Processing of Personal Information. 9.1 This paragraph 9 of the Information Security Terms comprises requirements in relation to the processing of any “personal information” (as defined in the Data Protection Act 1998) which is subject to any law or regulation implementing European Union Directive 95/46/EC, where this is applicable. MSFA and Customer agree that the Services are not anticipated to involve any processing of personal information, but acknowledge that if any personal information is ever processed in the course of providing the Services, this paragraph 9 shall apply.
9.2 Where Customer is obliged by law or regulations, or the rules of a regulatory authority to which Customer is subject, MSFA shall disclose the results of the security assessments referred to in these Information Security Terms to a regulator (including national data protection authorities) MSFA hereby consents to such disclosure.
9.3 MSFA shall ensure that:
(a) only authorised MSFA employees with job-related needs access any personal information in the course of providing goods and services under the Agreement (and such personal information cannot be read, copied, modified or removed without authorisation, either in the course of processing or use or after storage);
(b) such access is only given to such authorised staff to the extent necessary for the performance of their duties;
(c) an up-to-date list is kept of such authorised staff and their level of authorised access (and authorisation credentials are checked at least on an annual basis);
(d) personal information collected for different purposes can be processed separately; and
(e) a documented procedure is put in place to control access by authorised users under which each user is provided with a particular identification code that cannot be assigned to any other user at any time, while passwords:
(i) are at least eight characters long (or less, but only if the password is as long as the maximum number of characters allowed by the electronic device involved),
(ii) do not contain any clear reference to the user, and
(iii) are changed after the first access and periodically, at least every six (6) months, or disenabled if they are not used for six (6) months or if the means necessary to access personal information are lost (and in each case, if the user has access to Sensitive Personal Data the six (6) month period is reduced to three months). Such passwords shall be kept secret/confidential and not shared or otherwise disclosed whilst still valid.
9.4 MSFA shall ensure that the identification and verification of authorised users is implemented in such a way that the risk of an error occurring is minimised, and impose industry-standard limits designed to prevent attempts to obtain unauthorised access.
9.5 MSFA shall ensure that such authorised employees are provided with mandatory policies governing their access to such personal information, such mandatory policies to be regularly updated.
9.6 MSFA shall ensure that personal information cannot be read, copied, modified or removed without authorisation during electronic transmission or transport, and that it is possible to check and establish to which bodies personal information is to be transferred by means of data transmission facilities.
9.7 MSFA shall keep a register of any incident which may affect the security of such personal information, such register to be made available to Customer upon request. For each security incident registered, the register must include the following information:
(a) the time at which the incident occurred;
(b) the person reporting it;
(c) to whom it was reported;
(d) the consequences thereof; and
(e) the procedures put in place to recover any personal information (indicating the person who undertook the process, the information recovered and, if appropriate, which data items had to be input manually as part of the recovery process).
9.8 MSFA shall not implement any data recovery procedures in relation to personal information unless it has obtained written authorisation from Customer.
9.9 MSFA shall ensure files containing personal information which are handled manually shall comply with appropriate security measures, and, will be subject to the following measures:
(a) adequate archiving of the media or documents containing personal information (so that document conservation, location and information look-up is guaranteed and privacy rights of individuals are preserved);
(b) storing devices incorporate mechanisms which make its opening difficult;
(c) appropriate protection of media or documents containing personal information is effected prior and consequent to its archiving so that unauthorised access is prevented at all times;
(d) cabinets or other storing elements shall have access doors with a key or equivalent device;
(e) copies of documents will solely be done under the control of authorised staff;
(f) discarded copies shall be destroyed; and
(g) access or manipulation of such files will be impeded during their transportation.
9.10 MSFA shall ensure that, if applicable, any MSFA employee is authorised to access personal information in the course of providing the Services and that it can be checked and established whether and by whom personal information has been input into MSFA’s data processing systems, modified or removed.
9.11 MSFA shall ensure that, if any personal information is to be processed in the coming year, a security measures document is created or updated by 1 March in such year, identifying the relevant personal information file and data treatment and specifying:
(a) the security measures to be implemented with regard to the provision of Services;
(b) an analysis of the risks run in the data processing;
(c) the data recovery procedures; and
(d) the training programs aimed at the employees who process the personal information.
9.12 MSFA shall ensure that the use of portable devices storing personal information are previously authorised by Customer and in any case the applicable security measures are applied.
9.13 MSFA shall ensure temporary files have a level of security appropriate to the type of personal information contained therein. All temporary files must be erased once they are no longer necessary for the purposes for which they were created.
9.14 Security measures required for access to personal information via communications networks or when processing personal information outside the premises where the personal information is located (e.g. via remote access) must have a security level equivalent to that applying to local access.
9.15 Where the Services involve processing of personal information, MSFA shall perform backups of all systems, applications, and data used to provide such Services at least weekly.
9.16 The back up and data recovery procedures must guarantee the reconstruction of any personal or confidential information involved to the state they were in at the time they were lost or destroyed.
9.17 The back up and data recovery procedures described in this paragraph 9, to the extent applicable, must include a regular testing schedule.
Samples: Standard Terms and Conditions
Processing of Personal Information. 9.1 This paragraph 9 of the Information Security Terms comprises requirements in relation to the processing of any “personal information” (as defined in the Data Protection Act 1998) which is subject to any law or regulation implementing European Union Directive 95/46/EC, where this is applicable. Xxxxxx and Subscriber agree that the Services are not anticipated to involve any processing of personal information, but acknowledge that if any personal information is ever processed in the course of providing the Services, this paragraph 9 shall apply.
9.2 Where Subscriber is obliged by law or regulations, or the rules of a regulatory authority to which Subscriber is subject, Markit shall disclose the results of the security assessments referred to in these Information Security Terms to a regulator (including national data protection authorities) Markit hereby consents to such disclosure.
9.3 Markit shall ensure that:
(a) only authorised Markit employees with job-related needs access any personal information in the course of providing goods and services under the Agreement (and such personal information cannot be read, copied, modified or removed without authorisation, either in the course of processing or use or after storage);
(b) such access is only given to such authorised staff to the extent necessary for the performance of their duties;
(c) an up-to-date list is kept of such authorised staff and their level of authorised access (and authorisation credentials are checked at least on an annual basis);
(d) personal information collected for different purposes can be processed separately; and
(e) a documented procedure is put in place to control access by authorised users under which each user is provided with a particular identification code that cannot be assigned to any other user at any time, while passwords:
(i) are at least eight characters long (or less, but only if the password is as long as the maximum number of characters allowed by the electronic device involved),
(ii) do not contain any clear reference to the user, and
(iii) are changed after the first access and periodically, at least every six (6) months, or disenabled if they are not used for six (6) months or if the means necessary to access personal information are lost (and in each case, if the user has access to Sensitive Personal Data the six (6) month period is reduced to three months). Such passwords shall be kept secret/confidential and not shared or otherwise disclosed whilst still valid.
9.4 Markit shall ensure that the identification and verification of authorised users is implemented in such a way that the risk of an error occurring is minimised, and impose industry-standard limits designed to prevent attempts to obtain unauthorised access.
9.5 Markit shall ensure that such authorised employees are provided with mandatory policies governing their access to such personal information, such mandatory policies to be regularly updated.
9.6 Markit shall ensure that personal information cannot be read, copied, modified or removed without authorisation during electronic transmission or transport, and that it is possible to check and establish to which bodies personal information is to be transferred by means of data transmission facilities.
9.7 Markit shall keep a register of any incident which may affect the security of such personal information, such register to be made available to Subscriber upon request. For each security incident registered, the register must include the following information:
(a) the time at which the incident occurred;
(b) the person reporting it;
(c) to whom it was reported;
(d) the consequences thereof; and
(e) the procedures put in place to recover any personal information (indicating the person who undertook the process, the information recovered and, if appropriate, which data items had to be input manually as part of the recovery process).
9.8 Markit shall not implement any data recovery procedures in relation to personal information unless it has obtained written authorisation from Subscriber.
9.9 Markit shall ensure files containing personal information which are handled manually shall comply with appropriate security measures, and, will be subject to the following measures:
(a) adequate archiving of the media or documents containing personal information (so that document conservation, location and information look-up is guaranteed and privacy rights of individuals are preserved);
(b) storing devices incorporate mechanisms which make its opening difficult;
(c) appropriate protection of media or documents containing personal information is effected prior and consequent to its archiving so that unauthorised access is prevented at all times;
(d) cabinets or other storing elements shall have access doors with a key or equivalent device;
(e) copies of documents will solely be done under the control of authorised staff;
(f) discarded copies shall be destroyed; and
(g) access or manipulation of such files will be impeded during their transportation.
9.10 Markit shall ensure that, if applicable, any Markit employee is authorised to access personal information in the course of providing the Services and that it can be checked and established whether and by whom personal information has been input into Xxxxxx’s data processing systems, modified or removed.
9.11 Markit shall ensure that, if any personal information is to be processed in the coming year, a security measures document is created or updated by 1 March in such year, identifying the relevant personal information file and data treatment and specifying:
(a) the security measures to be implemented with regard to the provision of Services;
(b) an analysis of the risks run in the data processing;
(c) the data recovery procedures; and
(d) the training programs aimed at the employees who process the personal information.
9.12 Markit shall ensure that the use of portable devices storing personal information are previously authorised by Subscriber and in any case the applicable security measures are applied.
9.13 Markit shall ensure temporary files have a level of security appropriate to the type of personal information contained therein. All temporary files must be erased once they are no longer necessary for the purposes for which they were created.
9.14 Security measures required for access to personal information via communications networks or when processing personal information outside the premises where the personal information is located (e.g. via remote access) must have a security level equivalent to that applying to local access.
9.15 Where the Services involve processing of personal information, Markit shall perform backups of all systems, applications, and data used to provide such Services at least weekly.
9.16 The back up and data recovery procedures must guarantee the reconstruction of any personal or confidential information involved to the state they were in at the time they were lost or destroyed.
9.17 The back up and data recovery procedures described in this paragraph 9, to the extent applicable, must include a regular testing schedule.
Samples: Rpa Standard Terms and Conditions
Processing of Personal Information. 9.1 This paragraph 9 of the Information Security Terms comprises requirements in relation to the processing of any “personal information” (as defined in the Data Protection Act 1998) which is subject to any law or regulation implementing European Union Directive 95/46/EC, where this is applicable. IHS Markit and Customer agree that the Services are not anticipated to involve any processing of personal information, but acknowledge that if any personal information is ever processed in the course of providing the Services, this paragraph 9 shall apply.
9.2 Where Customer is obliged by law or regulations, or the rules of a regulatory authority to which Customer is subject, IHS Markit shall disclose the results of the security assessments referred to in these Information Security Terms to a regulator (including national data protection authorities) IHS Markit hereby consents to such disclosure.
9.3 IHS Markit shall ensure that:
(a) only authorised IHS Markit employees with job-related needs access any personal information in the course of providing goods and services under the Agreement (and such personal information cannot be read, copied, modified or removed without authorisation, either in the course of processing or use or after storage);
(b) such access is only given to such authorised staff to the extent necessary for the performance of their duties;
(c) an up-to-date list is kept of such authorised staff and their level of authorised access (and authorisation credentials are checked at least on an annual basis);
(d) personal information collected for different purposes can be processed separately; and
(e) a documented procedure is put in place to control access by authorised users under which each user is provided with a particular identification code that cannot be assigned to any other user at any time, while passwords:
(i) are at least eight characters long (or less, but only if the password is as long as the maximum number of characters allowed by the electronic device involved),
(ii) do not contain any clear reference to the user, and
(iii) are changed after the first access and periodically, at least every six (6) months, or disenabled if they are not used for six (6) months or if the means necessary to access personal information are lost (and in each case, if the user has access to Sensitive Personal Data the six (6) month period is reduced to three months). Such passwords shall be kept secret/confidential and not shared or otherwise disclosed whilst still valid.
9.4 IHS Markit shall ensure that the identification and verification of authorised users is implemented in such a way that the risk of an error occurring is minimised, and impose industry-standard limits designed to prevent attempts to obtain unauthorised access.
9.5 IHS Markit shall ensure that such authorised employees are provided with mandatory policies governing their access to such personal information, such mandatory policies to be regularly updated.
9.6 IHS Markit shall ensure that personal information cannot be read, copied, modified or removed without authorisation during electronic transmission or transport, and that it is possible to check and establish to which bodies personal information is to be transferred by means of data transmission facilities.
9.7 IHS Markit shall keep a register of any incident which may affect the security of such personal information, such register to be made available to Customer upon request. For each security incident registered, the register must include the following information:
(a) the time at which the incident occurred;
(b) the person reporting it;
(c) to whom it was reported;
(d) the consequences thereof; and
(e) the procedures put in place to recover any personal information (indicating the person who undertook the process, the information recovered and, if appropriate, which data items had to be input manually as part of the recovery process).
9.8 IHS Markit shall not implement any data recovery procedures in relation to personal information unless it has obtained written authorisation from Customer.
9.9 IHS Markit shall ensure files containing personal information which are handled manually shall comply with appropriate security measures, and, will be subject to the following measures:
(a) adequate archiving of the media or documents containing personal information (so that document conservation, location and information look-up is guaranteed and privacy rights of individuals are preserved);
(b) storing devices incorporate mechanisms which make its opening difficult;
(c) appropriate protection of media or documents containing personal information is effected prior and consequent to its archiving so that unauthorised access is prevented at all times;
(d) cabinets or other storing elements shall have access doors with a key or equivalent device;
(e) copies of documents will solely be done under the control of authorised staff;
(f) discarded copies shall be destroyed; and
(g) access or manipulation of such files will be impeded during their transportation.
9.10 IHS Markit shall ensure that, if applicable, any IHS Markit employee is authorised to access personal information in the course of providing the Services and that it can be checked and established whether and by whom personal information has been input into IHS Markit’s data processing systems, modified or removed.
9.11 IHS Markit shall ensure that, if any personal information is to be processed in the coming year, a security measures document is created or updated by 1 March in such year, identifying the relevant personal information file and data treatment and specifying:
(a) the security measures to be implemented with regard to the provision of Services;
(b) an analysis of the risks run in the data processing;
(c) the data recovery procedures; and
(d) the training programs aimed at the employees who process the personal information.
9.12 IHS Markit shall ensure that the use of portable devices storing personal information are previously authorised by Customer and in any case the applicable security measures are applied.
9.13 IHS Markit shall ensure temporary files have a level of security appropriate to the type of personal information contained therein. All temporary files must be erased once they are no longer necessary for the purposes for which they were created.
9.14 Security measures required for access to personal information via communications networks or when processing personal information outside the premises where the personal information is located (e.g. via remote access) must have a security level equivalent to that applying to local access.
9.15 Where the Services involve processing of personal information, IHS Markit shall perform backups of all systems, applications, and data used to provide such Services at least weekly.
9.16 The back up and data recovery procedures must guarantee the reconstruction of any personal or confidential information involved to the state they were in at the time they were lost or destroyed.
9.17 The back up and data recovery procedures described in this paragraph 9, to the extent applicable, must include a regular testing schedule.
Samples: Standard Terms and Conditions
Processing of Personal Information. 9.1 This paragraph 9 of the Information Security Terms comprises requirements in relation to the processing of any “personal information” (as defined in the Data Protection Act 1998) which is subject to any law or regulation implementing European Union Directive 95/46/EC, where this is applicable. Xxxxxx and Subscriber agree that the Services are not anticipated to involve any processing of personal information, but acknowledge that if any personal information is ever processed in the course of providing the Services, this paragraph 9 shall apply.
9.2 Where Subscriber is obliged by law or regulations, or the rules of a regulatory authority to which Subscriber is subject, Markit shall disclose the results of the security assessments referred to in these Information Security Terms to a regulator (including national data protection authorities) Markit hereby consents to such disclosure.
9.3 Markit shall ensure that:
(a) only authorised Markit employees with job-related needs access any personal information in the course of providing goods and services under the Agreement (and such personal information cannot be read, copied, modified or removed without authorisation, either in the course of processing or use or after storage);
(b) such access is only given to such authorised staff to the extent necessary for the performance of their duties;
(c) an up-to-date list is kept of such authorised staff and their level of authorised access (and authorisation credentials are checked at least on an annual basis);
(d) personal information collected for different purposes can be processed separately; and
(e) a documented procedure is put in place to control access by authorised users under which each user is provided with a particular identification code that cannot be assigned to any other user at any time, while passwords:
(i) are at least eight characters long (or less, but only if the password is as long as the maximum number of characters allowed by the electronic device involved),
(ii) do not contain any clear reference to the user, and
(iii) are changed after the first access and periodically, at least every six (6) months, or disenabled if they are not used for six (6) months or if the means necessary to access personal information are lost (and in each case, if the user has access to Sensitive Personal Data the six (6) month period is reduced to three months). Such passwords shall be kept secret/confidential and not shared or otherwise disclosed whilst still valid.
9.4 Markit shall ensure that the identification and verification of authorised users is implemented in such a way that the risk of an error occurring is minimised, and impose industry-standard limits designed to prevent attempts to obtain unauthorised access.
9.5 Markit shall ensure that such authorised employees are provided with mandatory policies governing their access to such personal information, such mandatory policies to be regularly updated.
9.6 Markit shall ensure that personal information cannot be read, copied, modified or removed without authorisation during electronic transmission or transport, and that it is possible to check and establish to which bodies personal information is to be transferred by means of data transmission facilities.
9.7 Markit shall keep a register of any incident which may affect the security of such personal information, such register to be made available to Subscriber upon request. For each security incident registered, the register must include the following information:
(a) the time at which the incident occurred;
(b) the person reporting it;
(c) to whom it was reported;
(d) the consequences thereof; and
(e) the procedures put in place to recover any personal information (indicating the person who undertook the process, the information recovered and, if appropriate, which data items had to be input manually as part of the recovery process).
9.8 Markit shall not implement any data recovery procedures in relation to personal information unless it has obtained written authorisation from Subscriber.
9.9 Markit shall ensure files containing personal information which are handled manually shall comply with appropriate security measures, and, will be subject to the following measures:
(a) adequate archiving of the media or documents containing personal information (so that document conservation, location and information look-up is guaranteed and privacy rights of individuals are preserved);
(b) storing devices incorporate mechanisms which make its opening difficult;
(c) appropriate protection of media or documents containing personal information is effected prior and consequent to its archiving so that unauthorised access is prevented at all times;
(d) cabinets or other storing elements shall have access doors with a key or equivalent device;
(e) copies of documents will solely be done under the control of authorised staff;
(f) discarded copies shall be destroyed; and
(g) access or manipulation of such files will be impeded during their transportation.
9.10 Markit shall ensure that, if applicable, any Markit employee is authorised to access personal information in the course of providing the Services and that it can be checked and established whether and by whom personal information has been input into Xxxxxx’s data processing systems, modified or removed.
9.11 Markit shall ensure that, if any personal information is to be processed in the coming year, a security measures document is created or updated by 1 March in such year, identifying the relevant personal information file and data treatment and specifying:
(a) the security measures to be implemented with regard to the provision of Services;
(b) an analysis of the risks run in the data processing;
(c) the data recovery procedures; and
(d) the training programs aimed at the employees who process the personal information.
9.12 Markit shall ensure that the use of portable devices storing personal information are previously authorised by Subscriber and in any case the applicable security measures are applied.
9.13 Markit shall ensure temporary files have a level of security appropriate to the type of personal information contained therein. All temporary files must be erased once they are no longer necessary for the purposes for which they were created.
9.14 Security measures required for access to personal information via communications networks or when processing personal information outside the premises where the personal information is located (e.g. via remote access) must have a security level equivalent to that applying to local access.
9.15 Where the Services involve processing of personal information, Markit shall perform backups of all systems, applications, and data used to provide such Services at least weekly.
9.16 The back up and data recovery procedures must guarantee the reconstruction of any personal or confidential information involved to the state they were in at the time they were lost or destroyed.
9.17 The back up and data recovery procedures described in this paragraph 9, to the extent applicable, must include a regular testing schedule.
Samples: Terms and Conditions