Common use of Obligations of the Processor Clause in Contracts

Obligations of the Processor. (1) The processor is obliged to maintain strict confidentiality during processing and shall process personal data only as contractually agreed or as instructed by the controller, unless the processor is required by law to carry out a specific processing activity. If such obligations exist for the processor, the processor shall notify the controller thereof prior to processing, unless such notification is prohibited by law. Furthermore, the processor shall not use the data provided for processing for any other purpose, in particular for his own purposes. (2) The processor assures that the persons employed by him for processing have been made familiar with the relevant provisions of data protection and this Agreement prior to commencement of processing. Appropriate training and awareness-raising measures shall be repeated at regular intervals. The processor shall ensure that persons assigned to data processing activities are instructed and monitored appropriately on an ongoing basis with regard to the fulfilment of data protection requirements as well as the provisions resulting from this Agreement, such as the controller’s authority to issue directives and purpose limitation. (3) Persons who may gain knowledge of the data processed on behalf of the controller must commit in writing to maintain confidentiality, unless they are already legally subject to a relevant confidentiality obligation. (4) The processor confirms that he is aware of the relevant general data protection regulations. He shall comply with the principles of proper data processing and ensure proper data processing by means of ongoing monitoring and regular checks. (5) In connection with the commissioned data processing, the processor shall assist the controller in drawing up and updating the record of data processing activities and in carrying out the data protection impact assessment. All necessary information and documentation shall be provided and forwarded to the controller upon request. (6) If the controller is subject to an inspection by supervisory authorities or other bodies, or if data subjects claim rights against him, the processor is obliged to support the controller to the extent necessary, as far as the data processing activities carried out by the processor are concerned. (7) The processor shall inform the controller of inspections carried out by or on behalf of supervisory authorities for data protection without delay. (8) The processor shall not provide information to third parties or to the data subject without the prior consent of the controller. Requests addressed directly to him shall be forwarded to the controller without delay. (9) To the extent required by law, the processor shall appoint a competent and reliable person as data protection officer. It must be ensured that there are no conflicts of interest for the data protection officer. The controller may contact the data protection officer directly. The processor shall inform the controller of the contact details of the data protection officer or of the reasons why no officer has been appointed. The processor shall immediately inform the controller of any changes in the person of the data protection officer. (10) The data processing shall generally take place within the EU or the EEA. Any relocation to a third country may only take place with the consent of the controller and under the conditions contained in Chapter V of the GDPR and in compliance with the provisions of this Agreement. (11) If the processor is not established in the European Union, he shall appoint a responsible contact person in the European Union in accordance with Art. 27 GDPR. The contact details of the contact person as well as all changes in the contact person must be communicated to the controller without delay. (12) The processor shall comply with all principles set out by the GÉANT Data Protection Code of Conduct in its most current version, which will be made available to the processor by the controller upon request.

Obligations of the Processor. (1) The processor is obliged to maintain strict confidentiality during processing and Processor shall exclusively process personal data only as contractually agreed or as instructed by in compliance with the controllerAgreement and the instructions of the Controller, unless required to do so by Union or Member State law to which the processor is required by law to carry out subject (e.g. investigations of prosecution or investigation authorities); in such a specific processing activity. If such obligations exist for the processorcase, the processor Processor shall notify inform the controller thereof prior to Controller of that legal requirement before processing, unless that law prohibits such notification is prohibited by lawinformation on important grounds of public interest (Art. Furthermore, 28 par 3 2nd sentence lit. a of the processor GDPR). The Processor shall not process or use the personal data provided transferred or disclosed for processing its services for any other purpose, in particular not for his its own purposes. (2) . The processor assures Processor may not create any copies or duplicates of personal data without the Controller’s knowledge. The Processor undertakes to ensure that all agreed measures with respect to the persons employed by him for processing have been made familiar of personal data are implemented in compliance with the relevant provisions of data protection and this Agreement prior to commencement of processing. Appropriate training and awareness-raising measures shall be repeated at regular intervalsAgreement. The processor shall Processor undertakes to ensure that persons assigned to data processing activities are instructed and monitored appropriately on an ongoing basis with regard to the fulfilment of data protection requirements as well as the provisions resulting from this Agreement, such as the controller’s authority to issue directives and purpose limitation. (3) Persons who may gain knowledge of the data processed on behalf of the controller must commit Controller are strictly separated from any other data in writing its possession. All data and media which are provided by the Controller, or used for the Controller, shall be marked as such. Receipt and shipping, as well as any use thereof, shall be documented. The Processor shall regularly conduct the agreed audits with respect to maintain confidentiality, unless they are already legally subject to a relevant confidentiality obligation. (4) the processing services within its area of responsibility. The processor confirms that he is aware results of the relevant general data protection regulationssuch audits shall be documented. He The Processor shall comply reasonably cooperate with the principles of proper data processing Controller, and ensure proper data processing by means of ongoing monitoring and regular checks. (5) In connection with the commissioned data processing, the processor shall assist the controller in drawing up and updating the record of data processing activities and in carrying out the data protection impact assessment. All necessary information and documentation shall be provided and forwarded to the controller upon request. (6) If the controller is subject to an inspection by supervisory authorities or other bodies, or if data subjects claim rights against him, the processor is obliged to support the controller to the extent necessaryController, as far as the data processing activities carried out by the processor are concerned. possible (7) The processor shall inform the controller of inspections carried out by or on behalf of supervisory authorities for data protection without delay. (8) The processor shall not provide information to third parties or to the data subject without the prior consent Art. 28 par 3 2nd sentence lit. b and f of the controller. Requests addressed directly GDPR), with respect to him shall be forwarded to (a) the controller without delay. (9) To the extent required by law, the processor shall appoint a competent and reliable person as data protection officer. It must be ensured that there are no conflicts of interest for the data protection officer. The controller may contact the data protection officer directly. The processor shall inform the controller consummation of the contact details rights of the data protection officer or subjects according to Artt. 12 through 22 of the reasons why no officer has been appointedGDPR by the Controller, (b) drafting the records of processing activities, as well as (c) the implementation of data protection impact assessments. The processor Processor shall promptly provide all required information to the authorized representative of the Controller. The Processor shall immediately inform the controller Controller if, in its opinion, an instruction infringes applicable data protection provisions (Art. 28 par 3 3rd sentence of the GDPR). The Processor shall then be entitled to suspend implementation of any changes in instruction pending the person Controller’s review and confirmation of such instruction. The Processor shall correct, erase, or restrict the processing of, personal data which fall within the scope of the Processor Relationship upon the Controller’s instructions, provided that these do not conflict with a prevailing legitimate interest of the Processor. The Processor shall provide information to any third parties or data subjects with respect to personal data within the scope of the Processor Relationship only upon instruction of the Controller or with the Controller’s prior consent. The Processor acknowledges and agrees that the Controller may reasonably audit, or have audited by a third party retained by the Controller, the Processor’s compliance with all applicable data protection officer. (10) The and data processing shall generally take place within the EU or the EEA. Any relocation to a third country may only take place security provisions and with the consent terms of the controller and under Agreement, in particular, without limitation, by requesting information, reviewing data files and/or hardware or software used for processing, and/or through on-site inspections – normally after having made an appointment (Art. 28 par. 3 2nd sentence lit. h of the conditions contained in Chapter V GDPR). The Processor undertakes to reasonably cooperate, to the extent required, with such audits. The Processor confirms that is fully aware of all provisions of the GDPR which are relevant to processing on behalf. The Processor undertakes to to maintain and preserve full confidentiality whenever it processes personal data own behalf of the Controller. This obligation shall survive expiry or termination of the Agreement. The Processor guarantees that it has instructed all employees involved in processing hereunder prior to such involvement on the provisions applicable to the protection of personal data and has ensured, in an appropriate manner, that they are, and remain even after the expiry or termination of employment, subject to an obligation of confidentiality (Art. 28 par. 3 2nd sentence lit. b and Art. 29 of the GDPR). The Processor shall ensure and supervise full compliance with the all provisions of this Agreement. (11) If the processor is not established in the European Union, he shall appoint a responsible contact person in the European Union in accordance with Art. 27 GDPR. The contact details of the contact person as well as all changes in the contact person must be communicated applicable to the controller without delayprotection of personal data in all of its offices and facilities. (12) The processor shall comply with all principles set out by the GÉANT Data Protection Code of Conduct in its most current version, which will be made available to the processor by the controller upon request.

Obligations of the Processor. (1a) The processor is obliged to maintain strict confidentiality during processing and shall process personal data only as contractually agreed or as instructed by the controller, unless the processor is required by law to carry out a specific processing activity. If such obligations exist for the processor, the processor shall notify the controller thereof prior to processing, unless such notification is prohibited by law. Furthermore, the processor shall not use the data provided for processing for any other purpose, in particular for his own purposes. (2) The processor assures that the persons employed by him for processing have been made familiar with the relevant provisions of data protection and this Agreement prior to commencement of processing. Appropriate training and awareness-raising measures shall be repeated at regular intervals. The processor Processor shall ensure that persons assigned authorised by the Processor to process the personal data processing activities are instructed and monitored appropriately on an ongoing basis with regard to the fulfilment of data protection requirements as well as the provisions resulting from this Agreement, such as the controller’s authority to issue directives and purpose limitation. (3) Persons who may gain knowledge of the data processed on behalf of the controller must commit Controller, in writing to maintain confidentialityparticular the Processor's employees as well as employees of any Subprocessors, unless they are already legally subject to a relevant binding obligation of confidentiality obligationand that such persons process any personal data to which they have access in compliance with the Controller's instructions. (4b) The processor confirms that he is aware Processor shall implement the technical and organisational measures as specified in Annex 2 before processing the personal data on behalf of the relevant general data protection regulationsController. He shall comply with The Processor may amend the principles of proper data processing technical and ensure proper data processing by means of ongoing monitoring organisational measures from time to time provided that the amended technical and regular checksorganisational measures are not less protective than those set out in Annex 2. (5c) In connection The Processor shall make available to the Controller any information necessary to demonstrate compliance with the commissioned obligations of the Processor relating to information security as required by Applicable data processingprotection law and by this Schedule to the extent applicable to the Services. The Processor is in particular obliged to allow for and contribute to audits (e.g., providing audit reports and/or other relevant information or certificates to Controller upon Controller's request) or on-site inspections, conducted by the processor Controller or another auditor mandated by the Controller in relation to the processing of the personal data. The Processor’s contribution to such audits shall be proportionate to the nature and purpose of the processing and subject to receipt by the Processor of reasonable notice. (d) The Processor shall notify the Controller (using the contact details provided by the Controller) without undue delay of becoming aware of a Personal Data Breach and the Processor will assist the controller in drawing up Controller with the Controller's obligation under Applicable data protection laws to inform the data subjects and updating the record supervisory authorities, as applicable, by providing the necessary information taking into account the nature of the processing and the information available to the Processor. For the avoidance of doubt, these obligations shall not be construed as an acknowledgement by the Processor of any liability for a Personal Data Breach or failure to prevent it. (e) The Processor shall provide reasonable assistance (taking account of the nature of the processing and the information available to the Processor) to the Controller with its obligation under Applicable data processing activities and in carrying out the protection laws, to carry out: a. a data protection impact assessment. All necessary information and documentation shall be provided and forwarded ; and b. prior consultation with the supervisory authorities that relates to the controller upon requestServices provided by the Processor to the Controller under this Schedule by providing the necessary and available information to the Controller on request to allow it to meet its obligations under the GDPR. (6f) If The Processor shall, at the controller is subject option of the Controller, delete or return to an inspection the Controller all personal data which are processed by supervisory authorities the Processor on behalf of the Controller under this Schedule after the end of the provision of the Services, and delete any existing copies unless European Union or other bodiesMember State law requires the Processor to retain such personal data. For the avoidance of doubt, or if this obligation shall not be infringed by the shredding of material containing personal data subjects claim rights against himwhich was provided to the Processor by the Controller for destruction in the normal course of the Services. (g) The Processor shall provide to the Controller the records of processing activities relating to the Services under this Schedule, the processor is obliged to support the controller to the extent necessary, as far as necessary for the data Controller to comply with its obligation to maintain records of processing activities carried out by the processor are concernedactivities. (7h) The processor Processor shall inform the controller of inspections carried out by or on behalf of supervisory authorities for designate a data protection without delay. (8) The processor shall not provide information officer and/or a representative, to third parties or to the data subject without the prior consent of the controller. Requests addressed directly to him shall be forwarded to the controller without delay. (9) To the extent required by law, the processor shall appoint a competent and reliable person as Applicable data protection officer. It must be ensured that there are no conflicts of interest for the data protection officerlaw. The controller may contact the data protection officer directly. The processor Processor shall inform the controller of the provide contact details of the data protection officer or of the reasons why no officer has been appointed. The processor shall immediately inform the controller of any changes in the person of the data protection officer. (10) The data processing shall generally take place within the EU or the EEA. Any relocation to a third country may only take place with the consent of the controller and under the conditions contained in Chapter V of the GDPR and in compliance with the provisions of this Agreement. (11) If the processor is not established in the European Unionand/or representative, he shall appoint a responsible contact person in the European Union in accordance with Art. 27 GDPR. The contact details of the contact person as well as all changes in the contact person must be communicated if any, to the controller without delayController. (12) The processor shall comply with all principles set out by the GÉANT Data Protection Code of Conduct in its most current version, which will be made available to the processor by the controller upon request.

Obligations of the Processor. (1) The processor is obliged to maintain strict confidentiality during processing Processor processes Personal Data solely and shall process personal data only as contractually agreed in full compliance with the Regulations and instructions of the Controller or as instructed otherwise required in this Agreement. This obligation also applies to transfers by the controllerProcessor of Personal Data to a third country or an international organisation, unless the processor Processor is required to do so by law the Regulations or laws to carry out which the Processor is subject. In such a specific processing activity. If such obligations exist for the processorcase, the processor Processor shall notify inform the controller thereof prior to Controller of such legal requirements before processing, unless that law prohibits such notification is prohibited by law. Furthermore, the processor shall not use the data provided for processing for any other purpose, in particular for his own purposesinformation on important grounds of public interest. (2) The processor assures Processor and Controller agree that the persons employed by him for processing have been made familiar with the relevant provisions of data protection and this Agreement and the Synology C2 Service Agreement represents the Controller’s complete and final instructions to the Processor. Processing outside the scope of this Agreement (if any) will require prior to commencement of written agreement between both parties on additional instructions for processing. Appropriate training and awareness-raising measures shall be repeated at regular intervals. The processor shall ensure Controller may terminate this Agreement if the Processor declines to follow instructions requested by the Controller that persons assigned to data processing activities are instructed and monitored appropriately on an ongoing basis with regard to outside the fulfilment scope of data protection requirements as well as the provisions resulting from this Agreement, such as the controller’s authority to issue directives and purpose limitation. (3) Persons who may gain knowledge In the performance of this Agreement, the Controller shall immediately confirm any oral instructions in writing. (4) Copies or duplicates of the data processed on behalf of the controller must commit in writing to maintain confidentialityController shall never be created without the knowledge of the Controller, unless with the exception of back-up copies as far as they are already legally subject necessary to a relevant confidentiality obligation. (4) The processor confirms that he is aware of ensure orderly data processing, as well as data required to meet regulatory requirements to retain data under the relevant general data protection regulations. He shall comply with the principles of proper data processing and ensure proper data processing by means of ongoing monitoring and regular checksRegulations. (5) In connection with The Processor may not on its own authority rectify, erase, or restrict the commissioned processing of data processingthat is being processed on behalf of the Controller or port/transfer any such data to any third party, but do so only on documented instructions from the Controller. When a Data Subject contacts the Processor directly concerning a rectification, erasure, or restriction of processing or to exercise the right of portability, the processor shall assist Processor will immediately forward the controller Data Subject’s request to the Controller. Insofar as it is included in drawing up the scope of services, the erasure policy, ‘right to be forgotten’, rectification, data portability and updating the record of data processing activities and in carrying out the data protection impact assessment. All necessary information and documentation access shall be provided and forwarded to ensured by the controller upon requestProcessor in accordance with documented instructions from the Controller without undue delay. (6) If The Processor shall inform the controller Controller immediately if the Processor considers that an instruction of the Controller violates the GDPR (with regard to Art. 28 Paragraph 3 Sentence 3) or the Regulations. The Processor shall then be entitled to suspend the execution of the relevant instructions until the Controller confirms or changes them. (7) In addition to complying with the rules set out in this Agreement, the Processor shall comply with the statutory requirements referred to in Articles 28 to 33 GDPR. Accordingly, the Processor assures particularly compliance with the following requirements: a) The Processor entrusts only such employees with the data processing outlined in this Agreement who have been bound to confidentiality and have previously been familiarised with the data protection provisions relevant to their work. The Processor and any person acting under its authority who has access to Personal Data, shall not process that data unless on instructions from the Controller, which includes the powers granted in this Agreement, unless required to do so by law (Article 28 Paragraph 3 Sentence 2 Point b, Articles 29 and 32 Paragraph 4 GDPR). b) The Processor must assist the Controller to comply with requests from individuals exercising their rights to access, rectify, port, erase or object to the processing of their Personal Data. c) The Processor must assist the Controller to comply with requests from the supervisory authority. The Controller and the Processor shall cooperate, on request, with the supervisory authority in performance of its tasks. d) Designation of Data Protection Officer / Contact Person / Representative Synology’s Data Protection Team can be contacted at xxxxx://xxx.xxxxxxxx.xxx/en- global/form/privacy_issue. The Controller shall be informed immediately of any change of Data Protection Officer. e) The Controller shall be informed immediately of any inspections and measures conducted by the relevant supervisory authority as described in Point 9 of this Agreement, insofar as they relate to the processing of this Agreement. f) Insofar as the Controller is subject to an inspection by a supervisory authorities authority, an administrative or summary offence or criminal procedure, a liability claim by a Data Subject or by a third party or any other bodies, or if claim in connection with the Agreement data subjects claim rights against himprocessing by the Processor, the processor is obliged Processor shall make every effort to support the controller to the extent necessary, as far as the data processing activities carried out by the processor Controller. Further assistance duties are concerned. (7) The processor shall inform the controller of inspections carried out by or on behalf of supervisory authorities for data protection without delay. (8) The processor shall not provide information to third parties or to the data subject without the prior consent of the controller. Requests addressed directly to him shall be forwarded to the controller without delay. (9) To the extent required by law, the processor shall appoint a competent and reliable person as data protection officer. It must be ensured that there are no conflicts of interest for the data protection officer. The controller may contact the data protection officer directly. The processor shall inform the controller of the contact details of the data protection officer or of the reasons why no officer has been appointed. The processor shall immediately inform the controller of any changes described in the person of the data protection officer. (10) The data processing shall generally take place within the EU or the EEA. Any relocation to a third country may only take place with the consent of the controller and under the conditions contained in Chapter V of the GDPR and in compliance with the provisions Point 8 of this Agreement. (11g) If The Processor shall assist the processor is not established Controller in ensuring compliance with the European Union, he shall appoint a responsible contact person obligations pursuant to Articles 32 to 36 as described in the European Union Point 9 of this Agreement. h) Implementation of and compliance with all Technical and Organisational Measures necessary for this Agreement in accordance with Art. 27 Article 28 Paragraph 3 Sentence 2 Point c, Article 32 GDPR. The contact details of the contact person , as well as all changes detailed in the contact person must be communicated to the controller without delayAppendix. (12) The processor shall comply with all principles set out by the GÉANT Data Protection Code of Conduct in its most current version, which will be made available to the processor by the controller upon request.

Obligations of the Processor. (1) The processor is obliged Within the scope of this Data Processing Covenant, and in its use of the services, the Processor shall be solely responsible for complying with the statutory requirements relating to maintain strict confidentiality during processing data protection and shall privacy, in particular regarding the disclosure of Personal Data to other entities except the Controller, and the Processing of Personal Data. Processor must process personal data only as contractually agreed or as instructed by in accordance with present arrangements and the controllerinstructions of Controller, unless required to otherwise process the processor is required data by investigations, by law to carry out a specific processing activityenforcement or national security agencies. If such obligations exist for the processor, the processor shall notify the controller thereof prior to processing, unless such notification is prohibited by law. Furthermore, the processor shall Processor may not use the personal data provided for processing for any other purpose, in particular particularly for his its own purposes. (2) The processor assures that . Copies or duplicates of the persons employed by him for processing have been made familiar personal data must not be created without Controller’s knowledge. Processor undertakes to provide Controller with the relevant provisions information about the fulfillment of data protection the connection between the processor and this Agreement prior to commencement of processingthe Customer, as provided in Clause 9.2. Appropriate training and awareness-raising measures shall be repeated at regular intervalslit. The processor shall ensure t. Processor guarantees that persons assigned to data processing activities are instructed and monitored appropriately on an ongoing basis with regard to the fulfilment of data protection requirements as well as the provisions resulting from this Agreement, such as the controller’s authority to issue directives and purpose limitation. (3) Persons who may gain knowledge of the data processed on behalf for Controller will be strictly separated from other data. If the Processor believes that an Instruction of the controller must commit in writing to maintain confidentialityController infringes the Data Protection Law, unless they are already legally subject to a relevant confidentiality obligation. (4) The processor confirms that he is aware of the relevant general data protection regulations. He shall comply with the principles of proper data processing and ensure proper data processing by means of ongoing monitoring and regular checks. (5) In connection with the commissioned data processing, the processor shall assist the controller in drawing up and updating the record of data processing activities and in carrying out the data protection impact assessment. All necessary information and documentation shall be provided and forwarded to the controller upon request. (6) If the controller is subject to an inspection by supervisory authorities or other bodies, or if data subjects claim rights against him, the processor is obliged to support the controller to the extent necessary, as far as the data processing activities carried out by the processor are concerned. (7) The processor shall inform the controller of inspections carried out by or on behalf of supervisory authorities for data protection without delay. (8) The processor shall not provide information to third parties or to the data subject without the prior consent of the controller. Requests addressed directly to him shall be forwarded to the controller without delay. (9) To the extent required by law, the processor shall appoint a competent and reliable person as data protection officer. It must be ensured that there are no conflicts of interest for the data protection officer. The controller may contact the data protection officer directly. The processor shall inform the controller of the contact details of the data protection officer or of the reasons why no officer has been appointed. The processor it shall immediately inform the controller of any changes in the person of the data protection officer. (10) The data processing shall generally take place within the EU or the EEAController without delay. Any relocation to a third country may only take place with the consent of the controller and under the conditions contained in Chapter V of the GDPR and in compliance with the provisions of this Agreement. (11) If the processor is Processor cannot established in the European Union, he shall appoint a responsible contact person in the European Union process Personal Data in accordance with Art. 27 GDPR. The contact details the Instructions due to a legal requirement under any applicable European Union or United States law, the Processor will (i) promptly notify the Controller of that legal requirement before the relevant Processing to the extent permitted by the Data Protection Law; and (ii) cease all Processing (other than merely storing and maintaining the security of the contact person affected Personal Data) until such time as well the Controller issues new instructions with which Processor is able to comply. If this provision is invoked, Processor will not be liable to the Controller under this Data Processing Covenant for any failure to perform the applicable services until such time as all changes the Controller issues new instructions in regard to the Processing. Processor shall take the appropriate technical and organizational measures to adequately protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data. Such measures include, but are not be limited to: the prevention of unauthorized persons from gaining access to Personal Data Processing systems (physical access control), the prevention of Personal Data Processing systems from being used without authorization (logical access control), ensuring that persons entitled to use a Personal Data Processing system gain access only to such Personal Data as they are entitled to accessing in accordance with their access rights, and that, in the contact person must course of Processing or use and after storage, Personal Data cannot be communicated read, copied, modified or deleted without authorization (data access control), ensuring that Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media, and that the target entities for any transfer of Personal Data by means of data transmission facilities can be established and verified (data transfer control), ensuring the establishment of an audit trail to document whether and by whom Personal Data have been entered into, modified in, or removed from Personal Data Processing systems (entry control), ensuring that Personal Data is Processed solely in accordance with the controller without delayInstructions (control of instructions), ensuring that Personal Data is protected against accidental destruction or loss (availability control). (12) The processor shall comply with all principles set out by the GÉANT Data Protection Code of Conduct in its most current version, which will be made available to the processor by the controller upon request.

Obligations of the Processor. (1) The processor is obliged Processor undertakes to strictly maintain strict confidentiality during processing and shall to process personal data only Personal Data exclusively as contractually agreed or as instructed by the controllerController, unless the processor Processor is required by law legally obliged to carry out perform a specific processing activityprocessing. If such obligations exist for the processorit, the processor Processor shall notify the controller thereof Controller of them prior to processingthe Processing, unless such the notification is prohibited by law. Furthermore, the processor Processor shall not use the data provided for processing for any other purposepurposes, in particular for his its own purposes. (2) The processor assures Processor warrants that the persons employed by him it for processing have been made familiar familiarized with the relevant provisions of data protection and this Agreement prior to commencement the start of processing. Appropriate Corresponding training and awareness-raising measures shall be repeated at on an appropriate regular intervalsbasis. The processor Processor shall ensure that persons assigned to data deployed for commissioned processing activities are appropriately instructed and monitored appropriately on an ongoing basis with regard to the fulfilment of compliance with data protection requirements and that they comply with the statutory provisions on data protection as well as the provisions rules resulting from this Agreementcontract, such as the controller’s authority to issue directives binding of instructions and purpose limitation. (3) Persons who may gain obtain knowledge of the data processed on behalf of in the controller must commit order shall undertake in writing to maintain confidentiality, unless they are already legally subject to a relevant confidentiality obligationobligation by law. (4) The processor Processor confirms that he it is aware of the relevant general data protection regulations. He It shall comply with observe the principles of proper data processing and shall ensure proper data processing by means of ongoing monitoring and regular checks. (5) In connection with the commissioned data processing, the processor Processor shall assist support the controller Controller in drawing up and updating complying with the record obligations set forth in Articles 32 to 36 of data processing activities and in carrying out the GDPR, including the performance of a data protection impact assessment, as well as in creating and updating the list of processing activities pursuant to Article 30 of the GDPR. All necessary required information and documentation shall be kept available and provided and forwarded to the controller Controller, without undue delay, upon request. (6) If the controller Controller is subject to an inspection by supervisory authorities or other bodies, bodies or if data subjects claim assert rights against himthe Controller, the processor is obliged Processor undertakes to support the controller Controller to the extent necessary, as far insofar as the data processing activities carried out by the processor are concernedon behalf is affected. (7) The processor shall inform the controller of inspections carried out by or on behalf of supervisory authorities for data protection without delay. (8) The processor shall not Processor may only provide information to third parties or to the data subject without Data Subject, including the disclosure of personal data, with the prior consent of the controllerController. Requests The Processor shall immediately forward any inquiries addressed directly to him shall be forwarded it to the controller without delayController. (9) To the extent required by law, the processor shall appoint a competent and reliable person as 8) A data protection officer. It must be ensured that there are no conflicts of interest for officer has been appointed by the data protection officerProcessor. The controller may e-mail address xxxxxxxxxxx@xx0.xx can be used to contact the data protection officer directly. The processor shall inform the controller of Changes to the contact details data of the data protection officer or shall be communicated to the Controller for the purpose of the reasons why no officer has been appointed. The processor shall immediately inform the controller of any changes in the person of the data protection officerdirect contact. (109) The data As a matter of principle, commissioned processing shall generally take takes place within the EU or the EEA. Any relocation to a third country may only take place with the consent of the controller Controller and under the conditions contained in Chapter V of the GDPR and in compliance with the provisions of this AgreementGDPR. (1110) If the processor Processor is not established in the European Union, he it shall appoint a responsible contact person in the European Union in accordance with Art. pursuant to Article 27 of the GDPR. The contact details of the contact person as well as all any changes in the person of the contact person must shall be communicated notified to the controller Controller without undue delay. (12) The processor shall comply with all principles set out by the GÉANT Data Protection Code of Conduct in its most current version, which will be made available to the processor by the controller upon request.

Obligations of the Processor. a. The Processor acknowledges that the Personal Data transferred to it are subject to the Data Protection Rules. The Processor shall only process the Personal Data (1i) The processor is obliged as part of and to maintain strict confidentiality during processing and shall process personal data only as contractually agreed or as instructed by the controller, unless the processor is required by law to carry out a specific processing activity. If such obligations exist extent necessary for the processorperformance of the Addendum, (ii) in accordance with this Addendum and the processor shall notify the controller thereof prior to processingData Protection Rules, unless such notification is prohibited by lawand (iii) in accordance with and only on documented instructions from Controller. Furthermore, the processor The Processor shall not use the data provided for processing Personal Data for any other purpose, in particular for his of its own secondary purposes. (2) b. The processor assures that the persons employed by him for processing have been made familiar with the relevant provisions of data protection Processor must inform its employees and this Agreement prior to commencement of processing. Appropriate training and awareness-raising measures shall be repeated at regular intervals. The processor shall ensure that persons assigned to data processing activities are instructed and monitored appropriately on an ongoing basis with regard to the fulfilment of data protection requirements as well as the provisions resulting from this Agreement, such as the controller’s authority to issue directives and purpose limitation. (3) Persons who may gain knowledge of the data processed on behalf of the controller must commit in writing to maintain confidentiality, unless they are already legally subject to a relevant confidentiality obligation. (4) The processor confirms that he is aware staff of the relevant general data obligations under this Addendum and Controller’s instructions. The Processor shall ensure and monitor its employees’ compliance with such obligations and instructions. c. The Processor must implement appropriate technical, physical and organizational security measures to protect the Personal Data under its control against accidental or unlawful destruction or accidental loss, alteration, unauthorized or unlawful storage, processing, access or disclosure, and any other unauthorized processing of the Personal Data. These security measures should meet the best industry standards and must be updated from time to time to provide an adequate level of protection regulations. He shall comply with taking into account the principles of proper data risks involved in the processing and ensure proper data processing by means the nature of ongoing monitoring the Personal Data to be secured. The Processor’s implemented security measures (technical and organizational measures) can be found in Annex 2. The Processor shall have in place a security plan (see the security plan in Annex 3) and conduct regular checkstests, assessments and evaluations of the effectiveness of such measures and report to Controller. d. The Processor shall maintain a written (5or electronic) In connection with the commissioned data processing, the processor shall assist the controller in drawing up and updating the record of data processing activities and in carrying out the data protection impact assessment. All necessary information and documentation shall be provided and forwarded to the controller upon request. (6) If the controller is subject to an inspection by supervisory authorities or other bodies, or if data subjects claim rights against him, the processor is obliged to support the controller to the extent necessary, as far as the data all categories of processing activities carried out by the processor are concerned. (7) The processor shall inform the controller of inspections carried out by or on behalf of Controller. Such a register shall include, at least, all information referred to in Article 30.2 of the GDPR. e. The Processor shall take all technical and organisational measures required to comply with the Data Protection Rules, including the implementation of security measures, carrying out privacy impact assessments as well as allowing the data subjects to exercise their rights under the Data Protection Rules. In addition, the Processor shall assist Controller in complying with its obligations under applicable Data Protection Rules or requests it receives from supervisory authorities. f. The Processor shall promptly inform Controller: i. of any complaint, request or enquiry from a data subject regarding the processing of its Personal Data and/or its rights under the Data Protection Rules and, in such a case, assist Controller with the fulfilment of its obligation to address/respond to such complaints, requests or enquiries; ii. of any inquiry it receives from public authorities for data protection without delayan inspection or audit of the processing of Personal Data. (8) g. The processor Processor shall not immediately take all appropriate measures to remedy any breach of security or data breach and provide Controller with all information to third parties or at its disposal relevant to the data subject security breach, including, without limitation, the prior consent nature and scope of the controllerPersonal Data affected by said breach, the individuals concerned, the technological protection measures that had been put in place beforehand (e.g., whether the data was pseudonymized and/or encrypted), the measures taken or recommended to mitigate the possible adverse effects of the security breach, and any other information that might be or become relevant in order for Controller to comply with statutory or other security breach notification duties. Requests addressed directly to him The Processor shall be forwarded prepare a data breach report and provide the Controller with that report within reasonable period of time from the occurrence of the breach. The Processor shall also fully cooperate with Controller in the framework of any consequential action (e.g. notification of the breach to the controller without delay. (9) To the extent required by law, the processor shall appoint a competent supervisory authority and reliable person as data protection officer. It must be ensured that there are no conflicts of interest for the data protection officer. The controller may contact the data protection officer directly. The processor shall inform the controller of the contact details of the data protection officer or of the reasons why no officer has been appointed. The processor shall immediately inform the controller of any changes in the person of the data protection officer. (10) The data processing shall generally take place within the EU or the EEA. Any relocation to a third country may only take place with the consent of the controller and under the conditions contained in Chapter V of the GDPR and in compliance with the provisions of this Agreement. (11) If the processor is not established in the European Union, he shall appoint a responsible contact person in the European Union in accordance with Art. 27 GDPR. The contact details of the contact person as well as all changes in the contact person must be communicated to the controller without delay. (12) The processor shall comply with all principles set out by the GÉANT Data Protection Code of Conduct in its most current version, which will be made available to the processor by the controller upon request.data

Obligations of the Processor. (1) 4.1 The processor Processing is obliged described in detail in Appendix A. The Processor undertakes only to maintain strict confidentiality during processing and shall process personal data only as contractually agreed necessary for the performance of its obligations under the Main Agreement, this DPA or as instructed according to the specific and documented instructions provided by the controllerController in Appendix A and in connection with the conclusion of the Main Agreement, unless which have been approved by the processor is required Processor. The Processor may also process personal data in connection with the provision of additional services which from time to time may be ordered by law to carry out a specific processing activity. If the Controller and added under the Main Agreement. 4.2 Upon receipt of written instructions from the Controller regarding the Processing, such obligations exist as provided for the processorin Appendix A or additional written instructions, the processor shall notify Processor must, within a reasonable period of time, take appropriate measures to ensure that the controller thereof prior to processing, unless such notification Processing is prohibited by lawcarried out in accordance with the instructions. Furthermore, the processor shall The Processor is not use the data provided for processing responsible for any other purpose, ambiguities in particular for his own purposessuch instructions and is not required to take any actions beyond what is expressly requested by the Controller. (2) 4.3 The processor assures that the persons employed by him for processing have been made familiar with the relevant provisions of data protection and this Agreement prior Processor undertakes to commencement of processing. Appropriate training and awareness-raising measures shall be repeated at regular intervals. The processor shall ensure that persons assigned any natural person acting under the authority of the Processor and who has access to data processing activities are instructed personal data, is informed of the content of this DPA and monitored appropriately on an ongoing basis only performs the Processing in accordance with regard this DPA and the Controller’s documented instructions. 4.4 The Processor agrees, to a reasonable extent: to assist the Controller with appropriate technical and organisational measures for the fulfilment of the Controller’s obligation to respond to requests from data protection requirements as well as the provisions resulting from this Agreement, such as the controller’s authority subjects regarding access to issue directives and purpose limitationrectification or erasure of personal data. (3) Persons who may gain knowledge 4.5 The Processor shall, without undue delay, notify the Controller after becoming aware of a personal data breach involving personal data provided within the scope of the data processed on behalf of the controller must commit in writing to maintain confidentiality, unless they are already legally subject to a relevant confidentiality obligation. (4) Main Agreement. The processor confirms that he is aware of the relevant general data protection regulations. He shall comply with the principles of proper data processing and ensure proper data processing by means of ongoing monitoring and regular checks. (5) In connection with the commissioned data processing, the processor Processor shall assist the controller Controller to a reasonable extent by providing information necessary for the fulfilment of the Controller’s obligation to notify the relevant supervisory authority of a personal data breach and, when applicable, the Controller’s obligation to communicate the personal data breach to the affected data subjects. 4.6 The Processor shall, to a reasonable extent, assist the Controller: (i) in drawing up and updating the record of data processing activities and in carrying out the connection with any data protection impact assessment. All necessary information assessments and documentation shall be provided and forwarded to the controller upon request. (6) If the controller is subject to an inspection by supervisory authorities or other bodies, or if data subjects claim rights against him, the processor is obliged to support the controller to the extent necessary, as far as the data processing activities prior consultations carried out by the processor are concerned. Controller; and (7ii) The processor shall inform the controller of inspections in any investigation carried out by or on behalf of the relevant supervisory authorities for authority regarding a personal data protection without delay. (8) The processor shall not provide information to third parties or to breach involving personal data provided within the data subject without the prior consent scope of the controller. Requests addressed directly to him shall be forwarded to the controller without delay. (9) To the extent required by law, the processor shall appoint a competent and reliable person as data protection officer. It must be ensured that there are no conflicts of interest for the data protection officer. The controller may contact the data protection officer directly. The processor shall inform the controller of the contact details of the data protection officer or of the reasons why no officer has been appointed. The processor shall immediately inform the controller of any changes in the person of the data protection officer. (10) The data processing shall generally take place within the EU or the EEA. Any relocation to a third country may only take place with the consent of the controller and under the conditions contained in Chapter V of the GDPR and in compliance with the provisions of this Main Agreement. (11) If 4.7 The Processor is entitled to reasonable compensation from the processor is not established Controller for any additional costs and expense incurred in the European Union, he shall appoint a responsible contact person connection with measures taken or services performed in the European Union in accordance with Art. 27 GDPR. The contact details of the contact person as well as all changes in the contact person must be communicated relation to the controller without delay. (12) The processor shall comply with all principles obligations set out by the GÉANT Data Protection Code of Conduct in its most current version, which will be made available sections 4.4 to the processor by the controller upon request4.6.

Obligations of the Processor. (1) The processor is obliged to maintain strict confidentiality during processing Processor processes Personal Data solely and shall process personal data only as contractually agreed in full compliance with the Regulations and instructions of the Controller or as instructed otherwise required in this Agreement. This obligation also applies to transfers by the controllerProcessor of Personal Data to a third country or an international organisation, unless the processor Processor is required to do so by law the Regulations or laws to carry out which the Processor is subject. In such a specific processing activity. If such obligations exist for the processorcase, the processor Processor shall notify inform the controller thereof prior to Controller of such legal requirements before processing, unless that law prohibits such notification is prohibited by law. Furthermore, the processor shall not use the data provided for processing for any other purpose, in particular for his own purposesinformation on important grounds of public interest. (2) The processor assures Processor and Controller agree that the persons employed by him for processing have been made familiar with the relevant provisions of data protection and this Agreement and the Synology C2 Service Agreement represents the Controller’s complete and final instructions to the Processor. Processing outside the scope of this Agreement (if any) will require prior to commencement of written agreement between both parties on additional instructions for processing. Appropriate training and awareness-raising measures shall be repeated at regular intervals. The processor shall ensure Controller may terminate this Agreement if the Processor declines to follow instructions requested by the Controller that persons assigned to data processing activities are instructed and monitored appropriately on an ongoing basis with regard to outside the fulfilment scope of data protection requirements as well as the provisions resulting from this Agreement, such as the controller’s authority to issue directives and purpose limitation. (3) Persons who may gain knowledge In the performance of this Agreement, the Controller shall immediately confirm any oral instructions in writing. (4) Copies or duplicates of the data processed on behalf of the controller must commit in writing to maintain confidentialityController shall never be created without the knowledge of the Controller, unless with the exception of back-up copies as far as they are already legally subject necessary to a relevant confidentiality obligation. (4) The processor confirms that he is aware of ensure orderly data processing, as well as data required to meet regulatory requirements to retain data under the relevant general data protection regulations. He shall comply with the principles of proper data processing and ensure proper data processing by means of ongoing monitoring and regular checksRegulations. (5) In connection with The Processor may not on its own authority rectify, erase, or restrict the commissioned processing of data processingthat is being processed on behalf of the Controller or port/transfer any such data to any third party, but do so only on documented instructions from the Controller. When a Data Subject contacts the Processor directly concerning a rectification, erasure, or restriction of processing or to exercise the right of portability, the processor shall assist Processor will immediately forward the controller Data Subject’s request to the Controller. Insofar as it is included in drawing up the scope of services, the erasure policy, ‘right to be forgotten’, rectification, data portability and updating the record of data processing activities and in carrying out the data protection impact assessment. All necessary information and documentation access shall be provided and forwarded to ensured by the controller upon requestProcessor in accordance with documented instructions from the Controller without undue delay. (6) If The Processor shall inform the controller Controller immediately if the Processor considers that an instruction of the Controller violates the GDPR (with regard to Art. 28 Paragraph 3 Sentence 3) or the Regulations. The Processor shall then be entitled to suspend the execution of the relevant instructions until the Controller confirms or changes them. (7) In addition to complying with the rules set out in this Agreement, the Processor shall comply with the statutory requirements referred to in Articles 28 to 33 GDPR. Accordingly, the Processor assures particularly compliance with the following requirements: a) The Processor entrusts only such employees with the data processing outlined in this Agreement who have been bound to confidentiality and have previously been familiarised with the data protection provisions relevant to their work. The Processor and any person acting under its authority who has access to Personal Data, shall not process that data unless on instructions from the Controller, which includes the powers granted in this Agreement, unless required to do so by law (Article 28 Paragraph 3 Sentence 2 Point b, Articles 29 and 32 Paragraph 4 GDPR). b) The Processor must assist the Controller to comply with requests from individuals exercising their rights to access, rectify, port, erase or object to the processing of their Personal Data. c) The Processor must assist the Controller to comply with requests from the supervisory authority. The Controller and the Processor shall cooperate, on request, with the supervisory authority in performance of its tasks. d) Designation of Data Protection Officer / Contact Person / Representative Synology’s Data Protection Team can be contacted at xxxxx://xxx.xxxxxxxx.xxx/form/privacy_issue. The Controller shall be informed immediately of any change of Data Protection Officer. e) The Controller shall be informed immediately of any inspections and measures conducted by the relevant supervisory authority as described in Point 9 of this Agreement, insofar as they relate to the processing of this Agreement. f) Insofar as the Controller is subject to an inspection by a supervisory authorities authority, an administrative or summary offence or criminal procedure, a liability claim by a Data Subject or by a third party or any other bodies, or if claim in connection with the Agreement data subjects claim rights against himprocessing by the Processor, the processor is obliged Processor shall make every effort to support the controller to the extent necessary, as far as the data processing activities carried out by the processor Controller. Further assistance duties are concerned. (7) The processor shall inform the controller of inspections carried out by or on behalf of supervisory authorities for data protection without delay. (8) The processor shall not provide information to third parties or to the data subject without the prior consent of the controller. Requests addressed directly to him shall be forwarded to the controller without delay. (9) To the extent required by law, the processor shall appoint a competent and reliable person as data protection officer. It must be ensured that there are no conflicts of interest for the data protection officer. The controller may contact the data protection officer directly. The processor shall inform the controller of the contact details of the data protection officer or of the reasons why no officer has been appointed. The processor shall immediately inform the controller of any changes described in the person of the data protection officer. (10) The data processing shall generally take place within the EU or the EEA. Any relocation to a third country may only take place with the consent of the controller and under the conditions contained in Chapter V of the GDPR and in compliance with the provisions Point 8 of this Agreement. (11g) If The Processor shall assist the processor is not established Controller in ensuring compliance with the European Union, he shall appoint a responsible contact person obligations pursuant to Articles 32 to 36 as described in the European Union Point 9 of this Agreement. h) Implementation of and compliance with all Technical and Organisational Measures necessary for this Agreement in accordance with Art. 27 Article 28 Paragraph 3 Sentence 2 Point c, Article 32 GDPR. The contact details of the contact person , as well as all changes detailed in the contact person must be communicated to the controller without delayAppendix. (12) The processor shall comply with all principles set out by the GÉANT Data Protection Code of Conduct in its most current version, which will be made available to the processor by the controller upon request.

Obligations of the Processor. 1. The Processor Processes Personal Data only on the Controller’s documented instruction contained in this Agreement, agreement or otherwise transferred to the Processor, which also applies to the transfer of Personal Data to a third country or international organization, unless it is required to do so by law. In such case, before processing begins, the Processor will inform the Controller of such legal obligation. 2. The Processor may use the services of other processors that will act as a subcontractor in the provision of services under the Agreement, to which the Controller agrees. The list of other processors (1hereinafter: the “List") referred to in the previous sentence is attached as Appendix 1 to this Agreement. 3. Where specific Processing activities are performed on behalf of the Controller, the Processor, using the services of another processing entity referred to in para. 2 above, imposes on such other processor, under an agreement for further entrustment of Personal Data Processing, the same data protection obligations as those indicated in this Agreement, in particular the obligation to provide sufficient guarantees for the implementation of appropriate technical and organizational measures so that the Processing meets the requirements of the GDPR. If such other processor fails to fulfil its data protection obligations, the Processor will bear full liability towards the Controller for fulfilling the obligations of that other processor. 4. The Processor informs the Controller of any intended changes regarding the addition or replacement of other processors on the List. Within 21 days from the date of notification, the Controller may object to such changes, in which objection it will explain the grounds for non- acceptance of a new processor. Raising an objection means no consent to the addition or replacement of such a processor for further entrustment of Processing of Personal Data provided pursuant to this Agreement. In such case, unless it is possible to provide services under the Agreement, with the exclusion of the processor to which the Controller has objected, the Parties will have the right to terminate the Agreement with immediate effect. 5. When processing Personal Data, the Processor is obliged to maintain strict confidentiality during processing apply technical and shall process personal data organizational measures to ensure the protection of Personal Data, in accordance with Article 32 GDPR, and in particular the Processor will secure Personal Data against disclosure to unauthorized persons, loss, damage or destruction, including, but not limited to: a) pseudonymization and encryption of Personal Data; b) capability to continuously ensure the confidentiality, integrity, availability and resilience of Processing systems and services; c) capability to quickly restore the availability of Personal Data and access to the same in the event of a physical or technical incident; d) regular testing, measuring and assessing the effectiveness of technical and organizational measures to ensure security of Processing. 6. In order to perform the obligation referred to in the previous paragraph, the Processor is obliged to keep documentation describing the method of Personal Data Processing and the means indicated in the previous paragraph. 7. Any activities for Personal Data Processing may only as contractually agreed be undertaken by Personnel members who have previously obtained a written authorization from the Processor. Each authorization or as instructed its withdrawal must be entered by the controllerProcessor in the “Register of Persons Authorized to Process Personal Data”, unless which should contain the processor is required by law to carry out a specific processing activity. If such obligations exist for following data: a) first name and surname of the processorauthorized person, the processor shall notify the controller thereof prior to processingb) date of granting and expiry, unless such notification is prohibited by law. Furthermore, the processor shall not use the data provided for processing for any other purpose, in particular for his own purposes. (2) The processor assures that the persons employed by him for processing have been made familiar with the relevant provisions of data protection and this Agreement prior to commencement of processing. Appropriate training and awareness-raising measures shall be repeated at regular intervals. The processor shall ensure that persons assigned to data processing activities are instructed and monitored appropriately on an ongoing basis with regard to the fulfilment of data protection requirements as well as the provisions resulting from this Agreementscope of authorization to access Personal Data, c) identifier, such as if Personal Data Processing is carried out using the controller’s authority to issue directives and purpose limitationInformation System. (3) Persons who may gain knowledge 8. Personnel Members whom the Processor will use in performing this Agreement will be obliged by the Processor to keep confidentiality of Personal Data and apply protection measures for Processing of the data processed on behalf of the controller must commit in writing to maintain confidentiality, unless they are already legally subject to a relevant confidentiality obligationsame. (4) 9. The processor confirms that he is aware of the relevant general data protection regulations. He shall comply with the principles of proper data processing and ensure proper data processing by means of ongoing monitoring and regular checks. (5) In connection with the commissioned data processing, the processor shall assist the controller in drawing up and updating the record of data processing activities and in carrying out the data protection impact assessment. All necessary information and documentation shall be provided and forwarded to the controller upon request. (6) If the controller is subject to an inspection by supervisory authorities or other bodies, or if data subjects claim rights against him, the processor Processor is obliged to support train the controller to Personnel in the extent necessary, as far as ways of securing the data processing activities carried out by the processor are concernedProcessed Personal Data. (7) The processor shall inform 10. Where applicable, the controller of inspections carried out by or on behalf of supervisory authorities for data protection without delay. (8) The processor shall not provide information to third parties or to Processor, taking into account the data subject without the prior consent nature of the controller. Requests addressed directly Processing and the information available to him shall be forwarded it, will assist the Controller and provide necessary information in order for the Controller to the controller without delay. (9) To the extent required properly fulfil its obligations provided for by law, the processor shall appoint a competent and reliable person as data protection officer. It must be ensured that there are no conflicts of interest for the data protection officer. The controller may contact the data protection officer directly. The processor shall inform the controller of the contact details of the data protection officer or of the reasons why no officer has been appointed. The processor shall immediately inform the controller of any changes in the person of the data protection officer. (10) The data processing shall generally take place within the EU or the EEA. Any relocation to a third country may only take place with the consent of the controller and under the conditions contained particular those specified in Chapter V of the GDPR III and in compliance with the provisions of this Agreement. (11) If the processor is not established in the European Union, he shall appoint a responsible contact person in the European Union in accordance with Art. 27 GDPR. The contact details of the contact person as well as all changes in the contact person must be communicated to the controller without delay. (12) The processor shall comply with all principles set out by the GÉANT Data Protection Code of Conduct in its most current version, which will be made available to the processor by the controller upon request.Article 32-36

Obligations of the Processor. (1a) The processor is obliged to maintain strict confidentiality during processing and shall process personal data only as contractually agreed or as instructed by the controller, unless the processor is required by law to carry out a specific processing activity. If such obligations exist for the processor, the processor shall notify the controller thereof prior to processing, unless such notification is prohibited by law. Furthermore, the processor shall not use the data provided for processing for any other purpose, in particular for his own purposes. (2) The processor assures that the persons employed by him for processing have been made familiar with the relevant provisions of data protection and this Agreement prior to commencement of processing. Appropriate training and awareness-raising measures shall be repeated at regular intervals. The processor Processor shall ensure that persons assigned authorised by the Processor to process the personal data processing activities are instructed and monitored appropriately on an ongoing basis with regard to the fulfilment of data protection requirements as well as the provisions resulting from this Agreement, such as the controller’s authority to issue directives and purpose limitation. (3) Persons who may gain knowledge of the data processed on behalf of the controller must commit Controller, in writing to maintain confidentialityparticular the Processor's employees as well as employees of any Subprocessors, unless they are already legally subject to a relevant binding obligation of confidentiality obligationand that such persons process any personal data to which they have access in compliance with the Controller's instructions. (4b) The processor confirms that he is aware Processor shall implement the technical and organisational measures as specified in Annex 2 before processing the personal data on behalf of the relevant general data protection regulationsController. He shall comply with The Processor may amend the principles of proper data processing technical and ensure proper data processing by means of ongoing monitoring organisational measures from time to time provided that the amended technical and regular checksorganisational measures are not less protective than those set out in Annex 2. (5c) In connection The Processor shall make available to the Controller any information necessary to demonstrate compliance with the commissioned obligations of the Processor relating to information security as required by Applicable data processingprotection law and by this Schedule to the extent applicable to the Services. The Processor is in particular obliged to allow for and contribute to audits (e.g., providing audit reports and/or other relevant information or certificates to Controller upon Controller's request) or on-site inspections, conducted by the processor Controller or another auditor mandated by the Controller in relation to the processing of the personal data. The Processor’s contribution to such audits shall assist be proportionate to the controller in drawing up nature and updating purpose of the record processing and subject to receipt by the Processor of reasonable notice. (d) The Processor shall notify the Controller (using the contact details provided by the Controller) without undue delay of becoming aware of a personal data breach and the Processor will provide reasonable assistance to the Controller with the Controller's obligation under Applicable Data Protection Laws to inform the data subjects and the supervisory authorities, as applicable, by providing the necessary information taking into account the nature of the processing activities and in carrying out the information available to the Processor. For the avoidance of doubt, these obligations shall not be construed as an acknowledgement by the Processor of any liability for a Personal Data Breach or failure to prevent it. (e) The Processor shall provide reasonable assistance (taking account of the nature of the processing and the information available to the Processor) to the Controller with its obligation under Applicable Data Protection Laws, to carry out: a. a data protection impact assessment. All necessary information and documentation shall be provided and forwarded ; and b. prior consultation with the supervisory authorities that relates to the controller upon requestServices provided by the Processor to the Controller under this Schedule by providing the necessary and available information to the Controller on reasonable request to allow it to meet its obligations under the Applicable Data Protection Laws. (6f) If The Processor shall, at the controller is subject to an inspection by supervisory authorities option of the Controller, delete or other bodies, or if data subjects claim rights against him, the processor is obliged to support the controller return to the extent necessary, as far as the Controller all personal data processing activities carried out which are processed by the processor are concernedProcessor on behalf of the Controller under this Schedule after the end of the provision of the Services, and delete any existing copies unless Applicable Data Protection Laws require the Processor to retain such personal data. For the avoidance of doubt, this obligation shall not be infringed by the shredding of material containing personal data which was provided to the Processor by the Controller for destruction in the normal course of the Services. (7g) The processor Processor shall inform the controller of inspections carried out by or on behalf of supervisory authorities for designate a data protection without delay. (8) The processor shall not provide information officer and/or a representative, to third parties or to the data subject without the prior consent of the controller. Requests addressed directly to him shall be forwarded to the controller without delay. (9) To the extent required by law, the processor shall appoint a competent and reliable person as data protection officer. It must be ensured that there are no conflicts of interest for the data protection officerApplicable Data Protection Law. The controller may contact the data protection officer directly. The processor Processor shall inform the controller of the provide contact details of the data protection officer or of and/or representative, if any, to the reasons why no officer has been appointed. The processor shall immediately inform the controller of any changes in the person of the data protection officerController. (10h) The Processor shall not process personal data processing shall generally take place within the EU or the EEA. Any relocation to a third country may only take place with the consent outside of the controller and under country where the conditions contained in Chapter V of personal data was originally received from the GDPR and in compliance with the provisions of this AgreementController. (11) If the processor is not established in the European Union, he shall appoint a responsible contact person in the European Union in accordance with Art. 27 GDPR. The contact details of the contact person as well as all changes in the contact person must be communicated to the controller without delay. (12) The processor shall comply with all principles set out by the GÉANT Data Protection Code of Conduct in its most current version, which will be made available to the processor by the controller upon request.

Obligations of the Processor. (1) . The processor is obliged to maintain strict confidentiality during processing and Processor shall only process personal data only as contractually agreed or as instructed by the controllerController, unless the processor Processor is required by law legally obliged to carry out a specific processing activitytype of data processing. If Should the Processor be bound by such obligations exist for the processorobligations, the processor shall notify is to inform the controller Controller thereof prior to processingprocessing the data, unless such notification informing him/her is prohibited by lawillegal. Furthermore, the processor Processor shall not use the data provided for processing for any other purpose, in particular for his own purposesspecifically his/her own. (2) . The processor assures Processor confirms that he/she is aware of the persons employed by him for processing have been made familiar with applicable legal provisions on data protection. He is to observe the relevant provisions principles of correct data protection and this Agreement prior to commencement of processing. 3. Appropriate training and awareness-raising measures The Processor shall be repeated at regular intervals. The processor shall ensure that persons assigned obliged to data maintain strict confidentiality when processing activities are instructed and monitored appropriately on an ongoing basis with regard to the fulfilment of data protection requirements as well as the provisions resulting from this Agreement, such as the controller’s authority to issue directives and purpose limitationdata. (3) Persons 4. Any individuals who may gain knowledge of could have access to the data processed on behalf of the controller Controller must commit be obliged in writing to maintain confidentiality, unless they are already legally subject required to a relevant confidentiality obligationdo so via another written agreement. (4) 5. The processor confirms Processor shall ensure that he is the individuals he/she employs, who are to process the data, have been made aware of the relevant general data protection regulationsprovisions as well as this contract before starting to process the data. He The corresponding training and sensitization measures are to be appropriately carried out on a regular basis. The Processor shall comply ensure that the individuals tasked with processing the principles data are adequately instructed and supervised on an ongoing basis in terms of proper fulfilling data processing and ensure proper data processing by means of ongoing monitoring and regular checksprotection requirements. (5) 6. In connection with the commissioned data processing, the processor shall assist Processor must support the controller in drawing up Controller when designing and updating the record list of data processing activities and in carrying out implementing the data protection impact assessment. All necessary information data and documentation shall required are to be provided and forwarded made immediately available to the controller Controller upon request. (6) If 7. Should the controller is Controller be subject to an the inspection by of supervisory authorities or any other bodies, bodies or if data subjects claim should affected persons exercise any rights against himthe Controller, then the processor is Processor shall be obliged to support the controller Controller to the extent necessaryrequired, as far as if the data processing activities carried out by the processor are concerned. (7) The processor shall inform the controller of inspections carried out by or being processed on behalf of supervisory authorities for data protection without delaythe Controller is affected. (8) The processor shall not provide information 8. Information may be provided to third parties or by the Processor solely with the Controller’s prior consent. Inquiries sent directly to the data subject without the prior consent of the controller. Requests addressed directly to him shall Processor will be forwarded to the controller without delayController. (9) To the extent required by law. If he/she is legally obliged to do so, the processor Processor shall appoint a competent professional and reliable person individual as the authorized data protection officer. It must be ensured that there are no the officer does not have any conflicts of interest for interest. In the data protection officer. The controller may event of any doubts, the Controller can contact the data protection officer directly. The processor shall inform Processor is to then immediately notify the controller of the contact details of the data protection officer or of the reasons provide a reason as to why no a data protection officer has not been appointed. The processor shall immediately Processor is to inform the controller Controller of any changes in to the person status of the data protection officerofficer or of any changes to his in-house tasks. (10) The . Any data processing shall generally take place within may only be carried out in the EU or the EEAEEC. Any relocation change to a third third- party country may only take place with the Controller’s consent of the controller and under in accordance with the conditions contained stipulated in Chapter chapter V of the GDPR and in compliance with the provisions of this Agreementcontract. (11) If the processor is not established in the European Union, he shall appoint a responsible contact person in the European Union in accordance with Art. 27 GDPR. The contact details of the contact person as well as all changes in the contact person must be communicated to the controller without delay. (12) The processor shall comply with all principles set out by the GÉANT Data Protection Code of Conduct in its most current version, which will be made available to the processor by the controller upon request.

Obligations of the Processor. 1. The Processor shall be a processor within the meaning of Art 4(8) GDPR with respect to any information pursuant to Section 1.2 of this Agreement that relates to identified or identi- fiable persons within the meaning of Art 4(1) GDPR (1"personal data") that is provided to it in connection with the performance of the activities referred to in Section 1.1. 2. The processor is Processor undertakes to process data and processing results during the performance of the activities described under item 1.1 exclusively within the scope of the Controller's written orders. If the Processor receives an official order to release data of the Controller, the Processor shall - to the extent permitted by law - immediately inform the Controller thereof and refer the authority to the Controller. Similarly, processing of the data for the Pro- cessor's own purposes requires a written order. 3. The Processor declares in a legally binding manner that it has obliged all persons entrusted with the data processing to maintain strict confidentiality during processing and shall process personal data only as contractually agreed or as instructed by the controller, unless the processor is required by law to carry out a specific processing activity. If such obligations exist for the processor, the processor shall notify the controller thereof prior to processing, unless such notification is prohibited by law. Furthermore, the processor shall not use the data provided for processing for any other purpose, in particular for his own purposes. (2) The processor assures that the persons employed by him for processing have been made familiar with the relevant provisions of data protection and this Agreement prior to commencement of processingthe activity or that they are subject to an appropriate legal obligation of confidentiality within the meaning of Art 28 (3) lit b DSGVO and Section 6 DSG. Appropriate training In particular, the confidentiality obligation of the persons entrusted with the data processing shall remain in force even after termination of their activity and awareness-raising measures shall be repeated at regular intervalsleaving the Processor. 4. The processor Processor declares in a legally binding manner that it has taken sufficient measures to ensure the security of processing in accordance with Art 32 GDPR in order to prevent data from being used in an unlawful manner or from being made accessible to third parties with- out authorisation (for details, see xxxxx://xxx.xxxxx/wp-content/uploads/7/0/0000460307/an- lage-i-auftragsverarbeitung.pdf). 5. The Processor shall take the technical and organisational measures to ensure that persons assigned the Con- troller can fulfil the rights of the data subject under Chapter III of the GDPR (duty to inform, right to information, right to rectification and deletion, data processing activities are instructed and monitored appropriately on an ongoing basis with regard to the fulfilment of data protection requirements portability, objection, as well as automated decision-making in individual cases) within the provisions resulting from statutory time limits at any time and shall provide the Controller with all information necessary for this Agreement, such as purpose. If a request to this effect is addressed to the controller’s authority Processor and if the Processor indicates that the applicant mistakenly believes it to issue directives and purpose limitation. (3) Persons who may gain knowledge be the principal of the data processed on behalf processing carried out by it, the Proces- sor shall immediately forward the request to the principal and inform the applicant accord- ingly. The Processor shall be entitled to reasonable remuneration for the assistance. 6. The Processor shall support the Controller in complying with the obligations set out in Art 32 to 36 GDPR (data security measures, prompt notifications of personal data breaches to the supervisory authority, notification of the controller must commit in writing to maintain confidentialityperson affected by a personal data breach, unless they are already legally subject to a relevant confidentiality obligation. (4) The processor confirms that he is aware of the relevant general data protection regulations. He shall comply with the principles of proper data processing and ensure proper data processing by means of ongoing monitoring and regular checks. (5) In connection with the commissioned data processing, the processor shall assist the controller in drawing up and updating the record of data processing activities and in carrying out the data protection impact assessment, prior consultation). 7. All necessary information and documentation The Processor is advised that it must set up a processing directory for the present commis- sioned processing in accordance with Art 30 DSGVO. 8. With regard to the processing of the data provided by the Controller, the Controller shall be provided granted the right to inspect and forwarded control the data processing facilities at any time, including through third parties commissioned by the Client. The Processor undertakes to provide the controller upon requestController with the information necessary to monitor compliance with the obligations set out in this agreement. (6) If the controller is subject to an inspection by supervisory authorities or other bodies, or if data subjects claim rights against him, the processor 9. The Processor is obliged to support the controller to the extent necessarydestroy all processing results and documents containing data on its behalf after termination of this Processing Agreement. Display may, as far as however, further process the data processing activities carried out by itself as a data controller in the processor are concernedpublic interest for archival purposes. (7) 10. The processor Processor shall inform the controller of inspections carried out Controller without undue delay if it believes that an instruction given by the Controller violates EU or on behalf of supervisory authorities for Member State data protection without delayprovisions. (8) The processor shall not provide information to third parties or to the data subject without the prior consent of the controller. Requests addressed directly to him shall be forwarded to the controller without delay. (9) To the extent required by law, the processor shall appoint a competent and reliable person as data protection officer. It must be ensured that there are no conflicts of interest for the data protection officer. The controller may contact the data protection officer directly. The processor shall inform the controller of the contact details of the data protection officer or of the reasons why no officer has been appointed. The processor shall immediately inform the controller of any changes in the person of the data protection officer. (10) The data processing shall generally take place within the EU or the EEA. Any relocation to a third country may only take place with the consent of the controller and under the conditions contained in Chapter V of the GDPR and in compliance with the provisions of this Agreement. (11) If the processor is not established in the European Union, he shall appoint a responsible contact person in the European Union in accordance with Art. 27 GDPR. The contact details of the contact person as well as all changes in the contact person must be communicated to the controller without delay. (12) The processor shall comply with all principles set out by the GÉANT Data Protection Code of Conduct in its most current version, which will be made available to the processor by the controller upon request.