Common use of OBLIGATIONS OF THE DATA PROCESSOR Clause in Contracts

OBLIGATIONS OF THE DATA PROCESSOR. 3.1 The Data Processor will process the personal data in compliance with The Data Protection Xxx 0000. 3.2 The Data Processor undertakes that it shall process the personal data strictly in accordance with the Data Controller's instructions for the processing of that personal data. 3.3 The Data Processor will process the Personal Data for the following purposes only: To facilitate the delivery of the pest control services 3.4 The· Data.Pro.cessor will treat the personal data, and any other information provided by the Data Controller as confidential, and will ensure that access to the personal data is limited to only those employees who require access to it for the purpose of the Data Processor carrying out the permitted processing and complying with its obligations under this Agreement. 3.5 The Data Processor will ensure that only such of its employees who may be required by it to assist it in meeting its obligations under the Agreement shall have access to the personal data. The Data Processor will ensure that all such employees have undergone training in the law of data protection, their duty of confidentiality under contract and in the care and handling of personal data. 3.6 The Data Processor agrees to assist the Data Controller promptly with all subject information requests which may be received from the data subjects of the personal data and within its service level target of 21 days. 3.7 The Data Processor will not disclose the personal data to a third party in any circumstances other than at the specific written request of the Data Controller, unless the disclosure is required by law. 3.8 The Data Processor will NOT transfer the personal data outside of the United Kingdom. 3.9 The Data Processor will not sub-contract any of the processing without explicit written agreement from the Data Controller. Where such written agreement is provided, the Data Processor will ensure that any sub­ contractor it uses to process the personal data complies with the terms of this agreement. 3.10 The Data Processor will employ appropriate operational and technological processes and procedures to keep the personal data safe from unauthorised use or access, loss, destruction, theft or disclosure. The organisational, operational and technological processes and procedures adopted are required to comply with the requirements of ISO 27001 as appropriate to the services being provided to the Data Controller. 3.11 The Data Processor will not keep the personal data on any laptop or other removable drive or device unless that device is protected by being fully encrypted, and the use of the device or laptop is necessary for the provision of the services under this agreement. Where this is necessary, the Data Processor will keep an audit trail of which laptops/drives/devices the personal data are held on. 3.12 The Data Processor will notify the Data Controller of any information security incident that may impact the processing of the personal data covered by this agreement within two working days of discovering, or becoming aware of any such incident. Following the report of the incident, the Data Processor will cooperate with the Data Controller's Information Management staff whilst they carry out a risk assessment, root cause analysis and identify any corrective action required. The Data Processor will cooperate with the Data Controller in implementing any required corrective action agreed between the parties. 3.13 On satisfactory completion of the service or on termination of this agreement, the Data Processor will ensure that the personal data is securely removed from their systems and any printed copies securely destroyed. In complying with this clause, electronic copies of the personal data shall be securely destroyed by either physical destruction of the storage media or secure deletion using appropriate electronic shredding software that meets HM Government standards. Any hard copy will be destroyed by cross-cut shredding and secure re-cycling of the resulting paper waste. 3.14 The Data Controller reserves the right upon giving reasonable notice and within normal business hours to carry out compliance and information security audits of the data processor in order to satisfy itself that the Data Processor is adhering to the terms of this agreement. Where a sub­ contractor is used, the Data Processor agrees that the Data Controller may also, upon giving reasonable notice and within normal business hours, carry out compliance and information security audits and checks of the sub­ contractor to ensure adherence to the terms of this agreement.

OBLIGATIONS OF THE DATA PROCESSOR. 3.1 The Data Processor will process the personal data in compliance with The Data Protection Xxx 0000. 3.2 The Data Processor undertakes that it shall process the personal data strictly in accordance with the Data Controller's instructions for the processing of that personal data. 3.3 The Data Processor will process the Personal Data for the following purposes only: To facilitate the delivery of the pest control servicesData Controller’s community alarm telecare monitoring and administration service i.e. to be determined case by case 3.4 The· Data.Pro.cessor will treat the personal data, and any other information provided by the Data Controller as confidential, and will ensure that access to the personal data is limited to only those employees who require access to it for the purpose of the Data Processor carrying out the permitted processing and complying with its obligations under this Agreement. 3.5 The Data Processor will ensure that only such of its employees who may be required by it to assist it in meeting its obligations under the Agreement shall have access to the personal data. The Data Processor will ensure that all such employees have undergone training in the law of data protection, their duty of confidentiality under contract and in the care and handling of personal data. 3.6 The Data Processor agrees to assist the Data Controller promptly with all subject information requests which may be received from the data subjects of the personal data and within its service level target of 21 days. 3.7 The Data Processor will not disclose the personal data to a third party in any circumstances other than at the specific written request of the Data Controller, unless the disclosure is required by law. 3.8 The Data Processor will NOT transfer the personal data outside of the United Kingdom. 3.9 The Data Processor will not sub-contract any of the processing without explicit written agreement from the Data Controller. Where such written agreement is provided, the Data Processor will ensure that any sub­ contractor it uses to process the personal data complies with the terms of this agreement. 3.10 The Data Processor will employ appropriate operational and technological processes and procedures to keep the personal data safe from unauthorised use or access, loss, destruction, theft or disclosure. The organisational, operational and technological processes and procedures adopted are required to comply with the requirements of ISO 27001 as appropriate to the services being provided to the Data Controller. 3.11 The Data Processor will not keep the personal data on any laptop or other removable drive or device unless that device is protected by being fully encrypted, and the use of the device or laptop is necessary for the provision of the services under this agreement. Where this is necessary, the Data Processor will keep an audit trail of which laptops/drives/devices the personal data are held on. 3.12 The Data Processor will notify the Data Controller of any information security incident that may impact the processing of the personal data covered by this agreement within two working days of discovering, or becoming aware of any such incident. Following the report of the incident, the Data Processor will cooperate with the Data Controller's Information Management staff whilst they carry out a risk assessment, root cause analysis and identify any corrective action required. The Data Processor will cooperate with the Data Controller in implementing any required corrective action agreed between the parties. 3.13 On satisfactory completion of the service or on termination of this agreement, the Data Processor will ensure that the personal data is securely removed from their systems and any printed copies securely destroyed. In complying with this clause, electronic copies of the personal data shall be securely destroyed by either physical destruction of the storage media or secure deletion using appropriate electronic shredding software that meets HM Government standards. Any hard copy will be destroyed by cross-cut shredding and secure re-cycling of the resulting paper waste. 3.14 The Data Controller reserves the right upon giving reasonable notice and within normal business hours to carry out compliance and information security audits of the data processor in order to satisfy itself that the Data Processor is adhering to the terms of this agreement. Where a sub­ contractor is used, the Data Processor agrees that the Data Controller may also, upon giving reasonable notice and within normal business hours, carry out compliance and information security audits and checks of the sub­ contractor to ensure adherence to the terms of this agreement.

OBLIGATIONS OF THE DATA PROCESSOR. 3.1 The Data Processor will shall process the personal data Data in compliance accordance with The the provisions of the Main Contract, this Agreement, and on the documented instructions of the Data Protection Xxx 0000Controller. It is not entitled to disclose the Data to third parties without authorization. This shall not apply if this (i) is done in accordance with the Agreement and the Main Agreement, (ii) is requested in writing by the Data Controller or (iii) is required by statutory or legal requirements. Data Processor shall, in cases under (iii), to the extent permitted by applicable law, inform Data Controller in advance of the intended disclosure and coordinate with Data Controller. 3.2 The Data Processor undertakes shall support the Data Controller in the event of inspections by the supervisory authorities within the scope of what is reasonable and necessary, insofar as these inspections concern Data processing by the Data Processor. It shall provide the Data Controller with the information that the latter requires to prove that it shall process the personal data strictly in accordance has complied with the requirements of the applicable Data Controller's instructions for the processing of that personal dataprotection law with regard to this processing. 3.3 The Data Processor will process shall also support the Data Controller, taking into account the nature of the Data processing and the information available to it, upon request, in complying with the following Data Controller's obligations: 3.3.1 ensuring the security of Personal Data for processing, 3.3.2 notification of Personal Data breaches to supervisory authorities and Data Subjects, 3.3.3 if necessary, carrying out a Data protection impact assessment, insofar as the following purposes only: To facilitate the delivery of the pest control services 3.4 The· Data.Pro.cessor will treat the personal data, and any other information provided Data processing by the Data Controller Processor is affected by this, 3.3.4 if necessary, carrying out a required prior consultation with the Data protection authority, insofar as confidential, and will ensure that access to the personal data is limited to only those employees who require access to it for the purpose of Data processing by the Data Processor carrying out is affected by this. 3.4 The Data Processor shall inform the permitted Data Controller without undue delay if it becomes aware of a Personal Data breach within the scope of its processing and complying with its obligations under this Agreementfor the Data Controller. 3.5 The Data Processor will ensure that only such of its employees who may be required by it to assist it in meeting its obligations under shall oblige the Agreement shall have access to the personal data. The Data Processor will ensure that all such employees have undergone training persons employed in the law processing of data protection, their duty of confidentiality under contract and in the care and handling of personal dataData to handle the Data confidentially. 3.6 The Data Processor agrees to assist the Data Controller promptly with all subject information requests which may be received from the data subjects of the personal data and within its service level target of 21 days. 3.7 The Data Processor will not disclose the personal data to a third party in any circumstances other than at the specific written request of the Data Controller, unless the disclosure is required by law. 3.8 The Data Processor will NOT transfer the personal data outside of the United Kingdom. 3.9 The Data Processor will not sub-contract any of the processing without explicit written agreement from the Data Controller. Where such written agreement is provided, the Data Processor will ensure that any sub­ contractor it uses to process the personal data complies with the terms of this agreement. 3.10 The Data Processor will employ appropriate operational and technological processes and procedures to keep the personal data safe from unauthorised use or access, loss, destruction, theft or disclosure. The organisational, operational and technological processes and procedures adopted are required to comply with the requirements of ISO 27001 as appropriate to the services being provided demand reasonable remuneration according to the Data Controller. 3.11 The Data Processor will not keep Processor’s usual rates at the personal data on any laptop or other removable drive or device unless that device is protected by being fully encrypted, and the use of the device or laptop is necessary time for the provision of cooperation services pursuant to Sections 3.2 and 3.3. However, this shall not apply to the services under this agreement. Where this cooperation pursuant to Section 3.3.2 if the violation is necessary, due to the Data Processor will keep an audit trail of which laptops/drives/devices the personal data are held onProcessor's fault. 3.12 The Data Processor will notify the Data Controller of any information security incident that may impact the processing of the personal data covered by this agreement within two working days of discovering, or becoming aware of any such incident. Following the report of the incident, the Data Processor will cooperate with the Data Controller's Information Management staff whilst they carry out a risk assessment, root cause analysis and identify any corrective action required. The Data Processor will cooperate with the Data Controller in implementing any required corrective action agreed between the parties. 3.13 On satisfactory completion of the service or on termination of this agreement, the Data Processor will ensure that the personal data is securely removed from their systems and any printed copies securely destroyed. In complying with this clause, electronic copies of the personal data shall be securely destroyed by either physical destruction of the storage media or secure deletion using appropriate electronic shredding software that meets HM Government standards. Any hard copy will be destroyed by cross-cut shredding and secure re-cycling of the resulting paper waste. 3.14 The Data Controller reserves the right upon giving reasonable notice and within normal business hours to carry out compliance and information security audits of the data processor in order to satisfy itself that the Data Processor is adhering to the terms of this agreement. Where a sub­ contractor is used, the Data Processor agrees that the Data Controller may also, upon giving reasonable notice and within normal business hours, carry out compliance and information security audits and checks of the sub­ contractor to ensure adherence to the terms of this agreement.

OBLIGATIONS OF THE DATA PROCESSOR. 3.1 The Data Processor will process the personal data in compliance with The Data Protection Xxx 0000. 3.2 The Data Processor undertakes that it shall process the personal data strictly in accordance with the Data Controller's instructions for the processing of that personal data. 3.3 The Data Processor will process the Personal Data for the following purposes only: To facilitate the delivery of the pest control servicessupply, installation, maintenance and repair of telecare equipment 3.4 The· Data.Pro.cessor will treat the personal data, and any other information provided by the Data Controller as confidential, and will ensure that access to the personal data is limited to only those employees who require access to it for the purpose of the Data Processor carrying out the permitted processing and complying with its obligations under this Agreement. 3.5 The Data Processor will ensure that only such of its employees who may be required by it to assist it in meeting its obligations under the Agreement shall have access to the personal data. The Data Processor will ensure that all such employees have undergone training in the law of data protection, their duty of confidentiality under contract and in the care and handling of personal data. 3.6 The Data Processor agrees to assist the Data Controller promptly with all subject information requests which may be received from the data subjects of the personal data and within its service level target of 21 days. 3.7 The Data Processor will not disclose the personal data to a third party in any circumstances other than at the specific written request of the Data Controller, unless the disclosure is required by law. 3.8 The Data Processor will NOT transfer the personal data outside of the United Kingdom. 3.9 The Data Processor will not sub-contract any of the processing without explicit written agreement from the Data Controller. Where such written agreement is provided, the Data Processor will ensure that any sub­ contractor it uses to process the personal data complies with the terms of this agreement. 3.10 The Data Processor will employ appropriate operational and technological processes and procedures to keep the personal data safe from unauthorised use or access, loss, destruction, theft or disclosure. The organisational, operational and technological processes and procedures adopted are required to comply with the requirements of ISO 27001 as appropriate to the services being provided to the Data Controller. 3.11 The Data Processor will not keep the personal data on any laptop or other removable drive or device unless that device is protected by being fully encrypted, and the use of the device or laptop is necessary for the provision of the services under this agreement. Where this is necessary, the Data Processor will keep an audit trail of which laptops/drives/devices the personal data are held on. 3.12 The Data Processor will notify the Data Controller of any information security incident that may impact the processing of the personal data covered by this agreement within two working days of discovering, or becoming aware of any such incident. Following the report of the incident, the Data Processor will cooperate with the Data Controller's Information Management staff whilst they carry out a risk assessment, root cause analysis and identify any corrective action required. The Data Processor will cooperate with the Data Controller in implementing any required corrective action agreed between the parties. 3.13 On satisfactory completion of the service or on termination of this agreement, the Data Processor will ensure that the personal data is securely removed from their systems and any printed copies securely destroyed. In complying with this clause, electronic copies of the personal data shall be securely destroyed by either physical destruction of the storage media or secure deletion using appropriate electronic shredding software that meets HM Government standards. Any hard copy will be destroyed by cross-cut shredding and secure re-cycling of the resulting paper waste. 3.14 The Data Controller reserves the right upon giving reasonable notice and within normal business hours to carry out compliance and information security audits of the data processor in order to satisfy itself that the Data Processor is adhering to the terms of this agreement. Where a sub­ contractor is used, the Data Processor agrees that the Data Controller may also, upon giving reasonable notice and within normal business hours, carry out compliance and information security audits and checks of the sub­ contractor to ensure adherence to the terms of this agreement.

OBLIGATIONS OF THE DATA PROCESSOR. 3.1 2.3.1 The Data Processor will process the personal data Personal Data in compliance with The applicable data protection regulations, including the Data Protection Xxx 00000000 and Regulation (EU) 2016/679 (the “General Data Protection Regulations”). 3.2 2.3.2 The Data Processor undertakes that it shall process the personal data Personal Data strictly in accordance with the Data Controller's instructions for the processing of that personal data. 3.3 2.3.3 The Data Processor will process the Personal Data for the following purposes defined in Schedule C only: To facilitate the delivery of the pest control services. 3.4 The· Data.Pro.cessor 2.3.4 The Data Processor will treat the personal data, and any other information Information provided by the Data Controller as confidential, and will ensure that access to the personal data Personal Data is limited to only those employees who require access to it for the purpose of the Data Processor carrying out the permitted processing and complying with its obligations under this Agreement. 3.5 2.3.5 The Data Processor will ensure that only such of its employees who may be required by it to assist it in meeting its obligations under the Agreement shall have access to the personal dataPersonal Data. The Data Processor will ensure that all such employees have undergone training in the law of data protection, their duty of confidentiality under contract and in the care and handling of personal dataPersonal Data. 3.6 2.3.6 The Data Processor agrees to assist the Data Controller promptly with all subject information requests, rectification requests, erasure requests, requests for restriction of processing, objections or complaints which may be received from the data subjects of the personal data and within its service level target of 21 daysPersonal Data. 3.7 2.3.7 The Data Processor will notify and cooperate with the Data Controller promptly with requests made under the Freedom of Information Xxx 0000. 2.3.8 The Data Processor will not disclose the personal data Personal Data to a third party in any circumstances other than at the specific written request of the Data Controller, unless the disclosure is required by law. 3.8 2.3.9 The Data Processor will NOT transfer or store the personal Personal data outside of the United Kingdom.only as permitted in Schedule B. 3.9 2.3.10 The Data Processor will not sub-contract any of the processing without explicit written agreement from the Data Controller. , detailed in Schedule B. Where such written agreement is provided, the Data Processor will ensure that any sub­ sub-contractor it uses to process the personal data complies with the terms of this agreement. 3.10 2.3.11 The Data Processor will employ appropriate operational and technological processes and procedures summarised in Schedule E to keep the personal data Personal Data safe from unauthorised use or access, loss, destruction, theft or disclosure. The organisational, operational and technological processes and procedures adopted are required to comply with the requirements of ISO 27001 as be appropriate to the services being provided to the Data Controller. 3.11 The Data Processor will not keep the personal data on any laptop or other removable drive or device unless that device is protected by being fully encrypted, and the use of the device or laptop is necessary for the provision of the services under this agreement. Where this is necessary, the Data Processor will keep an audit trail of which laptops/drives/devices the personal data are held on. 3.12 2.3.12 The Data Processor will notify the Data Controller of any information security incident that may impact the processing of the personal data covered by this agreement within two 2 working days of discovering, or becoming aware of any such incident. Following the report of the incident, the Data Processor will cooperate with the Data Controller's Compliance and Information Management Security staff whilst they carry out a risk assessment, root cause analysis and identify any corrective action required. The Data Processor will cooperate with the Data Controller in implementing any required corrective action agreed between the parties. 3.13 2.3.13 On satisfactory completion of the service or on termination of this agreement, the Data Processor will ensure that the personal data is securely removed from their systems and any printed copies securely destroyed. In complying with this clause, electronic copies of the personal data shall be securely destroyed by either physical destruction of the storage media or secure deletion using appropriate electronic shredding software that meets HM Government standards. Any hard copy will be destroyed by cross-cut shredding and secure re-cycling of the resulting paper wastemethods. 3.14 2.3.14 The Data Controller reserves the right upon giving reasonable notice and within normal business hours to carry out compliance and information security audits of the data processor in order to satisfy itself that the Data Processor is adhering to the terms of this agreement. Where a sub­ sub-contractor is used, the Data Processor agrees that the Data Controller may also, upon giving reasonable notice and within normal business hours, carry out compliance and information security audits and checks of the sub­ sub-contractor to ensure adherence to the terms of this agreement.

OBLIGATIONS OF THE DATA PROCESSOR. 3.1 The 3.1. Data Controller determines the purposes for which Client Personal Data is Processed in the context of the provision of the Service. 3.2. Aside from the obligations listed in Annexes 1 and 2 of this DPA, Data Processor further commits to complying with the following obligations: a) Data Processor will process Process Client Personal Data only as necessary to provide the personal data Service and subject to Data Controller’s written instructions provided in compliance with The this DPA. For these purposes, the Service Agreement and this DPA set out Data Protection Xxx 0000. 3.2 The Controllers’ complete instructions to Data Processor undertakes that it shall process in relation to the personal data strictly Processing of Client Personal Data – any Processing required which is outside the scope of these instructions (including the rights and obligations laid down in accordance with the Data Controller's instructions for MSA) will require prior written agreement between the processing of that personal data.Parties; 3.3 The b) Data Processor will process notify Data Controller in the Personal event that it considers a specific written instruction received from Data for the following purposes only: To facilitate the delivery Controller to be in violation of the pest control services 3.4 The· Data.Pro.cessor Applicable Data Protection Laws. In no case will treat the personal data, and Data Processor be under any other information obligation to perform a comprehensive legal examination of any written instructions provided by the Client; c) Aramex, as Data Processor, will notify Data Controller as confidentialwithout undue delay of any contact, communication or correspondence it may receive from a Supervisory Authority, related to the Processing of Client Personal Data. Both Parties acknowledge and agree that the responsibility for replying to such contacts, communications or correspondence rests solely on Data Controller, and will ensure that access to the personal data is limited to only those employees who require access to it for the purpose not on Data Processor; d) Data Processor has implemented adequate operational, technical and organisational measures under Article 32 of the Regulation (which are described in Annex 2 of this DPA), to protect the Client Personal Data (including Special Categories of Personal Data). The Parties acknowledge and agree that Data Processor carrying out is specifically allowed to implement adequate alternative measures or use alternative locations to Process the permitted processing Client Personal Data, so long as the security level of the measures is maintained and complying with is, in all respects, adequate; e) In the event that Data Processor discloses Client Personal Data to its obligations under this Agreement. 3.5 The personnel which is directly and exclusively involved in the provision of the Service, Data Processor will ensure that only such personnel: i) is committed to confidentiality or is under an appropriate statutory obligation of its employees who may be required by it to assist it confidentiality; and ii) Processes Client Personal Data under the instructions of Data Processor, and in meeting its compliance with Data Processor’s obligations under the Agreement shall have access to the personal data. The Data Processor will ensure that all such employees have undergone training in the law of data protection, their duty of confidentiality under contract and in the care and handling of personal datathis DPA. 3.6 The Data Processor agrees to assist the Data Controller promptly with all subject information requests which may be received from the data subjects of the personal data and within its service level target of 21 days. 3.7 The Data Processor will not disclose the personal data to a third party in any circumstances other than at the specific written request of the Data Controller, unless the disclosure is required by law. 3.8 The Data Processor will NOT transfer the personal data outside of the United Kingdom. 3.9 The Data Processor will not sub-contract any of the processing without explicit written agreement from the Data Controller. Where such written agreement is provided, the Data Processor will ensure that any sub­ contractor it uses to process the personal data complies with the terms of this agreement. 3.10 The Data Processor will employ appropriate operational and technological processes and procedures to keep the personal data safe from unauthorised use or access, loss, destruction, theft or disclosure. The organisational, operational and technological processes and procedures adopted are required to comply with the requirements of ISO 27001 as appropriate to the services being provided to the Data Controller. 3.11 The Data Processor will not keep the personal data on any laptop or other removable drive or device unless that device is protected by being fully encrypted, and the use of the device or laptop is necessary for the provision of the services under this agreement. Where this is necessary, the Data Processor will keep an audit trail of which laptops/drives/devices the personal data are held on. 3.12 The Data Processor will notify the Data Controller of any information security incident that may impact the processing of the personal data covered by this agreement within two working days of discovering, or becoming aware of any such incident. Following the report of the incident, the Data Processor will cooperate with the Data Controller's Information Management staff whilst they carry out a risk assessment, root cause analysis and identify any corrective action required. The Data Processor will cooperate with the Data Controller in implementing any required corrective action agreed between the parties. 3.13 On satisfactory completion of the service or on termination of this agreement, the Data Processor will ensure that the personal data is securely removed from their systems and any printed copies securely destroyed. In complying with this clause, electronic copies of the personal data shall be securely destroyed by either physical destruction of the storage media or secure deletion using appropriate electronic shredding software that meets HM Government standards. Any hard copy will be destroyed by cross-cut shredding and secure re-cycling of the resulting paper waste. 3.14 The Data Controller reserves the right upon giving reasonable notice and within normal business hours to carry out compliance and information security audits of the data processor in order to satisfy itself that the Data Processor is adhering to the terms of this agreement. Where a sub­ contractor is used, the Data Processor agrees that the Data Controller may also, upon giving reasonable notice and within normal business hours, carry out compliance and information security audits and checks of the sub­ contractor to ensure adherence to the terms of this agreement.

OBLIGATIONS OF THE DATA PROCESSOR. 3.1 The Data Processor will process the personal data in compliance with The Data Protection Xxx 0000. 3.2 The Data Processor undertakes that it shall process the personal data strictly in accordance with the Data Controller's instructions for the processing of that personal data. 3.3 The Data Processor will process the Personal Data for the following purposes only: To facilitate For the delivery of support for children and young people (who have special educational needs and disabilities) and their parents and for the pest control servicesprotection and safeguarding of children 3.4 The· Data.Pro.cessor The Data Processor will treat the personal data, and any other information provided by the Data Controller as confidential, and will ensure that access to the personal data is limited to only those employees who require access to it for the purpose of the Data Processor carrying out the permitted processing and complying with its obligations under this Agreement. 3.5 The Data Processor will ensure that only such of its employees who may be required by it to assist it in meeting its obligations under the Agreement shall have access to the personal data. The Data Processor will ensure that all such employees have undergone training in the law of data protection, their duty of confidentiality under contract and in the care and handling of personal data. 3.6 The Data Processor agrees to assist the Data Controller promptly with all subject information requests which may be received from the data subjects of the personal data and within its service level target of 21 days. 3.7 The Data Processor will not disclose the personal data to a third party in any circumstances other than at the specific written request of the Data Controller, unless the disclosure is required by law. 3.8 The Data Processor will NOT transfer the personal data outside of the United Kingdom. 3.9 The Data Processor will not sub-contract any of the processing without explicit written agreement from the Data Controller. Where such written agreement is provided, the Data Processor will ensure that any sub­ contractor it uses to process the personal data complies with the terms of this agreement. 3.10 The Data Processor will employ appropriate operational and technological processes and procedures to keep the personal data safe from unauthorised use or access, loss, destruction, theft or disclosure. The organisational, operational and technological processes and procedures adopted are required to comply with the requirements of ISO 27001 as appropriate to the services being provided to the Data Controller. 3.11 The Data Processor will not keep the personal data on any laptop or other removable drive or device unless that device is protected by being fully encrypted, and the use of the device or laptop is necessary for the provision of the services under this agreement. Where this is necessary, the Data Processor will keep an audit trail of which laptops/drives/devices the personal data are held on. 3.12 The Data Processor will notify the Data Controller of any information security incident that may impact the processing of the personal data covered by this agreement within two working days of discovering, or becoming aware of any such incident. Following the report of the incident, the Data Processor will cooperate with the Data Controller's Information Management staff whilst they carry out a risk assessment, root cause analysis and identify any corrective action required. The Data Processor will cooperate with the Data Controller in implementing any required corrective action agreed between the parties. 3.13 On satisfactory completion of the service or on termination of this agreement, the Data Processor will ensure that the personal data is securely removed from their systems and any printed copies securely destroyed. In complying with this clause, electronic copies of the personal data shall be securely destroyed by either physical destruction of the storage media or secure deletion using appropriate electronic shredding software that meets HM Government standards. Any hard copy will be destroyed by cross-cut shredding and secure re-cycling of the resulting paper waste. 3.14 The Data Controller reserves the right upon giving reasonable notice and within normal business hours to carry out compliance and information security audits of the data processor in order to satisfy itself that the Data Processor is adhering to the terms of this agreement. Where a sub­ contractor is used, the Data Processor agrees that the Data Controller may also, upon giving reasonable notice and within normal business hours, carry out compliance and information security audits and checks of the sub­ contractor to ensure adherence to the terms of this agreement.

OBLIGATIONS OF THE DATA PROCESSOR. 3.1 The Data Processor will process the personal data in compliance with The Data Protection Xxx 0000. 3.2 The Data Processor undertakes that it shall process the personal data strictly in accordance with the Data Controller's instructions for the processing of that personal data. 3.3 The Data Processor will process the Personal Data for the following purposes only: To facilitate the delivery of the pest control servicesData Controller’s community alarm telecare monitoring and administration service i.e. to be determined case by case 3.4 The· Data.Pro.cessor will treat the personal data, and any other information provided by the Data Controller as confidential, and will ensure that access to the personal data is limited to only those employees who require access to it for the purpose of the Data Processor carrying out the permitted processing and complying with its obligations under this Agreement. 3.5 The Data Processor will ensure that only such of its employees who may be required by it to assist it in meeting its obligations under the Agreement shall have access to the personal data. The Data Processor will ensure that all such employees have undergone training in the law of data protection, their duty of confidentiality under contract and in the care and handling of personal data. 3.6 The Data Processor agrees to assist the Data Controller promptly with all subject information requests which may be received from the data subjects of the personal data and within its service level target of 21 days. 3.7 The Data Processor will not disclose the personal data to a third party in any circumstances other than at the specific written request of the Data Controller, unless the disclosure is required by law. 3.8 The Data Processor will NOT transfer the personal data outside of the United Kingdom. 3.9 The Data Processor will not sub-contract any of the processing without explicit written agreement from the Data Controller. Where such written agreement is provided, the Data Processor will ensure that any sub­ contractor Provider it uses to process the personal data complies with the terms of this agreement. 3.10 The Data Processor will employ appropriate operational and technological processes and procedures to keep the personal data safe from unauthorised use or access, loss, destruction, theft or disclosure. The organisational, operational and technological processes and procedures adopted are required to comply with the requirements of ISO 27001 as appropriate to the services being provided to the Data Controller. 3.11 The Data Processor will not keep the personal data on any laptop or other removable drive or device unless that device is protected by being fully encrypted, and the use of the device or laptop is necessary for the provision of the services under this agreement. Where this is necessary, the Data Processor will keep an audit trail of which laptops/drives/devices the personal data are held on. 3.12 The Data Processor will notify the Data Controller of any information security incident that may impact the processing of the personal data covered by this agreement within two working days of discovering, or becoming aware of any such incident. Following the report of the incident, the Data Processor will cooperate with the Data Controller's Information Management staff whilst they carry out a risk assessment, root cause analysis and identify any corrective action required. The Data Processor will cooperate with the Data Controller in implementing any required corrective action agreed between the parties. 3.13 On satisfactory completion of the service or on termination of this agreement, the Data Processor will ensure that the personal data is securely removed from their systems and any printed copies securely destroyed. In complying with this clause, electronic copies of the personal data shall be securely destroyed by either physical destruction of the storage media or secure deletion using appropriate electronic shredding software that meets HM Government standards. Any hard copy will be destroyed by cross-cut shredding and secure re-cycling of the resulting paper waste. 3.14 The Data Controller reserves the right upon giving reasonable notice and within normal business hours to carry out compliance and information security audits of the data processor in order to satisfy itself that the Data Processor is adhering to the terms of this agreement. Where a sub­ contractor Provider is used, the Data Processor agrees that the Data Controller may also, upon giving reasonable notice and within normal business hours, carry out compliance and information security audits and checks of the sub­ contractor Provider to ensure adherence to the terms of this agreement.