Common use of OBLIGATIONS OF THE DATA PROCESSOR Clause in Contracts

OBLIGATIONS OF THE DATA PROCESSOR.

5.1 The Data Controller instructs the Data Processor to only Process Personal Data according to its lawful instructions, that have been described in Schedule 1 (instructions to the Data Processor). It is the Data Controller's responsibility to ensure that the instructions are not contrary to Personal Data Legislation.

5.2 In addition to what otherwise follows from the Agreement, the Data Processor undertakes:

a) to assist the Data Controller in ensuring compliance with the obligations deriving from applicable Personal Data Legislation, taking into account the nature of Processing and the information available to the Data Processor;
b) to immediately inform the Data Controller if, in the Data Processor's opinion, an instruction infringes the applicable Personal Data Legislation and the Data Processor is then not obligated to carry out the relevant Processing until the parties have decided how to solve the matter or until a supervisory authority declares the instruction as lawful.
c) to implement appropriate technical and organisational measures according to Schedule 1 in order to protect and safeguard the Personal Data that is Processed against Personal Data Breaches (Data Processor may amend the technical and organizational measures from time to time provided that the amended technical and organizational measures are not less protective of the Personal Data as those set out in Appendix 1);
d) to maintain records of all categories of Processing performed on behalf of the Data Controller, including name and contact details and, where applicable, transfers of Personal Data to a Third Country or international organisation and, where possible, a general description of the technical and organisational security measures;
e) to ensure that only authorised persons can Process Personal Data, and ensure that these persons have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
f) to without undue delay refer any third party requesting information relating to the Personal Data to the Data Controller, unless such reference is prohibited under criminal law (e.g. to preserve the confidentiality of a law enforcement investigation) and on request cooperate with relevant supervisory authority in the performance of its tasks and without undue delay inform the Data Controller of this;
g) to assist the Data Controller through appropriate technical and organisational measures, to the extent possible, so that the Data Controller can fulfil its obligation to respond to a request following a data subject exercising its rights under applicable Personal Data Legislation;
h) to, considering the type of Processing and the information available to the Data Processor, at the request of the Data Controller, assist the Data Controller in ensuring that the obligations regarding carrying out an impact assessment for data protection and preceding consultation with responsible supervisory authority, are met in accordance with applicable Personal Data Legislation;
i) to transfer Personal Data belonging to the Data Controller, to a third country, provided that: (a) the third country according to a decision issued by the EU Commission provides an adequate level of protection for Personal Data which comprises the Processing of Personal Data; (b) Data Processor ensures that there are appropriate safeguards in place in accordance with Personal Data Legislation, e.g. standard data protection clauses adopted by the EU Commission under applicable Personal Data Legislation, that comprises the transfer and the Processing of Personal Data; or (c) if there are any other exemptions under applicable Personal Data Legislation that comprise the Processing of Personal Data; and
j) to make available to the Data Controller, upon the Data Controller's request, information in order to demonstrate compliance with the obligations of Data Processor laid down in Art. 28 GDPR.

The audit shall be carried out by the Data Controller or such independent third party that the Data Controller appoints (that is not a competitor to the Data Processor), provided that such person is bound by a duty of confidentiality (which the Data Processor in its reasonable opinion considers to be acceptable). Data Controller shall bear any costs arising out of or in connection with an audit.

Appears in 2 contracts

Samples: Personal Data Processing Agreement, Personal Data Processing Agreement


OBLIGATIONS OF THE DATA PROCESSOR. 5.1 The Data Controller instructs the Processor warrants and undertakes that: 4.1 It will comply with all applicable law including Applicable Data Processor to only Process Personal Data according to Protection law in its lawful instructions, that have been described in Schedule 1 (instructions to the Data Processor). It is the Data Controller's responsibility to ensure that the instructions are not contrary to Personal Data Legislationperformance of this Agreement. 5.2 In addition to what otherwise follows from the Agreement, the Data Processor undertakes: a) to assist the Data Controller in ensuring compliance with the obligations deriving from applicable Personal Data Legislation, taking into account the nature of Processing and the information available to the Data Processor; b) to immediately inform the Data Controller if, in the Data Processors opinion, an instruction infringes the applicable Personal Data Legislation and the Data Processor is then not obligated to carry out the relevant Processing until the parties have decided how to solve the matter or until a supervisory authority declares the instruction as lawful. c) to implement appropriate technical and organisational measures according to Schedule 1 in order to protect and safeguard 4.2 It will only process the Personal Data that is Processed against Personal Data Breaches (Data Processor may amend on the technical and organizational measures from time to time provided that the amended technical and organizational measures are not less protective of the Personal Data as those set out in Appendix 1); d) to maintain records of all categories of Processing performed on behalf instructions of the Data Controller, including name and contact details and, where applicable, transfers of . 
4.3 It will not transfer Personal Data to a Third Country or international organisation and, where possible, a general description without the prior written approval of the Data Controller and only then once the transfer to the Third Country has been legitimised and the Data Controller and the Data Processor are satisfied that an adequate Data Protection regime exists in the Third Country. 4.4 It will not appoint sub-processors to process the Personal Data on its behalf without the prior written approval of the Data Controller. 4.5 Once approved by the Data Controllers, sub-processors will only process the Personal Data on the instructions of the Data Processor and the Data Processor will put in place a legal agreement in writing to govern the sub-processing. 4.6 It will have in place appropriate technical and organisational measures, and all measures pursuant to Article 32 of the GDPR, to protect the confidentiality of the Personal Data and to protect the Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, and which provide a level of security measures;appropriate to the risk represented by the processing and the nature of the data to be protected. e) to ensure that only authorised persons can Process 4.7 It will obtain guarantees from any sub-processors processing the Personal Data, that they will have in place appropriate technical and ensure organisational measures, and all measures pursuant to Article 32 of the GDPR, to protect the confidentiality of the Personal Data and to protect the Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected. 
4.8 It will have in place procedures so that these persons any individual party it authorises to have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; f) to without undue delay refer any third party requesting information relating access to the Personal Data, including employees of the Data Processor, will respect and maintain the confidentiality and security of the Personal Data. Any person acting under the authority of the Data Processor shall be obligated to process the Personal Data only on instructions from the Data Processor. This provision does not apply to persons authorised or required by law or regulation to have access to the Personal Data. 4.9 It will not disclose any Personal Data to a third party in any circumstances other than at the specific written request of the Data Controller, unless such reference disclosure is prohibited under criminal necessary in order to fulfil the obligations of the Services Agreement, or is required by applicable law. 4.10 It will notify the Data Controller of any request for information by the DPC and will not disclose any Personal Data without the prior consent of the Data Controller. 4.11 It will notify the Data Controller of any complaint, notice or communication received which relates directly or indirectly to the processing of the Personal Data, or other connected activities, or which relates directly or indirectly to the compliance of the Data Processor and/or the Data Controller with relevant applicable law (e.g. to preserve including Applicable Data Protection law. 4.12 It will give the confidentiality Data Controller prompt notice of a law enforcement investigation) Personal Data breach or a potential data breach, once becoming aware of same, and the Data Processor will cooperate with the Data Controller in implementing any appropriate action concerning the breach or the potential breach as the case may be, including corrective actions. 
4.13 It will delete from its systems all soft copies of any Personal Data and return all soft and hard copy documentation on the completion of the Service Agreement or on request cooperate with relevant supervisory authority from the Data Controller and will do so in a timely manner, giving a written confirmation of same having been done. The only exception to this Clause 4.14 shall be where the Data Processor shall have a legitimate reason, which is confirmed by the Data Controller, to continue to process particular data or where it is legally required to maintain data records. 4.14 Without prejudice to other legal provisions concerning the Data Subject’s right to compensation and the liability of the parties generally, as well as legal provisions concerning fines and penalties, the Data Processor will carry full liability in the performance instance where it or its sub-processor is found to have infringed applicable law including Applicable Data Protection law through his processing of its tasks the Personal Data. 4.15 It has no reason to believe, at the time of entering into this Agreement, of the existence of any reason that would have a substantial adverse effect on the guarantees provided for under this Agreement, and without undue delay it will inform the Data Controller (which will pass such notification on to the DPC where required) if it becomes aware of this;any such reason. g) 4.16 It will process the Personal Data for purposes described in Schedule 1, and has the legal authority to assist give the warranties and fulfil the undertakings set out in this Agreement. 
4.17 It will identify to the Data Controller through appropriate technical and organisational measures, to the extent possible, so that the Data Controller can fulfil a contact person within its obligation organisation authorised to respond to a request following a data subject exercising its rights under applicable enquiries concerning processing of the Personal Data, and will cooperate in good faith with the Data Legislation; h) toController, considering the type of Processing Data Subject and the information available DPC concerning all such enquiries within a reasonable time. 4.18 It will register with the DPC in accordance with the Applicable Data Protection law and do all things necessary to comply with the Applicable Data ProcessorProtection law and be responsible in accordance with law, at both statutory and common law to Data Subjects for any infringement of privacy or disclosure arising from its negligence, howsoever caused. It will be capable of demonstrating its compliance with the obligations of Applicable Data Protection law. Upon reasonable request of the Data Controller, assist the Data Processor will submit it, and/or as appropriate its sub-processors will submit, data processing facilities, data files and documentation used for processing, reviewing, auditing and/or certifying by the Data Controller in ensuring that (or any independent or impartial inspection agents or auditors, selected by the obligations regarding carrying out an impact assessment for data protection Data Controller and preceding consultation with responsible supervisory authority, are met in accordance with applicable Personal not reasonably objected to by the Data Legislation; iProcessor) to transfer Personal ascertain compliance with the warranties and undertakings in this Agreement, with reasonable notice and during regular business hours. 
The request will be subject to any necessary consent or approval from a regulatory or supervisory authority within the country of the Data belonging to Controller. The Data Processor will assist the Data Controller, whenever reasonably required, in so far as possible, to a third country, provided that: (a) the third country according to a decision issued by the EU Commission provides an adequate level of protection for Personal Data which comprises the Processing of Personal Data; (b) Data Processor ensures that there are appropriate safeguards in place in accordance with Personal Data Legislation, e.g. standard data protection clauses adopted by the EU Commission under applicable Personal Data Legislation, that comprises the transfer and the Processing of Personal Data; or (c) if there are any other exemptions under applicable Personal Data Legislation that comprise the Processing of Personal Data; and j) to make available to fulfil the Data Controller, upon ’s obligation to respond to requests for exercising the Data Controller's request, information in order to demonstrate compliance with the obligations of Subject’s rights as provided under Applicable Data Processor laid down in Art. 28 GDPR. The audit shall be carried out by the Data Controller or such independent third party that the Data Controller appoints (that is not a competitor to the Data Processor), provided that such person is bound by a duty of confidentiality (which Protection law and the Data Processor will have the appropriate organisational and technical measures in its reasonable opinion considers place to be acceptable). deal with Data Controller shall bear any costs arising out of or in connection with an auditSubject requests.

Appears in 1 contract

Samples: Data Processor Agreement

OBLIGATIONS OF THE DATA PROCESSOR. 5.1 The Data Controller instructs Processor acknowledges and agrees that it shall only process Personal Data upon the written instructions of the Data Processor to only Process Personal Data according to its lawful instructions, that have been described Controller as set out in Schedule Exhibit 1 (instructions to the Data Processor)of this Agreement. It is the Data Controller's responsibility to ensure that the instructions are not contrary to Personal Data Legislation. 5.2 In addition to what otherwise follows from the AgreementAccordingly, the Data Processor undertakes: a) undertakes not to assist use the Personal Data of the Data Controller in ensuring for purposes other than those indicated by the Data Controller, or for the Data Processor’s own activity or for that of a third party. If the Data Processor can’t comply with the instructions of the Data Controller for any reason, other than non-compliance with the legal obligations deriving from applicable Personal Data Legislationof these instructions, taking into account the nature of Processing and the information available to the Data Processor; b) to immediately inform the Data Controller ifshall be informed promptly. In such a case, in the Data Processors opinion, an instruction infringes Parties shall discuss the applicable Personal Data Legislation and modifications that the Data Processor is then not obligated to carry out the relevant Processing until the parties have decided how to solve the matter or until a supervisory authority declares the instruction as lawful. c) would agree to implement or that the Data Controller could apply to its instructions. 
The Data Processor ensures that its authorized personnel have receive an appropriate technical training and organisational measures according to Schedule 1 in order to protect and safeguard has been made aware of the applicable security procedures before processing Personal Data that is Processed against Personal entrusted by the Data Breaches (Controller. The Data Processor may amend shall furthermore ensure that its authorized personnel in charge of Data Processing is bound by an appropriate obligation of confidentiality. The Data Processor further agrees: - that the technical and organizational security measures described in Exhibit 2 are based on the instructions and information received from time to time provided the Data Controller as set out in Exhibit 1; and, - that the amended technical and organizational security measures are adequate considering the processing risks and the defined Data Processing purposes. In particular, the Data Processor undertakes not less protective to reduce the overall security of the Personal Data Processing during the term of this Agreement without the prior consent of the Data Controller; and, - to provide the Data Controller with reasonably accessible and relevant information concerning the Data Processing carried out, such as those set out in Appendix 1); d) the information necessary to maintain records conduct a data protection impact assessment on the Data Processing; and, - to keep a record of processing activities of all categories of Data Processing performed activity carried out on behalf of the Data Controller, including name Controller and contact details and, where applicable, transfers of Personal Data to a Third Country or international organisation and, where possible, a general description of the technical and organisational security measures; e) to ensure that only authorised persons can Process Personal Data, and ensure that these persons have committed themselves to confidentiality or are under an appropriate 
statutory obligation of confidentiality; f) to without undue delay refer any third party requesting information relating to the Personal Data to the Data Controller, unless make such reference is prohibited under criminal law (e.g. to preserve the confidentiality of a law enforcement investigation) and on request cooperate with relevant supervisory authority in the performance of its tasks and without undue delay inform the Data Controller of this; g) to assist the Data Controller through appropriate technical and organisational measures, to the extent possible, so that the Data Controller can fulfil its obligation to respond to a request following a data subject exercising its rights under applicable Personal Data Legislation; h) to, considering the type of Processing and the information record available to the Data ProcessorController upon request; and, at - to comply with the request principles of the Data Controllerdata protection by design and by default; and, assist - to provide the Data Controller with the reasonably cooperation and assistance to answer to requests from data subjects, in ensuring that particular the rights of access, rectification, erasure, restriction or portability; and, - to provide the Data Controller with all the documentation justifying the compliance with the Data Processor’s obligations regarding carrying out an impact assessment for data protection and preceding consultation as per this Agreement; and, - to deal with responsible supervisory authority, are met Incidents in accordance with applicable Personal Data Legislation; i) to transfer Personal Data belonging to the Data Controllerthis Agreement, to a third country, provided that: (a) the third country according to a decision issued by the EU Commission provides an adequate level of protection for Personal Data which comprises the Processing of Personal Data; (b) Data Processor ensures that there are appropriate safeguards and in place particular in accordance with Personal Data 
Legislation, e.g. standard data protection clauses adopted by the EU Commission under applicable Personal Data Legislation, that comprises the transfer and the Processing Section “Management of Personal Data; or (c) if there are any other exemptions under applicable Personal Data Legislation that comprise the Processing of Personal Data; and j) to make available to the Data Controller, upon the Data Controller's request, information in order to demonstrate compliance with the obligations of Data Processor laid down in Art. 28 GDPR. The audit shall be carried out by the Data Controller or such independent third party that the Data Controller appoints (that is not a competitor to the Data Processor), provided that such person is bound by a duty of confidentiality (which the Data Processor in its reasonable opinion considers to be acceptable). Data Controller shall bear any costs arising out of or in connection with an auditIncidents”.

Appears in 1 contract

Samples: End User License Agreement

OBLIGATIONS OF THE DATA PROCESSOR.

5.1 The Data Controller instructs the Data Processor to only process Personal Data according to its lawful instructions, that have been described in Schedule 1 (instructions to the Data Processor). It is the Data Controller's responsibility to ensure that the instructions are not contrary to Personal Data Legislation.

5.2 In addition to what otherwise follows from the Agreement, the Data Processor undertakes:

a) to assist the Data Controller in ensuring compliance with the obligations deriving from applicable Personal Data Legislation, taking into account the nature of Processing and the information available to the Data Processor;
b) to immediately inform the Data Controller if, in the Data Processor's opinion, an instruction infringes the applicable Personal Data Legislation and the Data Processor is then not obligated to carry out the relevant Processing until the parties have decided how to solve the matter or until a supervisory authority declares the instruction as lawful.
c) to implement appropriate technical and organisational measures according to Schedule 1 in order to protect and safeguard the Personal Data that is Processed against Personal Data Breaches (Data Processor may amend the technical and organizational measures from time to time provided that the amended technical and organizational measures are not less protective of the Personal Data as those set out in Appendix 1);
d) to maintain records of all categories of Processing performed on behalf of the Data Controller, including name and contact details and, where applicable, transfers of Personal Data to a Third Country or international organisation and, where possible, a general description of the technical and organisational security measures;
e) to ensure that only authorised persons can Process Personal Data, and ensure that these persons have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
f) to without undue delay refer any third party requesting information relating to the Personal Data to the Data Controller, unless such reference is prohibited under criminal law (e.g. to preserve the confidentiality of a law enforcement investigation) and on request cooperate with relevant supervisory authority in the performance of its tasks and without undue delay inform the Data Controller of this;
g) to assist the Data Controller through appropriate technical and organisational measures, to the extent possible, so that the Data Controller can fulfil its obligation to respond to a request following a data subject exercising its rights under applicable Personal Data Legislation;
h) to, considering the type of Processing and the information available to the Data Processor, at the request of the Data Controller, assist the Data Controller in ensuring that the obligations regarding carrying out an impact assessment for data protection and preceding consultation with responsible supervisory authority, are met in accordance with applicable Personal Data Legislation;
i) to transfer Personal Data belonging to the Data Controller, to a third country, provided that: (a) the third country according to a decision issued by the EU Commission provides an adequate level of protection for Personal Data which comprises the Processing of Personal Data; (b) Data Processor ensures that there are appropriate safeguards in place in accordance with Personal Data Legislation, e.g. standard data protection clauses adopted by the EU Commission under applicable Personal Data Legislation, that comprises the transfer and the Processing of Personal Data; or (c) if there are any other exemptions under applicable Personal Data Legislation that comprise the Processing of Personal Data; and
j) to make available to the Data Controller, upon the Data Controller's request, information in order to demonstrate compliance with the obligations of Data Processor laid down in Art. 28 GDPR.

The audit shall be carried out by the Data Controller or such independent third party that the Data Controller appoints (that is not a competitor to the Data Processor), provided that such person is bound by a duty of confidentiality (which the Data Processor in its reasonable opinion considers to be acceptable). Data Controller shall bear any costs arising out of or in connection with an audit.

Appears in 1 contract

Samples: Personal Data Processing Agreement


OBLIGATIONS OF THE DATA PROCESSOR. 5.1 The 46.1 Foreseeti agrees that it will, unless otherwise required by applicable law: 1) process personal data solely in accordance with the instructions of the Data Controller instructs for the purpose set forth in the License Agreement, and according to the rules and the provisions contained in this DPA and in accordance with the applicable Data Privacy Law. Instructions in the License Agreement and in this DPA, together with any amended instructions are to be considered instructions as stipulated in applicable Privacy Law and are jointly referred to as “Instructions” herein. 2) will implement the security measures in accordance with applicable Data Privacy Law, including Art 32 in the EU General Data Protection Regulation and as further specified herein, 3) not acquire any rights in or to the personal data, 4) not use the personal data for any purpose other than for the performance of its obligations under this DPA and the License Agreement, and for fault localization in Foreseeti ’s system used for providing the agreed services, 5) refer to Data Controller in the event a data subject, supervisory or governmental authority or any third party is requesting Personal Data processed under this Agreement from Foreseeti, 6) notify Data Controller, without undue delay, in writing or email (unless prohibited by law) in the event that Foreseeti is legally obliged to disclose personal data to third parties or to a relevant supervisory authority to satisfy legal requirements, comply with law or respond to lawful requests or binding decisions by relevant authority. Foreseeti shall wait, unless prohibited by law, for further Instructions concerning the requested disclosure. 
46.2 Where Foreseeti reasonably believes that any Instruction would result in a violation of the applicable Data Privacy Law, Foreseeti shall inform the Data Processor to only Process Personal Data according to Controller without undue delay of any such instruction and may suspend the execution of the Instruction until its lawful instructions, that have been described in Schedule 1 (instructions to the Data Processor). It lawfulness is confirmed by an authorized person of the Data Controller's responsibility to ensure that the instructions are not contrary to Personal , or it is changed in writing in a way which Foreseeti reasonably believes is compliant with applicable Data LegislationPrivacy Law. 5.2 In addition to what otherwise follows from the Agreement, 46.3 Foreseeti will assist the Data Processor undertakes:Controller for the fulfilment of the Data Controller’s obligations to respond to requests for exercising the data subject’s rights as stated in Chapter II of the GDPR. a) to 46.4 Foreseeti shall assist the Data Controller in ensuring compliance with any request made by the obligations deriving from applicable Personal Data Legislation, taking into account the nature of Processing and the information available to the Data Processor; b) to immediately inform the Data Controller if, in the Data Processors opinion, an instruction infringes the applicable Personal Data Legislation and the Data Processor is then not obligated to carry out the relevant Processing until the parties have decided how to solve the matter or until a supervisory authority declares the instruction as lawful. 
c) to implement appropriate technical and organisational measures according to Schedule 1 in order to protect and safeguard the Personal Data that is Processed against Personal Data Breaches (Data Processor may amend the technical and organizational measures from time to time provided that the amended technical and organizational measures are not less protective of the Personal Data as those set out in Appendix 1); d) to maintain records of all categories of Processing performed on behalf of the Data Controller, including name and contact details and, where applicable, transfers of Personal Data to a Third Country or international organisation and, where possible, a general description of the technical and organisational security measures; e) to ensure that only authorised persons can Process Personal Data, and ensure that these persons have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; f) to without undue delay refer any third party requesting information relating to the Personal Data to the Data Controller, unless such reference is prohibited under criminal law (e.g. to preserve the confidentiality of a law enforcement investigation) and on request cooperate with relevant supervisory authority in relation to Foreseeti’s processing of personal data. 
46.5 In the event the Data Controller changes its instructions in a manner that goes beyond what the applicable Data Privacy Law requires, or if such changes will require changes to the service provided according to the License Agreement, and such changes will cause a significant increase in cost for Foreseeti, the parties shall, before Foreseeti starts implementing such changes, enter into a separate written agreement. In this agreement, the new actions shall be defined, as well as the compensation Foreseeti shall receive for implementing the new instructions.

Appears in 1 contract

Samples: License Agreement

OBLIGATIONS OF THE DATA PROCESSOR. The Data Processor warrants and undertakes that: 4.1 It will comply with all applicable law including Applicable Data Protection law in its performance of this Agreement. 4.2 It will only process the Personal Data on the instructions of the Data Controller. 4.3 It will not transfer Personal Data to a Third Country without the prior written approval of the Data Controller and only then once the transfer to the Third Country has been legitimised and the Data Controller and the Data Processor are satisfied that an adequate Data Protection regime exists in the Third Country. 4.4 It will not appoint sub-processors to process the Personal Data on its behalf without the prior written approval of the Data Controller. Data Processor will impose on such Sub-Processors data protection terms that protect the Protected Data to the same standard provided for by this DPA. Upon Data Controller's request, the Data Processor will provide to Customer a list of the then-current Sub-Processors. For the avoidance of doubt, the Data Controller hereby authorises the engagement by Data Processor of the Sub-processors set out in Schedule 2. 4.5 Once approved by the Data Controllers, sub-processors will only process the Personal Data on the instructions of the Data Processor and the Data Processor will put in place a legal agreement in writing to govern the sub-processing. 4.6 It will have in place appropriate technical and organisational measures, and all measures pursuant to Article 32 of the GDPR, to protect the confidentiality of the Personal Data and to protect the Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected. 4.7 It will obtain guarantees from any sub-processors processing the Personal Data, that they will have in place appropriate technical and organisational measures, and all measures pursuant to Article 32 of the GDPR, to protect the confidentiality of the Personal Data and to protect the Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected, including as a minimum implementing those measures specified in Schedule 3. 4.8 It will have in place procedures so that any individual party it authorises to have access to the Personal Data, including employees of the Data Processor, will respect and maintain the confidentiality and security of the Personal Data. Any person acting under the authority of the Data Processor shall be obligated to process the Personal Data only on instructions from the Data Processor. This provision does not apply to persons authorised or required by law or regulation to have access to the Personal Data. 4.9 It will not disclose any Personal Data to a third party in any circumstances other than at the specific written request of the Data Controller, unless such disclosure is necessary in order to fulfil the obligations of the Services Agreement, or is required by applicable law. 4.10 It will notify the Data Controller of any request for information by the DPC or other supervisory authority where appropriate and will not disclose any Personal Data without the prior consent of the Data Controller. 4.11 It will notify the Data Controller of any complaint, notice or communication received which relates directly or indirectly to the processing of the Personal Data, or other connected activities, or which relates directly or indirectly to the compliance of the Data Processor and/or the Data Controller with relevant applicable law including Applicable Data Protection law.

Appears in 1 contract

Samples: Data Processor Agreement
