Processor’s Obligations. 5.1. The Processor shall fulfill all the obligations set forth by the Agreement and this DAP, and, specifically, it shall:
(i) follow the instructions of the Data Controller based on the functionality of the Platform and carry out only the processing activities on Personal Data agreed with the Data Controller and indicated by the latter, and strictly necessary to execute the Agreement and the DAP;
(ii) comply with the instructions given by the Data Controller related to safety regulations and with the Privacy Law, following the measures adopted by the Data Controller.
(iii) request the Data Controller authorization if, in order to execute the Agreement, the Processor needs to carry out Processing activities on Personal Data other than those strictly related to the object of the Agreement;
(iv) taking into account the nature, object, context, purpose of the Processing, as well as the possible risk for the rights and freedoms of the Data Subject, adopt the appropriate technical and organizational measures to ensure a level of security adequate to the risk and, in any case, the integrity, accuracy of the Personal Data processed and the lawfulness of the Processing;
(v) Xxxxx to the Data Controller the possibility of complying with requests to exercise the rights of the Data Subject, including, by way of example, the right of access to their Personal Data, the right to rectification, the right to erasure (or right to be forgotten), the right to restriction of processing, the right to data portability, the right to object, the right not to be subject to decisions based on an automated decision-making process. In particular, the Processor will be required to take the necessary technical and organizational measures to allow the timely transmission to the Controller of the aforementioned requests;
(vi) Ensure that the personnel who will carry out the processing activities are adequately trained in the protection of personal data and bound by confidentiality obligations with regard to the processing of Personal Data of the Controller;
(vii) on the basis of the information at its disposal and following receipt of a written request by the Data Controller, assist the latter in fulfilling its obligations under the Privacy Law, with particular reference to the implementation of technical and organizational measures, the performance of the necessary activities following a Data Breach, and the performance of a data protection impact assessment;
(viii) make available to the Data Controller all the information required in order to demonstrate the compliance with its obligations pursuant to the Privacy Law;
(ix) assist the Data Controller in carrying out the audit activities, including any inspections carried out by the Data Controller and/or another subject appointed by the Data Controller.
Appears in 1 contract
Samples: Data Processing Agreement
Processor’s Obligations. 9.1. The Processor shall:
a) Process User’s Data only on documented instructions from the User;
b) Ensure that persons authorized to Process User’s Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. The Processor shall regularly train those persons to whom it grants access to User’s Data on IT security and privacy law compliance. The undertaking to data secrecy shall continue after the termination of this Agreement;
c) Implement appropriate technical and organizational security measures to ensure a level of security appropriate to User’s Data;
d) Ensure that any natural person acting under the authority of the Processor who has access to the Personal Data does not process them except on instructions from the User;
e) Assist the User in compliance with User’s obligations under Art. 32 to 36 of the GDPR;
f) Make available to the User all information necessary to demonstrate compliance with Processor’s obligations under the Agreement, the Data Protection Law, and allow for and contribute to audits, including inspections, conducted by the User or another auditor mandated by the User;
g) Appoint a data protection officer if it is legally obliged to do so or, if it is not obliged to do so, a contact person for data protection issues;
h) Provide the User, upon request in writing, with the name and contact details of its data protection officer or the contact person for data protection issues;
i) Monitor the Processing by way of regular reviews concerning the performance of and compliance with this Agreement, the Terms, and the applicable Data Protection Law;
j) At User’s written request, reasonably support the User in dealing with requests from individual Data Subjects and/or a supervisory authority with respect to the Processing of Personal Data hereunder;
k) Assist the User with the implementation of appropriate technical and organizational measures in order to respond to applications by the Data Subjects for the exercise of their rights (in particular, Art. 13 to 23 of the GDPR);
l) Provide at minimum the information set out in Art. 33(3) of the GDPR in the case of a Personal Data breach;
m) Communicate information to the Data Subjects after a Personal Data breach, in particular pursuant to Art. 34 of the GDPR; and
n) Conduct prior (i.e. before the start of the processing) data protection impact assessments pursuant to Art. 35 of the GDPR and, if necessary, consult with a supervisory authority pursuant to Art. 36 of the GDPR.
9.2. The Processor commits to observe any and all other duties that are imposed to the Processor pursuant to Art. 28 of the GDPR.
9.3. The Processor shall collaborate with User’s data protection officer to generate the records of processing activities, pursuant to Art. 30 of the GDPR, and provide all necessary details to the User.
Appears in 1 contract
Samples: Personal Data Processing Agreement
Processor’s Obligations. The Processor shall:
Process User’s Data only on documented instructions from the User;
Ensure that persons authorised to Process User’s Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. The Processor shall regularly train those persons to whom it grants access to User’s Data on IT security and privacy law compliance. The undertaking to data secrecy shall continue after the termination of this Agreement;
Implement appropriate technical and organisational security measures to ensure a level of security appropriate to User’s Data;
Ensure that any natural person acting under the authority of the Processor who has access to the Personal Data does not process them except on instructions from the User;
Assist the User in compliance with User’s obligations under Art. 32 to 36 of the GDPR;
Make available to the User all information necessary to demonstrate compliance with Processor’s obligations under the Agreement, the Data Protection Law, and allow for and contribute to audits, including inspections, conducted by the User or another auditor mandated by the User;
Appoint a data protection officer if it is legally obliged to do so or, if it is not obliged to do so, a contact person for data protection issues;
Provide the User, upon request in writing, with the name and contact details of its data protection officer or the contact person for data protection issues;
Monitor the Processing by way of regular reviews concerning the performance of and compliance with this Agreement, the Terms, and the applicable Data Protection Law;
At User’s written request, reasonably support the User in dealing with requests from individual Data Subjects and/or a supervisory authority with respect to the Processing of Personal Data hereunder;
Assist the User with the implementation of appropriate technical and organisational measures in order to respond to applications by the Data Subjects for the exercise of their rights (in particular, Art. 13 to 23 of the GDPR);
Provide at minimum the information set out in Art. 33(3) of the GDPR in the case of a Personal Data breach;
Communicate information to the Data Subjects after a Personal Data breach, in particular pursuant to Art. 34 of the GDPR; and
Conduct prior (i.e. before the start of the processing) data protection impact assessments pursuant to Art. 35 of the GDPR and, if necessary, consult with a supervisory authority pursuant to Art. 36 of the GDPR.
The Processor commits to observe any and all other duties that are imposed to the Processor pursuant to Art. 28 of the GDPR.
The Processor shall collaborate with User’s data protection officer to generate the records of processing activities, pursuant to Art. 30 of the GDPR, and provide all necessary details to the User.
Appears in 1 contract
Samples: Personal Data Processing Agreement
Processor’s Obligations.
2.1 The data Processor undertakes to:
(a) process the Personal Data only on documented instructions from the data Controller, including with regard to Personal Data Transfers to a Third Country or an international organisation, unless required to do so by any applicable local law to which the data Processor is subject; in such a case, the data Processor shall inform the data Controller of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest. The data Processor shall immediately inform the data Controller if, in its opinion, an instruction infringes the GDPR or other applicable local data protection provisions;
(b) ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
(c) take all measures required pursuant to Article 3 of the DPA;
(d) respect the conditions referred to in Article 5 of this DPA for engaging a sub-processor;
(e) taking into account the nature of the Processing, assist the data Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the Data Subject's rights laid down in the GDPR;
(f) assist the data Controller in ensuring compliance with the obligations pursuant to Articles 3 and 4 of the DPA taking into account the nature of Processing and the information available to the Processor (including but not limited for privacy impact assessment);
(g) at the choice of the data Controller, delete or return all the Personal Data to the data Controller after the end of the provision of Services relating to Processing, and deletes existing copies unless any applicable local law requires storage of the Personal Data;
(h) make available to the data Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by the data Controller or another auditor mandated by the data Controller.
2.2 The data Processor shall communicate the data Controller the name and contact details of its Data Protection Officer if any in accordance with article 37 of the GDPR.
Appears in 1 contract
Samples: Data Processing Agreement
Processor’s Obligations. 3.1. In view of its obligations under the Data Protection Laws, the Data Processor shall:
3.1.1. Act only upon the strict instructions of the Data Controller and not process any personal data that may be transferred to it by the Data Controller except as may be necessary for the performance of any service or task provided by the Data Processor to/for the Data Controller and, in particular, to process the said personal data only on documented instructions from the Data Controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by EU or Maltese law. In such a case, the Data Processor shall inform the Data Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
3.1.2. Ensure that persons authorised to process the personal data (including but not limited to the Data Processor’s employees) have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
3.1.3. Implement appropriate technical and organisational measures to protect any personal data that may be processed on behalf of the Data Controller (if any) against accidental destruction or loss or unlawful forms of processing thereby providing the best possible level of security appropriate to the particular risks in question and take any other such measures as required by the Data Processor’s direct obligations as a data processor in terms of Article 32 of the GDPR;
3.1.4. Not engage another data processor without prior specific or general written authorisation of the Data Controller. In the case of general written authorisation, the Data Processor shall inform the Data Controller of any intended changes concerning the addition or replacement of other processors, thereby giving the Data Controller the opportunity to object to such changes. Where the Data Processor engages another processor for carrying out specific processing activities on behalf of the Data Controller (as authorised by the Data Controller), the same data protection obligations as set out in this DPA shall be imposed on that other processor or sub-processor by way of a contract or other legal act under EU or Maltese law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR. Where that other processor or sub-processor fails to fulfil its data protection obligations, the Data Processor shall remain fully liable to the Data Controller for the performance of that other processor or sub-processor's obligations. A list of sub-processors currently employed by Data Processor can be found in “Annex A”;
3.1.5. Assist the Data Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Data Controller’s obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR, taking into account the nature of the processing;
3.1.6. Assist the Data Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR (security obligations, notification of personal data breach to the supervisory authority obligation, communication of a personal data breach to the data subject obligation, data protection impact assessment obligation and prior consultation with the supervisory authority obligation) taking into account the nature of processing and the information available to the Data Processor;
3.1.7. In any case, notify the Data Controller without undue delay after becoming aware of a personal data breach;
3.1.8. At the choice of the Data Controller, delete or return all the personal data to the Data Controller after the end of the provision of services relating to processing, and delete existing copies unless EU or Maltese law requires storage of the personal data;
3.1.9. Make available to the Data Controller all information necessary to demonstrate compliance with the obligations laid down in this Clause 2 and in the applicable data protection law(s) and allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller. In this regard, the Data Processor shall immediately inform the Data Controller if, in its opinion, an instruction in connection with point (h) of the first subparagraph of Article 28 of the GDPR infringes the GDPR or other EU or Maltese data protection provisions;
3.1.10. Take all such measures necessary to ensure that processing will meet the requirements of the GDPR and ensure the protection of the rights of data subjects.
Appears in 1 contract
Samples: Data Processing Agreement
Processor’s Obligations. 5.1. The Processor shall fulfill all the obligations set forth by the Agreement and this DAP, and, specifically, it shall:
(i) follow the instructions of the Data Controller based on the functionality of the Platform and carry out only the processing activities on Personal Data agreed with the Data Controller and indicated by the latter, and strictly necessary to execute the Agreement and the DAP;
(ii) comply with the instructions given by the Data Controller related to safety regulations and with the Privacy Law, following the measures adopted by the Data Controller.
(iii) request the Data Controller authorization if, in order to execute the Agreement, the Processor needs to carry out Processing activities on Personal Data other than those strictly related to the object of the Agreement;
(iv) taking into account the nature, object, context, purpose of the Processing, as well as the possible risk for the rights and freedoms of the Data Subject, adopt the appropriate technical and organizational measures to ensure a level of security adequate to the risk and, in any case, the integrity, accuracy of the Personal Data processed and the lawfulness of the Processing;
(v) Grant to the Data Controller the possibility of complying with requests to exercise the rights of the Data Subject, including, by way of example, the right of access to their Personal Data, the right to rectification, the right to erasure (or right to be forgotten), the right to restriction of processing, the right to data portability, the right to object, the right not to be subject to decisions based on an automated decision-making process. In particular, the Processor will be required to take the necessary technical and organizational measures to allow the timely transmission to the Controller of the aforementioned requests;
(vi) Ensure that the personnel who will carry out the processing activities are adequately trained in the protection of personal data and bound by confidentiality obligations with regard to the processing of Personal Data of the Controller;
(vii) on the basis of the information at its disposal and following receipt of a written request by the Data Controller, assist the latter in fulfilling its obligations under the Privacy Law, with particular reference to the implementation of technical and organizational measures, the performance of the necessary activities following a Data Breach, and the performance of a data protection impact assessment;
(viii) make available to the Data Controller all the information required in order to demonstrate the compliance with its obligations pursuant to the Privacy Law;
(ix) assist the Data Controller in carrying out the audit activities, including any inspections carried out by the Data Controller and/or another subject appointed by the Data Controller.
Appears in 1 contract
Samples: Data Processing Agreement