Common use of OBLIGATIONS OF THE DATA PROCESSOR Clause in Contracts

OBLIGATIONS OF THE DATA PROCESSOR. 4.1 All processing by the Data Processor of the personal data provided by the Data Controller must be in accordance with these instructions from the Data Controller, and the Data Processor is, furthermore, obliged to comply with any and all data protection legislation in force from time to time. If European Union law or law of a EU Member State to which the Data Processor is subject stipulates that the Data Processor is required to process the personal data listed in clause 1.2, the Data Processor must inform the Data Controller of that legal requirement before processing. However, this does not apply if this legislation prohibits such information on important grounds of public interests. The Data Processor must immediately inform the Data Controller if, in the Data Processor’s opinion, an instruction infringes the EU General Data Protection Regulation or the data protection provisions of a EU Member State. 4.2 The Data Processor must take all necessary technical and organisational security measures, including any additional measures, required to ensure that the personal data specified in clause 1.2 is not accidentally or unlawfully destroyed, lost or impaired or brought to the knowledge of unauthorised third parties, abused or otherwise processed in a manner which is contrary to Danish data protection legislation in force at any time. These measures are described in more detail in Schedule 1. 4.3 The Data Processor must ensure that employees authorised to process the personal data have committed themselves to confidentiality or are under the appropriate statutory obligation of confidentiality. 4.4 If so requested by the Data Controller, the Data Processor must state and/or document that the Data Processor complies with the requirements of the applicable data protection legislation, including documentation regarding the data flows of the Data Processor as well as procedures/policies for processing of personal data. 4.5 Taking into account the nature of the processing, the Data Processor must, as far as possible, assist the controller by appropriate technical and organisational measures, for the fulfilment of the Data Controller’s obligation to respond to requests for exercising the data subject’s rights as laid down in chapter 3 in the General Data Protection Regulation. 4.6 The Data Processor, or another Data Processor (sub-Data Processor) must send requests and objections from data subjects to the Data Controller, for the Data Controller's further processing thereof, unless the Data Processor is entitled to handle such request itself. If requested by the Data Controller, the Data Processor must assist the Data Controller in answering any such requests and/or objections. 4.7 If the Data Processor processes personal data in another EU member state, the Data Processor must comply with legislation concerning security measures in that member state. 4.8 The Data Processor must notify the Data Controller where there is a suspicion that data protection rules have been breached or other irregularities in connection with the processing of the personal data occur. The Data Processor’s deadline for notifying the Data Controller of a security breach is 24 hours from the moment the Data Processor becomes aware of a security breach. If requested by the Data Controller, the Data Processor must assist the Data Controller in relation to clarifying the scope of the security breach, including preparation of any notification to the Danish Data Protection Agency and/or data subjects. 4.9 The Data Processor must make available to the Data Controller all information necessary to demonstrate compliance with article 28 of the General Data Protection Regulation and the Agreement. In this connection, the Data Processor allows for and contributes to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller. 4.10 In addition to the above, the Data Processor must assist the Data Controller in ensuring compliance with the Data Controller’s obligations under article 32-36 of the General Data Protection Regulation. This assistance will consider the nature of the processing and the information available to the Data Processor.

OBLIGATIONS OF THE DATA PROCESSOR. 4.1 All processing by the Data Processor of the personal data provided by the Data Controller must be in accordance with these instructions from the Data Controller, and the Data Processor is, furthermore, obliged to comply with any and all data protection legislation in force from time to time. If European Union law or law of a EU Member State to which the Data Processor is subject stipulates that the Data Processor is required to process the personal data listed in clause 1.2, the Data Processor must inform the Data Controller of that legal requirement before processing. However, this does not apply if this legislation prohibits such information on important grounds of public interests. The Data Processor must immediately inform the Data Controller if, in the Data Processor’s opinion, an instruction infringes the EU General Data Protection Regulation or the data protection provisions of a EU Member State. 4.2 The Data Processor must take all necessary technical and organisational security measures, including any additional measures, required to ensure that the personal data specified in clause 1.2 is not accidentally or unlawfully destroyed, lost or impaired or brought to the knowledge of unauthorised third parties, abused or otherwise processed in a manner which is contrary to Danish data protection legislation in force at any time. These measures are described in more detail in Schedule 1. 4.3 The Data Processor must ensure that employees authorised to process the personal data have committed themselves to confidentiality or are under the appropriate statutory obligation of confidentiality. 4.4 If so requested by the Data Controller, the Data Processor must state and/or document that the Data Processor complies with the requirements of the applicable data protection legislation, including documentation regarding the data flows of the Data Processor as well as procedures/policies for processing of personal data. 4.5 Taking into account the nature of the processing, the Data Processor must, as far as possible, assist the controller by appropriate technical and organisational measures, for the fulfilment of the Data Controller’s obligation to respond to requests for exercising the data subject’s rights as laid down in chapter 3 in the General Data Protection Regulation. 4.6 The Data Processor, or another Data Processor (sub-Data Processor) must send requests and objections from data subjects to the Data Controller, for the Data Controller's further processing thereof, unless the Data Processor is entitled to handle such request itself. If requested by the Data Controller, the Data Processor must assist the Data Controller in answering any such requests and/or objections. 4.7 If the Data Processor processes personal data in another EU member state, the Data Processor must comply with legislation concerning security measures in that member state. 4.8 The Data Processor must notify the Data Controller where there is a suspicion that data protection rules have been breached or other irregularities in connection with the processing of the personal data occur. The Data Processor’s deadline for notifying the Data Controller of a security breach is 24 hours from the moment the Data Processor becomes aware of a security breach. If requested by the Data Controller, the Data Processor must assist the Data Controller in relation to clarifying the scope of the security breach, including preparation of any notification to the Danish relevant Data Protection Agency and/or data subjects. 4.9 The Data Processor must make available to the Data Controller all information necessary to demonstrate compliance with article 28 of the General Data Protection Regulation and the Agreement. In this connection, the Data Processor allows for and contributes to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller. 4.10 In addition to the above, the Data Processor must assist the Data Controller in ensuring compliance with the Data Controller’s obligations under article 32-36 of the General Data Protection Regulation. This assistance will consider the nature of the processing and the information available to the Data Processor.

OBLIGATIONS OF THE DATA PROCESSOR. 4.1 All processing by the Data Processor of the personal data provided by the Data Controller must be in accordance with these instructions from prepared by the Data Controller, and the Data Processor is, furthermore, obliged to comply with any and all data protection legislation in force from time to time. If European Union law or law of a an EU Member State to which the Data Processor is subject stipulates that the Data Processor is required to process the personal data listed in clause 1.2Schedule 1, the Data Processor must inform the Data Controller of that legal requirement before processing. However, this does not apply if this legislation prohibits such information on important grounds of public interests. The Data Processor must immediately inform the Data Controller if, in the Data Processor’s opinion, an instruction infringes the EU General Data Protection Regulation or the data protection provisions of a an EU Member State. 4.2 The Data Processor must take all necessary technical and organisational security measures, including any additional measures, required to ensure that the personal data specified in clause 1.2 is not accidentally or unlawfully destroyed, lost or impaired or brought to the knowledge of unauthorised third parties, abused or otherwise processed in a manner which is contrary to Danish data protection legislation in force at any time. These measures are described in more detail in Schedule 12. 4.3 The Data Processor must ensure that employees authorised to process the personal data have committed themselves to confidentiality or are under the appropriate statutory obligation of confidentiality. 4.4 If so requested by the Data Controller, the Data Processor must state and/or document that the Data Processor complies with the requirements of the applicable data protection legislation, including documentation regarding the data flows of the Data Processor as well as procedures/policies for processing of personal data. 4.5 Taking into account the nature of the processing, the Data Processor must, as far as possible, assist the controller by appropriate technical and organisational measures, for the fulfilment of the Data Controller’s obligation to respond to requests for exercising the data subject’s rights rights, as laid down in chapter 3 in the General Data Protection Regulation. 4.6 The Data Processor, or another Data Processor (sub-Data Processordata processor) must send requests and objections from data subjects to the Data Controller, for the Data Controller's further processing thereof, unless the Data Processor is entitled to handle such request itself. If requested by the Data Controller, the Data Processor must assist the Data Controller in answering any such requests and/or objections. 4.7 If the Data Processor processes personal data in another EU member state, the Data Processor must comply with legislation concerning security measures in that member state. 4.8 The Data Processor must notify the Data Controller where there is an interruption in operation, a suspicion that data protection rules have been breached or other irregularities in connection with the processing of the personal data occur. The Data Processor’s deadline for notifying the Data Controller of a security breach is 24 hours from the moment the Data Processor becomes aware of a security breach. If requested by the Data Controller, the Data Processor must assist the Data Controller in relation to clarifying the scope of the security breach, including preparation of any notification to the Danish relevant Data Protection Agency and/or data subjects. 4.9 The Data Processor must make available to the Data Controller all information necessary to demonstrate compliance with article 28 of the General Data Protection Regulation and the Agreement. In this connection, connection the Data Processor allows for and contributes to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller. 4.10 In addition to the above, the Data Processor must assist the Data Controller in ensuring compliance with the Data Controller’s obligations under article 32-36 of the General Data Protection Regulation. This assistance will consider take into account the nature of the processing and the information available to the Data Processor.