Common use of OBLIGATIONS OF THE DATA PROCESSOR Clause in Contracts

OBLIGATIONS OF THE DATA PROCESSOR. 4.1 All processing by the Data Processor of the personal data provided by the Data Controller must be in accordance with instructions set forth in this Agreement (including with regard to data transfers) and which constitute the Data Controllers complete and final instructions to the Data Processor, unless i) EU or EU Member State law to which the Data Processor is subject requires other processing of the personal data by the Data Processor, or ii) in the event the Data Processors makes changes to its systems, processes, etc. which requires chan- ges to the instructions, in which case Data Processor will notify the Data Controller of amen- dents to the instructions in the same manner as the Data Processor provides notice of Amendments to the General Terms and Conditions under the Main Agreement. 4.2 Should the Data Controller in its reasonable opinion believe, and be able to substantiate, that the amendments to the instructions introduced by the Data Processor cause the Data Con- troller to be non-compliant with General Data Protection Regulation, the Data Controller shall be entitled to terminate this Agreement and the Main Agreement by giving notice of termination to the Data Processor within the 10 business days from receiving notice of the amendments, otherwise the amendments will be deemed accepted by the Data Controller and will effectively become part of this Agreement. 4.3 The Data Processor must immediately inform the Data Controller if, in the Data Processor’s opinion, an instruction infringes the EU General Data Protection Regulation or the data pro- tection provisions of a Member State. 4.4 The Data Processor must take all necessary technical and organisational security measures, including any additional measures, required to ensure that the personal data specified in clause 1.2 is not accidentally or unlawfully destroyed, lost or impaired or brought to the knowledge of unauthorised third parties, abused or otherwise processed in a manner which is contrary to applicable national law in the relevant EU member states, in the Nordics and Baltics.legislation in force at any time. These measures shall meet and be equivalent to the certificate and security requirements specified by card associations and the authorities, in- cluding the PCI DSS (Payment Card Industry – Data Security Standard), for details see xxxxx://xxx.xxxxxxxxxxxxxxxxxxxx.xxx. The security measures deemed necessary and applied by the Data Processor shall be risk based, and will be updated from time to time by the Data Processor. 4.5 The Data Processor must ensure that employees authorized to process the personal data have committed themselves to confidentiality or are under appropriate statutory obligation of confidentiality. 4.6 If so requested by the Data Controller, the Data Processor must state and/or document that the Data Processor complies with the requirements of the applicable data protection legisla- tion, including documentation regarding the data flows of the Data Processor as well as pro- cedures/policies for processing of personal data. In terms of documentation supporting such statement of compliance, it is agreed that the Data Processors Attestation of Compliance with the Payment Card Industry Data Security Standard Requirements and Security Assess- ment Procedures (PCI DSS) is sufficient. 4.7 Taking into account the nature of the processing, the Data Processor must, as far as possible, assist the controller by appropriate technical and organisational measures, for the fulfilment of the Data Controller’s obligation to respond to requests for exercising the data subject’s rights as laid down in chapter 3 in the General Data Protection Regulation. 4.8 The Data Processor, or another data processor (sub-data processor) must send requests and objections from data subjects to the Data Controller, for the Data Controller's further pro- cessing thereof, unless the Data Processor is entitled to handle such request itself. If re- quested by the Data Controller, the Data Processor must assist the Data Controller in answer- ing any such requests and/or objections. 4.9 If the Data Processor processes personal data in another member state, the Data Processor must comply with legislation concerning security measures in that member state. 4.10 The Data Processor must notify the Data Controller where there is a data breach, as defined in 4.12 of the General Data Protection Regulation. The Data Processor’s deadline for notifying the Data Controller of a security breach is 24 hours from the moment the Data Processor becomes aware of a security breach. If requested by the Data Controller, the Data Processor must assist the Data Controller in relation to clarifying the scope of the security breach, in- cluding preparation of any notification to the Danish Data Protection Agency and/or data subjects. 4.11 The Data Processor must make available to the Data Controller all information necessary to demonstrate compliance with article 28 of the General Data Protection Regulation and the Agreement. This requirement can be met by the Data Processor demonstrating a valid PCI compliance certification and/or the relevant and required sections (as determined by the Data Processor) from the latest annual PCI DSS compliance audit performed on the Data Pro- cessor. Details regarding the audit procedures and scope are available from the PCI Security Standards Council, xxxxx://xxx.xxxxxxxxxxxxxxxxxxxx.xxx, or can be obtained from the Data Processor upon request. 4.12 In addition to the above, the Data Processor must to the extent reasonable assist the Data Controller in ensuring compliance with the Data Controller’s obligations under article 32-36 of the General Data Protection Regulation. This assistance will take into account the nature of the processing and the information available to the Data Processor.

OBLIGATIONS OF THE DATA PROCESSOR. 4.1 All processing by the Data Processor of the personal data provided by the Data Controller must be in accordance with instructions set forth in this Agreement (including with regard to data transfers) and which constitute the Data Controllers complete and final instructions to the Data Processor, unless i) EU or EU Member State law to which the Data Processor is subject requires other processing of the personal data by the Data Processor, or ii) in the event the Data Processors makes changes to its systems, processes, etc. which requires chan- ges to the instructions, in which case Data Processor will notify the Data Controller of amen- dents to the instructions in the same manner as the Data Processor provides notice of Amendments to the General Terms and Conditions under the Main Agreement. 4.2 Should the Data Controller in its reasonable opinion believe, and be able to substantiate, that the amendments to the instructions introduced by the Data Processor cause the Data Con- troller to be non-compliant with General Data Protection Regulation, the Data Controller shall be entitled to terminate this Agreement and the Main Agreement by giving notice of termination to the Data Processor within the 10 business days from receiving notice of the amendments, otherwise the amendments will be deemed accepted by the Data Controller and will effectively become part of this Agreement. 4.3 The Data Processor must immediately inform the Data Controller if, in the Data Processor’s opinion, an instruction infringes the EU General Data Protection Regulation or the data pro- tection provisions of a Member State. 4.4 The Data Processor must take all necessary technical and organisational security measures, including any additional measures, required to ensure that the personal data specified in clause 1.2 is not accidentally or unlawfully destroyed, lost or impaired or brought to the knowledge of unauthorised third parties, abused or otherwise processed in a manner which is contrary to applicable national law in the relevant EU EU/EEA member states, in the Nordics and Baltics.legislation states in force at any time. These measures shall meet and be equivalent to the certificate and security requirements require- ments specified by card associations and the authorities, in- cluding including the PCI DSS (Payment Card Industry – Data Security Standard), for details see xxxxx://xxx.xxxxxxxxxxxxxxxxxxxx.xxx. The security measures deemed necessary and applied by the Data Processor shall be risk based, and will be updated from time to time by the Data Processor. 4.5 The Data Processor must ensure that employees authorized to process the personal data have committed themselves to confidentiality or are under appropriate statutory obligation of confidentiality. 4.6 If so requested by the Data Controller, the Data Processor must state and/or document that the Data Processor complies with the requirements of the applicable data protection legisla- tion, including documentation regarding the data flows of the Data Processor as well as pro- cedures/policies for processing of personal data. In terms of documentation supporting such statement of compliance, it is agreed that the Data Processors Attestation of Compliance with the Payment Card Industry Data Security Standard Requirements and Security Assess- ment Procedures (PCI DSS) is sufficient. 4.7 Taking into account the nature of the processing, the Data Processor must, as far as possible, assist the controller by appropriate technical and organisational measures, for the fulfilment of the Data Controller’s obligation to respond to requests for exercising the data subject’s rights as laid down in chapter 3 in the General Data Protection Regulation. 4.8 The Data Processor, or another data processor (sub-data processor) must send requests and objections from data subjects to the Data Controller, for the Data Controller's further pro- cessing thereof, unless the Data Processor is entitled to handle such request itself. If re- quested by the Data Controller, the Data Processor must assist the Data Controller in answer- ing any such requests and/or objections. 4.9 If the Data Processor processes personal data in another member state, the Data Processor must comply with legislation concerning security measures in that member state. 4.10 The Data Processor must notify the Data Controller where there is a data breach, as defined in 4.12 of the General Data Protection Regulation. The Data Processor’s deadline for notifying the Data Controller of a security breach is 24 hours from the moment the Data Processor becomes aware of a security breach. If requested by the Data Controller, the Data Processor must assist the Data Controller in relation to clarifying the scope of the security breach, in- cluding preparation of any notification to the Danish Data Protection Agency and/or data subjects. 4.11 The Data Processor must make available to the Data Controller all information necessary to demonstrate compliance with article 28 of the General Data Protection Regulation and the Agreement. This requirement can be met by the Data Processor demonstrating a valid PCI compliance certification and/or the relevant and required sections (as determined by the Data Processor) from the latest annual PCI DSS compliance audit performed on the Data Pro- cessor. Details regarding the audit procedures and scope are available from the PCI Security Standards Council, xxxxx://xxx.xxxxxxxxxxxxxxxxxxxx.xxx, or can be obtained from the Data Processor upon request. 4.12 In addition to the above, the Data Processor must to the extent reasonable assist the Data Controller in ensuring compliance with the Data Controller’s obligations under article 32-36 of the General Data Protection Regulation. This assistance will take into account the nature of the processing and the information available to the Data Processor.

OBLIGATIONS OF THE DATA PROCESSOR. 4.1 All processing by the Data Processor of the personal data provided by the Data Controller must be in accordance with instructions set forth in this Agreement (including with regard to data transfers) and which constitute the Data Controllers complete and final instructions to the Data Processor, unless i) EU or EU Member State law to which the Data Processor is subject requires other processing of the personal data by the Data Processor, or ii) in the event the Data Processors makes changes to its systems, processes, etc. which requires chan- ges to the instructions, in which case Data Processor will notify the Data Controller of amen- dents to the instructions in the same manner as the Data Processor provides notice of Amendments to the General Terms and Conditions under the Main Agreement. 4.2 Should the Data Controller in its reasonable opinion believe, and be able to substantiate, that the amendments to the instructions introduced by the Data Processor cause the Data Con- troller to be non-compliant with General Data Protection Regulation, the Data Controller shall be entitled to terminate this Agreement and the Main Agreement by giving notice of termination to the Data Processor within the 10 business days from receiving notice of the amendments, otherwise the amendments will be deemed accepted by the Data Controller and will effectively become part of this Agreement. 4.3 The Data Processor must immediately inform the Data Controller if, in the Data Processor’s opinion, an instruction infringes the EU General Data Protection Regulation or the data pro- tection provisions of a Member State. 4.4 The Data Processor must take all necessary technical and organisational security measures, including any additional measures, required to ensure that the personal data specified in clause 1.2 is not accidentally or unlawfully destroyed, lost or impaired or brought to the knowledge of unauthorised third parties, abused or otherwise processed in a manner which is contrary to applicable national law in the relevant EU EU/EEA member states, in the Nordics and Baltics.legislation states in force at any time. These measures shall meet and be equivalent to the certificate and security requirements require- ments specified by card associations and the authorities, in- cluding including the PCI DSS (Payment Card Industry – Data Security Standard), for details see xxxxx://xxx.xxxxxxxxxxxxxxxxxxxx.xxx. The security measures deemed necessary and applied by the Data Processor shall be risk based, and will be updated from time to time by the Data Processor. 4.5 The Data Processor must ensure that employees authorized to process the personal data have committed themselves to confidentiality or are under appropriate statutory obligation of confidentiality. 4.6 If so requested by the Data Controller, the Data Processor must state and/or document that the Data Processor complies with the requirements of the applicable data protection legisla- tion, including documentation regarding the data flows of the Data Processor as well as pro- cedures/policies for processing of personal data. In terms of documentation supporting such statement of compliance, it is agreed that the Data Processors Attestation of Compliance with the Payment Card Industry Data Security Standard Requirements and Security Assess- ment Procedures (PCI DSS) is sufficient. 4.7 Taking into account the nature of the processing, the Data Processor must, as far as possible, assist the controller by appropriate technical and organisational measures, for the fulfilment of the Data Controller’s obligation to respond to requests for exercising the data subject’s rights as laid down in chapter 3 in the General Data Protection Regulation. 4.8 The Data Processor, or another data processor (sub-data processor) must send requests and objections from data subjects to the Data Controller, for the Data Controller's further pro- cessing thereof, unless the Data Processor is entitled to handle such request itself. If re- quested by the Data Controller, the Data Processor must assist the Data Controller in answer- ing any such requests and/or objections. 4.9 If the Data Processor processes personal data in another member state, the Data Processor must comply with legislation concerning security measures in that member state. 4.10 The Data Processor must notify the Data Controller where there is a data breach, as defined in 4.12 of the General Data Protection Regulation. The Data Processor’s deadline for notifying the Data Controller of a security breach is 24 hours from the moment the Data Processor becomes aware of a security breach. If requested by the Data Controller, the Data Processor must assist the Data Controller in relation to clarifying the scope of the security breach, in- cluding preparation of any notification to the Danish competent Data Protection Agency and/or data subjects. 4.11 The Data Processor must make available to the Data Controller all information necessary to demonstrate compliance with article 28 of the General Data Protection Regulation and the Agreement. This requirement can be met by the Data Processor demonstrating a valid PCI compliance certification and/or the relevant and required sections (as determined by the Data Processor) from the latest annual PCI DSS compliance audit performed on the Data Pro- cessor. Details regarding the audit procedures and scope are available from the PCI Security Standards Council, xxxxx://xxx.xxxxxxxxxxxxxxxxxxxx.xxx, or can be obtained from the Data Processor upon request. 4.12 In addition to the above, the Data Processor must to the extent reasonable assist the Data Controller in ensuring compliance with the Data Controller’s obligations under article 32-36 of the General Data Protection Regulation. This assistance will take into account the nature of the processing and the information available to the Data Processor.

OBLIGATIONS OF THE DATA PROCESSOR. 4.1 All processing In general, the Data Processor is required to: i. process the Customer Data for the sole purpose of correctly providing the Services in favor of the Data Controller; ii. process the Customer Data in compliance with the instructions given by the Data Controller with this DPSA and/or subsequently and, in any case, to operate in accordance with the provisions of GDPR and the applicable provisions of the Italian Data Protection Authority ("Italian DPA"). Any possible further instruction not listed in this DPSA that the Data Controller intends to provide to the Data Processor must be previously confirmed in writing by Data Processor. Where Data Processor believes compliance with Data Controller’s instructions could result in a violation of the GDPR and/or any other applicable data protection law or is not in the ordinary course of Data Processor’s obligations in providing the Services, Data Processor shall promptly notify Data Controller thereof. No damages and/or lack of service and/or prejudice will be reimbursed by the Data Processor of the personal data provided by to the Data Controller must be in accordance with instructions set forth in this Agreement (including with regard to data transfers) and which constitute the Data Controllers complete and final instructions due to the Data Processor, unless i) EU or EU Member State law 's failure to which perform processing operations under this DPSA as a result of any refusal of the Data Processor is subject requires other processing of the personal data by the Data Processor, or ii) in the event the Data Processors makes changes to its systems, processes, etc. which requires chan- ges to the instructions, in which case Data Processor will notify the Data Controller of amen- dents to the instructions in the same manner as the Data Processor provides notice of Amendments to the General Terms and Conditions under the Main Agreement. 4.2 Should the Data Controller in its reasonable opinion believe, and be able to substantiate, that the amendments to the instructions introduced by the Data Processor cause the Data Con- troller to be non-compliant comply with General Data Protection Regulation, the Data Controller shall be entitled to terminate this Agreement and the Main Agreement by giving notice of termination to the Data Processor within the 10 business days from receiving notice of the amendments, otherwise the amendments will be deemed accepted by the Data Controller and will effectively become part of this Agreement. 4.3 The Data Processor must immediately inform the Data Controller if, in the Data Processor’s opinion, an unlawful instruction infringes the EU General Data Protection Regulation or the data pro- tection provisions of a Member State. 4.4 The Data Processor must take all necessary technical and organisational security measures, including any additional measures, required to ensure that the personal data specified in clause 1.2 is not accidentally or unlawfully destroyed, lost or impaired or brought to the knowledge of unauthorised third parties, abused or otherwise processed in a manner which is contrary to applicable national law in the relevant EU member states, in the Nordics and Baltics.legislation in force at any time. These measures shall meet and be equivalent to the certificate and security requirements specified by card associations and the authorities, in- cluding the PCI DSS (Payment Card Industry – Data Security Standard), for details see xxxxx://xxx.xxxxxxxxxxxxxxxxxxxx.xxx. The security measures deemed necessary and applied by the Data Processor shall be risk based, and will be updated from time to time by the Data Processor. 4.5 The Data Processor must ensure that employees authorized to process the personal data have committed themselves to confidentiality or are under appropriate statutory obligation of confidentiality. 4.6 If so requested received by the Data Controller, the Data Processor must state and/or document that the Data Processor complies with the requirements of the applicable data protection legisla- tion, including documentation regarding the data flows of the Data Processor as well as pro- cedures/policies for processing of personal data; iii. In terms of documentation supporting such statement of compliance, it is agreed that the Data Processors Attestation of Compliance with the Payment Card Industry Data Security Standard Requirements and Security Assess- ment Procedures (PCI DSS) is sufficient. 4.7 Taking into account the nature of the processing, the Data Processor must, as far as possible, assist the controller by appropriate technical and organisational measures, for the fulfilment of the Data Controller’s obligation to respond to requests for exercising the data subject’s rights as laid down in chapter 3 in the General Data Protection Regulation. 4.8 The Data Processor, or another data processor (sub-data processor) must send requests and objections from data subjects to the Data Controller, for the Data Controller's further pro- cessing thereof, unless the Data Processor is entitled to handle such request itself. If re- quested by the Data Controller, the Data Processor must assist the Data Controller in answer- ing any such requests and/or objections. 4.9 If the Data Processor processes personal data in another member state, the Data Processor must comply with legislation concerning security measures in that member state. 4.10 The Data Processor must notify the Data Controller where there is a data breach, as defined in 4.12 of the General Data Protection Regulation. The Data Processor’s deadline for notifying the Data Controller of a security breach is 24 hours from the moment the Data Processor becomes aware of a security breach. If requested by the Data Controller, the Data Processor must assist the Data Controller in relation to clarifying the scope of the security breach, in- cluding preparation of any notification to the Danish Data Protection Agency and/or data subjects. 4.11 The Data Processor must make available to the Data Controller all the information necessary to demonstrate compliance with article 28 of the General Data Protection Regulation obligations set forth in this DPSA and to allow and contribute to the Agreement. This requirement can be met audit activities, including inspections, carried out by the Data Processor demonstrating a valid PCI compliance certification Controller or another authorized person, as indicated in art. 11 below; iv. not communicate and/or disseminate the relevant processed data to third parties, unless strictly necessary for the purposes of the processing and/or with the prior authorization of the Data Controller; v. comply with the conditions and required sections (as determined procedures set forth in art. 9 below for the appointment of any sub- processor; vi. carry out, for the purposes of the correct application of the GDPR and the instructions provided by the Data Processor) from the latest annual PCI DSS compliance audit performed Controller, periodic checks on the Data Pro- cessor. Details regarding fulfilments and activities carried out by the audit procedures and scope are available from the PCI Security Standards Council, xxxxx://xxx.xxxxxxxxxxxxxxxxxxxx.xxx, or can be obtained from the Data Processor upon request. 4.12 In addition subjects authorized to the above, the Data Processor must to the extent reasonable processing and by their sub-processors; vii. assist the Data Controller in ensuring compliance with the preparation of a possible data protection impact assessment (“DPIA”) and in any prior consultation of the Italian Data Controller’s obligations under article 32-Protection Authority, where deemed necessary, pursuant to art. 36 of the General Data Protection Regulation. This assistance will take into account the nature of the processing and the information available to the Data ProcessorGDPR.

OBLIGATIONS OF THE DATA PROCESSOR. 4.1 All processing by the Data Processor of the personal data provided by the Data Controller must be in accordance with instructions set forth in this Agreement (including with regard to data transfers) and which constitute the Data Controllers complete and final instructions to the Data Processor, unless i) EU or EU Member State law to which the Data Processor is subject requires other processing of the personal data by the Data Processor, or ii) in the event the Data Processors makes changes to its systems, processes, etc. which requires chan- ges changes to the instructions, in which case Data Processor will notify the Data Controller of amen- dents amendents to the instructions in the same manner as the Data Processor provides notice of Amendments to the General Terms and Conditions under the Main Agreement. 4.2 Should the Data Controller in its reasonable opinion believe, and be able to substantiate, that the amendments to the instructions introduced by the Data Processor cause the Data Con- troller Controller to be non-compliant with General Data Protection Regulation, the Data Controller shall be entitled to terminate this Agreement and the Main Agreement by giving notice of termination to the Data Processor within the 10 business days from receiving notice of the amendments, otherwise the amendments will be deemed accepted by the Data Controller and will effectively become part of this Agreement. 4.3 The Data Processor must immediately inform the Data Controller if, in the Data Processor’s opinion, an instruction infringes the EU General Data Protection Regulation or the data pro- tection protection provisions of a Member State. 4.4 The Data Processor must take all necessary technical and organisational security measures, including any additional measures, required to ensure that the personal data specified in clause 1.2 is not accidentally or unlawfully destroyed, lost or impaired or brought to the knowledge of unauthorised third parties, abused or otherwise processed in a manner which is contrary to applicable national law in the relevant EU EU/EEA member states, in the Nordics and Baltics.legislation states in force at any time. These measures shall meet and be equivalent to the certificate and security requirements specified by card associations and the authorities, in- cluding including the PCI DSS (Payment Card Industry – Data Security Standard), for details see xxxxx://xxx.xxxxxxxxxxxxxxxxxxxx.xxx. The security measures deemed necessary and applied by the Data Processor shall be risk based, and will be updated from time to time by the Data Processor. 4.5 The Data Processor must ensure that employees authorized to process the personal data have committed themselves to confidentiality or are under appropriate statutory obligation of confidentiality. 4.6 If so requested by the Data Controller, the Data Processor must state and/or document that the Data Processor complies with the requirements of the applicable data protection legisla- tionlegislation, including documentation regarding the data flows of the Data Processor as well as pro- ceduresprocedures/policies for processing of personal data. In terms of documentation supporting such statement of compliance, it is agreed that the Data Processors Attestation of Compliance with the Payment Card Industry Data Security Standard Requirements and Security Assess- ment Assessment Procedures (PCI DSS) is sufficient. 4.7 Taking into account the nature of the processing, the Data Processor must, as far as possible, assist the controller by appropriate technical and organisational measures, for the fulfilment of the Data Controller’s obligation to respond to requests for exercising the data subject’s rights as laid down in chapter 3 in the General Data Protection Regulation. 4.8 The Data Processor, or another data processor (sub-data processor) must send requests and objections from data subjects to the Data Controller, for the Data Controller's further pro- cessing processing thereof, unless the Data Processor is entitled to handle such request itself. If re- quested requested by the Data Controller, the Data Processor must assist the Data Controller in answer- ing answering any such requests and/or objections. 4.9 If the Data Processor processes personal data in another member state, the Data Processor must comply with legislation concerning security measures in that member state. 4.10 The Data Processor must notify the Data Controller where there is a data breach, as defined in 4.12 of the General Data Protection Regulation. The Data Processor’s deadline for notifying the Data Controller of a security breach is 24 hours from the moment the Data Processor becomes aware of a security breach. If requested by the Data Controller, the Data Processor must assist the Data Controller in relation to clarifying the scope of the security breach, in- cluding including preparation of any notification to the Danish competent Data Protection Agency and/or data subjects. 4.11 The Data Processor must make available to the Data Controller all information necessary to demonstrate compliance with article 28 of the General Data Protection Regulation and the Agreement. This requirement can be met by the Data Processor demonstrating a valid PCI compliance certification and/or the relevant and required sections (as determined by the Data Processor) from the latest annual PCI DSS compliance audit performed on the Data Pro- cessorProcessor. Details regarding the audit procedures and scope are available from the PCI Security Standards Council, xxxxx://xxx.xxxxxxxxxxxxxxxxxxxx.xxx, or can be obtained from the Data Processor upon request. 4.12 In addition to the above, the Data Processor must to the extent reasonable assist the Data Controller in ensuring compliance with the Data Controller’s obligations under article 32-36 of the General Data Protection Regulation. This assistance will take into account the nature of the processing and the information available to the Data Processor.