Common use of Obligations of the Processor Clause in Contracts

Obligations of the Processor. 1.1. The Participating Partners acknowledge that for the purposes of the Data Protection Legislation, the Participating Partners are [Joint Controller] [Controllers of their respective Personal Data] and the Lead Authority is the Processor of the Personal Data. 1.2. The Lead Authority shall process the Personal Data on behalf of the Participating Partners only to the extent, and in such a manner, as is necessary for the purposes specified in the Appendix to this Schedule 2 and in accordance with the Participating Partner’s instructions from time to time and shall not process the Personal Data for any other purpose. The Lead Authority will keep a record of any processing of Personal Data it carries out on behalf of the Participating Partners. 1.3. The Lead Authority shall promptly comply with any request from the Participating Partners requiring the Lead Authority to amend, transfer or delete the Personal Data. 1.4. Where the Lead Authority is collecting Personal Data on behalf of the Participating Partners, the Lead Authority shall only collect Personal Data via a suitable form approved by the Participating Partners in advance of its use which will contain a privacy notice informing the Data Subject of the identity of the [Joint] Controller[s] and the Processor, the identity of any data protection representative it may have appointed, the purpose or purposes for which the Data Subject’s Personal Data will be processed and any other information required under the Data Protection Legislation and any other information which is deemed necessary having regard to the specific circumstances in which the Personal Data is, or is to be, processed to enable processing in respect of the Data Subject to be fair. The Lead Authority shall not modify or alter the form in any way without the prior written consent of the Participating Partners. 1.5. 
If the Lead Authority or one of the Other Authorities receives any complaint, notice or communication which relates directly or indirectly to the processing of the Personal Data or to any of the Participating Partners' compliance with the Data Protection Legislation in relation to this Agreement, it shall immediately notify the Participating Partners and the parties will fully co-operate and assist each other in relation to any such complaint, notice or communication including providing full details and copies of the complaint, communication or request and providing such assistance in a timely manner so that the Participating Partners can comply to their obligation within the timescales set out in the Data Protection Legislation; 1.6. At the Participating Partner's request, the Lead Authority shall provide the Participating Partners with a copy of all Personal Data held by it in the format and on the media reasonably specified by the Participating Partners. 1.7. The Lead Authority shall not transfer the Personal Data outside the European Economic Area without the prior written consent of the Participating Partners. 1.8. The Lead Authority will promptly and without undue delay notify the Participating Partners if any Personal Data is lost or destroyed or becomes damaged, corrupted, or unusable. The Lead Authority will restore such Personal Data at its own expense. 1.9. The Lead Authority and the Other Authorities will immediately and without undue delay notify all the Participating Partners if it becomes aware of: a) any accidental, unauthorised or unlawful processing of the Personal Data; or b) any Personal Data Breach. 1.10. 
Where the Lead Authority becomes aware of (a) and/or (b) above, it shall, without undue delay, also provide the Participating Partners with the following information: a) description of the nature of (a) and/or (b), including the categories and approximate number of both Data Subjects and Personal Data records concerned; b) the likely consequences; and c) description of the measures taken, or proposed to be taken to address (a) and/or (b) above, including measures to mitigate its possible adverse effects. 1.11. Immediately following any unauthorised or unlawful Personal Data processing or Personal Data Breach, the parties will co-ordinate with each other to investigate the matter. The [Participating Partners] [Lead Authority] will reasonably co-operate with the [Lead Authority’s] [relevant Participating Partner’s] handling of the matter, including: a) assisting with any investigation; b) providing the Lead Authority with physical access to any facilities and operations affected; c) facilitating interviews with the [Participating Partner's] [Lead Authority’s] [Other Authorities] employees, former employees and others involved in the matter; d) making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by the Participating Partners; and e) taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or unlawful Personal Data processing. 1.12. The Participating Partners will not inform any third party of any Personal Data Breach without agreement of the Participating Partners where the parties are acting as Joint Controllers or the relevant Participating Partner if the parties are acting as individual Controllers, except when required to do so by law. 1.13. 
The Lead Authority agrees that the Participating Partners acting as [Joint Controller] [individual Controllers] has the sole right to determine: a) whether to provide notice of the Personal Data Breach to any Data Subjects, supervisory authorities, regulators, law enforcement agencies or others, as required by law or regulation or in the Participating Partner's discretion, including the contents and delivery method of the notice; and b) whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy. 1.14. [The Lead Authority will cover all reasonable expenses associated with the performance of the obligations under clause 1.9 and clause 1.11 unless the matter arose from one of the Other Authority's specific instructions, negligence, wilful default or breach of this Agreement, in which case that Participating Partner will cover all reasonable expenses.] 1.15. [The Lead Authority will also reimburse the Participating Partners for actual reasonable expenses that the Participating Partners incurs when responding to a Personal Data Breach to the extent that the Lead Authority caused such a Personal Data Breach, including all costs of notice and any remedy as set out in clause 1.13.]

Appears in 1 contract

Samples: Partnership Agreement


Obligations of the Processor. 1.1. The Processor shall make sure that all processing of the Personal Data is conducted in accordance with relevant provisions of any applicable Data Protection Legislation. The Processor specifically undertakes that it shall process Personal Data only in accordance with the Agreement and in accordance with the Controller’s instructions (including the instructions attached hereto in Schedule 1). The Processor shall immediately notify the Controller if, in its opinion, any instructions implies a breach of Data Protection Legislation. However, the Processor shall not be obliged to verify whether any instruction given by the Controller complies with Data Protection Legislation. The Processor shall ensure that its personnel engaged in the processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and are subject to obligations of confidentiality during the persons’ engagement with the Controller. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk to protect the Personal Data that is Processed on behalf of the Controller. A description of the Processor’s security principles and measures is listed in schedule 2 of this DPA. 
Taking into account the nature of the processing, the Processor shall assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising the Data Subject’s rights laid down in Chapter III of the GDPR. The Processor shall notify the Controller without undue delay, and no later than 24 hours, after becoming aware of a personal data breach. Taking into account the nature of processing and the information available to the Processor, the Processor shall provide reasonable assistance to the Controller as may be necessary to satisfy any notification obligations required under Articles 33 or 34 of the GDPR related to any Personal Data Breach. The Processor shall, at the choice of the Controller, delete or return all the Personal Data to the Controller after the end of the provision of services relating to Processing, and deletes existing copies unless Union or Member State law requires storage of the Personal Data.

Appears in 1 contract

Samples: Customer Agreement

Obligations of the Processor. (a) The Processor shall ensure that persons authorised by the Processor to process the personal data on behalf of the Controller, in particular the Processor's employees as well as employees of any Subprocessors, are subject to a binding obligation of confidentiality and that such persons process any personal data to which they have access in compliance with the Controller's instructions. (b) The Processor shall implement the technical and organisational measures as specified in Annex 2 before processing the personal data on behalf of the Controller. The Processor may amend the technical and organisational measures from time to time provided that the amended technical and organisational measures are not less protective than those set out in Annex 2. (c) The Processor shall make available to the Controller any information necessary to demonstrate compliance with the obligations of the Processor relating to information security as required by applicable data protection law and by this DPA. The Processor is in particular obliged to allow for and contribute to audits (e.g., providing audit reports and/or other relevant information or certificates to Controller upon Controller's request) or on-site inspections, conducted by the Controller or another auditor mandated by the Controller. 
The Processor’s contribution to such audits shall be proportionate to the nature and purpose of the processing and subject to receipt by the Processor of reasonable notice. (d) The Processor shall notify the Controller without undue delay of a Security Breach at the Processor or its Subprocessors after the Processor becomes aware of such a Security Breach and in this case the Processor will assist the Controller with the Controller's obligation under applicable data protection law to inform the data subjects and the supervisory authorities, as applicable, by providing the necessary information taking into account the nature of the processing and the information available to the Processor. (e) The Processor shall provide reasonable assistance to the Controller with its obligation to carry out a data protection impact assessment and prior consultation with the supervisory authorities that relates to the Services provided by the Processor to the Controller under this DPA by means of providing the necessary and available information to the Controller. (f) The Processor shall, at the option of the Controller, delete or return to the Controller all personal data which are processed by the Processor on behalf of the Controller under this DPA after the end of the provision of the Services, and delete any existing copies unless European Union or Member State law requires the Processor to retain such personal data. For the avoidance of doubt, this obligation shall not be infringed by the shredding of material containing personal data which was provided to the Processor by the Controller for destruction in the normal course of the Services. 
(g) The Processor shall provide to the Controller the records of processing activities relating to the Services under this DPA, to the extent necessary for the Controller to comply with its obligation to maintain records of processing activities. (h) The Processor shall designate a data protection officer and/or a representative, to the extent required by applicable data protection law. The Processor shall provide contact details of the data protection officer and/or representative, if any, to the Controller.

Appears in 1 contract

Samples: Data Processing Addendum

Obligations of the Processor. 1.1. In fulfilling its obligations under the Data Protection Law, the Terms and Conditions and this DPA, the Processor shall: Only process the Personal Data in so far as it is absolutely necessary for the purpose of performance of the Services and only on the documented instructions of the Controller. The Processor shall not process the Personal Data for any other purposes, as well as not process any data inferred from Personal Data. Implement all appropriate technical and organizational measures, necessary to ensure that the Processing undertaken pursuant to this DPA meets the requirements laid down by the GDPR, providing the best possible level of security appropriate to the particular risks in question and take all measures as required by Article 32 of the GDPR. When assessing the appropriate level of security, the Processor shall take into consideration the risks that are present in processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data Processed. Ensure the protection of the rights of the Data Subject as listed in chapter III of the GDPR. Make available to the Controller all information necessary to demonstrate its compliance with its obligations under the GDPR and this DPA, including to allow for and contribute to audits and inspections conducted by the Controller or any other auditor as mandated by the Controller. 
For the avoidance of doubt, the right to conduct audits and/or inspections shall also include a right of the Controller, including its auditors, to access the Processor's premises, software, documentation and employees as may be reasonably required to carry out such audit and/or inspection. Inform the Controller if, in its opinion, the instructions of the Controller infringe the GDPR or any other Data Protection Law. Maintain a record of the Processing being undertaken on behalf of the Controller in accordance with Article 30 of the GDPR, a copy of which shall be made available to a Supervisory Authority and the Controller on request. Appoint a data protection officer, where required. 
Allow the Controller the right to: Access the Personal Data processed on its behalf at any time; Extract and/or download the Personal Data processed on its behalf at any time; Request the deletion and/or rectification of Personal Data processed on its behalf at any time; and Request implementation of its retention periods applicable to Personal Data processed hereunder, in accordance with the retention policy of the Controller which may be provided to the Processor from time to time. Not engage another processor (a “Subprocessor”) without the prior specific written authorization of the Controller. Where such authorization is given, the Processor shall ensure that the Subprocessor is bound by the same obligations set out in this DPA, including but not limited to providing sufficient guarantees to implement appropriate technical and organisational measures that meet the requirements laid down by the GDPR. For the avoidance of doubt, the Processor shall remain fully liable to the Controller for the performance of the Subprocessor’s obligations and any failure thereof. Not transfer Personal Data to a country outside of the EU/EEA without the prior written authorization of the Controller, unless required to do so by Union or Member State law to which the Processor is subject. 
In such case, the Processor shall inform the Controller of such requirement prior to Processing, unless doing so is prohibited on important grounds of public interest. Subject to the foregoing Clause 3.1.10, where Personal Data processed under this DPA is transferred to a country outside the EU/EEA, the Processor shall: ensure that such transfer is carried out in full compliance with the GDPR, notably with the Chapter V thereof; ensure that the Personal Data is adequately protected; ensure that the transfer is carried out on a basis of valid transfer mechanism, which shall be notified to the Company in advance; and be obliged to provide the Controller with all information and assistance necessary, in particular, in order to assess the adequacy of the level of protection afforded to Personal Data in the country of import and assist the Controller in any assessment carried out to this end, should SCCs be selected as a transfer mechanism. At the discretion of the Controller, promptly, and in any event within fifteen (15) business days, delete or return all Personal Data to the Controller following the termination or expiration of the agreement between the Parties, as well as delete all existing copies, as well as procuring the deletion of any copies held by Subprocessors, unless Union or Member State law requires storage of the Personal Data. The Processor shall provide written certification to the Controller that it has fully complied with this clause.
For the avoidance of doubt, supervisory authorities, regulators, law enforcement agencies or others, as required by law or regulation or in following the Participating Partner's discretion, including the contents and delivery method of the notice; and b) whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy. 1.14. [The Lead Authority will cover all reasonable expenses associated with the performance of the obligations under clause 1.9 and clause 1.11 unless the matter arose from one of the Other Authority's specific instructions, negligence, wilful default or breach termination of this AgreementDPA, in which case the Processor shall not Process Personal Data, save for their storage until their return or deletion pursuant to the foregoing. Ensure that Participating Partner will cover all reasonable expenses.] 1.15. [The Lead Authority will also reimburse the Participating Partners for actual reasonable expenses that the Participating Partners incurs when responding to a Personal Data Breach is kept accurate and complete and shall not make any changes to the extent that the Lead Authority caused such a Personal Data Breach, including all costs of notice and any remedy except as set out in clause 1.13instructed by the Controller.]

Appears in 1 contract

Samples: Data Processing Agreement

Obligations of the Processor. The Processor shall process the Controller’s Data only on behalf of the Controller and solely for the purposes specified by the Controller. In particular, the Processor shall:

a. Process the Controller’s Data only in accordance with (i) this DPA; (ii) the instructions regarding processing of Controller’s Data provided by the Controller; and (iii) Applicable Data Protection Law. If the Processor, in order to comply with Applicable Data Protection Law, is obliged to deviate from the provisions of this DPA and/or the Controller’s instructions, the Processor shall, without undue delay and before further processing of the Controller’s Data, inform the Controller of such mandatory requirements, unless providing such information violates mandatory law.

b. Implement such technical, physical, administrative and organisational security measures as required by Article 32 GDPR and appropriate to the risk that the processing of the Controller’s Data may impose on the rights and freedoms of data subjects. In assessing the appropriate security levels, and taking appropriate measures, the Processor shall ensure that account is taken in particular of the risks for accidental or unlawful destruction, loss or alteration and of the risks of unauthorised disclosure of, or unauthorised access to, the Controller’s Data as well as of the risk of personal data breaches.

c. Ensure that individuals authorised to process Controller’s Data have committed to confidentiality or are under an appropriate statutory confidentiality obligation.

d. Ensure that individuals processing Controller’s Data have undergone relevant training in relation to the processing of the Controller’s Data.

e. Assist the Controller by ensuring that the Controller’s obligations under Applicable Data Protection Law and the DPA are complied with, for example, but not limited to regarding the performance of data protection impact assessments or audits performed by competent supervisory authorities.

f. Assist the Controller by implementing appropriate technical and organisational measures to comply with Controller’s obligations in relation to data subjects’ requests to exercise their rights under Articles 12-23

Appears in 1 contract

Samples: Data Processing Agreement

Obligations of the Processor. The Processor guarantees the implementation of and compliance with all necessary technical and organisational measures pursuant to Art 28 para 3 lit c) and Art 32 GDPR. These measures must comply with the state of the art throughout the term of the contract. In particular, it must be ensured that the personal data are protected against accidental or unlawful destruction and loss, that they are used properly and that they are not accessible to unauthorised persons. The level of protection provided by the Processor shall be appropriate with regard to the risks posed by the processing operations. The applicable technical and organizational measures are listed in the Online Services Terms (OST) of Microsoft available at xxxxx://xxx.xxxxxxxxx.xxx/en-us/li- censing/product-licensing/products. These measures currently taken in this context may subsequently only be exceeded, but never undercut. The Processor shall guarantee that the technical and organisational measures specified in the OST are appropriate with regard to the risk for the persons concerned. The Processor shall regularly review his internal processes and technical and organisational measures to ensure that the processing is carried out in accordance with all applicable legal requirements and that the rights of the data subjects are protected.

The Processor guarantees that he has committed the persons authorised to process personal data to maintain confidentiality and in particular to observe data secrecy, which must also be observed after termination of the employment contract with the Processor, and that the Processor has trained these persons accordingly in dealing with personal data.

The Processor shall support the Controller with appropriate technical and organisational measures to enable the Controller to fulfil his obligation to respond to enquiries or requests from data subjects in connection with their rights, in particular with regard to access to personal data, rectification, erasure, restriction of processing, data portability and objection. Particularly in the case of requests for access by data subjects, the Processor shall make the personal data of such persons available to the Controller in a structured and machine-readable format. In the event that the Processor is contacted directly by the data subject, he will inform the Controller immediately and provide appropriate assistance.

The Processor shall also assist the Controller in ensuring compliance with the obligations pursuant to Art 32 to 36 GDPR, considering the nature of processing and the information available to the Processor. The Processor shall assist and enable the Controller to notify the supervisory authority in a timely manner in the event of breaches of the protection of personal data and shall inform the Controller without undue delay at least of the following: a description of the nature of the breach of the protection of personal data, indicating where possible the categories and approximate number of persons concerned, the categories of data concerned and the approximate number of personal data records involved; and a description of the likely consequences of the breach of the protection of personal data and a description of the measures taken or at least proposed to remedy the breach of the protection of personal data and, where appropriate, possible measures to mitigate any adverse effects. The Processor must further document all violations of the protection of personal data and all related facts, effects and the proposed remedial measures and make this documentation available to the Controller without delay. The Processor shall also assist the Controller to ensure that the data subjects may be notified without delay. In addition, the Processor must take all reasonable steps to protect the personal data from further data protection violations of a similar nature and to mitigate adverse effects.

The Processor shall also inform the Controller immediately if and to what extent personal data of the Controller became or may become subject of seizure, execution measures or measures in the context of insolvency proceedings or other measures of this or similar nature. The Processor shall also immediately inform the Controller of any orders, audits or other inquiries by a supervisory authority or other authorities concerning the personal data of the Controller. The Processor shall provide reasonable assistance to the Controller in defending claims for alleged or actual breach of data protection laws or in the event of any regulatory or other authority acting in connection with the processing of such data by the Processor or an authorised sub-processor.

The Processor shall assist the Controller in carrying out any data protection impact assessment, in particular provide the Controller with all information necessary for carrying out this data protection impact assessment. In the event that prior consultation of the supervisory authority is necessary (Art 36 GDPR), the Processor will assist the Controller to the extent possible in the consultation itself, but also already in the evaluation of whether consultation is necessary.

Appears in 1 contract

Samples: Terms of Service

Obligations of the Processor. The Processor undertakes to carry out processing of personal data in respect of the agreed personal data solely in accordance with the instructions provided by the Controller under Item 5, below, unless such processing is required under union Law or the national law of a Member State to which the Controller is subject. In such cases, the Processor must notify the Controller about the legal requirement before the data is processed, provided such information is not prohibited with reference to a substantial public interest under this law.

The Processor certifies that requisite technical and organizational protective measures are taken regarding the personal data, to ensure the processing complies with the provisions of the GDPR and protects the rights of the data subjects. The Processor ensures that persons within its organization with the authority to process personal data are subject to confidentiality and under a non-disclosure agreement. Moreover, the Processor undertakes to give the Controller access to all the information required in order to show it has fulfilled all obligations as processor, and enable and contribute to inspections and other reviews the Controller wishes to carry out.

Moreover, the Processor shall assist the Controller, without delay, through appropriate organizational measures in order to ensure the Controller can fulfill its obligations to respond to the requests of data subjects regarding access to personal data, correction or deletion of personal data, restriction of or objection to processing of personal data, data portability or other rights specified in the General Data Protection Regulation (GDPR). The Processor shall provide assistance to the extent required in order for the Controller to be able to fulfill its other obligations under the General Data Protection Regulation (GDPR) or other applicable legislation, such as those relating to security, reporting of and information provided to data subjects in the event of personal data breaches, impact evaluations, and prior consultations with regulatory authorities.

Appears in 1 contract

Samples: Personal Data Processing Agreement
