Common use of Processing of Personal Information Clause in Contracts

Processing of Personal Information. 2.1 The Recipient shall comply with Data Protection Laws and Regulations. 2.2 For the avoidance of doubt, Disclosing Party’s instructions to the Recipient for the Processing of Personal Information must comply with Data Protection Laws and Regulations. In addition, Disclosing Party shall have sole responsibility for the accuracy, reliability, integrity, quality, and legality of Personal Information, and the means by which Disclosing Party acquired Personal Information, including providing any required notices to, and obtaining any necessary consent from, its employees, agents or third parties. 2.3 The Recipient will not sell, share, or rent Disclosing Party’s Personal Information to any third party or use Disclosing Party’s phone number for unsolicited messages, without the express consent of the Disclosing Party. Any messages sent by the Recipient will only be pursuant to this Agreement. 2.4 It is expressly stated that the Recipient agrees and warrants: 2.4.1 that the Processing of Personal Information shall be carried out in accordance with the relevant provisions of the Data Protection Laws and Regulations and does not violate the relevant provisions of the POPI Act; 2.4.2 that it shall instruct throughout the duration of the Processing the Recipient to process the Personal Information only on the Disclosing Party's behalf and in accordance with the Data Protection Laws and Regulations; and 2.4.3 that after assessment of the requirements of the Data Protection Laws and Regulations, the security measures are appropriate to protect Personal Information against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the Processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the Processing and the nature of the Personal Information to be protected having regard to the state of the art and the cost of their implementation. 2.5 The Disclosing Party hereby consents to the Processing of their Personal Information in accordance with this Processing Agreement. 2.6 The Recipient shall keep the Personal Information of the Disclosing Party confidential and shall only Process Personal Information on behalf of and in accordance with Disclosing Party’s documented and lawful instructions to: 2.6.1 fulfil the purpose set out in Attachment 1 to this Processing Agreement; and 2.6.2 comply with other documented, reasonable instructions provided by Disclosing Party (for example, via email) where such instructions are consistent with the terms of the Processing Agreement. The Recipient will not process Personal Information outside of RSA without first having obtained Disclosing Party’s consent. Provided the Recipient has sufficient legal framework under the Data Protection Laws and Regulations to process Personal Information outside of the RSA, the Disclosing Party’s consent shall not be unreasonably withheld in respect of the Processing outside of the above two jurisdictions. Disclosing Party takes full responsibility to keep the amount of Personal Information provided to the Recipient to the minimum necessary for the fulfilment of the purpose or otherwise as required by the Recipient. The Recipient shall not be required to comply with or observe Disclosing Party’s instructions if such instructions would violate Data Protection Laws and Regulations.

Processing of Personal Information. 2.1 The Recipient shall comply with Data Protection Laws and Regulations. 2.2 . For the avoidance of doubt, Disclosing Party’s instructions to the Recipient for the Processing of Personal Information must comply with Data Protection Laws and Regulations. In addition, Disclosing Party shall have sole responsibility for the accuracy, reliability, integrity, quality, and legality of Personal Information, and the means by which Disclosing Party acquired Personal Information, including providing any required notices to, and obtaining any necessary consent from, its employees, agents or third parties. 2.3 . The Recipient will not sell, share, or rent Disclosing Party’s Personal Information to any third party or use Disclosing Party’s phone number for unsolicited messages, without the express consent of the Disclosing Party. Any messages sent by the Recipient will only be pursuant to this Agreement. 2.4 . It is expressly stated that the Recipient agrees and warrants: 2.4.1 : that the Processing of Personal Information shall be carried out in accordance with the relevant provisions of the Data Protection Laws and Regulations and does not violate the relevant provisions of the POPI Act; 2.4.2 ; that it shall instruct throughout the duration of the Processing the Recipient to process the Personal Information only on the Disclosing Party's behalf and in accordance with the Data Protection Laws and Regulations; and 2.4.3 and that after assessment of the requirements of the Data Protection Laws and Regulations, the security measures are appropriate to protect Personal Information against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the Processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the Processing and the nature of the Personal Information to be protected having regard to the state of the art and the cost of their implementation. 2.5 . The Disclosing Party hereby consents to the Processing of their Personal Information in accordance with this Processing Agreement. 2.6 . The Recipient shall keep the Personal Information of the Disclosing Party confidential and shall only Process Personal Information on behalf of and in accordance with Disclosing Party’s documented and lawful instructions to: 2.6.1 : fulfil the purpose set out in Attachment 1 to this Processing Agreement; and 2.6.2 and comply with other documented, reasonable instructions provided by Disclosing Party (for example, via email) where such instructions are consistent with the terms of the Processing Agreement. The Recipient will not process Personal Information outside of RSA without first having obtained Disclosing Party’s consent. Provided the Recipient has sufficient legal framework under the Data Protection Laws and Regulations to process Personal Information outside of the RSA, the Disclosing Party’s consent shall not be unreasonably withheld in respect of the Processing outside of the above two jurisdictions. Disclosing Party takes full responsibility to keep the amount of Personal Information provided to the Recipient to the minimum necessary for the fulfilment of the purpose or otherwise as required by the Recipient. The Recipient shall not be required to comply with or observe Disclosing Party’s instructions if such instructions would violate Data Protection Laws and Regulations.

Processing of Personal Information. 2.1 26.2.1. The Recipient shall comply with Data Protection Laws and Regulations. 2.2 For the avoidance of doubt, Disclosing Party’s instructions Parties acknowledge that they will have access to Personal Information relating to the Recipient for the Processing of Data Subjects. The Receiving Party agree that it shall only store, copy or use Personal Information must comply with Data Protection Laws and Regulations. In addition, disclosed by the Disclosing Party shall have sole responsibility for the accuracy, reliability, integrity, quality, under this Agreement and legality of Personal Information, and the means by which Disclosing Party acquired Personal Information, including providing any required notices to, and obtaining any necessary consent from, its employees, agents or third parties. 2.3 The Recipient that they will not sellotherwise modify, share, amend or rent Disclosing Party’s alter the contents of the Personal Information or disclose or permit the disclosure of any of the Personal Information to any third party or use Third Party (save as set forth in clause 26.2.3 hereunder and shall treat the Personal Information as strictly confidential, in compliance with the provisions of clause 54. 26.2.2. The Receiving Party shall only process the Personal Information of Data Subjects in accordance with any Applicable Law and for a specific, lawful purpose strictly in accordance with the Disclosing Party’s phone number express written instructions and shall not carry out any related or further processing activities for unsolicited messagesany other reason whatsoever. 26.2.3. Other than in respect of authorised Employees who require access to Personal Information strictly in order for the Parties to carry out their respective obligations under this Agreement, without the express Parties shall not disclose or otherwise make available the Personal Information to any Third Party (including sub- contractors and Employees), unless the Disclosing Party has been provided with prior written permission to do so. The Disclosing Party shall require of all such Third Parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 26, and dealing with that Third Party's obligations in respect of its processing of the Personal Information. Following approval by the Disclosing Party, the Receiving Party agrees that the provisions of this clause 26 shall mutatis mutandis apply to all authorised Third Parties who process Personal Information of Data Subjects. 26.2.4. Each Party shall keep all Personal Information and any analyses, profiles or documents derived therefrom logically separated from all other data and documentation held by it. 26.2.5. The Parties shall implement appropriate, reasonable technical and organisational measures to ensure that the integrity of the Personal Information in its possession or under its control is secure and that such Personal Information is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access by having regard to any requirement set forth in law, stipulated in industry rules or in codes of conduct or by a professional body and/or generally accepted information security practices and procedures which apply to the Parties. 26.2.6. Each Party shall also be required to carry out regular assessments to identify all reasonably foreseeable internal and external risks to the Personal Information in its possession or under its control, at least once in every 12 (twelve) month period and to provide the other Party with a written report in this regard. Each Party shall be required to implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place and has been effectively implemented. 26.2.7. Subject to the provisions of the PAI Act, the Parties are not permitted to disclose to any Data Subject that it is processing, has processed or intends to process the Personal Information of such Data Subject unless it has obtained the prior written consent of the Disclosing Party. Any messages sent by the Recipient will only be pursuant to this Agreement. 2.4 It is expressly stated that the Recipient agrees and warrants: 2.4.1 that the Processing of 26.2.8. The Receiving Party shall promptly return or destroy any Personal Information shall be carried out that belong to the Disclosing Party, in its possession or control, at the request of and on instruction from the Disclosing Party (including in circumstances where a Data Subject has requested the Disclosing Party to delete all instances of their Personal Information) in accordance with the relevant provisions of the Data Protection Laws any specific retention, destruction and Regulations and does not violate the relevant provisions of the POPI Act; 2.4.2 that it shall instruct throughout the duration of the Processing the Recipient to process the Personal Information only on the Disclosing Party's behalf and in accordance with the Data Protection Laws and Regulations; and 2.4.3 that after assessment of the purging requirements of the Data Protection Laws and Regulations, the security measures are appropriate to protect Personal Information against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the Processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented as may be prescribed by the Processing and the nature of the Personal Information to be protected having regard to the state of the art and the cost of their implementationApplicable Law. 2.5 The Disclosing Party hereby consents to the Processing of their Personal Information in accordance with this Processing Agreement. 2.6 The Recipient shall keep the Personal Information of the Disclosing Party confidential and shall only Process Personal Information on behalf of and in accordance with Disclosing Party’s documented and lawful instructions to: 2.6.1 fulfil the purpose set out in Attachment 1 to this Processing Agreement; and 2.6.2 comply with other documented, reasonable instructions provided by Disclosing Party (for example, via email) where such instructions are consistent with the terms of the Processing Agreement. The Recipient will not process Personal Information outside of RSA without first having obtained Disclosing Party’s consent. Provided the Recipient has sufficient legal framework under the Data Protection Laws and Regulations to process Personal Information outside of the RSA, the Disclosing Party’s consent shall not be unreasonably withheld in respect of the Processing outside of the above two jurisdictions. Disclosing Party takes full responsibility to keep the amount of Personal Information provided to the Recipient to the minimum necessary for the fulfilment of the purpose or otherwise as required by the Recipient. The Recipient shall not be required to comply with or observe Disclosing Party’s instructions if such instructions would violate Data Protection Laws and Regulations.

Processing of Personal Information. 2.1 28.2.1. The Recipient shall comply with Data Protection Laws and Regulations. 2.2 For the avoidance of doubt, Disclosing Party’s instructions Parties acknowledge that they will have access to Personal Information relating to the Recipient for the Processing of Data Subjects. The Receiving Party agree that it shall only store, copy or use Personal Information must comply with Data Protection Laws and Regulations. In addition, disclosed by the Disclosing Party shall have sole responsibility for the accuracy, reliability, integrity, quality, under this Agreement and legality of Personal Information, and the means by which Disclosing Party acquired Personal Information, including providing any required notices to, and obtaining any necessary consent from, its employees, agents or third parties. 2.3 The Recipient that they will not sellotherwise modify, share, amend or rent Disclosing Party’s alter the contents of the Personal Information or disclose or permit the disclosure of any of the Personal Information to any third party or use Third Party (save as set forth in clause 28.2.3 hereunder and shall treat the Personal Information as strictly confidential, in compliance with the provisions of clause 56. 28.2.2. The Receiving Party shall only process the Personal Information of Data Subjects in accordance with any Applicable Law and for a specific, lawful purpose strictly in accordance with the Disclosing Party’s phone number express written instructions and shall not carry out any related or further processing activities for unsolicited messagesany other reason whatsoever. 28.2.3. Other than in respect of authorised Employees who require access to Personal Information strictly in order for the Parties to carry out their respective obligations under this Agreement, without the express Parties shall not disclose or otherwise make available the Personal Information to any Third Party (including sub- contractors and Employees), unless the Disclosing Party has been provided with prior written permission to do so. The Disclosing Party shall require of all such Third Parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 28, and dealing with that Third Party's obligations in respect of its processing of the Personal Information. Following approval by the Disclosing Party, the Receiving Party agrees that the provisions of this clause 28 shall mutatis mutandis apply to all authorised Third Parties who process Personal Information of Data Subjects. 28.2.4. Each Party shall keep all Personal Information and any analyses, profiles or documents derived therefrom logically separated from all other data and documentation held by it. 28.2.5. The Parties shall implement appropriate, reasonable technical and organisational measures to ensure that the integrity of the Personal Information in its possession or under its control is secure and that such Personal Information is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access by having regard to any requirement set forth in law, stipulated in industry rules or in codes of conduct or by a professional body and/or generally accepted information security practices and procedures which apply to the Parties. 28.2.6. Each Party shall also be required to carry out regular assessments to identify all reasonably foreseeable internal and external risks to the Personal Information in its possession or under its control, at least once in every 12 (twelve) month period and to provide the other Party with a written report in this regard. Each Party shall be required to implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place and has been effectively implemented. 28.2.7. Subject to the provisions of the PAI Act, the Parties are not permitted to disclose to any Data Subject that it is processing, has processed or intends to process the Personal Information of such Data Subject unless it has obtained the prior written consent of the Disclosing Party. Any messages sent by the Recipient will only be pursuant to this Agreement. 2.4 It is expressly stated that the Recipient agrees and warrants: 2.4.1 that the Processing of 28.2.8. The Receiving Party shall promptly return or destroy any Personal Information shall be carried out that belong to the Disclosing Party, in its possession or control, at the request of and on instruction from the Disclosing Party (including in circumstances where a Data Subject has requested the Disclosing Party to delete all instances of their Personal Information) in accordance with the relevant provisions of the Data Protection Laws any specific retention, destruction and Regulations and does not violate the relevant provisions of the POPI Act; 2.4.2 that it shall instruct throughout the duration of the Processing the Recipient to process the Personal Information only on the Disclosing Party's behalf and in accordance with the Data Protection Laws and Regulations; and 2.4.3 that after assessment of the purging requirements of the Data Protection Laws and Regulations, the security measures are appropriate to protect Personal Information against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the Processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented as may be prescribed by the Processing and the nature of the Personal Information to be protected having regard to the state of the art and the cost of their implementationApplicable Law. 2.5 The Disclosing Party hereby consents to the Processing of their Personal Information in accordance with this Processing Agreement. 2.6 The Recipient shall keep the Personal Information of the Disclosing Party confidential and shall only Process Personal Information on behalf of and in accordance with Disclosing Party’s documented and lawful instructions to: 2.6.1 fulfil the purpose set out in Attachment 1 to this Processing Agreement; and 2.6.2 comply with other documented, reasonable instructions provided by Disclosing Party (for example, via email) where such instructions are consistent with the terms of the Processing Agreement. The Recipient will not process Personal Information outside of RSA without first having obtained Disclosing Party’s consent. Provided the Recipient has sufficient legal framework under the Data Protection Laws and Regulations to process Personal Information outside of the RSA, the Disclosing Party’s consent shall not be unreasonably withheld in respect of the Processing outside of the above two jurisdictions. Disclosing Party takes full responsibility to keep the amount of Personal Information provided to the Recipient to the minimum necessary for the fulfilment of the purpose or otherwise as required by the Recipient. The Recipient shall not be required to comply with or observe Disclosing Party’s instructions if such instructions would violate Data Protection Laws and Regulations.

Processing of Personal Information. 2.1 The Disclosing Party hereby consents to the Processing of their Personal Information in accordance with this Processing Agreement. 2.2 The Recipient shall comply with Data Protection Laws and Regulations. 2.2 2.3 For the avoidance of doubt, Disclosing Party’s instructions to the Recipient for the Processing of Personal Information must comply with Data Protection Laws and Regulations. In addition, Disclosing Party shall have sole responsibility for the accuracy, reliability, integrity, quality, and legality of Personal Information, and the means by which Disclosing Party acquired Personal Information, including providing any required notices to, and obtaining any necessary consent from, its employees, agents or third parties, if applicable. 2.3 2.4 The Recipient will not sell, share, or rent Disclosing Party’s Personal Information to any third party or use Disclosing Party’s phone number for unsolicited messages, without the express consent of the Disclosing Party. Any messages sent by the Recipient will only be pursuant to this Agreement. 2.4 2.5 It is expressly stated that the Recipient agrees and warrants: 2.4.1 2.5.1 that the Processing of Personal Information shall be carried out in accordance with the relevant provisions of the Data Protection Laws and Regulations and does not violate the relevant provisions of the POPI Act; 2.4.2 2.5.2 that it shall instruct throughout the duration of the Processing the Recipient to process the Personal Information only on the Disclosing Party's behalf and in accordance with the Data Protection Laws and Regulations; and 2.4.3 2.5.3 that after assessment of the requirements of the Data Protection Laws and Regulations, the security measures are appropriate to protect Personal Information against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or accessaccess to the Personal Information, in particular where the Processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the Processing and the nature of the Personal Information to be protected having regard to the state of the art and the cost of their implementation. 2.5 The Disclosing Party hereby consents to the Processing of their Personal Information in accordance with this Processing Agreement. 2.6 The Recipient shall keep the Personal Information of the Disclosing Party confidential and shall only Process Personal Information on behalf of and in accordance with Disclosing Party’s documented and lawful instructions to: 2.6.1 fulfil the purpose set out in Attachment 1 to the table at the end of this Processing Agreement; and 2.6.2 comply with other documented, reasonable instructions provided by Disclosing Party (for example, via email) where such instructions are consistent with the terms of the Processing Agreement. The Recipient will not process Personal Information outside of RSA without first having obtained Disclosing Party’s consent. Provided the Recipient has sufficient legal framework under the Data Protection Laws and Regulations to process Personal Information outside of the RSA, the Disclosing Party’s consent shall not be unreasonably withheld in respect of the Processing outside of the above two jurisdictions. Disclosing Party takes full responsibility to keep the amount of Personal Information provided to the Recipient to the minimum necessary for the fulfilment of the purpose or otherwise as required by the Recipient. The Recipient shall not be required to comply with or observe Disclosing Party’s instructions if such instructions would violate Data Protection Laws and Regulations.

Processing of Personal Information. 2.1 The Disclosing Party hereby consents to the Processing of their Personal Information in accordance with this Processing Agreement. 2.2 The Recipient shall comply with Data Protection Laws and Regulations. 2.2 2.3 For the avoidance of doubt, Disclosing Party’s instructions to the Recipient for the Processing of Personal Information must comply with Data Protection Laws and Regulations. In addition, Disclosing Party shall have sole responsibility for the accuracy, reliability, integrity, quality, and legality of Personal Information, and the means by which Disclosing Party acquired Personal Information, including providing any required notices to, and obtaining any necessary consent from, its employees, agents or third parties. 2.3 2.4 The Recipient will not sell, share, or rent Disclosing Party’s Personal Information to any third party or use Disclosing Party’s phone number for unsolicited messages, without the express consent of the Disclosing Party. Any messages sent by the Recipient will only be pursuant to this Agreement. 2.4 2.5 It is expressly stated that the Recipient agrees and warrants: 2.4.1 2.5.1 that the Processing of Personal Information shall be carried out in accordance with the relevant provisions of the Data Protection Laws and Regulations and does not violate the relevant provisions of the POPI Act; 2.4.2 2.5.2 that it shall instruct throughout the duration of the Processing the Recipient to process Processing, Process the Personal Information only on the Disclosing Party's behalf and in accordance with the Data Protection Laws and Regulations; and 2.4.3 2.5.3 that after assessment of the requirements of the Data Protection Laws and Regulations, the security measures are appropriate to protect Personal Information against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or accessaccess to the Personal Information, in particular where the Processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the Processing and the nature of the Personal Information to be protected having regard to the state of the art and the cost of their implementation. 2.5 The Disclosing Party hereby consents to the Processing of their Personal Information in accordance with this Processing Agreement. 2.6 The Recipient shall keep the Personal Information of the Disclosing Party confidential and shall only Process Personal Information on behalf of and in accordance with Disclosing Party’s documented and lawful instructions to: 2.6.1 fulfil the purpose set out in Attachment 1 to clause 3.1 of this Processing Agreement; and 2.6.2 comply with other documented, reasonable instructions provided by Disclosing Party (for example, via email) where such instructions are consistent with the terms of the Processing Agreement. The Recipient will not process Personal Information outside of RSA without first having obtained Disclosing Party’s consent. Provided the Recipient has sufficient legal framework under the Data Protection Laws and Regulations to process Personal Information outside of the RSA, the Disclosing Party’s consent shall not be unreasonably withheld in respect of the Processing outside of the above two jurisdictions. Disclosing Party takes full responsibility to keep the amount of Personal Information provided to the Recipient to the minimum necessary for the fulfilment of the purpose or otherwise as required by the Recipient. The Recipient shall not be required to comply with or observe Disclosing Party’s instructions if such instructions would violate Data Protection Laws and Regulations.

Processing of Personal Information. 2.1 28.2.1. The Recipient shall comply with Data Protection Laws and Regulations. 2.2 For the avoidance of doubt, Disclosing Party’s instructions Parties acknowledge that they will have access to Personal Information relating to the Recipient for the Processing of Data Subjects. The Receiving Party agree that it shall only store, copy or use Personal Information must comply with Data Protection Laws and Regulations. In addition, disclosed by the Disclosing Party shall have sole responsibility for the accuracy, reliability, integrity, quality, under this Agreement and legality of Personal Information, and the means by which Disclosing Party acquired Personal Information, including providing any required notices to, and obtaining any necessary consent from, its employees, agents or third parties. 2.3 The Recipient that they will not sellotherwise modify, share, amend or rent Disclosing Party’s alter the contents of the Personal Information or disclose or permit the disclosure of any of the Personal Information to any third party or use Third Party (save as set forth in clause 28.2.3 hereunder and shall treat the Personal Information as strictly confidential, in compliance with the provisions of clause 56. 28.2.2. The Receiving Party shall only process the Personal Information of Data Subjects in accordance with any Applicable Law and for a specific, lawful purpose strictly in accordance with the Disclosing Party’s phone number express written instructions and shall not carry out any related or further processing activities for unsolicited messagesany other reason whatsoever. 28.2.3. Other than in respect of authorised Employees who require access to Personal Information strictly in order for the Parties to carry out their respective obligations under this Agreement, without the express Parties shall not disclose or otherwise make available the Personal Information to any Third Party (including subcontractors and Employees), unless the Disclosing Party has been provided with prior written permission to do so. The Disclosing Party shall require of all such Third Parties, appropriate written undertakings to be provided, containing similar terms to that set forth in this clause 28, and dealing with that Third Party's obligations in respect of its processing of the Personal Information. Following approval by the Disclosing Party, the Receiving Party agrees that the provisions of this clause 28 shall mutatis mutandis apply to all authorised Third Parties who process Personal Information of Data Subjects. 28.2.4. Each Party shall keep all Personal Information and any analyses, profiles or documents derived therefrom logically separated from all other data and documentation held by it. 28.2.5. The Parties shall implement appropriate, reasonable technical and organisational measures to ensure that the integrity of the Personal Information in its possession or under its control is secure and that such Personal Information is protected against unauthorised or unlawful processing, accidental loss, destruction or damage, alteration, disclosure or access by having regard to any requirement set forth in law, stipulated in industry rules or in codes of conduct or by a professional body and/or generally accepted information security practices and procedures which apply to the Parties. 28.2.6. Each Party shall also be required to carry out regular assessments to identify all reasonably foreseeable internal and external risks to the Personal Information in its possession or under its control, at least once in every 12 (twelve) month period and to provide the other Party with a written report in this regard. Each Party shall be required to implement and maintain appropriate safeguards against the risks which it identifies and shall also regularly verify that the safeguards which it has in place and has been effectively implemented. 28.2.7. Subject to the provisions of the PAI Act, the Parties are not permitted to disclose to any Data Subject that it is processing, has processed or intends to process the Personal Information of such Data Subject unless it has obtained the prior written consent of the Disclosing Party. Any messages sent by the Recipient will only be pursuant to this Agreement. 2.4 It is expressly stated that the Recipient agrees and warrants: 2.4.1 that the Processing of 28.2.8. The Receiving Party shall promptly return or destroy any Personal Information shall be carried out that belong to the Disclosing Party, in its possession or control, at the request of and on instruction from the Disclosing Party (including in circumstances where a Data Subject has requested the Disclosing Party to delete all instances of their Personal Information) in accordance with the relevant provisions of the Data Protection Laws any specific retention, destruction and Regulations and does not violate the relevant provisions of the POPI Act; 2.4.2 that it shall instruct throughout the duration of the Processing the Recipient to process the Personal Information only on the Disclosing Party's behalf and in accordance with the Data Protection Laws and Regulations; and 2.4.3 that after assessment of the purging requirements of the Data Protection Laws and Regulations, the security measures are appropriate to protect Personal Information against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the Processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented as may be prescribed by the Processing and the nature of the Personal Information to be protected having regard to the state of the art and the cost of their implementationApplicable Law. 2.5 The Disclosing Party hereby consents to the Processing of their Personal Information in accordance with this Processing Agreement. 2.6 The Recipient shall keep the Personal Information of the Disclosing Party confidential and shall only Process Personal Information on behalf of and in accordance with Disclosing Party’s documented and lawful instructions to: 2.6.1 fulfil the purpose set out in Attachment 1 to this Processing Agreement; and 2.6.2 comply with other documented, reasonable instructions provided by Disclosing Party (for example, via email) where such instructions are consistent with the terms of the Processing Agreement. The Recipient will not process Personal Information outside of RSA without first having obtained Disclosing Party’s consent. Provided the Recipient has sufficient legal framework under the Data Protection Laws and Regulations to process Personal Information outside of the RSA, the Disclosing Party’s consent shall not be unreasonably withheld in respect of the Processing outside of the above two jurisdictions. Disclosing Party takes full responsibility to keep the amount of Personal Information provided to the Recipient to the minimum necessary for the fulfilment of the purpose or otherwise as required by the Recipient. The Recipient shall not be required to comply with or observe Disclosing Party’s instructions if such instructions would violate Data Protection Laws and Regulations.