Common use of Obligations of the Provider Clause in Contracts

Obligations of the Provider. 3.1. The Provider processes the data of data subjects only within the context of the contractual relationship in accordance with the GTC, the Privacy Policy and this OPC, unless there is an exceptional case regulated by law. 3.2. The Provider shall design the internal organization within its area of responsibility in such a way that it meets the special data protection requirements. The Provider shall take the appropriate technical and organizational measures to protect the Client’s data in accordance with the respective legal requirements. In particular, these measures shall continuously ensure the confidentiality, integrity, availability and resilience of the systems and services in connection with the processing. The Client is aware of these technical and organizational measures and is responsible for ensuring that they provide an adequate level of protection for the risks related to the data to be processed. 3.3. The measures taken by the Provider are specified in Annex B. The technical and organizational measures are subject to technical progress and further development. In this respect, the Provider is permitted to implement alternative adequate measures at any time. In doing so, the security level contractually agreed upon in the GTC must be maintained. 3.4. To the extent agreed, the Provider shall support the Client within the scope of its possibilities in fulfilling the requests and claims of data subjects under data protection law and in complying with the obligations under data protection law. In accordance with the GTC, the Provider is entitled to demand an expense allowance for this support. 3.5. The employees involved in the processing of the Client’s data and other third parties working for the Provider shall process the data exclusively within the context of the contractual relationship in accordance with the GTC, the Privacy Policy and this OPC and are obliged to maintain confidentiality. 3.6. If the Provider becomes aware of any violation of the protection of personal data, it shall take reasonable measures to secure the data and to mitigate any possible adverse consequences for the data subjects. In addition, the Provider shall fully comply with the applicable legal provisions regarding the notification of data protection violations. 3.7. The Provider shall fully comply with the applicable data protection provisions and shall regularly review the effectiveness of the technical and organizational measures to ensure the security of the processing. 3.8. The Provider shall process and store personal data for as long as the contractual relationship between the Provider and the Client exists. The Provider shall rectify or erase the contractual data if the Client instructs it to do so and if this is covered by the scope of the instructions. This provision shall not apply to data that is required for further processing due to legal regulations or for compelling internal purposes. The release of the data and the corresponding remuneration is regulated in the GTC.

Obligations of the Provider. 3.1. The Provider processes the may process personal data of data subjects only within the context scope of the contractual relationship in accordance with assignment and the GTCdocumented instructions of the Customer. In the event that the Provider is obliged to process data differently as a result of nation- al or European law, it shall inform the Privacy Policy and this OPCCustomer before start of the processing, unless there is an exceptional case regulated by law.that law prohibits such information on important grounds of public interest. BOSCH und die Bildmarke sind registrierte Xxxxxx der Xxxxxx Xxxxx XxxX, Deutschland 3.2. The Provider shall design set up the internal organization within its organisation of his area of responsibility in such a way manner that it meets the special specific requirements of data protection requirementsprotection. The Provider shall take the appropriate technical and organizational organisational measures described in Appendix 1 so as to protect ensure an adequate protection of the Client’s data in accordance with the respective legal requirementsCustomers personal data. In particular, The purpose of these measures shall continuously is to ensure the long-term confidentiality, integrity, availability and resilience of the systems and services in connection with the processingprocessing of personal data under commission. The Client Customer is aware informed of these technical and organizational organisational measures. It is the Customer´s responsibility to ensure that these measures and is responsible for ensuring that they provide an adequate level of protection for regarding the risks related to the of personal data to be processedprocessing. 3.3. The measures taken by Provider reserves the Provider are specified in Annex B. The right to change the technical and organizational organisational measures are subject to technical progress and further development. In this respecttaken, but must guarantee that the Provider is permitted to implement alternative adequate measures at any time. In doing so, the security level contractually of protection agreed upon in the GTC must be maintainedcontract is not reduced. 3.4. To the extent agreedbest of his ability and within the scope of the services or under the contract, the Provider shall support assist the Client within the scope of its possibilities Customer in fulfilling the dealing with requests and claims of data subjects under data protection law according to chapter III of the GDPR and in complying with the respecting its obligations under data protection lawspecified in Articles 32 to 36 GDPR. In accordance with the GTCFor these services, the Provider is entitled to demand an expense allowance for this supportadequate financial compensation. 3.5. The Provider warrants that its employees involved in the processing of the Client’s Customers personal data and other third parties individuals working for the Provider shall process are prohibited from processing such personal data outside the data exclusively within the context scope of the contractual relationship Customers instructions. The Provider further ensures that the individuals authorised to process personal data have signed an agreement of confidentiality or are subject to an adequate confidentiality clause. This obligation of confidentiality and secrecy shall remain in accordance with the GTC, the Privacy Policy and this OPC and are obliged to maintain confidentialityeffect even beyond completion of an assignment. 3.6. If The Provider shall inform the Provider Customer without delay as soon as it becomes aware of any violation of the protection of the Customers personal data, it . The Provider shall take reasonable the necessary measures to secure the safeguard personal data and to mitigate any alleviate possible adverse disadvantageous consequences for the data subjects. In addition, the Provider subject and shall fully comply consult with the applicable legal provisions regarding the notification of data protection violationsCustomer in that respect without delay. 3.7. The Provider is obliged to appoint a competent and reliable Data Protection Officer according to Art. 37 GDPR to the extent and as long as the statutory prerequisites for such an obligatory appointment are in force. The Customer shall fully comply be informed of the contact data of this individual for the purpose of making direct contact. If the Provider is not obliged to appoint a Data Protection Officer, it shall give the Customer the name of the contact for any questions in relation to data protection that may arise in connection with the applicable data protection provisions and shall regularly review the effectiveness of the technical and organizational measures to ensure the security of the processingAgreement. Contact information is available at xxxxx://xxx.xxxxx- xx.xxx/xx/xxxxxxx-xxxxxxxxx.xxxx. 3.8. The Provider shall ensure that its obligations according to Art. 32 (1) lit. d) GDPR are complied with and put in place a process for regular examination of the effectiveness of the technical and store organisational measures to ensure the safety of processing. 3.9. The Customer is responsible for correction and erasure of personal data. The same is valid for the restriction of the processing of personal data for as long as under commission (blocking). 3.10. The personal data shall be erased at the contractual relationship between date of completion of the Provider respective Contract. It is up to the Customer to prepare backup copies of its personal data and to move such personal data before the Client existsend of the contract. The Provider shall rectify or erase is not obliged to hand over personal data to which the contractual data if the Client instructs it to do so and if this is covered by the scope of the instructions. This provision shall not apply to data that is required for further processing due to legal regulations or for compelling internal purposesCustomer has direct access. 3.11. The release Provider undertakes to maintain a record of the data and the corresponding remuneration is regulated in the GTCprocessing activities according to Art. 30 (2) GDPR.

Obligations of the Provider. 3.1. The Provider processes To the extent that DSL shall be considered a processor of Controller’s customer personal data, the following clauses apply: 3.2. Any additional processing of personal data of data subjects shall only within the context of the contractual relationship be in accordance with the GTC, the Privacy Policy and this OPCinstruction from Controller, unless there is an exceptional case regulated by lawexception applies as defined in the GDPR. DSL shall promptly inform Controller if it believes that an instruction of Controller violates applicable laws. In such cases, DSL reserves the right to refuse Controller’s instructions. 3.23.3. The Provider DSL shall design the internal organization within its area of responsibility in such a way that it meets the special data protection requirements. The Provider shall take the appropriate implement technical and organizational organisational measures to protect the ClientController’s customer data in accordance with the respective legal requirements. In particular, these measures shall continuously and to ensure the confidentiality, integrity, availability and resilience capacity of the systems and services in connection with the processingservices. The Client is aware of these technical and organizational measures and is responsible for ensuring that they provide an adequate level of protection for the risks related to the data to DSL shall be processed. 3.3. The measures taken by the Provider are specified in Annex B. The technical and organizational measures are subject to technical progress and further development. In this respectobliged, the Provider is permitted to implement alternative adequate measures at any time. In doing so, the security level contractually agreed upon in the GTC must be maintained. 3.4. To the extent agreed, the Provider shall support the Client within the scope of its possibilities in fulfilling the requests and claims of data subjects under data protection law and in complying with the obligations under data protection law. In accordance with the GTC, the Provider is entitled to demand an expense allowance for this support. 3.5. The employees involved in the processing of the Client’s data and other third parties working for the Provider shall process the data exclusively within the context of the contractual relationship in accordance with the GTCGDPR, the Privacy Policy and this OPC and are obliged to maintain confidentiality. 3.6. If the Provider becomes aware of any violation of the protection of personal data, it shall take reasonable measures to secure the data and to mitigate any possible adverse consequences implement a procedure for the data subjects. In addition, the Provider shall fully comply with the applicable legal provisions regarding the notification of data protection violations. 3.7. The Provider shall fully comply with the applicable data protection provisions and shall regularly review the effectiveness of reviewing the technical and organizational organisational measures designed to ensure the security of the processing. 3.4. DSL reserves the right to alter the agreed security measures, provided that any such amendment ensures that the agreed level of protection shall not be materially diminished. 3.5. DSL agrees to reasonably assist Controller in respect of any requests and claims in accordance with the GDPR. 3.6. DSL shall ensure that employees, subcontractors and affiliates who may be involved in the processing of Controller’s data shall act in accordance with this Agreement. 3.7. DSL shall inform Controller promptly if DSL becomes aware of any breaches which affect Controller’s personal data. 3.8. The Provider shall process and store DSL shall, once notified in writing, inform Controller of any request for disclosure of personal data for as long as by authorities, unless expressly prohibited under applicable laws. 3.9. Controller may contact the contractual relationship between Data Protection Officer by sending an email to xxxxxxx@xxxxxxxxxxxxxxx.xxx . 3.10. At termination of services and written request from the Provider and Controller, all customer data, personal or otherwise, shall be deleted within an appropriate time, in accordance with applicable laws. 3.11. In the Client exists. The Provider shall rectify or erase the contractual data if the Client instructs it to do so and if this is covered by the scope event of a claim against Controller regarding any of the instructions. This provision rights defined under the GDPR, DSL shall not apply provide reasonable assistance to data that is required for further processing due the Controller to legal regulations or for compelling internal purposes. The release of the data and the corresponding remuneration is regulated in the GTCavert any such claim.

Obligations of the Provider. 3.1. 3.1 The Provider processes the provider may process data of data subjects only within the context scope of the contractual relationship in accordance with order and the GTC, instructions of the Privacy Policy and this OPCcustomer, unless there is an exceptional case regulated in the sense of Article 28 (3) a) DS-GVO. The provider shall inform the customer without delay if it believes that an instruction violates applicable law. The provider may suspend the implementation of the instruction until it has been confirmed or amended by lawthe customer. 3.2. 3.2 The Provider provider shall design the internal organization within its his area of responsibility in such a way that it meets the special requirements of data protection. He will take technical and organizational measures for the appropriate pro- tection of the customer's data that meet the requirements of the basic data protection requirementsregulation (Art. 32 DS-GVO). The Provider provider shall take the appropriate technical and organizational measures to protect the Client’s data in accordance with the respective legal requirements. In particular, these measures shall continuously ensure the confidentiality, integrity, availability and resilience of the systems and services in connection with the processingprocessing in the long term. The Client customer is aware of these technical and organizational measures and is responsible for ensuring that they provide an adequate level of protection for the risks related to of the data to be processed. 3.3. The measures taken established by the Provider provider are specified documented in Annex B. a data protection declaration and are updated continuously. The technical and organizational measures are subject provider reserves the right to technical progress and further development. In this respect, the Provider is permitted to implement alternative adequate measures at any time. In doing so, change the security level measures taken, although it must be ensured that any security measures correspond to the state of the art and do not fall below the contractually agreed upon in the GTC must be maintainedlevel of protection. 3.4. To the extent 3.3 If agreed, the Provider provider shall support the Client customer within the scope of its possibilities in fulfilling the requests and claims of data subjects under data protection law affected persons in accordance with Chapter III of the DS-GVO and in complying with the obligations under data protection law. In accordance with the GTC, the Provider is entitled set out in Articles 33 to demand an expense allowance for this support36 DS-GVO. 3.5. 3.4 The Provider guarantees that the employees involved in processing the processing of the Client’s Customer's data and other third parties persons working for the Provider are prohibited from processing the data outside of the instruction. Furthermore, the Provider shall ensure that the persons authorized to process the personal data exclusively within the context have undertaken to maintain confidentiality or are subject to an appropriate statutory duty of confidentiality. The confidentiality/discretion obligation shall continue to apply even after termination of the contractual relationship in accordance with the GTC, the Privacy Policy and this OPC and are obliged to maintain confidentialityorder. 3.6. If 3.5 The provider shall inform the Provider customer immediately if he/she becomes aware of any violation violations of the protection of personal data, it data of the customer. The Provider shall take reasonable the necessary measures to secure the data and to mitigate any reduce the possible adverse consequences for of the persons concerned and shall consult with the Customer without delay. 3.6 The provider has appointed a data subjectsprotection officer if there is a legal obligation to do so. In additionThis can be reached by the customer via the following contact details: Xxxxxx Xxxxxxx, the Provider shall fully external data protection officer comdatis it-consulting, Xxxxxxxx Xxx 0, 00000 Ahaus e-mail: xxxxxxxxxxx@xxxxxxx.xx Phone: 00000-0000000 or 0000-0000000 3.7 The provider guarantees to comply with the applicable legal provisions regarding the notification of data protection violations. 3.7its obligations under Art. The Provider shall fully comply with the applicable data protection provisions and shall 32 Para. 1 lit. d) DS-GVO to implement a procedure to regularly review check the effectiveness of the technical and organizational organisational measures to ensure the security of the processingpro- cessing. 3.8. 3.8 The Provider shall process and store personal data for as long as the contractual relationship between the Provider and the Client exists. The Provider shall rectify corrects or erase deletes the contractual data if the Client Customer instructs it him to do so and if this is covered by the scope of the instructions. This If a data protection-compliant deletion or a corresponding restriction of data processing is not possible, the Provider shall undertake the data protection-compliant destruction of data carriers and other materials on the basis of an individual order by the Customer or return these data carriers to the Customer, unless already agreed in the contract. In special cases, to be determined by the customer, a storage or handover will take place. Remuneration and protective measures for this are to be agreed separately, if not already agreed in the contract. 3.9 Data, data carriers as well as all other materials must either be surrendered or deleted at the customer's request after the end of the order. In the case of test and reject materials, an individual order is not necessary. If additional costs are incurred due to deviating specifications for the surrender or deletion of the data, these shall be borne by the customer. 3.10 In the event of a claim against the customer by a person affected with regard to any claims under Art. 82 DS-GVO, the provider undertakes to support the customer in defending the claim within the scope of his possibilities. 3.11 The provision shall not apply to of the contractually agreed data processing takes place exclusively in a member state of the European Union or in another state that is required for further processing due a party to legal regulations or for compelling internal purposesthe Agreement on the European Economic Area. The release Any relocation to a third country requires the prior consent of the data and the corresponding remuneration is regulated in the GTCcustomer.

Obligations of the Provider. 3.1. 3.1 The Provider processes the may process personal data of data subjects only within the context scope of the contractual relationship in accordance with assignment and the GTCdocumented instructions of the Customer. In the event that the Provider is obliged to process data differently as a result of national or European law, it shall inform the Privacy Policy and this OPCCustomer before start of the processing, unless there is an exceptional case regulated by lawthat law prohibits such information on important grounds of public interest. 3.2. 3.2 The Provider shall design set up the internal organization within its organisation of his area of responsibility in such a way manner that it meets the special specific requirements of data protection requirementsprotection. The Provider shall take the appropriate technical and organizational organisational measures described in Appendix 1 so as to protect ensure an adequate protection of the Client’s data in accordance with the respective legal requirementsCustomers personal data. In particular, The purpose of these measures shall continuously is to ensure the long-term confidentiality, integrity, availability and resilience of the systems and services in connection with the processingprocessing of personal data under commission. The Client Customer is aware informed of these technical and organizational organisational measures. It is the Customer´s responsibility to ensure that these measures and is responsible for ensuring that they provide an adequate level of protection for regarding the risks related to the of personal data to be processedprocessing. 3.3. 3.3 The measures taken by Provider reserves the Provider are specified in Annex B. The right to change the technical and organizational organisational measures are subject to technical progress and further development. In this respecttaken, but must guarantee that the Provider is permitted to implement alternative adequate measures at any time. In doing so, the security level contractually of protection agreed upon in the GTC must be maintainedcontract is not reduced. 3.4. 3.4 To the extent agreedbest of his ability and within the scope of the services or under the contract, the Provider shall support assist the Client within the scope of its possibilities Customer in fulfilling the dealing with requests and claims of data subjects under data protection law according to chapter III of the GDPR and in complying with the respecting its obligations under data protection lawspecified in Articles 32 to 36 GDPR. In accordance with the GTCFor these services, the Provider is entitled to demand an expense allowance for this supportadequate financial compensation. 3.5. 3.5 The Provider warrants that its employees involved in the processing of the Client’s Customers personal data and other third parties individuals working for the Provider shall process are prohibited from processing such personal data outside the data exclusively within the context scope of the contractual relationship Customers instructions. The Provider further ensures that the individuals authorised to process personal data have signed an agreement of confidentiality or are subject to an adequate confidentiality clause. This obligation of confidentiality and secrecy shall remain in accordance with the GTC, the Privacy Policy and this OPC and are obliged to maintain confidentialityeffect even beyond completion of an assignment. 3.6. If 3.6 The Provider shall inform the Provider Customer without delay as soon as it becomes aware of any violation of the protection of the Customers personal data, it . The Provider shall take reasonable the necessary measures to secure the safeguard personal data and to mitigate any alleviate possible adverse disadvantageous consequences for the data subjectssubject and shall consult with the Customer in that respect without delay. 3.7 The Provider is obliged to appoint a competent and reliable Data Protection Officer according to Art. In addition, 37 GDPR to the extent and as long as the statutory prerequisites for such an obligatory appointment are in force. The Customer shall be informed of the contact data of this individual for the purpose of making direct contact. If the Provider is not obliged to appoint a Data Protection Officer, it shall fully comply give the Customer the name of the contact for any questions in relation to data protection that may arise in connection with the applicable legal provisions regarding the notification of data protection violationsAgreement. Contact information is available at xxxxx://xxx.xxxxx.xx/lp/privacy-statement.html. 3.7. 3.8 The Provider shall fully comply ensure that its obligations according to Art. 32 (1) lit. d) GDPR are complied with the applicable data protection provisions and shall regularly review put in place a process for regular examination of the effectiveness of the technical and organizational organisational measures to ensure the security safety of the processing. 3.83.9 The Customer is responsible for correction and erasure of personal data. The same is valid for the restriction of the processing of personal data under commission (blocking). 3.10 The personal data shall be erased at the date of completion of the respective Contract. It is up to the Customer to prepare backup copies of its personal data and to move such personal data before the end of the contract. The Provider shall process and store is not obliged to hand over personal data for as long as to which the contractual relationship between the Provider and the Client exists. Customer has direct access. 3.11 The Provider shall rectify or erase the contractual undertakes to maintain a record of data if the Client instructs it processing activities according to do so and if this is covered by the scope of the instructionsArt. This provision shall not apply to data that is required for further processing due to legal regulations or for compelling internal purposes. The release of the data and the corresponding remuneration is regulated in the GTC.30 (2)