Obligations of the Provider. 3.1. The Provider may process personal data of data subjects only within the scope of the assignment and the documented instructions of the Customer. In the event that the Provider is obliged to process data differently as a result of national or European law, it shall inform the Customer before the start of the processing, unless that law prohibits such information on important grounds of public interest.
BOSCH and the figurative mark are registered Xxxxxx of Xxxxxx Xxxxx XxxX, Germany
3.2. The Provider shall set up the internal organisation of his area of responsibility in such a manner that it meets the specific requirements of data protection. The Provider shall take the technical and organisational measures described in Appendix 1 so as to ensure an adequate protection of the Customer's personal data. The purpose of these measures is to ensure long-term confidentiality, integrity, availability and resilience of the systems and services in connection with the processing of personal data under commission. The Customer is informed of these technical and organisational measures. It is the Customer's responsibility to ensure that these measures provide an adequate level of protection regarding the risks of personal data processing.
3.3. The Provider reserves the right to change the technical and organisational measures taken, but must guarantee that the level of protection agreed in the contract is not reduced.
3.4. To the best of his ability and within the scope of the services or under the contract, the Provider shall assist the Customer in dealing with requests and claims of data subjects according to chapter III of the GDPR and in respecting its obligations specified in Articles 32 to 36 GDPR. For these services, the Provider is entitled to adequate financial compensation.
3.5. The Provider warrants that its employees involved in the processing of the Customer's personal data and other individuals working for the Provider are prohibited from processing such personal data outside the scope of the Customer's instructions. The Provider further ensures that the individuals authorised to process personal data have signed an agreement of confidentiality or are subject to an adequate confidentiality clause. This obligation of confidentiality and secrecy shall remain in effect even beyond completion of an assignment.
3.6. The Provider shall inform the Customer without delay as soon as it becomes aware of any violation of the protection of the Customer's personal data. The Provider shall take the necessary measures to safeguard personal data and to alleviate possible disadvantageous consequences for the data subject and shall consult with the Customer in that respect without delay.
3.7. The Provider is obliged to appoint a competent and reliable Data Protection Officer according to Art. 37 GDPR to the extent and as long as the statutory prerequisites for such an obligatory appointment are in force. The Customer shall be informed of the contact data of this individual for the purpose of making direct contact. If the Provider is not obliged to appoint a Data Protection Officer, it shall give the Customer the name of the contact for any questions in relation to data protection that may arise in connection with the Agreement. Contact information is available at xxxxx://xxx.xxxxx- xx.xxx/xx/xxxxxxx-xxxxxxxxx.xxxx.
3.8. The Provider shall ensure that its obligations according to Art. 32 (1) lit. d) GDPR are complied with and put in place a process for regular examination of the effectiveness of the technical and organisational measures to ensure the safety of processing.
3.9. The Customer is responsible for correction and erasure of personal data. The same is valid for the restriction of the processing of personal data under commission (blocking).
3.10. The personal data shall be erased at the date of completion of the respective Contract. It is up to the Customer to prepare backup copies of its personal data and to move such personal data before the end of the contract. The Provider is not obliged to hand over personal data to which the Customer has direct access.
3.11. The Provider undertakes to maintain a record of data processing activities according to Art. 30 (2) GDPR.
Appears in 1 contract
Samples: Data Processing Agreement
Obligations of the Provider. 3.1. The Provider may process To the extent that DSL shall be considered a processor of Controller’s customer personal data of data subjects only within data, the scope of the assignment and the documented instructions of the Customer. In the event that the Provider is obliged to process data differently as a result of national or European law, it shall inform the Customer before start of the processing, unless that law prohibits such information on important grounds of public interest. following clauses apply:
3.2. The Provider Any additional processing of personal data shall set up only be in accordance with instruction from Controller, unless an exception applies as defined in the internal organisation GDPR. DSL shall promptly inform Controller if it believes that an instruction of his area of responsibility in Controller violates applicable laws. In such a manner that it meets cases, DSL reserves the specific requirements of data protectionright to refuse Controller’s instructions.
3.3. The Provider DSL shall take the implement technical and organisational measures described in Appendix 1 so as to protect Controller’s customer data and to ensure an adequate protection of the Customers personal data. The purpose of these measures is to ensure long-term confidentiality, integrity, availability and resilience capacity of the systems and services services. DSL shall be obliged, in connection accordance with the processing of personal data under commission. The Customer is informed of these technical and organisational measures. It is the Customer´s responsibility GDPR, to ensure that these measures provide an adequate level of protection regarding the risks of personal data processing.
3.3. The Provider reserves the right to change implement a procedure for regularly reviewing the technical and organisational measures taken, but must guarantee that designed to ensure the level security of protection agreed in the contract is not reducedprocessing.
3.4. To DSL reserves the best right to alter the agreed security measures, provided that any such amendment ensures that the agreed level of his ability and within the scope of the services or under the contract, the Provider protection shall assist the Customer in dealing with requests and claims of data subjects according to chapter III of the GDPR and in respecting its obligations specified in Articles 32 to 36 GDPR. For these services, the Provider is entitled to adequate financial compensationnot be materially diminished.
3.5. The Provider warrants DSL agrees to reasonably assist Controller in respect of any requests and claims in accordance with the GDPR.
3.6. DSL shall ensure that its employees employees, subcontractors and affiliates who may be involved in the processing of the Customers personal Controller’s data and other individuals working for the Provider are prohibited from processing such personal data outside the scope of the Customers instructions. The Provider further ensures that the individuals authorised to process personal data have signed an agreement of confidentiality or are subject to an adequate confidentiality clause. This obligation of confidentiality and secrecy shall remain act in effect even beyond completion of an assignmentaccordance with this Agreement.
3.63.7. The Provider DSL shall inform the Customer without delay as soon as it Controller promptly if DSL becomes aware of any violation of the protection of the Customers breaches which affect Controller’s personal data. The Provider shall take the necessary measures to safeguard personal data and to alleviate possible disadvantageous consequences for the data subject and shall consult with the Customer in that respect without delay.
3.7. The Provider is obliged to appoint a competent and reliable Data Protection Officer according to Art. 37 GDPR to the extent and as long as the statutory prerequisites for such an obligatory appointment are in force. The Customer shall be informed of the contact data of this individual for the purpose of making direct contact. If the Provider is not obliged to appoint a Data Protection Officer, it shall give the Customer the name of the contact for any questions in relation to data protection that may arise in connection with the Agreement. Contact information is available at xxxxx://xxx.xxxxx- xx.xxx/xx/xxxxxxx-xxxxxxxxx.xxxx.
3.8. The Provider shall ensure that its obligations according to Art. 32 (1) lit. d) GDPR are complied with and put DSL shall, once notified in place a process writing, inform Controller of any request for regular examination disclosure of the effectiveness of the technical and organisational measures to ensure the safety of processingpersonal data by authorities, unless expressly prohibited under applicable laws.
3.9. The Customer is responsible for correction and erasure of personal data. The same is valid for Controller may contact the restriction of the processing of personal data under commission (blocking)Data Protection Officer by sending an email to xxxxxxx@xxxxxxxxxxxxxxx.xxx .
3.10. The At termination of services and written request from the Controller, all customer data, personal data or otherwise, shall be erased at the date of completion of the respective Contract. It is up to the Customer to prepare backup copies of its personal data and to move such personal data before the end of the contract. The Provider is not obliged to hand over personal data to which the Customer has direct accessdeleted within an appropriate time, in accordance with applicable laws.
3.11. The Provider undertakes In the event of a claim against Controller regarding any of the rights defined under the GDPR, DSL shall provide reasonable assistance to maintain a record of data processing activities according the Controller to Art. 30 (2) GDPRavert any such claim.
Appears in 1 contract
Samples: Data Processing Agreement
Obligations of the Provider. 3.1. The Provider may process personal processes the data of data subjects only within the scope context of the assignment contractual relationship in accordance with the GTC, the Privacy Policy and the documented instructions of the Customer. In the event that the Provider is obliged to process data differently as a result of national or European law, it shall inform the Customer before start of the processingthis OPC, unless that law prohibits such information on important grounds of public interest. there is an exceptional case regulated by law.
3.2. The Provider shall set up design the internal organisation of his organization within its area of responsibility in such a manner way that it meets the specific requirements of special data protectionprotection requirements. The Provider shall take the appropriate technical and organisational organizational measures described to protect the Client’s data in Appendix 1 so as to ensure an adequate protection of accordance with the Customers personal datarespective legal requirements. The purpose of In particular, these measures is to shall continuously ensure long-term the confidentiality, integrity, availability and resilience of the systems and services in connection with the processing of personal data under commissionprocessing. The Customer Client is informed aware of these technical and organisational measures. It organizational measures and is the Customer´s responsibility to ensure responsible for ensuring that these measures they provide an adequate level of protection regarding for the risks of personal related to the data processingto be processed.
3.3. The measures taken by the Provider reserves the right to change the are specified in Annex B. The technical and organisational organizational measures takenare subject to technical progress and further development. In this respect, but must guarantee that the Provider is permitted to implement alternative adequate measures at any time. In doing so, the security level of protection contractually agreed upon in the contract is not reducedGTC must be maintained.
3.4. To the best of his ability and extent agreed, the Provider shall support the Client within the scope of its possibilities in fulfilling the services or under the contract, the Provider shall assist the Customer in dealing with requests and claims of data subjects according to chapter III of the GDPR under data protection law and in respecting its complying with the obligations specified in Articles 32 to 36 GDPRunder data protection law. For these servicesIn accordance with the GTC, the Provider is entitled to adequate financial compensationdemand an expense allowance for this support.
3.5. The Provider warrants that its employees involved in the processing of the Customers personal Client’s data and other individuals third parties working for the Provider are prohibited from processing such personal shall process the data outside exclusively within the scope context of the Customers instructions. The Provider further ensures that contractual relationship in accordance with the individuals authorised GTC, the Privacy Policy and this OPC and are obliged to process personal data have signed an agreement of confidentiality or are subject to an adequate confidentiality clause. This obligation of confidentiality and secrecy shall remain in effect even beyond completion of an assignmentmaintain confidentiality.
3.6. The If the Provider shall inform the Customer without delay as soon as it becomes aware of any violation of the protection of the Customers personal data. The Provider , it shall take the necessary reasonable measures to safeguard personal secure the data and to alleviate mitigate any possible disadvantageous adverse consequences for the data subject and subjects. In addition, the Provider shall consult fully comply with the Customer in that respect without delayapplicable legal provisions regarding the notification of data protection violations.
3.7. The Provider is obliged to appoint a competent shall fully comply with the applicable data protection provisions and reliable Data Protection Officer according to Art. 37 GDPR to shall regularly review the extent and as long as the statutory prerequisites for such an obligatory appointment are in force. The Customer shall be informed effectiveness of the contact data of this individual for technical and organizational measures to ensure the purpose of making direct contact. If the Provider is not obliged to appoint a Data Protection Officer, it shall give the Customer the name security of the contact for any questions in relation to data protection that may arise in connection with the Agreement. Contact information is available at xxxxx://xxx.xxxxx- xx.xxx/xx/xxxxxxx-xxxxxxxxx.xxxxprocessing.
3.8. The Provider shall ensure that its obligations according to Art. 32 (1) lit. d) GDPR are complied with process and put in place a process for regular examination of the effectiveness of the technical and organisational measures to ensure the safety of processing.
3.9. The Customer is responsible for correction and erasure of personal data. The same is valid for the restriction of the processing of store personal data under commission (blocking).
3.10. The personal data shall be erased at for as long as the date of completion of contractual relationship between the respective Contract. It is up to Provider and the Customer to prepare backup copies of its personal data and to move such personal data before the end of the contractClient exists. The Provider shall rectify or erase the contractual data if the Client instructs it to do so and if this is covered by the scope of the instructions. This provision shall not obliged apply to hand over personal data that is required for further processing due to which the Customer has direct access.
3.11legal regulations or for compelling internal purposes. The Provider undertakes to maintain a record release of the data processing activities according to Art. 30 (2) GDPRand the corresponding remuneration is regulated in the GTC.
Appears in 1 contract
Samples: Order Processing Contract
Obligations of the Provider. 3.1. 3.1 The Provider provider may process personal data of data subjects only within the scope of the assignment order and the documented instructions of the Customercustomer, unless there is an exceptional case in the sense of Article 28 (3) a) DS-GVO. In the event that the Provider is obliged to process data differently as a result of national or European law, it The provider shall inform the Customer before start customer without delay if it believes that an instruction violates applicable law. The provider may suspend the implementation of the processing, unless that law prohibits such information on important grounds of public interest. instruction until it has been confirmed or amended by the customer.
3.2. 3.2 The Provider provider shall set up design the internal organisation of organization within his area of responsibility in such a manner way that it meets the specific special requirements of data protection. He will take technical and organizational measures for the appropriate pro- tection of the customer's data that meet the requirements of the basic data protection regulation (Art. 32 DS-GVO). The Provider provider shall take the technical and organisational organizational measures described in Appendix 1 so as to ensure an adequate protection of the Customers personal data. The purpose of these measures is to ensure long-term confidentiality, integrity, availability and resilience of the systems and services in connection with the processing of personal data under commissionin the long term. The Customer customer is informed aware of these technical and organisational measures. It organizational measures and is the Customer´s responsibility to ensure responsible for ensuring that these measures they provide an adequate level of protection regarding for the risks of personal the data processing.
3.3to be processed. The Provider measures established by the provider are documented in a data protection declaration and are updated continuously. The provider reserves the right to change the technical and organisational security measures taken, but although it must guarantee be ensured that any security measures correspond to the state of the art and do not fall below the contractually agreed level of protection agreed in the contract is not reducedprotection.
3.4. To 3.3 If agreed, the best of his ability and provider shall support the customer within the scope of its possibilities in fulfilling the services or under the contract, the Provider shall assist the Customer in dealing with requests and claims of data subjects according to chapter affected persons in accordance with Chapter III of the GDPR DS-GVO and in respecting its complying with the obligations specified set out in Articles 32 33 to 36 GDPR. For these services, the Provider is entitled to adequate financial compensationDS-GVO.
3.5. 3.4 The Provider warrants guarantees that its the employees involved in processing the processing of the Customers personal Customer's data and other individuals persons working for the Provider are prohibited from processing such personal the data outside the scope of the Customers instructionsinstruction. The Furthermore, the Provider further ensures shall ensure that the individuals authorised persons authorized to process the personal data have signed an agreement of undertaken to maintain confidentiality or are subject to an adequate confidentiality clauseappropriate statutory duty of confidentiality. This The confidentiality/discretion obligation shall continue to apply even after termination of confidentiality and secrecy shall remain in effect even beyond completion of an assignmentthe order.
3.6. 3.5 The Provider provider shall inform the Customer without delay as soon as it customer immediately if he/she becomes aware of any violation violations of the protection of personal data of the Customers personal datacustomer. The Provider shall take the necessary measures to safeguard personal secure the data and to alleviate reduce the possible disadvantageous adverse consequences for of the data subject persons concerned and shall consult with the Customer in that respect without delay.
3.7. 3.6 The Provider is obliged to appoint provider has appointed a competent and reliable Data Protection Officer according to Art. 37 GDPR to the extent and as long as the statutory prerequisites for such an obligatory appointment are in force. The Customer shall be informed of the contact data of this individual for the purpose of making direct contact. If the Provider is not obliged to appoint a Data Protection Officer, it shall give the Customer the name of the contact for any questions in relation to data protection that may arise in connection officer if there is a legal obligation to do so. This can be reached by the customer via the following contact details: Xxxxxx Xxxxxxx, external data protection officer comdatis it-consulting, Xxxxxxxx Xxx 0, 00000 Ahaus e-mail: xxxxxxxxxxx@xxxxxxx.xx Phone: 00000-0000000 or 0000-0000000
3.7 The provider guarantees to comply with the Agreement. Contact information is available at xxxxx://xxx.xxxxx- xx.xxx/xx/xxxxxxx-xxxxxxxxx.xxxx.
3.8. The Provider shall ensure that its obligations according to under Art. 32 (1) Para. 1 lit. d) GDPR are complied with and put in place DS-GVO to implement a process for regular examination of procedure to regularly check the effectiveness of the technical and organisational measures to ensure the safety security of processingthe pro- cessing.
3.93.8 The Provider corrects or deletes the contractual data if the Customer instructs him to do so and this is covered by the scope of instructions. The Customer is responsible for correction and erasure of personal data. The same is valid for the If a data protection-compliant deletion or a corresponding restriction of data processing is not possible, the processing Provider shall undertake the data protection-compliant destruction of personal data under commission (blocking)carriers and other materials on the basis of an individual order by the Customer or return these data carriers to the Customer, unless already agreed in the contract. In special cases, to be determined by the customer, a storage or handover will take place. Remuneration and protective measures for this are to be agreed separately, if not already agreed in the contract.
3.10. The personal 3.9 Data, data shall carriers as well as all other materials must either be erased surrendered or deleted at the date of completion of the respective Contract. It is up to the Customer to prepare backup copies of its personal data and to move such personal data before customer's request after the end of the contractorder. The Provider In the case of test and reject materials, an individual order is not obliged necessary. If additional costs are incurred due to hand over personal data to which deviating specifications for the Customer has direct accesssurrender or deletion of the data, these shall be borne by the customer.
3.113.10 In the event of a claim against the customer by a person affected with regard to any claims under Art. The Provider 82 DS-GVO, the provider undertakes to maintain a record support the customer in defending the claim within the scope of his possibilities.
3.11 The provision of the contractually agreed data processing activities according takes place exclusively in a member state of the European Union or in another state that is a party to Artthe Agreement on the European Economic Area. 30 (2) GDPRAny relocation to a third country requires the prior consent of the customer.
Appears in 1 contract