Common use of Protection of Personal Data Clause in Contracts

Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Framework Agreement, the Parties acknowledge that the Fund is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Fund to perform its obligations under this Framework Agreement; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data; not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Fund (save where such disclosure or transfer is specifically authorised under this Framework Agreement); take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 22.5.2 and Clause 22.2 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Fund or as otherwise permitted by this Framework Agreement; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Fund within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request), a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the Fund's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Fund with full cooperation and assistance (within the timescales reasonably required by the Fund) in relation to any complaint, communication or request made (as referred to at Clause 22.5.2(e), including by promptly providing: the Fund with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Fund to enable the Fund to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the Fund, on request by the Fund, with any Personal Data it holds in relation to a Data Subject; and if requested by the Fund, provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 22.5.2 and provide to the Fund copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Supplier shall not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “Restricted Countries”). If, after the Framework Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to anywhere outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a variation to the Fund which, if it is agreed by the Fund, shall be dealt with in accordance with Clause 17.1 (Variation Procedure) and Clauses 22.5.3(b) to 22.5.3(d); the Supplier shall set out in its proposal to the Fund for a Variation, details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the Fund’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with the Fund, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Fund may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Framework Agreement or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Fund on such terms as may be required by the Fund; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Fund and the Supplier relating to the relevant Personal Data transfer, and the Supplier acknowledges that in each case, this may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Fund deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Fund to comply with any obligations under the DPA and shall not perform its obligations under this Framework Agreement in such a way as to cause the Fund to breach any of the Fund’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations. Subject to Clause 244 (Marketing), the Supplier shall not: make any press announcements or publicise this Framework Agreement in any way; or use the Fund's name or brand in any promotion or marketing or announcement of Orders, without Approval (the decision of the Fund to Approve or not shall not be unreasonably withheld or delayed). Each Party acknowledges to the other that nothing in this Framework Agreement either expressly or by implication constitutes an approval and/or endorsement of any products or services of the other Party (including the Goods and/or Services) and each Party agrees not to conduct itself in such a way as to imply or express any such approval and/or endorsement. The Fund shall be entitled to publicise this Framework Agreement in accordance with any legal obligation upon the Fund, including any examination of this Framework Agreement by the National Audit Office pursuant to the National Audit Xxx 0000 or otherwise.

Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Framework Agreement, the Parties acknowledge that the Fund Authority is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Fund Authority to perform its obligations under this Framework Agreement; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data; not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Fund Authority (save where such disclosure or transfer is specifically authorised under this Framework Agreement); take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 22.5.2 26.5.2 and Clause 22.2 26.2 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Fund Authority or as otherwise permitted by this Framework Agreement; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Fund Authority within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request), a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the FundAuthority's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Fund Authority with full cooperation and assistance (within the timescales reasonably required by the FundAuthority) in relation to any complaint, communication or request made (as referred to at Clause 22.5.2(e26.5.2(e), including by promptly providing: the Fund Authority with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Fund Authority to enable the Fund Authority to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the FundAuthority, on request by the FundAuthority, with any Personal Data it holds in relation to a Data Subject; and if requested by the FundAuthority, provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 22.5.2 26.5.2 and provide to the Fund Authority copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Supplier shall not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “Restricted Countries”). If, after the Framework Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to anywhere outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a variation to the Fund Authority which, if it is agreed by the FundAuthority, shall be dealt with in accordance with Clause 17.1 20.1 (Variation Procedure) and Clauses 22.5.3(b26.5.3(b) to 22.5.3(d26.5.3(d); the Supplier shall set out in its proposal to the Fund Authority for a Variation, details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the FundAuthority’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with the FundAuthority, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Fund Authority may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Framework Agreement or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Fund Authority on such terms as may be required by the FundAuthority; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Fund Authority and the Supplier relating to the relevant Personal Data transfer, and the Supplier acknowledges that in each case, this may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Fund Authority deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Fund Authority to comply with any obligations under the DPA and shall not perform its obligations under this Framework Agreement in such a way as to cause the Fund Authority to breach any of the FundAuthority’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations. Subject The Supplier must comply with the requirements set out in paragraph 6.10 of Annex A to Clause 244 part A of Framework Schedule 2 (Marketing), the Supplier shall not: make any press announcements or publicise this Framework Agreement in any way; or use the Fund's name or brand in any promotion or marketing or announcement of Orders, without Approval (the decision of the Fund to Approve or not shall not be unreasonably withheld or delayed). Each Party acknowledges to the other that nothing in this Framework Agreement either expressly or by implication constitutes an approval and/or endorsement of any products or services of the other Party (including the Goods and/or ServicesServices and Key Performance Indicators) and each Party agrees not ensure that its Sub-Contractors, where appropriate, comply with those requirements in order to conduct itself in such a way as to imply or express any such approval and/or endorsement. The Fund shall be entitled to publicise this Framework Agreement in accordance with any legal obligation upon the Fund, including any examination of this Framework Agreement by the National Audit Office pursuant to the National Audit Xxx 0000 or otherwisedemonstrate that they meet Cyber Essentials requirements.

Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Framework Agreement, the Parties acknowledge that the Fund Authority is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Fund Authority to perform its obligations under this Framework Agreement; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data; not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Fund Authority (save where such disclosure or transfer is specifically authorised under this Framework Agreement); take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 22.5.2 24.5.2 and Clause 22.2 24.2 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Fund Authority or as otherwise permitted by this Framework Agreement; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Fund Authority within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request), a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the FundAuthority's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Fund Authority with full cooperation and assistance (within the timescales reasonably required by the FundAuthority) in relation to any complaint, communication or request made (as referred to at Clause 22.5.2(e24.5.2(e), including by promptly providing: the Fund Authority with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Fund Authority to enable the Fund Authority to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the FundAuthority, on request by the FundAuthority, with any Personal Data it holds in relation to a Data Subject; and if requested by the FundAuthority, provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 22.5.2 24.5.2 and provide to the Fund Authority copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Supplier shall not Process or otherwise transfer cause or permit any Personal Data to be transferred in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “Restricted Countries”)) without the Approval of the Framework Authority. If, after the Framework Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to anywhere outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a variation to the Fund Authority which, if it is agreed by the FundAuthority, shall be dealt with in accordance with Clause 17.1 16.1 (Variation Procedure) and Clauses 22.5.3(b24.5.3(b) to 22.5.3(d24.5.3(d); the Supplier shall set out in its proposal to the Fund Authority for a Variation, details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the FundAuthority’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with the FundAuthority, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Fund Authority may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Framework Agreement or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Fund Authority on such terms as may be required by the FundAuthority; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Fund Authority and the Supplier relating to the relevant Personal Data transfer, and the Supplier acknowledges that in each case, this may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Fund Authority deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Fund Authority to comply with any obligations under the DPA and shall not perform its obligations under this Framework Agreement in such a way as to cause the Fund Authority to breach any of the FundAuthority’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations. Subject to Clause 244 (Marketing), the Supplier shall not: make any press announcements or publicise this Framework Agreement in any way; or use the Fund's name or brand in any promotion or marketing or announcement of Orders, without Approval (the decision of the Fund to Approve or not shall not be unreasonably withheld or delayed). Each Party acknowledges to the other that nothing in this Framework Agreement either expressly or by implication constitutes an approval and/or endorsement of any products or services of the other Party (including the Goods and/or Services) and each Party agrees not to conduct itself in such a way as to imply or express any such approval and/or endorsement. The Fund shall be entitled to publicise this Framework Agreement in accordance with any legal obligation upon the Fund, including any examination of this Framework Agreement by the National Audit Office pursuant to the National Audit Xxx 0000 or otherwise.

Protection of Personal Data. Where any Personal Data are Processed in connection with With respect to the exercise of the Parties’ parties' rights and obligations under this Framework Agreement, the Parties acknowledge parties agree that the Fund Authority is the Data Controller and that the Supplier Contractor is the Data Processor. The Supplier Contractor shall: Process the Personal Data only in accordance with instructions from the Fund Authority (which may be specific instructions or instructions of a general nature as set out in this Agreement or as otherwise notified by the Authority to perform its obligations under this Framework Agreementthe Contractor during the Term); ensure that at all times it has Process the Personal Data only to the extent, and in place such manner, as is necessary for the provision of the Services or as is required by Law or any Regulatory Body; implement appropriate technical and organisational measures to guard protect the Personal Data against unauthorised or unlawful Processing of the Personal Data and/or processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data; not disclose or transfer Data and having regard to the nature of the Personal Data which is to any third party or Supplier Personnel unless necessary for the provision of the Goods and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Fund (save where such disclosure or transfer is specifically authorised under this Framework Agreement)be protected; take reasonable steps to ensure the reliability and integrity of any Supplier Contractor Personnel who have access to the Personal Data; obtain prior written consent from the Authority in order to transfer the Personal Data and to any Sub-contractors or Affiliates for the provision of the Services; ensure that all Contractor Personnel required to access the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 22.5.2 and Clause 22.2 (Confidentiality); Personal Data are informed of the confidential nature of the Personal Data and do not comply with the obligations set out in this clause; ensure that none of Contractor Personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Fund or as otherwise permitted by this Framework Agreement; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA)Authority; notify the Fund Authority (within five (5[five] Working Days) Working Days if it receives: a request from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request), a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating have access to the Fundthat person's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a complaint or request from any third party for disclosure of Personal relating to the Authority's obligations under the Data where compliance with such request is required or purported to be required by LawProtection Legislation; provide the Fund Authority with full cooperation and assistance (within the timescales reasonably required by the Fund) in relation to any complaint, communication complaint or request made (as referred to at Clause 22.5.2(e)made, including by promptly providingby: providing the Fund Authority with full details and copies of the complaint, communication complaint or request; where applicable, such assistance as is reasonably requested by the Fund to enable the Fund to comply complying with the Data Subject Access Request a data access request within the relevant timescales set out in the DPAData Protection Legislation and in accordance with the Authority's instructions; and providing the Fund, on request by the Fund, Authority with any Personal Data it holds in relation to a Data SubjectSubject (within the timescales required by the Authority); and if providing the Authority with any information requested by the FundAuthority; permit the Authority or the Authority Representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, in accordance with this Contract, the Contractor's data Processing activities (and/or those of its agents, subsidiaries and Sub-contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Contractor is in full compliance with its obligations under this Agreement; provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, methods employed by the Contractor for processing Personal Data (within the purpose of compliance with its obligations pursuant to this Clause 22.5.2 timescales required by the Authority); and provide to the Fund copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Supplier shall not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country which is not determined without the prior written consent of the Authority and, where the Authority consents to be adequate by the European Commission pursuant a transfer, to Article 25(6) of Directive 95/46/EC (together “Restricted Countries”). If, after the Framework Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to anywhere outside the European Economic Area, the following provisions shall applycomply with: the Supplier shall propose obligations of a variation to Data Controller under the Fund which, if it is agreed by the Fund, shall be dealt with in accordance with Clause 17.1 (Variation Procedure) and Clauses 22.5.3(b) to 22.5.3(d); the Supplier shall Eighth Data Protection Principle set out in its proposal to the Fund for a Variation, details Schedule 1 of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure Protection Act 1998 by providing an adequate level of protection and adequate safeguards in respect of the to any Personal Data that will be Processed in and/or transferred is transferred; and any reasonable instructions notified to Restricted Countries so as to ensure it by the Fund’s compliance Authority. The Contractor shall comply at all times with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with the Fund, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Fund may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Framework Agreement or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Fund on such terms as may be required by the Fund; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Fund and the Supplier relating to the relevant Personal Data transfer, and the Supplier acknowledges that in each case, this may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Fund deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Fund to comply with any obligations under the DPA Protection Legislation and shall not perform its obligations under this Framework Agreement in such a way as to cause the Fund Authority to breach any of the Fund’s its applicable obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations. Subject to Clause 244 (Marketing), the Supplier shall not: make any press announcements or publicise this Framework Agreement in any way; or use the Fund's name or brand in any promotion or marketing or announcement of Orders, without Approval (the decision of the Fund to Approve or not shall not be unreasonably withheld or delayed). Each Party acknowledges to the other that nothing in this Framework Agreement either expressly or by implication constitutes an approval and/or endorsement of any products or services of the other Party (including the Goods and/or Services) and each Party agrees not to conduct itself in such a way as to imply or express any such approval and/or endorsement. The Fund shall be entitled to publicise this Framework Agreement in accordance with any legal obligation upon the Fund, including any examination of this Framework Agreement by the National Audit Office pursuant to the National Audit Xxx 0000 or otherwiseData Protection Legislation.

Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Framework Agreement, the Parties acknowledge that the Fund Authority is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Fund Authority to perform its obligations under this Framework Agreement; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data; not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Fund Authority (save where such disclosure or transfer is specifically authorised under this Framework Agreement); take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 22.5.2 63.4.2 and Clause 22.2 63.2 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Fund Authority or as otherwise permitted by this Framework Agreement; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Fund Authority within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request), a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the FundAuthority's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Fund Authority with full cooperation and assistance (within the timescales reasonably required by the FundAuthority) in relation to any complaint, communication or request made (as referred to at Clause 22.5.2(e63.4.2(e), including by promptly providing: the Fund Authority with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Fund Authority to enable the Fund Authority to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the FundAuthority, on request by the FundAuthority, with any Personal Data it holds in relation to a Data Subject; and if requested by the FundAuthority, provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 22.5.2 63.4.2 and provide to the Fund Authority copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Supplier shall not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “a Restricted Countries”)Country. If, after the Framework Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to anywhere outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a variation to the Fund Authority which, if it is agreed by the FundAuthority, shall be dealt with in accordance with Clause 17.1 50.1 (Variation Procedure) and Clauses 22.5.3(b63.4.3(b) to 22.5.3(d63.4.3(d); the Supplier shall set out in its proposal to the Fund Authority for a Variation, details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the FundAuthority’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with the FundAuthority, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Fund Authority may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Framework Agreement or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Fund Authority on such terms as may be required by the FundAuthority; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Fund Authority and the Supplier relating to the relevant Personal Data transfer, and the Supplier acknowledges that in each case, this may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Fund Authority deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Fund Authority to comply with any obligations under the DPA and shall not perform its obligations under this Framework Agreement in such a way as to cause the Fund Authority to breach any of the FundAuthority’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations. Subject to Clause 244 (Marketing), the Supplier shall not: make any press announcements or publicise this Framework Agreement in any way; or use the Fund's name or brand in any promotion or marketing or announcement of Orders, without Approval (the decision of the Fund to Approve or not shall not be unreasonably withheld or delayed). Each Party acknowledges to the other that nothing in this Framework Agreement either expressly or by implication constitutes an approval and/or endorsement of any products or services of the other Party (including the Goods and/or Services) and each Party agrees not to conduct itself in such a way as to imply or express any such approval and/or endorsement. The Fund shall be entitled to publicise this Framework Agreement in accordance with any legal obligation upon the Fund, including any examination of this Framework Agreement by the National Audit Office pursuant to the National Audit Xxx 0000 or otherwise.

Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Framework Agreement, the Parties acknowledge that the Fund Authority is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Fund Authority to perform its obligations under this Framework Agreement; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data; not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Fund Authority (save where such disclosure or transfer is specifically authorised under this Framework Agreement); take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 22.5.2 27.4.2 and Clause 22.2 27.2 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Fund Authority or as otherwise permitted by this Framework Agreement; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Fund Authority within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request), a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the FundAuthority's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Fund Authority with full cooperation and assistance (within the timescales reasonably required by the FundAuthority) in relation to any complaint, communication or request made (as referred to at Clause 22.5.2(e27.4.2(e), including by promptly providing: the Fund Authority with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Fund Authority to enable the Fund Authority to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the FundAuthority, on request by the FundAuthority, with any Personal Data it holds in relation to a Data Subject; and if requested by the FundAuthority, provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 22.5.2 27.4.2 and provide to the Fund Authority copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Supplier shall not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “a Restricted Countries”)Country. If, after the Framework Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to anywhere outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a variation to the Fund Authority which, if it is agreed by the FundAuthority, shall be dealt with in accordance with Clause 17.1 19.1 (Variation Procedure) and Clauses 22.5.3(b27.4.3(b) to 22.5.3(d27.4.3(d); the Supplier shall set out in its proposal to the Fund Authority for a Variation, details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the FundAuthority’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with the FundAuthority, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Fund Authority may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Framework Agreement or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Fund Authority on such terms as may be required by the FundAuthority; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Fund Authority and the Supplier relating to the relevant Personal Data transfer, and the Supplier acknowledges that in each case, this may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Fund Authority deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Fund Authority to comply with any obligations under the DPA and shall not perform its obligations under this Framework Agreement in such a way as to cause the Fund Authority to breach any of the FundAuthority’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations. Subject to Clause 244 29 (Marketing), the Supplier shall not: make any press announcements or publicise this Framework Agreement in any way; or use the FundAuthority's name or brand in any promotion or marketing or announcement of Orders, without Approval (the decision of the Fund Authority to Approve or not shall not be unreasonably withheld or delayed). Each Party acknowledges to the other that nothing in this Framework Agreement either expressly or by implication constitutes an approval and/or endorsement of any products or services of the other Party (including the Goods and/or Services) and each Party agrees not to conduct itself in such a way as to imply or express any such approval and/or endorsement. The Fund Authority shall be entitled to publicise this Framework Agreement in accordance with any legal obligation upon the FundAuthority, including any examination of this Framework Agreement by the National Audit Office pursuant to the National Audit Xxx Acx 0000 or xr otherwise.

Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Framework Agreement, the Parties acknowledge that the Fund Authority is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Fund Authority to perform its obligations under this Framework Agreement; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data; not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Fund Authority (save where such disclosure or transfer is specifically authorised under this Framework Agreement); take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 22.5.2 24.5.2 and Clause 22.2 24.2 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Fund Authority or as otherwise permitted by this Framework Agreement; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Fund Authority within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request), a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the FundAuthority's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Fund Authority with full cooperation and assistance (within the timescales reasonably required by the FundAuthority) in relation to any complaint, communication or request made (as referred to at Clause 22.5.2(e24.5.2(d)(iv), including by promptly providing: the Fund Authority with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Fund Authority to enable the Fund Authority to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the FundAuthority, on request by the FundAuthority, with any Personal Data it holds in relation to a Data Subject; and if requested by the FundAuthority, provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 22.5.2 24.5.2 and provide to the Fund Authority copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Supplier shall not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “Restricted Countries”). If, after the Framework Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to anywhere outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a variation to the Fund which, if it is agreed by the Fund, shall be dealt with in accordance with Clause 17.1 (Variation Procedure) and Clauses 22.5.3(b) to 22.5.3(d); the Supplier shall set out in its proposal to the Fund for a Variation, details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the Fund’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with the Fund, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Fund may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Framework Agreement or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Fund on such terms as may be required by the Fund; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Fund and the Supplier relating to the relevant Personal Data transfer, and the Supplier acknowledges that in each case, this may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Fund deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Fund to comply with any obligations under the DPA and shall not perform its obligations under this Framework Agreement in such a way as to cause the Fund to breach any of the Fund’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations. Subject to Clause 244 (Marketing), the Supplier shall not: make any press announcements or publicise this Framework Agreement in any way; or use the Fund's name or brand in any promotion or marketing or announcement of Orders, without Approval (the decision of the Fund to Approve or not shall not be unreasonably withheld or delayed). Each Party acknowledges to the other that nothing in this Framework Agreement either expressly or by implication constitutes an approval and/or endorsement of any products or services of the other Party (including the Goods and/or Services) and each Party agrees not to conduct itself in such a way as to imply or express any such approval and/or endorsement. The Fund shall be entitled to publicise this Framework Agreement in accordance with any legal obligation upon the Fund, including any examination of this Framework Agreement by the National Audit Office pursuant to the National Audit Xxx 0000 or otherwise.

Protection of Personal Data. 27.4.1 Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Framework Agreement, the Parties acknowledge that the Fund Authority is the Data Controller and that the Supplier is the Data Processor. . 27.4.2 The Supplier shall: : (a) Process the Personal Data only in accordance with instructions from the Fund Authority to perform its obligations under this Framework Agreement; ; (b) ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data; ; (c) not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Fund Authority (save where such disclosure or transfer is specifically authorised under this Framework Agreement); ; (d) take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: : (i) are aware of and comply with the Supplier’s Suppliers duties under this Clause 22.5.2 27.4.2 and Clause 22.2 27.2 (Confidentiality); ; (ii) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Fund Authority or as otherwise permitted by this Framework Agreement; and and (iii) have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPAGDPR); ; (e) notify the Fund Authority within five (5) Working Days if it receives: : (i) from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request), a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the FundAuthority's obligations under the DPA; GDPR; (ii) any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or or (iii) a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; ; (f) provide the Fund Authority with full cooperation and assistance (within the timescales reasonably required by the FundAuthority) in relation to any complaint, communication or request made (as referred to at Clause 22.5.2(e27.4.2(e), including by promptly providing: : (i) the Fund Authority with full details and copies of the complaint, communication or request; ; (ii) where applicable, such assistance as is reasonably requested by the Fund Authority to enable the Fund Authority to comply with the Data Subject Access Request within the relevant timescales set out in the DPAGDPR; and and (iii) the FundAuthority, on request by the FundAuthority, with any Personal Data it holds in relation to a Data Subject; and and (g) if requested by the FundAuthority, provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 22.5.2 27.4.2 and provide to the Fund Authority copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. . 27.4.3 The Supplier shall not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “a Restricted Countries”)Country. If, after the Framework Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to anywhere outside the European Economic Area, the following provisions shall apply: : (a) the Supplier shall propose a variation to the Fund Authority which, if it is agreed by the FundAuthority, shall be dealt with in accordance with Clause 17.1 19.1 (Variation Procedure) and Clauses 22.5.3(b27.4.3(b) to 22.5.3(d27.4.3(d); ; (b) the Supplier shall set out in its proposal to the Fund Authority for a Variation, details of the following: : (i) the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; ; (ii) the Restricted Countries to which the Personal Data will be transferred and/or Processed; and and (iii) any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; ; (iv) how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the FundAuthority’s compliance with the DPA; GDPR; (c) in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with the FundAuthority, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and and (d) the Supplier shall comply with such other instructions and shall carry out such other actions as the Fund Authority may notify in writing, including: : (i) incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPAGDPR) into this Framework Agreement or a separate data processing agreement between the Parties; and and (ii) procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: : (A) a direct data processing agreement with the Fund Authority on such terms as may be required by the FundAuthority; or or (B) a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Fund Authority and the Supplier relating to the relevant Personal Data transfer, and the Supplier acknowledges that in each case, this may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPAGDPR) and technical and organisation measures which the Fund Authority deems necessary for the purpose of protecting Personal Data. . 27.4.4 The Supplier shall use its reasonable endeavours to assist the Fund Authority to comply with any obligations under the DPA GDPR and shall not perform its obligations under this Framework Agreement in such a way as to cause the Fund Authority to breach any of the FundAuthority’s obligations under the DPA GDPR to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations. Subject to Clause 244 (Marketing), the Supplier shall not: make any press announcements or publicise this Framework Agreement in any way; or use the Fund's name or brand in any promotion or marketing or announcement of Orders, without Approval (the decision of the Fund to Approve or not shall not be unreasonably withheld or delayed). Each Party acknowledges to the other that nothing in this Framework Agreement either expressly or by implication constitutes an approval and/or endorsement of any products or services of the other Party (including the Goods and/or Services) and each Party agrees not to conduct itself in such a way as to imply or express any such approval and/or endorsement. The Fund shall be entitled to publicise this Framework Agreement in accordance with any legal obligation upon the Fund, including any examination of this Framework Agreement by the National Audit Office pursuant to the National Audit Xxx 0000 or otherwise.

Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of 25.1 With respect to the Parties’ ' rights and obligations under this Framework Agreement, the Parties acknowledge that the Fund Authority is the a Data Controller and that the Supplier is the a Data Processor. . 25.2 The Supplier shall: : (a) Process the Personal Data only in accordance with instructions from the Fund Authority to perform its obligations under this Framework Agreement; ; (b) ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing processing of the Personal Data and/or accidental loss, destruction, destruction or damage to the Personal Data; , including the measures as are set out in Clause 22 (Authority Data and Security Requirements); (c) not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Fund Authority (save where such disclosure or transfer is specifically authorised under this Framework Agreement); ; (d) take all reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: : (i) are aware of and comply with the Supplier’s duties under this Clause 22.5.2 25 and Clause 22.2 Clauses 23 (Confidentiality) and 22 (Authority Data and Security Requirements); ; (ii) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Fund Authority or as otherwise permitted by this Framework Agreement; and and (iii) have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); ; (e) notify the Fund Authority within five (5) 5 Working Days if it receives: : (i) from a Data Subject (or third party on their behalf): (A) a Data Subject Access Request (or purported Data Subject Access Request), ; (B) a request to rectify, block or erase any Personal Data or Data; or (C) any other request, complaint or communication relating to the FundAuthority's obligations under the DPA; ; (ii) any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or or (iii) a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; ; (f) provide the Fund Authority with full cooperation and assistance (within the timescales reasonably required by the FundAuthority) in relation to any complaint, communication or request made (as referred to at in Clause 22.5.2(e25.2(e), including by promptly providing: : (i) the Fund Authority with full details and copies of the complaint, communication or request; ; (ii) where applicable, such assistance as is reasonably requested by the Fund Authority to enable the Fund Authority to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and and (iii) the FundAuthority, on request by the FundAuthority, with any Personal Data it holds in relation to a Data Subject; and and (g) if requested by the FundAuthority, provide a written description of the measures that the Supplier it has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 22.5.2 25 and provide to the Fund Authority copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Supplier shall not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “Restricted Countries”). If, after the Framework Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to anywhere outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a variation to the Fund which, if it is agreed by the Fund, shall be dealt with in accordance with Clause 17.1 (Variation Procedure) and Clauses 22.5.3(b) to 22.5.3(d); the Supplier shall set out in its proposal to the Fund for a Variation, details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the Fund’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with the Fund, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Fund may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Framework Agreement or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Fund on such terms as may be required by the Fund; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Fund and the Supplier relating to the relevant Personal Data transfer, and the Supplier acknowledges that in each case, this may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Fund deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Fund to comply with any obligations under the DPA and shall not perform its obligations under this Framework Agreement in such a way as to cause the Fund to breach any of the Fund’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations. Subject to Clause 244 (Marketing), the Supplier shall not: make any press announcements or publicise this Framework Agreement in any way; or use the Fund's name or brand in any promotion or marketing or announcement of Orders, without Approval (the decision of the Fund to Approve or not shall not be unreasonably withheld or delayed). Each Party acknowledges to the other that nothing in this Framework Agreement either expressly or by implication constitutes an approval and/or endorsement of any products or services of the other Party (including the Goods and/or Services) and each Party agrees not to conduct itself in such a way as to imply or express any such approval and/or endorsement. The Fund shall be entitled to publicise this Framework Agreement in accordance with any legal obligation upon the Fund, including any examination of this Framework Agreement by the National Audit Office pursuant to the National Audit Xxx 0000 or otherwise.

Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Framework Agreement, the Parties acknowledge that the Fund Authority is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Fund Authority to perform its obligations under this Framework Agreement; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data; not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Fund Authority (save where such disclosure or transfer is specifically authorised under this Framework Agreement); take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 22.5.2 60.5.2 and Clause 22.2 60.2 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Fund Authority or as otherwise permitted by this Framework Agreement; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Fund Authority within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request), a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the FundAuthority's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Fund Authority with full cooperation and assistance (within the timescales reasonably required by the FundAuthority) in relation to any complaint, communication or request made (as referred to at Clause 22.5.2(e)60.5.10, including by promptly providing: the Fund Authority with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Fund Authority to enable the Fund Authority to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the FundAuthority, on request by the FundAuthority, with any Personal Data it holds in relation to a Data Subject; and if requested by the FundAuthority, provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 22.5.2 60.5.2 and provide to the Fund Authority copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Supplier shall not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “Restricted Countries”). If, after the Framework Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to anywhere outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a variation to the Fund Authority which, if it is agreed by the FundAuthority, shall be dealt with in accordance with Clause 17.1 46.1 (Variation Procedure) and Clauses 22.5.3(b) 60.5.21 to 22.5.3(d)60.5.27; the Supplier shall set out in its proposal to the Fund Authority for a Variation, details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the FundAuthority’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with the FundAuthority, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Fund Authority may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Framework Agreement or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Fund Authority on such terms as may be required by the FundAuthority; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Fund Authority and the Supplier relating to the relevant Personal Data transfer, and the Supplier acknowledges that in each case, this may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Fund Authority deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Fund Authority to comply with any obligations under the DPA and shall not perform its obligations under this Framework Agreement in such a way as to cause the Fund Authority to breach any of the FundAuthority’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations. Subject to Clause 244 (Marketing), the Supplier shall not: make any press announcements or publicise this Framework Agreement in any way; or use the Fund's name or brand in any promotion or marketing or announcement of Orders, without Approval (the decision of the Fund to Approve or not shall not be unreasonably withheld or delayed). Each Party acknowledges to the other that nothing in this Framework Agreement either expressly or by implication constitutes an approval and/or endorsement of any products or services of the other Party (including the Goods and/or Services) and each Party agrees not to conduct itself in such a way as to imply or express any such approval and/or endorsement. The Fund shall be entitled to publicise this Framework Agreement in accordance with any legal obligation upon the Fund, including any examination of this Framework Agreement by the National Audit Office pursuant to the National Audit Xxx 0000 or otherwise.

Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of With respect to the Parties’ ' rights and obligations under this Framework Agreementthe Contract, the Parties acknowledge agree that the Fund Authority is the Data Controller and that the Supplier Contractor is the Data Processor. The Supplier Contractor shall: Process the Personal Data only in accordance with instructions from the Fund Authority (which may be specific instructions or instructions of a general nature as set out in the Contract or as otherwise notified by the Authority to perform its obligations under this the Contractor during the Term) and the Contractor shall at the very least comply with the provisions of Schedule 8 (Information Security) and HM Government Security Framework Agreementas updated from time to time; ensure that at all times it has Process the Personal Data only to the extent, and in place such manner, as is necessary for the provision of the Services or as is required by Legislation or any Regulatory Body; implement appropriate technical and organisational measures to guard protect the Personal Data against unauthorised or unlawful Processing of the Personal Data and/or processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data; not disclose or transfer Data and having regard to the nature of the Personal Data which is to be protected and in any third party or Supplier Personnel unless necessary for event the provision measures shall not be of the Goods and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Fund a lesser standard than that set out in Schedule 8 (save where such disclosure or transfer is specifically authorised under this Framework AgreementInformation Security); take reasonable steps to ensure the reliability and integrity of any Supplier Personnel Contractor’s Staff who have access to the Personal Data; obtain prior written consent from the Authority in order to transfer the Personal Data and to any sub-contractors or affiliates for the provision of the Services; ensure that all Contractor’s Staff required to access the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 22.5.2 and Clause 22.2 (Confidentiality); Personal Data are informed of the confidential nature of the Personal Data and do not comply with the obligations set out in this clause 69.2; ensure that none of the Contractor’s Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Fund or as otherwise permitted by this Framework Agreement; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA)Authority; notify the Fund Authority (within five (5Business Days) Working Days if it receives: a request from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request), a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating have access to the Fundthat person's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a complaint or request from any third party for disclosure of Personal relating to the Authority's obligations under the Data where compliance with such request is required or purported to be required by LawProtection Legislation; provide the Fund Authority with full cooperation co-operation and assistance (within the timescales reasonably required by the Fund) in relation to any complaint, communication complaint or request made (as referred to at Clause 22.5.2(e)made, including by promptly providingby: providing the Fund Authority with full details and copies of the complaint, communication complaint or request; where applicable, such assistance as is reasonably requested by the Fund to enable the Fund to comply complying with the Data Subject Access Request a data access request within the relevant timescales set out in the DPAData Protection Legislation and in accordance with the Authority's instructions; and providing the Fund, on request by the Fund, Authority with any Personal Data it holds in relation to a Data Subject, within the timescales required by the Authority; and if providing the Authority with any information requested by the FundAuthority; permit the Authority (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, the Contractor's data Processing activities (and/or those of the Contractor’s Staff) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Contractor is in full compliance with its obligations under the Contract; provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, methods employed by the Contractor for processing Personal Data (within the purpose of compliance with its obligations pursuant to this Clause 22.5.2 timescales reasonably required by the Authority); and provide to the Fund copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Supplier shall not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country which is not determined without the prior written consent of the Authority and, where the Authority consents to be adequate by the European Commission pursuant a transfer, to Article 25(6) of Directive 95/46/EC (together “Restricted Countries”). If, after the Framework Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to anywhere outside the European Economic Area, the following provisions shall applycomply with: the Supplier shall propose obligations of a variation to Data Controller under the Fund which, if it is agreed by the Fund, shall be dealt with in accordance with Clause 17.1 (Variation Procedure) and Clauses 22.5.3(b) to 22.5.3(d); the Supplier shall Eighth Data Protection Principle set out in its proposal to the Fund for a Variation, details Schedule 1 of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure Protection Act 1998 by providing an adequate level of protection and adequate safeguards in respect of the to any Personal Data that will be Processed in and/or transferred is transferred; and any reasonable instructions notified to Restricted Countries so as to ensure it by the Fund’s compliance Authority. The Contractor shall comply at all times with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with the Fund, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Fund may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Framework Agreement or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Fund on such terms as may be required by the Fund; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Fund and the Supplier relating to the relevant Personal Data transfer, and the Supplier acknowledges that in each case, this may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Fund deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Fund to comply with any obligations under the DPA Protection Legislation and shall not perform its obligations under this Framework Agreement the Contract in such a way as to cause the Fund Authority to breach any of the Fund’s its applicable obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations. Subject to Clause 244 (Marketing), the Supplier shall not: make any press announcements or publicise this Framework Agreement in any way; or use the Fund's name or brand in any promotion or marketing or announcement of Orders, without Approval (the decision of the Fund to Approve or not shall not be unreasonably withheld or delayed). Each Party acknowledges to the other that nothing in this Framework Agreement either expressly or by implication constitutes an approval and/or endorsement of any products or services of the other Party (including the Goods and/or Services) and each Party agrees not to conduct itself in such a way as to imply or express any such approval and/or endorsement. The Fund shall be entitled to publicise this Framework Agreement in accordance with any legal obligation upon the Fund, including any examination of this Framework Agreement by the National Audit Office pursuant to the National Audit Xxx 0000 or otherwiseData Protection Legislation.

Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Framework Agreement, the Parties acknowledge that the Fund Authority is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Fund Authority to perform its obligations under this Framework Agreement; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data; not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Fund Authority (save where such disclosure or transfer is specifically authorised under this Framework Agreement); take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 22.5.2 26.5.2 and Clause 22.2 26.2 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Fund Authority or as otherwise permitted by this Framework Agreement; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Fund Authority within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request), a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the FundAuthority's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Fund Authority with full cooperation and assistance (within the timescales reasonably required by the FundAuthority) in relation to any complaint, communication or request made (as referred to at Clause 22.5.2(e26.5.2(e), including by promptly providing: the Fund Authority with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Fund Authority to enable the Fund Authority to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the FundAuthority, on request by the FundAuthority, with any Personal Data it holds in relation to a Data Subject; and if requested by the FundAuthority, provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 22.5.2 26.5.2 and provide to the Fund Authority copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Supplier shall not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “Restricted Countries”). If, after the Framework Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to anywhere outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a variation to the Fund Authority which, if it is agreed by the FundAuthority, shall be dealt with in accordance with Clause 17.1 18.1 (Variation Procedure) and Clauses 22.5.3(b26.5.3(b) to 22.5.3(d26.5.3(d); the Supplier shall set out in its proposal to the Fund Authority for a Variation, details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the FundAuthority’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with the FundAuthority, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Fund Authority may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Framework Agreement or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Fund Authority on such terms as may be required by the FundAuthority; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Fund Authority and the Supplier relating to the relevant Personal Data transfer, and the Supplier acknowledges that in each case, this may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Fund Authority deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Fund Authority to comply with any obligations under the DPA and shall not perform its obligations under this Framework Agreement in such a way as to cause the Fund Authority to breach any of the FundAuthority’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations. Subject to Clause 244 The Supplier must comply with the Cyber Essentials requirements set out in paragraph 9 of Part A of Framework Schedule 2 (Marketing), the Supplier shall not: make any press announcements or publicise this Framework Agreement in any way; or use the Fund's name or brand in any promotion or marketing or announcement of Orders, without Approval (the decision of the Fund to Approve or not shall not be unreasonably withheld or delayed). Each Party acknowledges to the other that nothing in this Framework Agreement either expressly or by implication constitutes an approval and/or endorsement of any products or services of the other Party (including the Goods and/or ServicesServices and Key Performance Indicators) and each Party agrees not ensure that its Sub-Contractors, where appropriate, comply with those requirements in order to conduct itself in such a way as to imply or express any such approval and/or endorsement. The Fund shall be entitled to publicise this Framework Agreement in accordance demonstrate compliance with any legal obligation upon the Fund, including any examination of this Framework Agreement technical requirements prescribed by the National Audit Office pursuant to the National Audit Xxx 0000 or otherwiseCyber Essentials.

Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Framework AgreementContract , the Parties acknowledge that the Fund Customer is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Fund Customer to perform its obligations under this Framework AgreementContract ; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data, including the measures as are set out in Clauses 34.1 (Security Requirements) and 34.2 (Protection of Customer Data); not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Fund Customer (save where such disclosure or transfer is specifically authorised under this Framework Agreement); Contract ) take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s Suppliers duties under this Clause 22.5.2 34.6.2 and Clause 22.2 Clauses 34.1 (Security Requirements), 34.2 (Protection of Customer Data) and 34.3 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Fund Customer or as otherwise permitted by this Framework AgreementContract ; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Fund Customer within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request), ) a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the FundCustomer's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Fund Customer with full cooperation and assistance (within the timescales reasonably required by the FundCustomer) in relation to any complaint, communication or request made (as referred to at Clause 22.5.2(e34.6.2(e)), including by promptly providing: the Fund Customer with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Fund Customer to enable the Fund Customer to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the FundCustomer, on request by the FundCustomer, with any Personal Data it holds in relation to a Data Subject; and if requested by the FundCustomer, provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 22.5.2 34.6.2 and provide to the Fund Customer copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Supplier shall not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “Restricted Countries”). If, after the Framework Contract Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to anywhere any outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a variation Variation to the Fund Customer which, if it is agreed by the FundCustomer, shall be dealt with in accordance with Clause 17.1 (the Variation Procedure) Procedure and Clauses 22.5.3(b34.6.3(b) to 22.5.3(d34.6.3(c); the Supplier shall set out in its proposal to the Fund Customer for a Variation, Variation details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the FundCustomer’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with the Fundthen-current Customer, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Fund Customer may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Framework Agreement Contract or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Fund Customer on such terms as may be required by the FundCustomer; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Fund Customer and the Supplier Sub-Contractor relating to the relevant Personal Data transfer, and in each case which the Supplier acknowledges that in each case, this may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Fund Customer deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Fund Customer to comply with any obligations under the DPA and shall not perform its obligations under this Framework Agreement Contract in such a way as to cause the Fund Customer to breach any of the FundCustomer’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations. Subject to Clause 244 (Marketing), the Supplier shall not: make any press announcements or publicise this Framework Agreement in any way; or use the Fund's name or brand in any promotion or marketing or announcement of Orders, without Approval (the decision of the Fund to Approve or not shall not be unreasonably withheld or delayed). Each Party acknowledges to the other that nothing in this Framework Agreement either expressly or by implication constitutes an approval and/or endorsement of any products or services of the other Party (including the Goods and/or Services) and each Party agrees not to conduct itself in such a way as to imply or express any such approval and/or endorsement. The Fund shall be entitled to publicise this Framework Agreement in accordance with any legal obligation upon the Fund, including any examination of this Framework Agreement by the National Audit Office pursuant to the National Audit Xxx 0000 or otherwise.

Protection of Personal Data. 28.6.1 Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Framework AgreementContract, the Parties acknowledge that the Fund Authority is the Data Controller and that the Supplier is the Data Processor. . 28.6.2 The Supplier shall: : (a) Process the Personal Data only in accordance with instructions from the Fund Authority to perform its obligations under this Framework Agreement; Contract; (b) ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data; , including the measures as are set out in Clauses 28.1 (Security Requirements) and 28.2 (Protection of Authority Data); (c) not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Fund Authority (save where such disclosure or transfer is specifically authorised under this Framework AgreementContract); ; (d) take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: : (i) are aware of and comply with the Supplier’s duties under this Clause 22.5.2 28.6.2 and Clause 22.2 Clauses 28.1 (Security Requirements), 28.2 (Protection of Authority Data) and 28.3 (Confidentiality); ; (ii) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Fund Authority or as otherwise permitted by this Framework AgreementContract; and and (iii) have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); ; (e) notify the Fund Authority within five (5) Working Days if it receives: : (i) from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request), ) a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the FundAuthority's obligations under the DPA; ; (ii) any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or or (iii) a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; ; (f) provide the Fund Authority with full cooperation and assistance (within the timescales reasonably required by the FundAuthority) in relation to any complaint, communication or request made (as referred to at Clause 22.5.2(e28.6.2(e)), including by promptly providing: : (i) the Fund Authority with full details and copies of the complaint, communication or request; ; (ii) where applicable, such assistance as is reasonably requested by the Fund Authority to enable the Fund Authority to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and and (iii) the FundAuthority, on request by the FundAuthority, with any Personal Data it holds in relation to a Data Subject; and and (g) if requested by the FundAuthority, provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 22.5.2 28.6.2 and provide to the Fund Authority copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. . 28.6.3 The Supplier shall not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “Restricted Countries”). If, after the Framework Contract Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to anywhere any outside the European Economic Area, the following provisions shall apply: : (a) the Supplier shall propose a variation Variation to the Fund Authority which, if it is agreed by the FundAuthority, shall be dealt with in accordance with Clause 17.1 (the Variation Procedure) Procedure and Clauses 22.5.3(b28.6.3(b) to 22.5.3(d28.6.3(d); ; (b) the Supplier shall set out in its proposal to the Fund Authority for a Variation, Variation details of the following: : (i) the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; ; (ii) the Restricted Countries to which the Personal Data will be transferred and/or Processed; and and (iii) any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; ; (c) how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the FundAuthority’s compliance with the DPA; ; (d) in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with the Fundthen-current Authority, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and and (e) the Supplier shall comply with such other instructions and shall carry out such other actions as the Fund Authority may notify in writing, including: : (i) incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Framework Agreement Contract or a separate data processing agreement between the Parties; and and (ii) procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: : (A) a direct data processing agreement with the Fund Authority on such terms as may be required by the FundAuthority; or or (B) a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Fund Authority and the Supplier Sub-Contractor relating to the relevant Personal Data transfer, and in each case which the Supplier acknowledges that in each case, this may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Fund Authority deems necessary for the purpose of protecting Personal Data. . 28.6.4 The Supplier shall use its reasonable endeavours to assist the Fund Authority to comply with any obligations under the DPA and shall not perform its obligations under this Framework Agreement Contract in such a way as to cause the Fund Authority to breach any of the FundAuthority’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations. Subject to Clause 244 (Marketing), the Supplier shall not: make any press announcements or publicise this Framework Agreement in any way; or use the Fund's name or brand in any promotion or marketing or announcement of Orders, without Approval (the decision of the Fund to Approve or not shall not be unreasonably withheld or delayed). Each Party acknowledges to the other that nothing in this Framework Agreement either expressly or by implication constitutes an approval and/or endorsement of any products or services of the other Party (including the Goods and/or Services) and each Party agrees not to conduct itself in such a way as to imply or express any such approval and/or endorsement. The Fund shall be entitled to publicise this Framework Agreement in accordance with any legal obligation upon the Fund, including any examination of this Framework Agreement by the National Audit Office pursuant to the National Audit Xxx 0000 or otherwise.

Protection of Personal Data. 25.6.1 Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Framework AgreementContract, the Parties acknowledge that the Fund Authority is the Data Controller and that the Supplier is the Data Processor. . 25.6.2 The Supplier shall: : (a) Process the Personal Data only in accordance with instructions from the Fund Authority to perform its obligations under this Framework Agreement; Contract; (b) ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data; , including the measures as are set out in Clauses 25.1 (Security Requirements) and 25.2 (Protection of Authority Data); (c) not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Fund Authority (save where such disclosure or transfer is specifically authorised under this Framework AgreementContract); ; (d) take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: : (i) are aware of and comply with the Supplier’s duties under this Clause 22.5.2 25.6.2 and Clause 22.2 Clauses 25.1 (Security Requirements), 25.2 (Protection of Authority Data) and 25.3 (Confidentiality); ; (ii) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Fund Authority or as otherwise permitted by this Framework AgreementContract; and and (iii) have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); ; (e) notify the Fund Authority within five (5) Working Days if it receives: : (i) from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request), ) a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the FundAuthority's obligations under the DPA; ; (ii) any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Fund with full cooperation and assistance (within the timescales reasonably required by the Fund) in relation to any complaint, communication or request made (as referred to at Clause 22.5.2(e), including by promptly providing: the Fund with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Fund to enable the Fund to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the Fund, on request by the Fund, with any Personal Data it holds in relation to a Data Subject; and if requested by the Fund, provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 22.5.2 and provide to the Fund copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Supplier shall not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “Restricted Countries”). If, after the Framework Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to anywhere outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a variation to the Fund which, if it is agreed by the Fund, shall be dealt with in accordance with Clause 17.1 (Variation Procedure) and Clauses 22.5.3(b) to 22.5.3(d); the Supplier shall set out in its proposal to the Fund for a Variation, details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the Fund’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with the Fund, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Fund may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Framework Agreement or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Fund on such terms as may be required by the Fund; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Fund and the Supplier relating to the relevant Personal Data transfer, and the Supplier acknowledges that in each case, this may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Fund deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Fund to comply with any obligations under the DPA and shall not perform its obligations under this Framework Agreement in such a way as to cause the Fund to breach any of the Fund’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations. Subject to Clause 244 (Marketing), the Supplier shall not: make any press announcements or publicise this Framework Agreement in any way; or use the Fund's name or brand in any promotion or marketing or announcement of Orders, without Approval (the decision of the Fund to Approve or not shall not be unreasonably withheld or delayed). Each Party acknowledges to the other that nothing in this Framework Agreement either expressly or by implication constitutes an approval and/or endorsement of any products or services of the other Party (including the Goods and/or Services) and each Party agrees not to conduct itself in such a way as to imply or express any such approval and/or endorsement. The Fund shall be entitled to publicise this Framework Agreement in accordance with any legal obligation upon the Fund, including any examination of this Framework Agreement by the National Audit Office pursuant to the National Audit Xxx 0000 or otherwise.or

Protection of Personal Data. 25.5.1 Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Framework Agreement, the Parties acknowledge that the Fund Authority is the Data Controller and that the Supplier is the Data Processor. . 25.5.2 The Supplier shall: : (a) Process the Personal Data only in accordance with instructions from the Fund Authority to perform its obligations under this Framework Agreement; ; (b) ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data; ; (c) not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Fund Authority (save where such disclosure or transfer is specifically authorised under this Framework Agreement); ; (d) take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: : (i) are aware of and comply with the Supplier’s duties under this Clause 22.5.2 25.5.2 and Clause 22.2 25.2 (Confidentiality); ; (ii) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Fund Authority or as otherwise permitted by this Framework Agreement; and and (iii) have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); ; (e) notify the Fund Authority within five (5) Working Days if it receives: : (i) from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request), a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the FundAuthority's obligations under the DPA; ; (ii) any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or or (iii) a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; ; (f) provide the Fund Authority with full cooperation and assistance (within the timescales reasonably required by the FundAuthority) in relation to any complaint, communication or request made (as referred to at Clause 22.5.2(e25.5.2(e), including by promptly providing: : (i) the Fund Authority with full details and copies of the complaint, communication or request; ; (ii) where applicable, such assistance as is reasonably requested by the Fund Authority to enable the Fund Authority to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and and (iii) the FundAuthority, on request by the FundAuthority, with any Personal Data it holds in relation to a Data Subject; and and (g) if requested by the FundAuthority, provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 22.5.2 25.5.2 and provide to the Fund Authority copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. . 25.5.3 The Supplier shall not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “Restricted Countries”). If, after the Framework Commencement Date, the Supplier or any Sub-Sub- Contractor wishes to Process and/or transfer any Personal Data in or to anywhere outside the European Economic Area, the following provisions shall apply: : (a) the Supplier shall propose a variation to the Fund Authority which, if it is agreed by the FundAuthority, shall be dealt with in accordance with Clause 17.1 18.1 (Variation Procedure) and Clauses 22.5.3(b25.5.3(b) to 22.5.3(d25.5.3(d); ; (b) the Supplier shall set out in its proposal to the Fund Authority for a Variation, details of the following: : (i) the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; ; (ii) the Restricted Countries to which the Personal Data will be transferred and/or Processed; and and (iii) any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; ; (iv) how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the FundAuthority’s compliance with the DPA; ; (c) in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with the FundAuthority, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and and (d) the Supplier shall comply with such other instructions and shall carry out such other actions as the Fund Authority may notify in writing, including: : (i) incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Framework Agreement or a separate data processing agreement between the Parties; and and (ii) procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: : (A) a direct data processing agreement with the Fund Authority on such terms as may be required by the FundAuthority; or or (B) a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Fund Authority and the Supplier relating to the relevant Personal Data transfer, and the Supplier acknowledges that in each case, this may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Fund Authority deems necessary for the purpose of protecting Personal Data. . 25.5.4 The Supplier shall use its reasonable endeavours to assist the Fund Authority to comply with any obligations under the DPA and shall not perform its obligations under this Framework Agreement in such a way as to cause the Fund Authority to breach any of the FundAuthority’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations. Subject to Clause 244 (Marketing), the Supplier shall not: make any press announcements or publicise this Framework Agreement in any way; or use the Fund's name or brand in any promotion or marketing or announcement of Orders, without Approval (the decision of the Fund to Approve or not shall not be unreasonably withheld or delayed). Each Party acknowledges to the other that nothing in this Framework Agreement either expressly or by implication constitutes an approval and/or endorsement of any products or services of the other Party (including the Goods and/or Services25.5.5 Cyber Essentials Requirements Performance Indicators) and each Party agrees not ensure that its Sub-Contractors, where appropriate, comply with those requirements in order to conduct itself in such a way as to imply or express any such approval and/or endorsement. The Fund shall be entitled to publicise this Framework Agreement in accordance demonstrate compliance with any legal obligation upon the Fund, including any examination of this Framework Agreement technical requirements prescribed by the National Audit Office pursuant to the National Audit Xxx 0000 or otherwiseCyber Essentials.

Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Framework AgreementCall Off Contract, the Parties acknowledge that the Fund Customer is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Fund Customer to perform its obligations under this Framework AgreementCall Off Contract; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data, including the measures as are set out in Clauses (Security Requirements) and (Protection of Customer Data); not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Fund Customer (save where such disclosure or transfer is specifically authorised under this Framework Agreement); Call Off Contract) take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 22.5.2 39.1.31 and Clause 22.2 Clauses (Security Requirements), (Protection of Customer Data) and (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Fund Customer or as otherwise permitted by this Framework AgreementCall Off Contract; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Fund Customer within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request), ) a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the FundCustomer's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Fund Customer with full cooperation and assistance (within the timescales reasonably required by the FundCustomer) in relation to any complaint, communication or request made (as referred to at Clause 22.5.2(e39.(e)), including by promptly providing: the Fund Customer with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Fund Customer to enable the Fund Customer to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the FundCustomer, on request by the FundCustomer, with any Personal Data it holds in relation to a Data Subject; and if requested by the FundCustomer, provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 22.5.2 39.1.31 and provide to the Fund Customer copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Supplier shall not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “a Restricted Countries”)Country. If, after the Framework Call Off Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to anywhere any outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a variation Variation to the Fund Customer which, if it is agreed by the FundCustomer, shall be dealt with in accordance with Clause 17.1 (the Variation Procedure) Procedure and Clauses 22.5.3(b39.(b) to 22.5.3(d39.(c); the Supplier shall set out in its proposal to the Fund Customer for a Variation, Variation details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the FundCustomer’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with the Fundthen-current Customer, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Fund Customer may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Framework Agreement Call Off Contract or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Fund Customer on such terms as may be required by the FundCustomer; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Fund Customer and the Supplier Sub-Contractor relating to the relevant Personal Data transfer, and in each case which the Supplier acknowledges that in each case, this may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Fund Customer deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Fund Customer to comply with any obligations under the DPA and shall not perform its obligations under this Framework Agreement Call Off Contract in such a way as to cause the Fund Customer to breach any of the FundCustomer’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations. Subject to Clause 244 (Marketing), the Supplier shall not: make any press announcements or publicise this Framework Agreement in any way; or use the Fund's name or brand in any promotion or marketing or announcement of Orders, without Approval (the decision of the Fund to Approve or not shall not be unreasonably withheld or delayed). Each Party acknowledges to the other that nothing in this Framework Agreement either expressly or by implication constitutes an approval and/or endorsement of any products or services of the other Party (including the Goods and/or Services) and each Party agrees not to conduct itself in such a way as to imply or express any such approval and/or endorsement. The Fund shall be entitled to publicise this Framework Agreement in accordance with any legal obligation upon the Fund, including any examination of this Framework Agreement by the National Audit Office pursuant to the National Audit Xxx 0000 or otherwise.

Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Framework AgreementCall Off Contract, the Parties acknowledge that the Fund Customer is the Data Controller and that the Supplier is the Data Processor. Notwithstanding clause 34.5.1 the Supplier shall comply with its obligations under the DPA. The Supplier shall: Process the Personal Data only in accordance with instructions from the Fund Customer to perform its obligations under this Framework AgreementCall Off Contract; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data, including the measures as are set out in Clauses 34.1 (Security Requirements) and 34.2 (Protection of Customer Data); not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Fund Customer (save where such disclosure or transfer is specifically authorised under this Framework Agreement); Call Off Contract) take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 22.5.2 34.5.3 and Clause 22.2 Clauses 34.1 (Security Requirements), 34.2 (Protection of Customer Data) and 34.3 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Fund Customer or as otherwise permitted by this Framework AgreementCall Off Contract; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Fund Customer within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request), ) a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the FundCustomer's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Fund Customer with full cooperation and assistance (within the timescales reasonably required by the FundCustomer) in relation to any complaint, communication or request made (as referred to at Clause 22.5.2(e34.(e)), including by promptly providing: the Fund Customer with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Fund Customer to enable the Fund Customer to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the FundCustomer, on request by the FundCustomer, with any Personal Data it holds in relation to a Data Subject; and if requested by the FundCustomer, provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 22.5.2 34.5.3 and provide to the Fund Customer copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Supplier shall not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “a Restricted Countries”)Country. If, after the Framework Call Off Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to anywhere any outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a variation Variation to the Fund Customer which, if it is agreed by the FundCustomer, shall be dealt with in accordance with Clause 17.1 (the Variation Procedure) Procedure and Clauses 22.5.3(b34.(b) to 22.5.3(d34.(c); the Supplier shall set out in its proposal to the Fund Customer for a Variation, Variation details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the FundCustomer’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with the Fundthen-current Customer, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Fund Customer may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Framework Agreement Call Off Contract or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Fund Customer on such terms as may be required by the FundCustomer; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Fund Customer and the Supplier Sub-Contractor relating to the relevant Personal Data transfer, and in each case which the Supplier acknowledges that in each case, this may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Fund Customer deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Fund Customer to comply with any obligations under the DPA and DPA. The Supplier shall not perform its obligations under this Framework Agreement Call Off Contract in such a way as to cause the Fund Customer to breach any of the FundCustomer’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations. Subject to Clause 244 (Marketing), the Supplier shall not: make any press announcements or publicise this Framework Agreement in any way; or use the Fund's name or brand in any promotion or marketing or announcement of Orders, without Approval (the decision of the Fund to Approve or not shall not be unreasonably withheld or delayed). Each Party acknowledges to the other that nothing in this Framework Agreement either expressly or by implication constitutes an approval and/or endorsement of any products or services of the other Party (including the Goods and/or Services) and each Party agrees not to conduct itself in such a way as to imply or express any such approval and/or endorsement. The Fund shall be entitled to publicise this Framework Agreement in accordance with any legal obligation upon the Fund, including any examination of this Framework Agreement by the National Audit Office pursuant to the National Audit Xxx 0000 or otherwise.

Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Framework AgreementCall Off Contract, the Parties acknowledge that the Fund Customer is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Fund Customer to perform its obligations under this Framework AgreementCall Off Contract; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data, including the measures as are set out in Clauses 24.1 (Security Requirements) and 24.2 (Protection of Customer Data); not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Fund Customer (save where such disclosure or transfer is specifically authorised under this Framework Agreement); Call Off Contract) take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 22.5.2 24.6.2 and Clause 22.2 Clauses 24.1 (Security Requirements), 24.2 (Protection of Customer Data) and 24.3 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Fund Customer or as otherwise permitted by this Framework AgreementCall Off Contract; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Fund Customer within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request), ) a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the FundCustomer's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Fund Customer with full cooperation and assistance (within the timescales reasonably required by the FundCustomer) in relation to any complaint, communication or request made (as referred to at Clause 22.5.2(e24.6.2(e)), including by promptly providing: the Fund Customer with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Fund Customer to enable the Fund Customer to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the FundCustomer, on request by the FundCustomer, with any Personal Data it holds in relation to a Data Subject; and if requested by the FundCustomer, provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 22.5.2 24.6.2 and provide to the Fund Customer copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Supplier shall not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “Restricted Countries”). If, after the Framework Call Off Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to anywhere any outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a variation Variation to the Fund Customer which, if it is agreed by the FundCustomer, shall be dealt with in accordance with Clause 17.1 (the Variation Procedure) Procedure and Clauses 22.5.3(b24.6.3(b) to 22.5.3(d24.6.3(c); the Supplier shall set out in its proposal to the Fund Customer for a Variation, Variation details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; and how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the FundCustomer’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with the Fundcurrent Customer, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Fund Customer may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Framework Agreement Call Off Contract or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Fund on such terms as may be required by the Fund; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Fund and the Supplier relating to the relevant Personal Data transfer, and the Supplier acknowledges that in each case, this may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Fund deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Fund to comply with any obligations under the DPA and shall not perform its obligations under this Framework Agreement in such a way as to cause the Fund to breach any of the Fund’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations. Subject to Clause 244 (Marketing), the Supplier shall not: make any press announcements or publicise this Framework Agreement in any way; or use the Fund's name or brand in any promotion or marketing or announcement of Orders, without Approval (the decision of the Fund to Approve or not shall not be unreasonably withheld or delayed). Each Party acknowledges to the other that nothing in this Framework Agreement either expressly or by implication constitutes an approval and/or endorsement of any products or services of the other Party (including the Goods and/or Services) and each Party agrees not to conduct itself in such a way as to imply or express any such approval and/or endorsement. The Fund shall be entitled to publicise this Framework Agreement in accordance with any legal obligation upon the Fund, including any examination of this Framework Agreement by the National Audit Office pursuant to the National Audit Xxx 0000 or otherwise.:

Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Framework Agreement, the Parties acknowledge that the Fund Authority is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Fund Authority to perform its obligations under this Framework Agreement; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data; not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Fund Authority (save where such disclosure or transfer is specifically authorised under this Framework Agreement); take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 22.5.2 26.5.2 and Clause 22.2 26.2 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Fund Authority or as otherwise permitted by this Framework Agreement; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Fund Authority within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request), a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the FundAuthority's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Fund Authority with full cooperation and assistance (within the timescales reasonably required by the FundAuthority) in relation to any complaint, communication or request made (as referred to at Clause 22.5.2(e26.5.2(e), including by promptly providing: the Fund Authority with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Fund Authority to enable the Fund Authority to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the FundAuthority, on request by the FundAuthority, with any Personal Data it holds in relation to a Data Subject; and if requested by the FundAuthority, provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 22.5.2 26.5.2 and provide to the Fund Authority copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Supplier shall not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “Restricted Countries”). If, after the Framework Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to anywhere outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a variation to the Fund Authority which, if it is agreed by the FundAuthority, shall be dealt with in accordance with Clause 17.1 18.1 (Variation Procedure) and Clauses 22.5.3(b26.5.3(b) to 22.5.3(d26.5.3(e); the Supplier shall set out in its proposal to the Fund Authority for a Variation, details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the FundAuthority’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with the FundAuthority, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Fund Authority may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Framework Agreement or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Fund Authority on such terms as may be required by the FundAuthority; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Fund Authority and the Supplier relating to the relevant Personal Data transfer, and the Supplier acknowledges that in each case, this may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Fund Authority deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Fund Authority to comply with any obligations under the DPA and shall not perform its obligations under this Framework Agreement in such a way as to cause the Fund Authority to breach any of the FundAuthority’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations. Subject to Clause 244 (Marketing), the Supplier shall not: make any press announcements or publicise this Framework Agreement in any way; or use the Fund's name or brand in any promotion or marketing or announcement of Orders, without Approval (the decision of the Fund to Approve or not shall not be unreasonably withheld or delayed). Each Party acknowledges to the other that nothing in this Framework Agreement either expressly or by implication constitutes an approval and/or endorsement of any products or services of the other Party (including the Goods and/or Services) and each Party agrees not to conduct itself in such a way as to imply or express any such approval and/or endorsement. The Fund shall be entitled to publicise this Framework Agreement in accordance with any legal obligation upon the Fund, including any examination of this Framework Agreement by the National Audit Office pursuant to the National Audit Xxx 0000 or otherwise.

Protection of Personal Data. 27.6.1 Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Framework AgreementContract, the Parties acknowledge that the Fund Authority is the Data Controller and that the Supplier is the Data Processor. . 27.6.2 The Supplier shall: : (a) Process the Personal Data only in accordance with instructions from the Fund Authority to perform its obligations under this Framework Agreement; Contract; (b) ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data; , including the measures as are set out in Clauses 27.1 (Security Requirements) and 27.2 (Protection of Authority Data); (c) not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Fund Authority (save where such disclosure or transfer is specifically authorised under this Framework AgreementContract); (d) take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: : (i) are aware of and comply with the Supplier’s duties under this Clause 22.5.2 27.6.2 and Clause 22.2 Clauses 27.1 (Security Requirements), 27.2 (Protection of Authority Data) and 27.3 (Confidentiality); ; (ii) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Fund Authority or as otherwise permitted by this Framework AgreementContract; and and (iii) have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); ; (e) notify the Fund Authority within five (5) Working Days if it receives: : (i) from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request), ) a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the FundAuthority's obligations under the DPA; ; (ii) any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or or (iii) a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; ; (f) provide the Fund Authority with full cooperation and assistance (within the timescales reasonably required by the FundAuthority) in relation to any complaint, communication or request made (as referred to at Clause 22.5.2(e27.6.2(e)), including by promptly providing: : (i) the Fund Authority with full details and copies of the complaint, communication or request; ; (ii) where applicable, such assistance as is reasonably requested by the Fund Authority to enable the Fund Authority to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and and (iii) the FundAuthority, on request by the FundAuthority, with any Personal Data it holds in relation to a Data Subject; and and (g) if requested by the FundAuthority, provide a written description of the measures that the Supplier it has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 22.5.2 27.6.2 and provide to the Fund Authority copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Supplier shall . (h) not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country which is not determined United Kingdom without the prior written consent of the Authority and, where the Authority consents to be adequate by a transfer, to comply with: (i) the European Commission pursuant to Article 25(6) obligations of Directive 95/46/EC (together “Restricted Countries”). If, after a Data Controller under the Framework Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Eight Data in or to anywhere outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a variation to the Fund which, if it is agreed by the Fund, shall be dealt with in accordance with Clause 17.1 (Variation Procedure) and Clauses 22.5.3(b) to 22.5.3(d); the Supplier shall Protection Principle set out in its proposal to the Fund for a Variation, details Schedule 1 of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure Protection Act 1998 by providing an adequate level of protection and adequate safeguards in respect of the to any Personal Data that will be Processed in and/or transferred is transferred; and (ii) any reasonable instructions notified to Restricted Countries so as to ensure the Fund’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with the Fund, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Fund may notify in writing, including: incorporating standard and/or model clauses (which are approved it by the European Commission as offering adequate safeguards under the DPA) into this Framework Agreement or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Fund on such terms as may be required by the Fund; or a data processing agreement with the Supplier on terms Authority which are equivalent to those agreed between the Fund and the Supplier relating to the relevant Personal Data transfer, and (the Supplier acknowledges that in each case, this and agrees) may include the incorporation of conditions for processing Personal Data outside the United Kingdom set out in the Cabinet Office model contract provisions for services (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Fund deems necessary for the purpose of protecting Personal Data. xxxxx://xxx.xxx.xx/government/publications/model-services- contract). 27.6.3 The Supplier shall use its reasonable endeavours to assist the Fund Authority to comply with any obligations under the DPA and shall not perform its obligations under this Framework Agreement Contract in such a way as to cause the Fund Authority to breach any of the FundAuthority’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations. Subject to Clause 244 (Marketing), the Supplier shall not: make any press announcements or publicise this Framework Agreement in any way; or use the Fund's name or brand in any promotion or marketing or announcement of Orders, without Approval (the decision of the Fund to Approve or not shall not be unreasonably withheld or delayed). Each Party acknowledges to the other that nothing in this Framework Agreement either expressly or by implication constitutes an approval and/or endorsement of any products or services of the other Party (including the Goods and/or Services) and each Party agrees not to conduct itself in such a way as to imply or express any such approval and/or endorsement. The Fund shall be entitled to publicise this Framework Agreement in accordance with any legal obligation upon the Fund, including any examination of this Framework Agreement by the National Audit Office pursuant to the National Audit Xxx 0000 or otherwise.

Protection of Personal Data. Where any Personal Data are Processed in connection with 29.1 With respect to the exercise of the Parties’ parties' rights and obligations under this Framework Agreement, the Parties acknowledge parties agree that the Fund DCC is either the Data Controller or the Data Processor and that the Supplier Contractor is the Data Processor. The Supplier parties agree that the Contractor is a sub-Data Processor where the DCC acts as a Data Processor. 29.2 The Contractor shall: : 29.2.1 Process the Personal Data only in accordance with instructions from the Fund DCC (which may be specific instructions or instructions of a general nature as set out in this Agreement or as otherwise notified by the DCC to perform its the Contractor during the Service Period). Any such instructions which are inconsistent with the parties' rights and obligations under this Framework Agreement; ensure that at all times it has Agreement shall be dealt with in place accordance with the Change Control Procedure; 29.2.2 Process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Services or as is required by Law; 29.2.3 implement appropriate technical and organisational measures to guard protect the Personal Data against unauthorised or unlawful Processing of the Personal Data and/or and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data; not disclose or transfer Data and having regard to the nature of the Personal Data which is to any third party or Supplier Personnel unless necessary for the provision of the Goods and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Fund (save where such disclosure or transfer is specifically authorised under this Framework Agreement); be protected; 29.2.4 take reasonable steps to ensure the reliability and integrity of any Supplier Contractor Personnel who have access to the Personal Data; 29.2.5 obtain prior written consent from the DCC in order to transfer the Personal Data and to any Sub-contractors or Affiliates for the provision of the Services, such consent not to be unreasonably withheld or delayed; 29.2.6 ensure that all Contractor Personnel required to access the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 22.5.2 and Clause 22.2 (Confidentiality); Personal Data are informed of the confidential nature of the Personal Data and do not comply with the obligations set out in this Clause 29; 29.2.7 ensure that none of the Contractor Personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Fund or as otherwise permitted by this Framework Agreement; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); DCC; 29.2.8 notify the Fund DCC (within five (5) Working Days Days) if it receives: : 29.2.8.1 a request from a Data Subject (or third party on their behalf) to have access to that person's Personal Data; or 29.2.8.2 a Data Subject Access Request (or purported Data Subject Access Request), a request to rectify, block or erase any Personal Data or any other request, complaint or communication request relating to the FundDCC's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; Protection Legislation; 29.2.9 provide the Fund DCC with full cooperation co-operation and assistance (within the timescales reasonably required by the Fund) in relation to any complaint, communication complaint or request made (as referred to at Clause 22.5.2(e)made, including by promptly providing: by: 29.2.9.1 providing the Fund DCC with full details and copies of the complaint, communication complaint or request; where applicable, such assistance as is reasonably requested by ; 29.2.9.2 enabling the Fund to enable the Fund DCC to comply with the Data Subject Access Request a data access request within the relevant timescales set out in the DPA; Data Protection Legislation and in accordance with the Fund, on request by DCC's instructions; 29.2.9.3 providing the Fund, DCC with any Personal Data it holds in relation to a Data SubjectSubject as a result of this Agreement (within the timescales required by the DCC); and if and 29.2.9.4 providing the DCC with any information requested by the Fund, DCC; 29.2.10 provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, methods employed by the Contractor for Processing Personal Data (within the purpose of compliance with its obligations pursuant to this Clause 22.5.2 and provide to timescales reasonably required by the Fund copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Supplier shall DCC); and 29.2.11 not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “Restricted Countries”)Area. If, after the Framework Commencement Effective Date, the Supplier Contractor (or any Sub-Contractor contractor) wishes to Process and/or transfer any Personal Data in or to anywhere outside the European Economic Area, the following provisions shall apply: : 29.2.11.1 the Supplier Contractor shall propose submit a variation Change Request to the Fund which, if it is agreed by the Fund, DCC which shall be dealt with in accordance with the Change Control Procedure and this Clause 17.1 (Variation Procedure) and Clauses 22.5.3(b) to 22.5.3(d); 29.2.11; 29.2.11.2 the Supplier Contractor shall set out in its proposal to the Fund for a Variation, Change Request and/or Impact Assessment appropriate details of the following: : (a) the Personal Data which will be Processed and/or transferred to outside the European Economic Area; (b) the country or countries in which the Personal Data will be Processed and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and outside the European Economic Area; (c) any Sub-Contractors contractors or other third parties who will be Processing and/or receiving transferring Personal Data in Restricted Countriesoutside the European Economic Area; and (d) how the Supplier Contractor will ensure an adequate level of protection and adequate safeguards (in accordance with the Data Protection Legislation and in particular so as to ensure the DCC's compliance with the Data Protection Legislation) in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure outside the Fund’s compliance with the DPA; European Economic Area; 29.2.11.3 in providing and evaluating the VariationChange Request and Impact Assessment, the Parties parties shall ensure that they have regard to and comply with the Fund, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice then current Guidance on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countriesoutside the European Economic Area and/or overseas generally; and and 29.2.11.4 the Supplier Contractor shall comply with such other instructions and shall carry out such other actions as the Fund DCC may notify in writing, including: : (a) incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPAData Protection Legislation) into in this Framework Agreement or a separate data processing agreement between the Partiesparties; and and (b) procuring that any Sub-Contractor contractor or other third party who will be Processing and/or receiving or accessing transferring the Personal Data in any Restricted Countries either outside the European Economic Area enters into: into a direct data processing agreement with the Fund DCC on such terms as may be required by the Fund; or a data processing agreement with DCC, which the Supplier on terms which are equivalent to those agreed between the Fund and the Supplier relating to the relevant Personal Data transfer, and the Supplier Contractor acknowledges that in each case, this may include the incorporation of standard and/or model contract provisions clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which Data Protection Legislation). 29.3 The Contractor shall comply at all times with the Fund deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Fund to comply with any obligations under the DPA Data Protection Legislation and shall not perform its obligations under this Framework Agreement in such a way as to cause the Fund DCC to breach any of the Fund’s its applicable obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations. Subject to Clause 244 (Marketing), the Supplier shall not: make any press announcements or publicise this Framework Agreement in any way; or use the Fund's name or brand in any promotion or marketing or announcement of Orders, without Approval (the decision of the Fund to Approve or not shall not be unreasonably withheld or delayed). Each Party acknowledges to the other that nothing in this Framework Agreement either expressly or by implication constitutes an approval and/or endorsement of any products or services of the other Party (including the Goods and/or Services) and each Party agrees not to conduct itself in such a way as to imply or express any such approval and/or endorsement. The Fund shall be entitled to publicise this Framework Agreement in accordance with any legal obligation upon the Fund, including any examination of this Framework Agreement by the National Audit Office pursuant to the National Audit Xxx 0000 or otherwiseData Protection Legislation.

Protection of Personal Data. Where any Personal Data are Processed in connection with 2.1 With respect to the exercise of the Parties’ parties' rights and obligations under this Framework Agreementagreement, the Parties acknowledge parties agree that the Fund CLARITY is the Data Controller and that the Supplier Client is the Data Processor. . 2.2 The Supplier Client shall: Process : (a) process the Personal Data only in accordance with instructions from CLARITY (which may be specific instructions or instructions of a general nature as set out in this agreement or as otherwise notified by Clarity to the Fund Client during the term of this agreement); (b) process the Personal Data only to perform its obligations under this Framework Agreement; ensure that at all times it has the extent, and in place such manner, as is necessary for the provision of the Services or as is required by law or any regulatory body; (c) implement appropriate technical and organisational measures to guard protect the Personal Data against unauthorised or unlawful Processing of the Personal Data and/or processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data; not disclose or transfer Data and having regard to the nature of the Personal Data which is to any third party or Supplier Personnel unless necessary for the provision of the Goods and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Fund be protected; (save where such disclosure or transfer is specifically authorised under this Framework Agreement); d) take reasonable steps to ensure the reliability and integrity of any Supplier Personnel Staff who have access to the Personal Data; (e) obtain prior written consent from Clarity in order to transfer the Personal Data and to any Sub- Contractors or affiliates for the provision of the Services; (f) ensure that all Staff required to access the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 22.5.2 and Clause 22.2 (Confidentiality); Personal Data are informed of the confidential nature of the Personal Data and do not comply with the obligations set out in this clause 2; (g) ensure that none of the Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Fund or as otherwise permitted by this Framework Agreement; and have undergone adequate training in the useXxxxxxx; (h) notify Clarity (within 48 working hours), care, protection and handling of personal data (as defined in the DPA); notify the Fund within five (5) Working Days if it receives: : (i) a request from a Data Subject to have access to that person’s Personal Data; or (or third party on their behalfii) a Data Subject Access Request (or purported Data Subject Access Request), a request to rectify, block or erase any Personal Data or any other request, complaint or communication request relating to the Fund's Clarity’s obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; Protection Legislation; (i) provide the Fund Clarity with full cooperation co-operation and assistance (within the timescales reasonably required by the Fund) in relation to any complaint, communication complaint or request made (as referred to at Clause 22.5.2(e)made, including by promptly providing: the Fund by: (i) providing Clarity with full details and copies of the complaint, communication complaint or request; where applicable, such assistance as is reasonably requested by the Fund to enable the Fund to comply ; (ii) complying with the Data Subject Access Request a data access request within the relevant timescales set out in the DPA; Data Protection Legislation and the Fund, on request by the Fund, in accordance with Clarity’s instructions; (iii) providing Clarity with any Personal Data it holds in relation to a Data SubjectSubject (within the timescales required by Clarity); and if and (iv) providing Clarity with any information requested by Xxxxxxx; (j) permit Clarity or Clarity’s representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, the FundClient's data processing activities (and/or those of its agents, subsidiaries and Sub-contractors) and comply with all reasonable requests or directions by Clarity to enable Clarity to verify and/or procure that the Client is in full compliance with its obligations under this agreement; (k) provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, methods employed by the Client for processing Personal Data (within the purpose of compliance with its obligations pursuant to this Clause 22.5.2 and provide to the Fund copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Supplier shall timescales required by C Clarity); and (l) not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country which is not determined without the prior written consent of Clarity and, where Clarity consents to be adequate by a transfer, to comply with: (i) the European Commission pursuant to Article 25(6) obligations of Directive 95/46/EC (together “Restricted Countries”). If, after a Data Controller under the Framework Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Eighth Data in or to anywhere outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a variation to the Fund which, if it is agreed by the Fund, shall be dealt with in accordance with Clause 17.1 (Variation Procedure) and Clauses 22.5.3(b) to 22.5.3(d); the Supplier shall Protection Principle set out in its proposal to the Fund for a Variation, details Schedule 1 of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure Protection Act 1998 by providing an adequate level of protection and adequate safeguards in respect of the to any Personal Data that will be Processed in and/or transferred is transferred; and (ii) any reasonable instructions notified to Restricted Countries so as to ensure the Fund’s compliance it by Xxxxxxx. 2.3 The Client shall comply at all times with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with the Fund, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Fund may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Framework Agreement or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Fund on such terms as may be required by the Fund; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Fund and the Supplier relating to the relevant Personal Data transfer, and the Supplier acknowledges that in each case, this may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Fund deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Fund to comply with any obligations under the DPA Protection Legislation and shall not perform its obligations under this Framework Agreement agreement in such a way as to cause the Fund Clarity to breach any of the Fund’s its applicable obligations under the DPA Data Protection Legislation. 2.4 The Client warrants that it will perform its obligations under this Agreement in a professional manner to the extent the Supplier is awarehighest standards of skill and care, or ought reasonably to have been awareusing suitably qualified Staff, and that the same would be a breach of such obligations. Subject to Clause 244 (Marketing), the Supplier shall not: make any press announcements or publicise this Framework Agreement in any way; or use the Fund's name or brand in any promotion or marketing or announcement of Orders, without Approval (the decision of the Fund to Approve or not shall not be unreasonably withheld or delayed). Each Party acknowledges to the other that nothing in this Framework Agreement either expressly or by implication constitutes an approval and/or endorsement of any products or services of the other Party (including the Goods and/or Services) and each Party agrees not to conduct itself in such a way as to imply or express any such approval and/or endorsement. The Fund shall be entitled to publicise this Framework Agreement in accordance with any legal obligation upon the Fund, including any examination of this Framework Agreement by the National Audit Office pursuant to the National Audit Xxx 0000 or otherwise.it

Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Framework Agreement, the Parties acknowledge that the Fund is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Fund to perform its obligations under this Framework Agreement; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data; not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Fund (save where such disclosure or transfer is specifically authorised under this Framework Agreement); take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 22.5.2 21.5.2 and Clause 22.2 21.2 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Fund or as otherwise permitted by this Framework Agreement; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Fund within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request), a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the Fund's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority the Fund in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Fund with full cooperation and assistance (within the timescales reasonably required by the Fund) in relation to any complaint, communication or request made (as referred to at Clause 22.5.2(e21.5.2(e), including by promptly providing: the Fund with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Fund to enable the Fund to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the Fund, on request by the Fund, with any Personal Data it holds in relation to a Data Subject; and if requested by the Fund, provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 22.5.2 21.5.2 and provide to the Fund copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Supplier shall not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “Restricted Countries”). If, after the Framework Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to anywhere outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a variation to the Fund which, if it is agreed by the Fund, shall be dealt with in accordance with Clause 17.1 16.1 (Variation Procedure) and Clauses 22.5.3(b21.5.3(b) to 22.5.3(d21.5.3(d); the Supplier shall set out in its proposal to the Fund for a Variation, details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the Fund’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with the Fund, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Fund may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Framework Agreement or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Fund on such terms as may be required by the Fund; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Fund and the Supplier relating to the relevant Personal Data transfer, and the Supplier acknowledges that in each case, this may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Fund deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Fund to comply with any obligations under the DPA and shall not perform its obligations under this Framework Agreement in such a way as to cause the Fund to breach any of the Fund’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations. Subject to Clause 244 (Marketing), the Supplier shall not: make any press announcements or publicise this Framework Agreement in any way; or use the Fund's name or brand in any promotion or marketing or announcement of Orders, without Approval (the decision of the Fund to Approve or not shall not be unreasonably withheld or delayed). Each Party acknowledges to the other that nothing in this Framework Agreement either expressly or by implication constitutes an approval and/or endorsement of any products or services of the other Party (including the Goods and/or Services) and each Party agrees not to conduct itself in such a way as to imply or express any such approval and/or endorsement. The Fund shall be entitled to publicise this Framework Agreement in accordance with any legal obligation upon the Fund, including any examination of this Framework Agreement by the National Audit Office pursuant to the National Audit Xxx 0000 or otherwise.

Protection of Personal Data. Where any Personal Data are is Processed in connection with the exercise of the Parties’ rights and obligations under this Framework Agreement, the Parties acknowledge that the Fund Authority is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Fund Authority to perform its obligations under this Framework Agreement; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data; not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Fund Authority (save where such disclosure or transfer is specifically authorised under this Framework Agreement); take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 22.5.2 44.5.2 and Clause 22.2 44.2 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Fund Authority or as otherwise permitted by this Framework Agreement; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Fund Authority within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request), a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the FundAuthority's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Fund Authority with full cooperation and assistance (within the timescales reasonably required by the FundAuthority) in relation to any complaint, communication or request made (as referred to at Clause 22.5.2(e44.5.2(e), including by promptly providing: the Fund Authority with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Fund Authority to enable the Fund Authority to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the FundAuthority, on request by the FundAuthority, with any Personal Data it holds in relation to a Data Subject; and if requested by the FundAuthority, provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 22.5.2 44.5.2 and provide to the Fund Authority copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Supplier shall not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “Restricted Countries”). If, after the Framework Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to anywhere outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a variation to the Fund which, if it is agreed by the Fund, shall be dealt with in accordance with Clause 17.1 (Variation Procedure) and Clauses 22.5.3(b) to 22.5.3(d); the Supplier shall set out in its proposal to the Fund for a Variation, details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the Fund’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with the Fund, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Fund may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Framework Agreement or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Fund on such terms as may be required by the Fund; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Fund and the Supplier relating to the relevant Personal Data transfer, and the Supplier acknowledges that in each case, this may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Fund deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Fund to comply with any obligations under the DPA and shall not perform its obligations under this Framework Agreement in such a way as to cause the Fund to breach any of the Fund’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations. Subject to Clause 244 (Marketing), the Supplier shall not: make any press announcements or publicise this Framework Agreement in any way; or use the Fund's name or brand in any promotion or marketing or announcement of Orders, without Approval (the decision of the Fund to Approve or not shall not be unreasonably withheld or delayed). Each Party acknowledges to the other that nothing in this Framework Agreement either expressly or by implication constitutes an approval and/or endorsement of any products or services of the other Party (including the Goods and/or Services) and each Party agrees not to conduct itself in such a way as to imply or express any such approval and/or endorsement. The Fund shall be entitled to publicise this Framework Agreement in accordance with any legal obligation upon the Fund, including any examination of this Framework Agreement by the National Audit Office pursuant to the National Audit Xxx 0000 or otherwise.

Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Framework Agreement, the Parties acknowledge that the Fund Authority is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Fund Authority to perform its obligations under this Framework Agreement; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data; not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Fund Authority (save where such disclosure or transfer is specifically authorised under this Framework Agreement); take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 22.5.2 25.5.2 and Clause 22.2 25.2 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Fund Authority or as otherwise permitted by this Framework Agreement; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Fund Authority within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request), a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the FundAuthority's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Fund Authority with full cooperation and assistance (within the timescales reasonably required by the FundAuthority) in relation to any complaint, communication or request made (as referred to at Clause 22.5.2(e25.5.2(e), including by promptly providing: the Fund Authority with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Fund Authority to enable the Fund Authority to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the FundAuthority, on request by the FundAuthority, with any Personal Data it holds in relation to a Data Subject; and if requested by the FundAuthority, provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 22.5.2 25.5.2 and provide to the Fund Authority copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Supplier shall not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “Restricted Countries”). If, after the Framework Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to anywhere outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a variation Variation to the Fund Authority which, if it is agreed by the FundAuthority, shall be dealt with in accordance with Clause 17.1 (Variation Procedure) and Clauses 22.5.3(b25.5.3(b) to 22.5.3(d25.5.3(d); the Supplier shall set out in its proposal to the Fund Authority for a Variation, details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the FundAuthority’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with the FundAuthority, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Fund Authority may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Framework Agreement or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Fund Authority on such terms as may be required by the FundAuthority; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Fund Authority and the Supplier relating to the relevant Personal Data transfer, and the Supplier acknowledges that in each case, this may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Fund Authority deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Fund Authority to comply with any obligations under the DPA and shall not perform its obligations under this Framework Agreement in such a way as to cause the Fund Authority to breach any of the FundAuthority’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations. Subject to Clause 244 (Marketing), the Supplier shall not: make any press announcements or publicise this Framework Agreement in any way; or use the Fund's name or brand in any promotion or marketing or announcement of Orders, without Approval (the decision of the Fund to Approve or not shall not be unreasonably withheld or delayed). Each Party acknowledges to the other that nothing in this Framework Agreement either expressly or by implication constitutes an approval and/or endorsement of any products or services of the other Party (including the Goods and/or Services) and each Party agrees not to conduct itself in such a way as to imply or express any such approval and/or endorsement. The Fund shall be entitled to publicise this Framework Agreement in accordance with any legal obligation upon the Fund, including any examination of this Framework Agreement by the National Audit Office pursuant to the National Audit Xxx 0000 or otherwise.

Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Framework Agreement, the Parties acknowledge that the Fund Authority is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Fund Authority to perform its obligations under this Framework Agreement; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data; not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Fund Authority (save where such disclosure or transfer is specifically authorised under this Framework Agreement); take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 22.5.2 24.5.2 and Clause 22.2 24.2 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Fund Authority or as otherwise permitted by this Framework Agreement; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Fund Authority within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request), a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the FundAuthority's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Fund Authority with full cooperation and assistance (within the timescales reasonably required by the FundAuthority) in relation to any complaint, communication or request made (as referred to at Clause 22.5.2(e24.5.2(e), including by promptly providing: the Fund Authority with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Fund Authority to enable the Fund Authority to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the FundAuthority, on request by the FundAuthority, with any Personal Data it holds in relation to a Data Subject; and if requested by the FundAuthority, provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 22.5.2 24.5.2 and provide to the Fund Authority copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Supplier shall not Process or otherwise transfer cause or permit any Personal Data to be transferred in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “Restricted Countries”)) without the Approval of the Authority. If, after the Framework Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to anywhere outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a variation to the Fund Authority which, if it is agreed by the FundAuthority, shall be dealt with in accordance with Clause 17.1 16.1 (Variation Procedure) and Clauses 22.5.3(b24.5.3(b) to 22.5.3(d24.5.3(d); the Supplier shall set out in its proposal to the Fund Authority for a Variation, details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the FundAuthority’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with the FundAuthority, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Fund Authority may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Framework Agreement or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Fund Authority on such terms as may be required by the FundAuthority; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Fund Authority and the Supplier relating to the relevant Personal Data transfer, and the Supplier acknowledges that in each case, this may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Fund Authority deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Fund Authority to comply with any obligations under the DPA and shall not perform its obligations under this Framework Agreement in such a way as to cause the Fund Authority to breach any of the FundAuthority’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations. Subject to Clause 244 (Marketing), the Supplier shall not: make any press announcements or publicise this Framework Agreement in any way; or use the Fund's name or brand in any promotion or marketing or announcement of Orders, without Approval (the decision of the Fund to Approve or not shall not be unreasonably withheld or delayed). Each Party acknowledges to the other that nothing in this Framework Agreement either expressly or by implication constitutes an approval and/or endorsement of any products or services of the other Party (including the Goods and/or Services) and each Party agrees not to conduct itself in such a way as to imply or express any such approval and/or endorsement. The Fund shall be entitled to publicise this Framework Agreement in accordance with any legal obligation upon the Fund, including any examination of this Framework Agreement by the National Audit Office pursuant to the National Audit Xxx 0000 or otherwise.

Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Framework Lease Agreement, the Parties acknowledge that the Fund Customer is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Fund Customer to perform its obligations under this Framework Lease Agreement; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data, including the measures as are set out in Clauses 43 (Security Requirements) and 43.2.3(c) (Protection of Customer Data); not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Fund Customer (save where such disclosure or transfer is specifically authorised under this Framework Lease Agreement); ) take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 22.5.2 43.2.30 and Clause 22.2 Clauses 43 (Security Requirements), 43.2.3(c)(Protection of Customer Data) and 43.2.11(c) (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Fund Customer or as otherwise permitted by this Framework Lease Agreement; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Fund Customer within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request), ) a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the FundCustomer's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Fund Customer with full cooperation and assistance (within the timescales reasonably required by the FundCustomer) in relation to any complaint, communication or request made (as referred to at Clause 22.5.2(e43.2.30(e)), including by promptly providing: the Fund Customer with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Fund Customer to enable the Fund Customer to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the FundCustomer, on request by the FundCustomer, with any Personal Data it holds in relation to a Data Subject; and if requested by the FundCustomer, provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 22.5.2 43.2.30 and provide to the Fund Customer copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Supplier shall not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “Restricted Countries”). If, after the Framework Lease Agreement Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to anywhere any outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a variation Variation to the Fund Customer which, if it is agreed by the FundCustomer, shall be dealt with in accordance with Clause 17.1 (the Variation Procedure) Procedure and Clauses 22.5.3(b43.2.31(b) to 22.5.3(d43.2.31(c); the Supplier shall set out in its proposal to the Fund Customer for a Variation, Variation details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the FundCustomer’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with the Fundthen-current Customer, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Fund Customer may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Framework Lease Agreement or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Fund Customer on such terms as may be required by the FundCustomer; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Fund Customer and the Supplier Sub-Contractor relating to the relevant Personal Data transfer, and in each case which the Supplier acknowledges that in each case, this may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Fund Customer deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Fund Customer to comply with any obligations under the DPA and shall not perform its obligations under this Framework Lease Agreement in such a way as to cause the Fund Customer to breach any of the FundCustomer’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations. Subject to Clause 244 (Marketing), the Supplier shall not: make any press announcements or publicise this Framework Agreement in any way; or use the Fund's name or brand in any promotion or marketing or announcement of Orders, without Approval (the decision of the Fund to Approve or not shall not be unreasonably withheld or delayed). Each Party acknowledges to the other that nothing in this Framework Agreement either expressly or by implication constitutes an approval and/or endorsement of any products or services of the other Party (including the Goods and/or Services) and each Party agrees not to conduct itself in such a way as to imply or express any such approval and/or endorsement. The Fund shall be entitled to publicise this Framework Agreement in accordance with any legal obligation upon the Fund, including any examination of this Framework Agreement by the National Audit Office pursuant to the National Audit Xxx 0000 or otherwise.

Protection of Personal Data. 27.4.1 Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Framework Agreement, the Parties acknowledge that the Fund Authority is the Data Controller and that the Supplier is the Data Processor. . 27.4.2 The Supplier shall: : (a) Process the Personal Data only in accordance with instructions from the Fund Authority to perform its obligations under this Framework Agreement; ; (b) ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data; ; (c) not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Fund Authority (save where such disclosure or transfer is specifically authorised under this Framework Agreement); ; (d) take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: : (i) are aware of and comply with the Supplier’s Suppliers duties under this Clause 22.5.2 27.4.2 and Clause 22.2 27.2 (Confidentiality); ; (ii) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Fund Authority or as otherwise permitted by this Framework Agreement; and and (iii) have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); ; (e) notify the Fund Authority within five (5) Working Days if it receives: : (i) from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request), a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the FundAuthority's obligations under the DPA; ; (ii) any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or or (iii) a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; ; (f) provide the Fund Authority with full cooperation and assistance (within the timescales reasonably required by the FundAuthority) in relation to any complaint, communication or request made (as referred to at Clause 22.5.2(e27.4.2(e), including by promptly providing: : (i) the Fund Authority with full details and copies of the complaint, communication or request; ; (ii) where applicable, such assistance as is reasonably requested by the Fund Authority to enable the Fund Authority to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and and (iii) the FundAuthority, on request by the FundAuthority, with any Personal Data it holds in relation to a Data Subject; and and (g) if requested by the FundAuthority, provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 22.5.2 27.4.2 and provide to the Fund Authority copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. . 27.4.3 The Supplier shall not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “a Restricted Countries”)Country. If, after the Framework Commencement Date, the Supplier or any Sub-Sub- Contractor wishes to Process and/or transfer any Personal Data in or to anywhere outside the European Economic Area, the following provisions shall apply: : (a) the Supplier shall propose a variation to the Fund Authority which, if it is agreed by the FundAuthority, shall be dealt with in accordance with Clause 17.1 19.1 (Variation Procedure) and Clauses 22.5.3(b27.4.3(b) to 22.5.3(d27.4.3(d); ; (b) the Supplier shall set out in its proposal to the Fund Authority for a Variation, details of the following: : (i) the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; ; (ii) the Restricted Countries to which the Personal Data will be transferred and/or Processed; and and (iii) any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; ; (iv) how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the Fund’s compliance with the DPA; and/or (c) in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with the FundAuthority, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and and (d) the Supplier shall comply with such other instructions and shall carry out such other actions as the Fund Authority may notify in writing, including: : (i) incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Framework Agreement or a separate data processing agreement between the Parties; and and (ii) procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: : (A) a direct data processing agreement with the Fund Authority on such terms as may be required by the FundAuthority; or or (B) a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Fund Authority and the Supplier relating to the relevant Personal Data transfer, and the Supplier acknowledges that in each case, this may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Fund Authority deems necessary for the purpose of protecting Personal Data. . 27.4.4 The Supplier shall use its reasonable endeavours to assist the Fund Authority to comply with any obligations under the DPA and shall not perform its obligations under this Framework Agreement in such a way as to cause the Fund Authority to breach any of the FundAuthority’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations. Subject to Clause 244 (Marketing), the Supplier shall not: make any press announcements or publicise this Framework Agreement in any way; or use the Fund's name or brand in any promotion or marketing or announcement of Orders, without Approval (the decision of the Fund to Approve or not shall not be unreasonably withheld or delayed). Each Party acknowledges to the other that nothing in this Framework Agreement either expressly or by implication constitutes an approval and/or endorsement of any products or services of the other Party (including the Goods and/or Services) and each Party agrees not to conduct itself in such a way as to imply or express any such approval and/or endorsement. The Fund shall be entitled to publicise this Framework Agreement in accordance with any legal obligation upon the Fund, including any examination of this Framework Agreement by the National Audit Office pursuant to the National Audit Xxx 0000 or otherwise.

Protection of Personal Data. 25.5.1 Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Framework Agreement, the Parties acknowledge that the Fund Authority is the Data Controller and that the Supplier is the Data Processor. . 25.5.2 The Supplier shall: : (a) Process the Personal Data only in accordance with instructions from the Fund Authority to perform its obligations under this Framework Agreement; ; (b) ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data; ; (c) not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Fund Authority (save where such disclosure or transfer is specifically authorised under this Framework Agreement); ; (d) take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: : (i) are aware of and comply with the Supplier’s duties under this Clause 22.5.2 25.5.2 and Clause 22.2 25.2 (Confidentiality); ; (ii) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Fund Authority or as otherwise permitted by this Framework Agreement; and and (iii) have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); ; (e) notify the Fund Authority within five (5) Working Days if it receives: : (i) from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request), a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the FundAuthority's obligations under the DPA; ; (ii) any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or or (iii) a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; ; (f) provide the Fund Authority with full cooperation and assistance (within the timescales reasonably required by the FundAuthority) in relation to any complaint, communication or request made (as referred to at Clause 22.5.2(e25.5.2(e), including by promptly providing: : (i) the Fund Authority with full details and copies of the complaint, communication or request; ; (ii) where applicable, such assistance as is reasonably requested by the Fund Authority to enable the Fund Authority to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and and (iii) the FundAuthority, on request by the FundAuthority, with any Personal Data it holds in relation to a Data Subject; and and (g) if requested by the FundAuthority, provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 22.5.2 25.5.2 and provide to the Fund Authority copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. . 25.5.3 The Supplier shall not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “Restricted Countries”). If, after the Framework Commencement Date, the Supplier or any Sub-Sub- Contractor wishes to Process and/or transfer any Personal Data in or to anywhere outside the European Economic Area, the following provisions shall apply: : (a) the Supplier shall propose a variation to the Fund Authority which, if it is agreed by the FundAuthority, shall be dealt with in accordance with Clause 17.1 18.1 (Variation Procedure) and Clauses 22.5.3(b25.5.3(b) to 22.5.3(d25.5.3(d); ; (b) the Supplier shall set out in its proposal to the Fund Authority for a Variation, details of the following: : (i) the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; ; (ii) the Restricted Countries to which the Personal Data will be transferred and/or Processed; and and (iii) any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; ; (iv) how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the FundAuthority’s compliance with the DPA; ; (c) in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with the FundAuthority, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and and (d) the Supplier shall comply with such other instructions and shall carry out such other actions as the Fund Authority may notify in writing, including: : (i) incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Framework Agreement or a separate data processing agreement between the Parties; and and (ii) procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: : (A) a direct data processing agreement with the Fund Authority on such terms as may be required by the FundAuthority; or or (B) a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Fund Authority and the Supplier relating to the relevant Personal Data transfer, and the Supplier acknowledges that in each case, this may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Fund Authority deems necessary for the purpose of protecting Personal Data. . 25.5.4 The Supplier shall use its reasonable endeavours to assist the Fund Authority to comply with any obligations under the DPA and shall not perform its obligations under this Framework Agreement in such a way as to cause the Fund Authority to breach any of the FundAuthority’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations. Subject to Clause 244 (Marketing), the Supplier shall not: make any press announcements or publicise this Framework Agreement in any way; or use the Fund's name or brand in any promotion or marketing or announcement of Orders, without Approval (the decision of the Fund to Approve or not shall not be unreasonably withheld or delayed). Each Party acknowledges to the other that nothing in this Framework Agreement either expressly or by implication constitutes an approval and/or endorsement of any products or services of the other Party (including the Goods and/or Services) and each Party agrees not to conduct itself in such a way as to imply or express any such approval and/or endorsement. The Fund shall be entitled to publicise this Framework Agreement in accordance with any legal obligation upon the Fund, including any examination of this Framework Agreement by the National Audit Office pursuant to the National Audit Xxx 0000 or otherwise.

Protection of Personal Data. 27.5.1. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Framework Agreement, the Parties acknowledge that the Fund Authority is the Data Controller and that the Supplier Provider is the Data Processor. 27.5.2. The Supplier Provider shall: : (a) Process the Personal Data only in accordance with instructions from the Fund Authority to perform its obligations under this Framework Agreement; ; (b) ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data; ; (c) not disclose or transfer the Personal Data to any third party or Supplier Provider Personnel unless necessary for the provision of the Goods and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Fund Authority (save where such disclosure or transfer is specifically authorised under this Framework Agreement); ; (d) take reasonable steps to ensure the reliability and integrity of any Supplier Provider Personnel who have access to the Personal Data and ensure that the Supplier Provider Personnel: : i. are aware of and comply with the SupplierProvider’s duties under this Clause 22.5.2 27.5.2 and Clause 22.2 27.2 (Confidentiality); ; ii. are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Fund Authority or as otherwise permitted by this Framework Agreement; and and iii. have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); ; (e) notify the Fund Authority within five (5) Working Days if it receives: : i. from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request), a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the Fund's Authority’s obligations under the DPA; ; ii. any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or or iii. a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; ; (f) provide the Fund Authority with full cooperation and assistance (within the timescales reasonably required by the FundAuthority) in relation to any complaint, communication or request made (as referred to at Clause 22.5.2(e)27.5.2, including by promptly providing: : i. the Fund Authority with full details and copies of the complaint, communication or request; ; ii. where applicable, such assistance as is reasonably requested by the Fund Authority to enable the Fund Authority to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and and iii. the FundAuthority, on request by the FundAuthority, with any Personal Data it holds in relation to a Data Subject; and and (g) if requested by the FundAuthority, provide a written description of the measures that the Supplier Provider has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 22.5.2 27.5.2 and provide to the Fund Authority copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. 27.5.3. The Supplier Provider shall not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “Restricted Countries”). If, after the Framework Commencement Date, the Supplier Provider or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to anywhere outside the European Economic Area, the following provisions shall apply: : (a) the Supplier Provider shall propose a variation to the Fund Authority which, if it is agreed by the FundAuthority, shall be dealt with in accordance with Clause 17.1 18.1 (Variation Procedure) and Clauses 22.5.3(b27.5.3 (b) to 22.5.3(d); the Supplier Provider shall set out in its proposal to the Fund Authority for a Variation, details of the following: : i. the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; ; ii. the Restricted Countries to which the Personal Data will be transferred and/or Processed; and and iii. any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; ; iv. how the Supplier Provider will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the FundAuthority’s compliance with the DPA; ; (c) in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with the FundAuthority, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and and (d) the Supplier Provider shall comply with such other instructions and shall carry out such other actions as the Fund Authority may notify in writing, including: : i. incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Framework Agreement or a separate data processing agreement between the Parties; and and ii. procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: : (a) a direct data processing agreement with the Fund Authority on such terms as may be required by the FundAuthority; or or (b) a data processing agreement with the Supplier Provider on terms which are equivalent to those agreed between the Fund Authority and the Supplier Provider relating to the relevant Personal Data transfer, and the Supplier Provider acknowledges that in each case, this may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Fund Authority deems necessary for the purpose of protecting Personal Data. 27.5.4. The Supplier Provider shall use its reasonable endeavours to assist the Fund Authority to comply with any obligations under the DPA and shall not perform its obligations under this Framework Agreement in such a way as to cause the Fund Authority to breach any of the FundAuthority’s obligations under the DPA to the extent the Supplier Provider is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations. Subject to Clause 244 (Marketing), the Supplier shall not: make any press announcements or publicise this Framework Agreement in any way; or use the Fund's name or brand in any promotion or marketing or announcement of Orders, without Approval (the decision of the Fund to Approve or not shall not be unreasonably withheld or delayed). Each Party acknowledges to the other that nothing in this Framework Agreement either expressly or by implication constitutes an approval and/or endorsement of any products or services of the other Party (including the Goods and/or Services) and each Party agrees not to conduct itself in such a way as to imply or express any such approval and/or endorsement. The Fund shall be entitled to publicise this Framework Agreement in accordance with any legal obligation upon the Fund, including any examination of this Framework Agreement by the National Audit Office pursuant to the National Audit Xxx 0000 or otherwise.

Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Framework AgreementCall Off Contract, the Parties acknowledge that the Fund Customer is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Fund Customer to perform its obligations under this Framework AgreementCall Off Contract; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data, including the measures as are set out in Clauses 43 (Security Requirements) and 43.2.3(c) (Protection of Customer Data); not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Fund Customer (save where such disclosure or transfer is specifically authorised under this Framework Agreement); Call Off Contract) take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 22.5.2 43.2.30 and Clause 22.2 Clauses 43 (Security Requirements), 43.2.3(c)(Protection of Customer Data) and 43.2.11(c) (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Fund Customer or as otherwise permitted by this Framework AgreementCall Off Contract; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Fund Customer within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request), ) a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the FundCustomer's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Fund Customer with full cooperation and assistance (within the timescales reasonably required by the FundCustomer) in relation to any complaint, communication or request made (as referred to at Clause 22.5.2(e43.2.30(e)), including by promptly providing: the Fund Customer with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Fund Customer to enable the Fund Customer to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the FundCustomer, on request by the FundCustomer, with any Personal Data it holds in relation to a Data Subject; and if requested by the FundCustomer, provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 22.5.2 43.2.30 and provide to the Fund Customer copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Supplier shall not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “Restricted Countries”). If, after the Framework Call Off Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to anywhere any outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a variation Variation to the Fund Customer which, if it is agreed by the FundCustomer, shall be dealt with in accordance with Clause 17.1 (the Variation Procedure) Procedure and Clauses 22.5.3(b43.2.31(b) to 22.5.3(d43.2.31(c); the Supplier shall set out in its proposal to the Fund Customer for a Variation, Variation details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the FundCustomer’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with the Fundthen-current Customer, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Fund Customer may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Framework Agreement Call Off Contract or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Fund Customer on such terms as may be required by the FundCustomer; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Fund Customer and the Supplier Sub-Contractor relating to the relevant Personal Data transfer, and in each case which the Supplier acknowledges that in each case, this may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Fund Customer deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Fund Customer to comply with any obligations under the DPA and shall not perform its obligations under this Framework Agreement Call Off Contract in such a way as to cause the Fund Customer to breach any of the FundCustomer’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations. Subject to Clause 244 (Marketing), the Supplier shall not: make any press announcements or publicise this Framework Agreement in any way; or use the Fund's name or brand in any promotion or marketing or announcement of Orders, without Approval (the decision of the Fund to Approve or not shall not be unreasonably withheld or delayed). Each Party acknowledges to the other that nothing in this Framework Agreement either expressly or by implication constitutes an approval and/or endorsement of any products or services of the other Party (including the Goods and/or Services) and each Party agrees not to conduct itself in such a way as to imply or express any such approval and/or endorsement. The Fund shall be entitled to publicise this Framework Agreement in accordance with any legal obligation upon the Fund, including any examination of this Framework Agreement by the National Audit Office pursuant to the National Audit Xxx 0000 or otherwise.

Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Framework Agreement, the Parties acknowledge that the Fund Authority is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Fund Authority to perform its obligations under this Framework Agreement; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data; not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Fund Authority (save where such disclosure or transfer is specifically authorised under this Framework Agreement); take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 22.5.2 and Clause 22.2 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Fund Authority or as otherwise permitted by this Framework Agreement; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Fund Authority within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request), a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the FundAuthority's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Fund Authority with full cooperation and assistance (within the timescales reasonably required by the FundAuthority) in relation to any complaint, communication or request made (as referred to at Clause 22.5.2(e), including by promptly providing: the Fund Authority with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Fund Authority to enable the Fund Authority to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the FundAuthority, on request by the FundAuthority, with any Personal Data it holds in relation to a Data Subject; and if requested by the FundAuthority, provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 22.5.2 and provide to the Fund Authority copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Supplier shall not Process or otherwise transfer cause or permit any Personal Data to be transferred in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “Restricted Countries”)) without the Approval of the Framework Authority. If, after the Framework Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to anywhere outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a variation to the Fund Authority which, if it is agreed by the FundAuthority, shall be dealt with in accordance with Clause 17.1 16.1 (Variation Procedure) and Clauses 22.5.3(b) to 22.5.3(d); the Supplier shall set out in its proposal to the Fund Authority for a Variation, details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the FundAuthority’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with the FundAuthority, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Fund Authority may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Framework Agreement or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Fund Authority on such terms as may be required by the FundAuthority; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Fund Authority and the Supplier relating to the relevant Personal Data transfer, and the Supplier acknowledges that in each case, this may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Fund Authority deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Fund Authority to comply with any obligations under the DPA and shall not perform its obligations under this Framework Agreement in such a way as to cause the Fund Authority to breach any of the FundAuthority’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations. Subject to Clause 244 (Marketing), the Supplier shall not: make any press announcements or publicise this Framework Agreement in any way; or use the Fund's name or brand in any promotion or marketing or announcement of Orders, without Approval (the decision of the Fund to Approve or not shall not be unreasonably withheld or delayed). Each Party acknowledges to the other that nothing in this Framework Agreement either expressly or by implication constitutes an approval and/or endorsement of any products or services of the other Party (including the Goods and/or Services) and each Party agrees not to conduct itself in such a way as to imply or express any such approval and/or endorsement. The Fund shall be entitled to publicise this Framework Agreement in accordance with any legal obligation upon the Fund, including any examination of this Framework Agreement by the National Audit Office pursuant to the National Audit Xxx 0000 or otherwise.

Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Framework Agreement, the Parties acknowledge that the Fund Authority is the Data Controller and that the Supplier is the Data Processor. Notwithstanding clause Error: Reference source not found the Supplier shall comply with its obligations under the DPA. The Supplier shall: Process the Personal Data only in accordance with instructions from the Fund Authority to perform its obligations under this Framework Agreement; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data; not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Fund Authority (save where such disclosure or transfer is specifically authorised under this Framework Agreement); take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 22.5.2 27.4.3 and Clause 22.2 27.2 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Fund Authority or as otherwise permitted by this Framework Agreement; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Fund Authority within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request), a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the FundAuthority's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Fund Authority with full cooperation and assistance (within the timescales reasonably required by the FundAuthority) in relation to any complaint, communication or request made (as referred to at Clause 22.5.2(e27.4.3(e), including by promptly providing: the Fund Authority with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Fund Authority to enable the Fund Authority to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the FundAuthority, on request by the FundAuthority, with any Personal Data it holds in relation to a Data Subject; and if requested by the FundAuthority, provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 22.5.2 27.4.3 and provide to the Fund Authority copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Supplier shall not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “a Restricted Countries”)Country. If, after the Framework Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to anywhere outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a variation to the Fund Authority which, if it is agreed by the FundAuthority, shall be dealt with in accordance with Clause 17.1 19.1 (Variation Procedure) and Clauses 22.5.3(b27.4.4(b) to 22.5.3(d27.4.4(d); the Supplier shall set out in its proposal to the Fund Authority for a Variation, details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the FundAuthority’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with the FundAuthority, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Fund Authority may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Framework Agreement or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Fund Authority on such terms as may be required by the FundAuthority; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Fund Authority and the Supplier relating to the relevant Personal Data transfer, and the Supplier acknowledges that in each case, this may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Fund Authority deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Fund Authority to comply with any obligations under the DPA and shall not perform its obligations under this Framework Agreement in such a way as to cause the Fund Authority to breach any of the FundAuthority’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations. Subject to Clause 244 29 (Marketing), the Supplier shall not: make any press announcements or publicise this Framework Agreement in any way; or use the FundAuthority's name or brand in any promotion or marketing or announcement of Orders, without Approval (the decision of the Fund Authority to Approve or not shall not be unreasonably withheld or delayed). Each Party acknowledges to the other that nothing in this Framework Agreement either expressly or by implication constitutes an approval and/or endorsement of any products or services of the other Party (including the Goods and/or Services) and each Party agrees not to conduct itself in such a way as to imply or express any such approval and/or endorsement. The Fund Authority shall be entitled to publicise this Framework Agreement in accordance with any legal obligation upon the FundAuthority, including any examination of this Framework Agreement by the National Audit Office pursuant to the National Audit Xxx 0000 or otherwise.

Protection of Personal Data. 28.6.1 Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Framework AgreementContract, the Parties acknowledge that the Fund Authority is the Data Controller and that the Supplier is the Data Processor. . 28.6.2 The Supplier shall: : (a) Process the Personal Data only in accordance with instructions from the Fund Authority to perform its obligations under this Framework Agreement; Contract; (b) ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data; , including the DH CRNCC Contract (Contract Terms) measures as are set out in Clauses 28.1 (Security Requirements) and 28.2 (Protection of Authority Data); (c) not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Fund Authority (save where such disclosure or transfer is specifically authorised under this Framework AgreementContract); (d) take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: : (i) are aware of and comply with the Supplier’s duties under this Clause 22.5.2 28.6.2 and Clause 22.2 Clauses 28.1 (Security Requirements), 28.2 (Protection of Authority Data) and 28.3 (Confidentiality); ; (ii) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Fund Authority or as otherwise permitted by this Framework AgreementContract; and and (iii) have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); ; (e) notify the Fund Authority within five (5) Working Days if it receives: : (i) from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request), ) a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the FundAuthority's obligations under the DPA; ; (ii) any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or or (iii) a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; ; (f) provide the Fund Authority with full cooperation and assistance (within the timescales reasonably required by the FundAuthority) in relation to any complaint, communication or request made (as referred to at Clause 22.5.2(e28.6.2(e)), including by promptly providing: : (i) the Fund Authority with full details and copies of the complaint, communication or request; ; (ii) where applicable, such assistance as is reasonably requested by the Fund Authority to enable the Fund Authority to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and DH CRNCC Contract (Contract Terms) (iii) the FundAuthority, on request by the FundAuthority, with any Personal Data it holds in relation to a Data Subject; and and (g) if requested by the FundAuthority, provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 22.5.2 28.6.2 and provide to the Fund Authority copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. . 28.6.3 The Supplier shall not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “Restricted Countries”). If, after the Framework Contract Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to anywhere any outside the European Economic Area, the following provisions shall apply: : (a) the Supplier shall propose a variation Variation to the Fund Authority which, if it is agreed by the FundAuthority, shall be dealt with in accordance with Clause 17.1 (the Variation Procedure) Procedure and Clauses 22.5.3(b28.6.3(b) to 22.5.3(d28.6.3(d); ; (b) the Supplier shall set out in its proposal to the Fund Authority for a Variation, Variation details of the following: : (i) the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; ; (ii) the Restricted Countries to which the Personal Data will be transferred and/or Processed; and and (iii) any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; ; (c) how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the FundAuthority’s compliance with the DPA; ; (d) in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with the Fundthen-current Authority, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and and (e) the Supplier shall comply with such other instructions and shall carry out such other actions as the Fund Authority may notify in writing, including: : (i) incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Framework Agreement DH CRNCC Contract (Contract Terms) Contract or a separate data processing agreement between the Parties; and and (ii) procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: : (A) a direct data processing agreement with the Fund Authority on such terms as may be required by the FundAuthority; or or (B) a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Fund Authority and the Supplier Sub-Contractor relating to the relevant Personal Data transfer, and in each case which the Supplier acknowledges that in each case, this may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Fund Authority deems necessary for the purpose of protecting Personal Data. . 28.6.4 The Supplier shall use its reasonable endeavours to assist the Fund Authority to comply with any obligations under the DPA and shall not perform its obligations under this Framework Agreement Contract in such a way as to cause the Fund Authority to breach any of the FundAuthority’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations. Subject to Clause 244 (Marketing), the Supplier shall not: make any press announcements or publicise this Framework Agreement in any way; or use the Fund's name or brand in any promotion or marketing or announcement of Orders, without Approval (the decision of the Fund to Approve or not shall not be unreasonably withheld or delayed). Each Party acknowledges to the other that nothing in this Framework Agreement either expressly or by implication constitutes an approval and/or endorsement of any products or services of the other Party (including the Goods and/or Services) and each Party agrees not to conduct itself in such a way as to imply or express any such approval and/or endorsement. The Fund shall be entitled to publicise this Framework Agreement in accordance with any legal obligation upon the Fund, including any examination of this Framework Agreement by the National Audit Office pursuant to the National Audit Xxx 0000 or otherwise.

Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Framework Agreement, the Parties acknowledge that the Fund Authority is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Fund Authority to perform its obligations under this Framework Agreement; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data; not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and/or and Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Fund Authority (save where such disclosure or transfer is specifically authorised under this Framework Agreement); take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 22.5.2 27.5.2 and Clause 22.2 27.2 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Fund Authority or as otherwise permitted by this Framework Agreement; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Fund Authority within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request), a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the FundAuthority's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Fund Authority with full cooperation and assistance (within the timescales reasonably required by the FundAuthority) in relation to any complaint, communication or request made (as referred to at Clause 22.5.2(e27.5.2(e), including by promptly providing: the Fund Authority with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Fund Authority to enable the Fund Authority to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the FundAuthority, on request by the FundAuthority, with any Personal Data it holds in relation to a Data Subject; and if requested by the FundAuthority, provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 22.5.2 27.5.2 and provide to the Fund Authority copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Supplier shall not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “Restricted Countries”). If, after the Framework Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to anywhere outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a variation to the Fund Authority which, if it is agreed by the FundAuthority, shall be dealt with in accordance with Clause 17.1 19.1 (Variation Procedure) and Clauses 22.5.3(b27.5.3(b) to 22.5.3(d27.5.3(d); the Supplier shall set out in its proposal to the Fund Authority for a Variation, details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the FundAuthority’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with the FundAuthority, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Fund Authority may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Framework Agreement or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Fund Authority on such terms as may be required by the FundAuthority; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Fund Authority and the Supplier relating to the relevant Personal Data transfer, and the Supplier acknowledges that in each case, this may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Fund Authority deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Fund Authority to comply with any obligations under the DPA and shall not perform its obligations under this Framework Agreement in such a way as to cause the Fund Authority to breach any of the FundAuthority’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations. Subject to Clause 244 29 (Marketing), the Supplier shall not: make any press announcements or publicise this Framework Agreement in any way; or use the FundAuthority's name or brand in any promotion or marketing or announcement of Orders, without Approval (the decision of the Fund Authority to Approve or not shall not be unreasonably withheld or delayed). Each Party acknowledges to the other that nothing in this Framework Agreement either expressly or by implication constitutes an approval and/or endorsement of any products or services of the other Party (including the Goods and/or and Services) and each Party agrees not to conduct itself in such a way as to imply or express any such approval and/or endorsement. The Fund Authority shall be entitled to publicise this Framework Agreement in accordance with any legal obligation upon the FundAuthority, including any examination of this Framework Agreement by the National Audit Office pursuant to the National Audit Xxx 0000 or otherwise.

Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Framework Agreement, the Parties acknowledge that the Fund Authority is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Fund Authority to perform its obligations under this Framework Agreement; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data; not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Fund Authority (save where such disclosure or transfer is specifically authorised under this Framework Agreement); take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 22.5.2 27.4.2 and Clause 22.2 27.2 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Fund Authority or as otherwise permitted by this Framework Agreement; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Fund Authority within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request), a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the FundAuthority's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Fund Authority with full cooperation and assistance (within the timescales reasonably required by the FundAuthority) in relation to any complaint, communication or request made (as referred to at Clause 22.5.2(e27.4.2(e), including by promptly providing: the Fund Authority with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Fund Authority to enable the Fund Authority to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the FundAuthority, on request by the FundAuthority, with any Personal Data it holds in relation to a Data Subject; and if requested by the FundAuthority, provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 22.5.2 27.4.2 and provide to the Fund Authority copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Supplier shall not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “a Restricted Countries”)Country. If, after the Framework Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to anywhere outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a variation to the Fund Authority which, if it is agreed by the FundAuthority, shall be dealt with in accordance with Clause 17.1 19.1 (Variation Procedure) and Clauses 22.5.3(b27.4.3(b) to 22.5.3(d27.4.3(d); the Supplier shall set out in its proposal to the Fund Authority for a Variation, details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the FundAuthority’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with the FundAuthority, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Fund Authority may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Framework Agreement or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Fund Authority on such terms as may be required by the FundAuthority; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Fund Authority and the Supplier relating to the relevant Personal Data transfer, and the Supplier acknowledges that in each case, this may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Fund Authority deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Fund Authority to comply with any obligations under the DPA and shall not perform its obligations under this Framework Agreement in such a way as to cause the Fund Authority to breach any of the FundAuthority’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations. Subject to Clause 244 29 (Marketing), the Supplier shall not: make any press announcements or publicise this Framework Agreement in any way; or use the FundAuthority's name or brand in any promotion or marketing or announcement of Orders, without Approval (the decision of the Fund Authority to Approve or not shall not be unreasonably withheld or delayed). Each Party acknowledges to the other that nothing in this Framework Agreement either expressly or by implication constitutes an approval and/or endorsement of any products or services of the other Party (including the Goods and/or Services) and each Party agrees not to conduct itself in such a way as to imply or express any such approval and/or endorsement. The Fund Authority shall be entitled to publicise this Framework Agreement in accordance with any legal obligation upon the FundAuthority, including any examination of this Framework Agreement by the National Audit Office pursuant to the National Audit Xxx 0000 or otherwise.

Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of With respect to the Parties’ ' rights and obligations under this Framework Agreement, the Parties acknowledge agree that the Fund Commissioner is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Fund Commissioner (which may be specific instructions or instructions of a general nature as set out in this Agreement or as otherwise notified by the Commissioner to perform its obligations under this Framework Agreementthe Supplier during the Term); ensure that at all times it has Process the Personal Data only to the extent, and in place such manner, as is necessary for the provision of the Services or as is required by Law or any Regulatory Body; implement appropriate technical and organisational measures to guard protect the Personal Data against unauthorised or unlawful Processing of the Personal Data and/or processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data; not disclose or transfer Data and having regard to the nature of the Personal Data which is to any third party or Supplier Personnel unless necessary for the provision of the Goods and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Fund (save where such disclosure or transfer is specifically authorised under this Framework Agreement)be protected; take reasonable steps to ensure the reliability and integrity of any Supplier Personnel Staff who have access to the Personal Data; obtain Approval in order to transfer the Personal Data and to any sub-contractors or Affiliates for the provision of the Services; ensure that all Staff required to access the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 22.5.2 and Clause 22.2 (Confidentiality); Personal Data are informed of the confidential nature of the Personal Data and do not comply with the obligations set out in this clause 23 (Protection of Personal Data); ensure that no Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Fund or as otherwise permitted by this Framework Agreement; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA)Commissioner; notify the Fund Commissioner (within five (5) Working Days Days) if it receives: a request from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request), a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating have access to the Fundthat person's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a complaint or request from any third party for disclosure of Personal relating to the Commissioner's obligations under the Data where compliance with such request is required or purported to be required by LawProtection Legislation; provide the Fund Commissioner with full cooperation and assistance (within the timescales reasonably required by the Fund) in relation to any complaint, communication complaint or request made (as referred to at Clause 22.5.2(e)made, including by promptly providingby: providing the Fund Commissioner with full details and copies of the complaint, communication complaint or request; where applicable, such assistance as is reasonably requested by the Fund to enable the Fund to comply complying with the Data Subject Access Request a data access request within the relevant timescales set out in the DPAData Protection Legislation and in accordance with the Commissioner's instructions; and providing the Fund, on request by the Fund, Commissioner with any Personal Data it holds in relation to a Data SubjectSubject (within the timescales required by the Commissioner); and if providing the Commissioner with any information requested by the FundCommissioner; permit the Commissioner or a Commissioner representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit the Supplier's data Processing activities (and/or those of its agents, subsidiaries and sub-contractors) and comply with all reasonable requests or directions by the Commissioner to enable the Commissioner to verify and/or procure that the Supplier is in full compliance with its obligations under this Agreement; on request, provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, methods employed by the Supplier for processing Personal Data (within the purpose of compliance with its obligations pursuant to this Clause 22.5.2 timescales required by the Commissioner); and provide to the Fund copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Supplier shall not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country which is not determined without the prior written consent of the Commissioner and subject to the Supplier entering into a direct data processing agreement with the Commissioner on such terms as may be adequate required by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “Restricted Countries”). IfCommissioner, after the Framework Commencement Date, which the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to anywhere outside acknowledges may include the European Economic Area, the following provisions shall apply: the Supplier shall propose a variation to the Fund which, if it is agreed by the Fund, shall be dealt with in accordance with Clause 17.1 (Variation Procedure) and Clauses 22.5.3(b) to 22.5.3(d); the Supplier shall set out in its proposal to the Fund for a Variation, details incorporation of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the Fund’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with the Fund, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Fund may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Framework Agreement or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Fund on such terms as may be required by the Fund; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Fund and the Supplier relating to the relevant Personal Data transfer, and the Supplier acknowledges that in each case, this may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Fund deems necessary for the purpose of protecting Personal DataProtection Legislation). The Supplier shall use its reasonable endeavours to assist comply at all times with the Fund to comply with any obligations under the DPA Data Protection Legislation and shall not perform its obligations under this Framework Agreement in such a way as to cause the Fund Commissioner to breach any of the Fund’s its applicable obligations under the DPA Data Protection Legislation. Freedom of Information The Supplier acknowledges that the Commissioner is subject to the extent requirements of the FOIA and the Environmental Information Regulations and shall assist and co-operate with the Commissioner to enable the Commissioner to comply with its Information disclosure obligations. The Supplier shall and shall procure that any sub-contractors shall: transfer to the Commissioner all Requests for Information that it receives as soon as practicable and in any event within two (2) Working Days of receiving a Request for Information; provide the Commissioner with a copy of all Information in its possession or power in the form that the Commissioner requires within five (5) Working Days (or such other period as the Commissioner may specify) of the Commissioner's request; and provide all necessary assistance as reasonably requested by the Commissioner to enable the Commissioner to respond to the Request for Information within the time for compliance set out in section 10 of the FOIA or Regulation 5 of the Environmental Information Regulations. The Commissioner shall be responsible for determining in its absolute discretion, and notwithstanding any other provision in this Agreement or any other agreement, whether any Information is exempt from disclosure in accordance with the provisions of the FOIA or the Environmental Information Regulations. In no event shall the Supplier is awarerespond directly to a Request for Information unless expressly authorised to do so by the Commissioner. The Supplier acknowledges that (notwithstanding the provisions of clause 25 (Confidential Information)) the Commissioner may be obliged under the FOIA or the Environmental Information Regulations or any statutory codes, or ought reasonably including the Code to have been aware, that the same would be a breach of such obligations. Subject to Clause 244 (Marketing), disclose information concerning the Supplier shall notor the Services in certain circumstances: make any press announcements or publicise this Framework Agreement in any waywithout consulting the Supplier; or use following consultation with the Fund's name or brand in any promotion or marketing or announcement of OrdersSupplier and having taken their views into account, without Approval (provided always that where clause 24.5.1 applies the decision of the Fund to Approve or not shall not be unreasonably withheld or delayed). Each Party acknowledges to the other that nothing in this Framework Agreement either expressly or by implication constitutes an approval and/or endorsement of any products or services of the other Party (including the Goods and/or Services) and each Party agrees not to conduct itself in such a way as to imply or express any such approval and/or endorsement. The Fund shall be entitled to publicise this Framework Agreement Commissioner shall, in accordance with any legal obligation upon recommendations of the FundCode, including any examination of this Framework Agreement by take reasonable steps, where appropriate, to give the National Audit Office pursuant Supplier advanced notice, or failing that, to draw the disclosure to the National Audit Xxx 0000 or otherwiseSupplier's attention after any such disclosure. The Supplier shall ensure that all Information is retained for disclosure and shall permit the Commissioner to inspect such records as requested from time to time.

Protection of Personal Data. Where any Personal Data are is Processed in connection with the exercise of the Parties’ rights and obligations under this Framework the Commercial Agreement, the Parties acknowledge that the Fund Authority is the Data Controller and that the Supplier is the Data Processor. The Supplier Supplier, including any Sub-Contractors shall: Process the Personal Data only in accordance with instructions from the Fund Authority to perform its obligations under this Framework the Commercial Agreement; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data; not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Fund Authority (save where such disclosure or transfer is specifically authorised under this Framework the Commercial Agreement); take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 22.5.2 B14.2 and Clause 22.2 (Confidentiality)B11 above; are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Fund Authority or as otherwise permitted by this Framework the Commercial Agreement; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Fund Authority within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request), a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the FundAuthority's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Fund Authority with full cooperation and assistance (within the timescales reasonably required by the FundAuthority) in relation to any complaint, communication or request made (as referred to at Clause 22.5.2(e)B14.2(e) above, including by promptly providing: the Fund Authority with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Fund Authority to enable the Fund Authority to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the FundAuthority, on request by the FundAuthority, with any Personal Data it holds in relation to a Data Subject; and if requested by the FundAuthority, provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 22.5.2 B14.2 and provide to the Fund Authority copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Supplier shall not not, without the consent of the Customer, Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together the “Restricted Countries”). If, after the Framework Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to anywhere outside the European Economic AreaArea (a “Restricted Data Transfer”) then, the following provisions shall applyapply in respect of such Restricted Data Transfer: the Supplier shall propose a variation inform the Customer that it wishes to the Fund which, if it is agreed Process or transfer Personal Data controlled by the Fund, shall be dealt with Customer in accordance with Clause 17.1 (Variation Procedure) and Clauses 22.5.3(b) or to 22.5.3(d)a Restricted Country; the Supplier shall set out in its proposal provide to the Fund for Customer, the following details relating to the Restricted Data Transfer in writing (a Variation, details of the following: “Data Transfer Notice”): the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors Contractor or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; and how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the FundCustomer’s compliance with the DPA; in providing and evaluating the VariationData Transfer Notice, the Parties shall ensure that they have regard to and comply with the FundCustomer, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Fund Customer may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Framework the Commercial Agreement or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Fund Customer on such terms as may be required by the FundCustomer; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Fund Customer and the Supplier relating to the relevant Personal Data transfer, and the Supplier acknowledges that in each case, this may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Fund Customer deems necessary for the purpose of protecting Personal Data. Upon receipt of a Data Transfer Notice, the Customer shall obtain approval from GSIRO in respect of the Restricted Data Transfer. If GSIRO and the Customer accept (i) the terms and information set out in the Data Transfer Notice; and (ii) the circumstances surrounding such proposed Restricted Data Transfer, then the Customer shall provide the Supplier with its written consent to such Restricted Data Transfer. However, if the requirement to seek GSIRO approval shall not apply if the Restricted Data Transfer relates to processing by an off shored third party service provider on an individual travel transactional basis (e.g., a Hotel outside the EEA). The Supplier will process the Customer’s Personal Identifiable Information (PII) and privacy related data in compliance with current UK legislation and in particular the Data Protection Act. Prior to completion of the Enabling Agreement the Supplier shall be required to support the Customer in obtaining the relevant Customer Data Controller’s approval. In support of this approval the Supplier shall be required to produce a Privacy Impact Assessment (PIA), to be agreed by the Customer before the Commencement Date of the Enabling Agreement. The Supplier shall use its reasonable endeavours to assist the Fund Authority to comply with any obligations under the DPA and shall not perform its obligations under this Framework the Commercial Agreement in such a way as to cause the Fund Authority to breach any of the FundAuthority’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations. Subject to Clause 244 (Marketing), the Publicity and Branding The Supplier shall not: make any press announcements or publicise this Framework the Commercial Agreement in any way; or use the FundAuthority's name or brand in any promotion or marketing or announcement of Ordersannouncement, without Approval (the decision of the Fund Authority to Approve or not shall not be unreasonably withheld or delayed). Each Party acknowledges to the other that nothing in this Framework the Commercial Agreement either expressly or by implication constitutes an approval and/or endorsement of any products or services of the other Party (including the Goods and/or Services) and each Party agrees not to conduct itself in such a way as to imply or express any such approval and/or endorsement. The Fund Authority shall be entitled to publicise this Framework the Commercial Agreement in accordance with any legal obligation upon the FundAuthority, including any examination of this Framework the Commercial Agreement by the National Audit Office pursuant to the National Audit Xxx 0000 Act 1983 or otherwise. All Publications The Supplier shall obtain the Authority's Approval prior to publishing any content in relation to the Commercial Agreement using any media, including on any electronic medium, if the content published requires updating the Supplier will ensure that such content is regularly maintained and updated. In the event that the Supplier fails to maintain or update the content, the Authority may give the Supplier notice to rectify the failure and if the failure is not rectified to the reasonable satisfaction of the Authority within one (1) Month of receipt of such notice, the Authority shall have the right to remove such content itself or require that the Supplier immediately arranges the removal of such content.

Protection of Personal Data. 34.6.1 Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Framework AgreementCall Off Contract, the Parties acknowledge that the Fund Customer is the Data Controller and that the Supplier is the Data Processor. . 34.6.2 The Supplier shall: : (a) Process the Personal Data only in accordance with instructions from the Fund Customer to perform its obligations under this Framework Agreement; Call Off Contract; (b) ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data; , including the measures as are set out in Clauses 34.1 (Security Requirements) and 34.2 (Protection of Customer Data); (c) not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Fund Customer (save where such disclosure or transfer is specifically authorised under this Framework AgreementCall Off Contract); (d) take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: : (i) are aware of and comply with the Supplier’s duties under this Clause 22.5.2 34.6.2 and Clause 22.2 Clauses 34.1 (Security Requirements), 34.2 (Protection of Customer Data) and 34.3 (Confidentiality); ; (ii) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Fund Customer or as otherwise permitted by this Framework AgreementCall Off Contract; and and (iii) have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPAData Protection Legislation); ; (e) notify the Fund Customer within five (5) Working Days if it receives: : (i) from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request), ) a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the FundCustomer's obligations under the DPA; Data Protection Legislation; (ii) any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or or (iii) a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; ; (f) provide the Fund Customer with full cooperation and assistance (within the timescales reasonably required by the FundCustomer) in relation to any complaint, communication or request made (as referred to at Clause 22.5.2(e34.6.2(e)), including by promptly providing: : (i) the Fund Customer with full details and copies of the complaint, communication or request; ; (ii) where applicable, such assistance as is reasonably requested by the Fund Customer to enable the Fund Customer to comply with the Data Subject Access Request within the relevant timescales set out in the DPAData Protection Legislation; and and (iii) the FundCustomer, on request by the FundCustomer, with any Personal Data it holds in relation to a Data Subject; and and (g) if requested by the FundCustomer, provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 22.5.2 34.6.2 and provide to the Fund Customer copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. . 34.6.3 The Supplier shall not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “Restricted Countries”). If, after the Framework Call Off Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to anywhere any outside the European Economic Area, the following provisions shall apply: : (a) the Supplier shall propose a variation Variation to the Fund Customer which, if it is agreed by the FundCustomer, shall be dealt with in accordance with Clause 17.1 (the Variation Procedure) Procedure and Clauses 22.5.3(b34.6.3(b) to 22.5.3(d34.6.3(c); ; (b) the Supplier shall set out in its proposal to the Fund Customer for a Variation, Variation details of the following: : (i) the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; ; (ii) the Restricted Countries to which the Personal Data will be transferred and/or Processed; and and (iii) any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; ; (iv) how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the FundCustomer’s compliance with the DPA; Data Protection Legislation; (c) in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with the Fundthen-current Customer, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and and (d) the Supplier shall comply with such other instructions and shall carry out such other actions as the Fund Customer may notify in writing, including: : (i) incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPAData Protection Legislation) into this Framework Agreement Call Off Contract or a separate data processing agreement between the Parties; and and (ii) procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: : (A) a direct data processing agreement with the Fund Customer on such terms as may be required by the FundCustomer; or or (B) a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Fund Customer and the Supplier Sub-Contractor relating to the relevant Personal Data transfer, and the Supplier acknowledges that in each case, this may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Fund deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Fund to comply with any obligations under the DPA and shall not perform its obligations under this Framework Agreement in such a way as to cause the Fund to breach any of the Fund’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations. Subject to Clause 244 (Marketing), the Supplier shall not: make any press announcements or publicise this Framework Agreement in any way; or use the Fund's name or brand in any promotion or marketing or announcement of Orders, without Approval (the decision of the Fund to Approve or not shall not be unreasonably withheld or delayed). Each Party acknowledges to the other that nothing in this Framework Agreement either expressly or by implication constitutes an approval and/or endorsement of any products or services of the other Party (including the Goods and/or Services) and each Party agrees not to conduct itself in such a way as to imply or express any such approval and/or endorsement. The Fund shall be entitled to publicise this Framework Agreement in accordance with any legal obligation upon the Fund, including any examination of this Framework Agreement by the National Audit Office pursuant to the National Audit Xxx 0000 or otherwise.and

Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of 23.1 With respect to the Parties’ ' rights and obligations under this Framework Agreement, the Parties acknowledge that the Fund Authority is the a Data Controller and that the Supplier is the a Data Processor. In addition, the Parties acknowledge that, for certain purposes for which the Supplier processes Personal Data pursuant to this Agreement, the Supplier may also be a Data Controller in respect of the Personal Data and to the extent that the Supplier is a Data Controller, the Supplier will, at all times, comply with its obligations under the DPA. 23.2 The Supplier shall: : (a) Process the Personal Data only in accordance with instructions from the Fund to Authority and perform its obligations under this Framework Agreement; ; (b) ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing processing of the Personal Data and/or accidental loss, destruction, destruction or damage to the Personal Data; , including the measures as are set out in Clause 20 (Authority Data and Security Requirements); (c) not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Fund Authority (save where such disclosure or transfer is specifically authorised under this Framework Agreement); ; (d) take all reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: : (i) are aware of and comply with the Supplier’s duties under this Clause 22.5.2 23 and Clause 22.2 Clauses 21 (Confidentiality) and 20 (Authority Data and Security Requirements); ; (ii) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Fund Authority or as otherwise permitted by this Framework Agreement; and and (iii) have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); ; (e) notify the Fund Authority within five (5) 5 Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request), a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the Fund's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Fund with full cooperation and assistance (within the timescales reasonably required by the Fund) in relation to any complaint, communication or request made (as referred to at Clause 22.5.2(e), including by promptly providing: the Fund with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Fund to enable the Fund to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the Fund, on request by the Fund, with any Personal Data it holds in relation to a Data Subject; and if requested by the Fund, provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 22.5.2 and provide to the Fund copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Supplier shall not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “Restricted Countries”). If, after the Framework Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to anywhere outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a variation to the Fund which, if it is agreed by the Fund, shall be dealt with in accordance with Clause 17.1 (Variation Procedure) and Clauses 22.5.3(b) to 22.5.3(d); the Supplier shall set out in its proposal to the Fund for a Variation, details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the Fund’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with the Fund, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Fund may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Framework Agreement or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Fund on such terms as may be required by the Fund; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Fund and the Supplier relating to the relevant Personal Data transfer, and the Supplier acknowledges that in each case, this may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Fund deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Fund to comply with any obligations under the DPA and shall not perform its obligations under this Framework Agreement in such a way as to cause the Fund to breach any of the Fund’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations. Subject to Clause 244 (Marketing), the Supplier shall not: make any press announcements or publicise this Framework Agreement in any way; or use the Fund's name or brand in any promotion or marketing or announcement of Orders, without Approval (the decision of the Fund to Approve or not shall not be unreasonably withheld or delayed). Each Party acknowledges to the other that nothing in this Framework Agreement either expressly or by implication constitutes an approval and/or endorsement of any products or services of the other Party (including the Goods and/or Services) and each Party agrees not to conduct itself in such a way as to imply or express any such approval and/or endorsement. The Fund shall be entitled to publicise this Framework Agreement in accordance with any legal obligation upon the Fund, including any examination of this Framework Agreement by the National Audit Office pursuant to the National Audit Xxx 0000 or otherwise.:

Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Framework Agreement, the Parties acknowledge that the Fund Authority is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Fund Authority to perform its obligations under this Framework Agreement; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data; not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and/or and Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Fund Authority (save where such disclosure or transfer is specifically authorised under this Framework Agreement); take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 22.5.2 27.4.2 and Clause 22.2 27.2 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Fund Authority or as otherwise permitted by this Framework Agreement; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPAGDPR); notify the Fund Authority within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request), a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the FundAuthority's obligations under the DPAGDPR; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Fund Authority with full cooperation and assistance (within the timescales reasonably required by the FundAuthority) in relation to any complaint, communication or request made (as referred to at Clause 22.5.2(e27.4.2(e), including by promptly providing: the Fund Authority with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Fund Authority to enable the Fund Authority to comply with the Data Subject Access Request within the relevant timescales set out in the DPAGDPR; and the FundAuthority, on request by the FundAuthority, with any Personal Data it holds in relation to a Data Subject; and if requested by the FundAuthority, provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 22.5.2 27.4.2 and provide to the Fund Authority copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Supplier shall not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “a Restricted Countries”)Country. If, after the Framework Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to anywhere outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a variation to the Fund Authority which, if it is agreed by the FundAuthority, shall be dealt with in accordance with Clause 17.1 19.1 (Variation Procedure) and Clauses 22.5.3(b27.4.3(b) to 22.5.3(d27.4.3(d); the Supplier shall set out in its proposal to the Fund Authority for a Variation, details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the FundAuthority’s compliance with the DPAGDPR; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with the FundAuthority, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Fund Authority may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPAGDPR) into this Framework Agreement or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Fund Authority on such terms as may be required by the FundAuthority; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Fund Authority and the Supplier relating to the relevant Personal Data transfer, and the Supplier acknowledges that in each case, this may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPAGDPR) and technical and organisation measures which the Fund Authority deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Fund Authority to comply with any obligations under the DPA GDPR and shall not perform its obligations under this Framework Agreement in such a way as to cause the Fund Authority to breach any of the FundAuthority’s obligations under the DPA GDPR to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations. Subject to Clause 244 29 (Marketing), the Supplier shall not: make any press announcements or publicise this Framework Agreement in any way; or use the FundAuthority's name or brand in any promotion or marketing or announcement of Orders, without Approval (the decision of the Fund Authority to Approve or not shall not be unreasonably withheld or delayed). Each Party acknowledges to the other that nothing in this Framework Agreement either expressly or by implication constitutes an approval and/or endorsement of any products or services of the other Party (including the Goods and/or and Services) and each Party agrees not to conduct itself in such a way as to imply or express any such approval and/or endorsement. The Fund Authority shall be entitled to publicise this Framework Agreement in accordance with any legal obligation upon the FundAuthority, including any examination of this Framework Agreement by the National Audit Office pursuant to the National Audit Xxx 0000 or otherwise.

Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Framework Agreement, the Parties acknowledge that the Fund Authority is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Fund Authority to perform its obligations under this Framework Agreement; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data; not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Fund Authority (save where such disclosure or transfer is specifically authorised under this Framework Agreement); take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 22.5.2 24.5.2 and Clause 22.2 24.2 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Fund Authority or as otherwise permitted by this Framework Agreement; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Fund Authority within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request), a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the FundAuthority's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Fund Authority with full cooperation and assistance (within the timescales reasonably required by the FundAuthority) in relation to any complaint, communication or request made (as referred to at Clause 22.5.2(e24.5.2(e), including by promptly providing: the Fund Authority with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Fund Authority to enable the Fund Authority to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the FundAuthority, on request by the FundAuthority, with any Personal Data it holds in relation to a Data Subject; and if requested by the FundAuthority, provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 22.5.2 24.5.2 and provide to the Fund Authority copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Supplier shall not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “Restricted Countries”). If, after the Framework Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to anywhere outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a variation to the Fund Authority which, if it is agreed by the FundAuthority, shall be dealt with in accordance with Clause 17.1 16.1 (Variation Procedure) and Clauses 22.5.3(b24.5.3(b) to 22.5.3(d24.5.3(d); the Supplier shall set out in its proposal to the Fund Authority for a Variation, details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the FundAuthority’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with the FundAuthority, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Fund Authority may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Framework Agreement or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Fund Authority on such terms as may be required by the FundAuthority; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Fund Authority and the Supplier relating to the relevant Personal Data transfer, and the Supplier acknowledges that in each case, this may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Fund Authority deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Fund Authority to comply with any obligations under the DPA and shall not perform its obligations under this Framework Agreement in such a way as to cause the Fund Authority to breach any of the FundAuthority’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations. Subject to Clause 244 (Marketing), the Supplier shall not: make any press announcements or publicise this Framework Agreement in any way; or use the Fund's name or brand in any promotion or marketing or announcement of Orders, without Approval (the decision of the Fund to Approve or not shall not be unreasonably withheld or delayed). Each Party acknowledges to the other that nothing in this Framework Agreement either expressly or by implication constitutes an approval and/or endorsement of any products or services of the other Party (including the Goods and/or Services) and each Party agrees not to conduct itself in such a way as to imply or express any such approval and/or endorsement. The Fund shall be entitled to publicise this Framework Agreement in accordance with any legal obligation upon the Fund, including any examination of this Framework Agreement by the National Audit Office pursuant to the National Audit Xxx 0000 or otherwise.