meeting its obligations under the Agreement shall have access to the Personal Data. The Data Processor will ensure that all such employees have undergone training in the law of data protection, their duty of confidentiality under contract and in the care and handling of the Personal Data.
3.5 The Data Processor will make its best efforts to assist the Data Controller with all individuals’ requests which may be received from Data Subjects to whom the Personal Data refers.
3.6 The Data Processor will make its best efforts to collaborate with the Data Controller, in particular by providing it with the necessary documentation to demonstrate compliance with all its obligations, in particular the performance of audits, including inspections, by the Data Controller or another auditor (that is independent and not a competitor of the Data Processor) that the Data Controller has mandated, and contribute to such audits.
3.7 The Data Processor will not disclose the Personal Data to a third party in any circumstances other than at the specific written request of the Data Controller, unless the disclosure is required by law.
3.8 The Data Controller recognizes and agrees that the Processor may store the Personal Data, in its possession, outside the European Economic Area (EEA), notably in the United States, and, in any case, with appropriate safeguards.
3.9 The Data Processor will not sub-contract any of the processing without the prior consent of the Data Controller, it being specified that the Data Processor shall ensure that all of the Data Processor’s obligations under the Agreement are respected by any company replacing the Data Processor and any subcontractor, regardless of its rank or method of intervention, by expressly providing for these same obligations in the contract binding the Data Processor to the said company or the subcontractor to any subsequent subcontractor, so that they undertake to respect the Agreement. At the time of this agreement, the Data Controller has agreed to the sub-contractors listed in the Annex 3 of this Agreement.
3.10 The Data Processor will make its best efforts to use appropriate operational and technological processes and procedures to guarantee the security of its premises and to keep the Personal Data safe from unauthorized use or access, loss, destruction, theft, alteration, distortion, disclosure or any other modification.
3.11 The Data Processor will inform, without undue delay, the Data Controller in case of a request from an administrative or judiciary authority received by the Data Processor related to the Processing of Personal Data made in respect of Services.
3.12 The Data Processor will not store Personal Data beyond the retention period fixed by the Data Controller in relation to the purposes for which they were collected and, in any event, not to store them after the expiration of the Agreement, except in the event of any legislative or regulatory provision or any administrative or judicial decision stating the contrary.
3.13 The Data Processor will notify the Data Controller of any information security incident that may impact the processing of the personal data covered by this agreement without undue delay after discovering, or becoming aware of any such incident. The Data Processor will make its best efforts to co-operate with the Data Controller in implementing any required corrective action agreed between the parties.
3.14 The Data Controller reserves the right subject to at least one month's written notice prior to the date of the audit and within normal business hours to carry out compliance and information security audits of the Data Processor, in order to satisfy itself that the Data Processor is adhering to the terms of this agreement. Where a sub-contractor is used, the Data Processor agrees that the Data Controller may also, upon giving reasonable notice and within normal business hours, carry out compliance and information security audits and checks of the sub-contractor to ensure adherence to the terms of this Agreement.
3.15 At the termination of the Agreement, the Data Processor will delete or return all the Personal Data to the Data Controller at the Data Controller’s choice, and delete existing copies unless European Union or Member State law requires storage of the Personal Data.
OBLIGATIONS OF THE DATA PROCESSOR. In general, the Data Processor is required to:
i. process the Customer Data for the sole purpose of correctly providing the Services in favor of the Data Controller;
ii. process the Customer Data in compliance with the instructions given by the Data Controller with this DPSA and/or subsequently and, in any case, to operate in accordance with the provisions of GDPR and the applicable provisions of the Italian Data Protection Authority ("Italian DPA"). Any possible further instruction not listed in this DPSA that the Data Controller intends to provide to the Data Processor must be previously confirmed in writing by Data Processor. Where Data Processor believes compliance with Data Controller’s instructions could result in a violation of the GDPR and/or any other applicable data protection law or is not in the ordinary course of Data Processor’s obligations in providing the Services, Data Processor shall promptly notify Data Controller thereof. No damages and/or lack of service and/or prejudice will be reimbursed by the Data Processor to the Data Controller due to the Data Processor's failure to perform processing operations under this DPSA as a result of any refusal of the Data Processor to comply with an unlawful instruction received by the Data Controller;
iii. make available to the Data Controller all the information necessary to demonstrate compliance with the obligations set forth in this DPSA and to allow and contribute to the audit activities, including inspections, carried out by the Data Controller or another authorized person, as indicated in art. 11 below;
iv. not communicate and/or disseminate the relevant processed data to third parties, unless strictly necessary for the purposes of the processing and/or with the prior authorization of the Data Controller;
v. comply with the conditions and procedures set forth in art. 9 below for the appointment of any sub-processor;
vi. carry out, for the purposes of the correct application of the GDPR and the instructions provided by the Data Controller, periodic checks on the fulfilments and activities carried out by the subjects authorized to the processing and by their sub-processors;
vii. assist the Data Controller in the preparation of a possible data protection impact assessment (“DPIA”) and in any prior consultation of the Italian Data Protection Authority, where deemed necessary, pursuant to art. 36 of the GDPR.