Common use of Security and Confidentiality of Data Clause in Contracts

Security and Confidentiality of Data. 2.3.1 The Data Processor shall carry out the Processing in compliance with the Data Protection Legislation. 2.3.2 The Data Processor shall implement (and assist the Customer to implement) technical and organizational measures to safe guard the Data from unauthor- ized or unlawful Processing or accidental loss, destruction, or damage and acknowledges that it has implemented appropriate technical and organizational measures to prevent unauthorized or unlawful Processing, accidental loss, de- struction, damage or disclosure of the Data. 2.3.3 The Data Processor shall ensure that each of its employees, agents or sub- contractors are made aware of its obligations with regard to the security and protection of the Data and shall require that they: a) enter into binding obligations with the Data Processor in order to maintain an appropriate obligation of confidentiality and the levels of security and protection provided for in this Agreement. b) Process the Data solely on instructions from Customer; and c) is appropriately reliable, qualified and trained in relation to their Processing of Data. 2.3.4 The Data Processor shall not divulge the Data whether directly or indirectly to any person, firm, or company without the written consent of Customer, except to those of its employees who are engaged in the Processing of the Data and are subject to the binding obligations referred in 2.3.3 2.3.5 In the event that the Data Processor subcontracts any part of the Processing to a third party in accordance with 2.3.4 the Data Processor shall ensure that a written contract on the same terms as this Agreement is entered into by the subcontractor and that any subcontractor provides the Data Processor with a plan of the technical and organizational means it has adopted to prevent unau- thorized or unlawful Processing or accidental loss or destruction of the Data. The Data Processor will remain responsible for all acts and omissions of sub- contractor as if they were its own. 2.3.6 The Data Processor will Process the Data only on behalf of Customer and in compliance with Customer’s documented instructions and this Agreement or any other written agreement between the parties and if the Data Processor cannot provide such compliance for whatever reason the Data Processor will in- form Customer promptly of its inability to comply, in which case Customer shall be entitled to suspend the Processing of the Data and/or terminate this Agree- ment and the contract to which this Agreement is appended immediately upon serving written notice to the Data Processor. 2.3.7 The Data Processor may not, in any circumstances, transfer any of the Personal Data to any country or territory outside of the European Economic Area without the Customer’s prior written consent, which may be withheld at its absolute dis- cretion. xxxxx://xxxxx-xx.xxx/data-processing-agreement-sub-processors/ contains a list of sub processors to Queue-it. The list will be updated on an ongoing basis via the Suppliers web site and the Customer will be notified prior to the change. 2.3.8 The Data Processor shall notify the Customer without undue delay (and in any event no later than 24 hours) after becoming aware of a reasonably suspected, “near miss” or actual Data Security Incident. Where, and in so far as, it is not possible to provide all the relevant information at the same time, the infor- mation may be provided in phases without undue further delay, but the Data Processor may not delay notification on the basis that an investigation is in- complete or ongoing. 2.3.9 The Data Processor shall (if applicable) promptly notify the Customer of and assist the Customer in relation to: a) Any request for disclosure of the Data by a law enforcement authority un- less otherwise prohibited from so notifying; b) documenting, reporting or taking measures to address or mitigate any Da- ta Security Incident; c) Any request received seeking to exercise a Data Subject’s rights under the Data Protection Legislation; d) conducting privacy impact assessments of any Processing operations and consulting with any applicable supervisory authority or appropriate per- sons accordingly. 2.3.10 An authorized and individual Data Protection Manager from the Supplier will via the email address xxxxxxx@xxxxx-xx.xxx respond to enquiries from either a Data Subject or Customer relating to the Processing of the Data and will deal promptly and properly with any such enquiries and in any event within the time frames stipulated by the Data Protection Legislation. 2.3.11 The Data Processor will make available to the Customer all information neces- sary to demonstrate compliance with the obligations set out in this Agreement and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer. 2.3.12 The Data Processor will comply with all reasonable instructions from the Cus- tomer to rectify, delete and update any Data or files and will confirm to the Cus- tomer within a reasonable time that this has been done. 2.3.13 The Data Processor will comply with the rights of Data Subjects and allow the same rights of access, correction, blocking, suppression or deletion as reasona- xxx requested in writing by the Customer. 2.3.14 The Data Processor will not, and will procure that any subcontractors will not, make or permit any announcement in respect of the Data Security Incident to any person without the Customer’s prior written consent, which may be given, withheld or made subject to conditions at the Customer’s sole discretion.

Security and Confidentiality of Data. 2.3.1 The Data Processor shall carry out the Processing in compliance with the Data Protection Legislation. 2.3.2 The Data Processor shall implement (and assist the Customer to implement) technical and organizational measures to safe guard safeguard the Data from unauthor- ized or unlawful Processing or accidental loss, destruction, or damage and acknowledges con- firms that it has implemented appropriate technical and organizational measures to prevent unauthorized or unlawful Processing, accidental loss, de- struction, damage or disclosure of the Data. 2.3.3 The Data Processor shall ensure that each of its employees, agents or sub- contractors subcon- tractors are made aware of its obligations with regard to the security and protection pro- tection of the Data and shall require that they: a) enter into binding obligations with the Data Processor in order to maintain main- tain an appropriate obligation of confidentiality and the levels of security and protection provided for in this Agreement. b) Process the Data solely on instructions from Customer; and c) is Is appropriately reliable, qualified and trained in relation to their Processing Pro- cessing of Data. 2.3.4 The Data Processor shall not divulge the Data whether directly or indirectly to any person, firm, or company without the written consent of Customer, except to those of its employees who are engaged in the Processing of the Data and are subject to the binding obligations referred in 2.3.3 2.3.5 In the event that the Data Processor subcontracts any part of the Processing to a third party in accordance with 2.3.4 the Data Processor shall ensure that a written contract on the same terms as this Agreement is entered into by the subcontractor and that any subcontractor provides the Data Processor with a plan of the technical and organizational means it has adopted to prevent unau- thorized or unlawful Processing or accidental loss or destruction of the Data. The Data Processor will remain responsible for all acts and omissions of sub- contractor as if they were its own. 2.3.6 The Data Processor will Process the Data only on behalf of Customer and in compliance with Customer’s documented instructions and this Agreement or FRPSOLDQFH ZLWK &XVWRPHUȆV GRFXPHQWHG LQVW any other written agreement between the parties and if the Data Processor cannot provide such compliance for whatever reason the Data Processor will in- form Customer promptly of its inability to comply, in which case Customer shall be entitled to suspend the Processing of the Data and/or terminate this Agree- ment and the contract to which this Agreement is appended immediately upon serving written notice to the Data Processorif compliance with this Agreement is not restored within a reasonable time and in any event within one month following suspension. 2.3.7 The Data Processor may not, in any circumstances, transfer any of the Personal Data to any country or territory outside of the European Economic Area without the Customer’s prior written consent, which may be withheld at its absolute dis- &XVWRPHUȆV SULRU ZULWWHQ FRQVHQW dis - ZKLFK cretion. xxxxx://xxxxx-xx.xxx/data-processing-agreement-sub-processors/ contains a list of sub processors to Queue-itthe Data Processor. The list will be updated on an ongoing on- going basis via the Suppliers web site and the Customer will be notified prior to the change. 2.3.8 The Data Processor shall notify the Customer without undue delay (and in any event no later than 24 hours) after becoming aware of a reasonably suspected, “near miss” or actual Data Security Incident. Where, and in so far as, it is not ȉQHDU PLVVȊ RU DFWXDO 'DWD 6HFXULW\ ,QFLGH possible to provide all the relevant information at the same time, the infor- mation may be provided in phases without undue further delay, but the Data Processor may not delay notification on the basis that an investigation is in- complete or ongoing. 2.3.9 The Data Processor shall (if applicable) promptly notify the Customer of and assist the Customer in relation to: a) Any request for disclosure of the Data by a law enforcement authority un- less unless otherwise prohibited from so notifying; b) documentingDocumenting, reporting or taking measures to address or mitigate any Da- ta Data Security Incident; c) Any request received seeking to exercise a Data Subject’s rights under $Q\ UHTXHVW UHFHLYHG VHHNLQJ WR H[HUFLV the Data Protection Legislation; d) conducting Conducting privacy impact assessments of any Processing operations and consulting with any applicable supervisory authority or appropriate per- sons persons accordingly. 2.3.10 An authorized and individual Data Protection Manager from the Supplier will via the email address xxxxxxx@xxxxx-xx.xxx respond to enquiries from either a Data Subject or Customer relating to the Processing of the Data and will deal promptly and properly with any such enquiries and in any event within the time frames stipulated by the Data Protection Legislation. 2.3.11 The Data Processor will make available to the Customer all information neces- sary to demonstrate compliance with the obligations set out in this Agreement and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer. 2.3.12 The Data Processor will comply with all reasonable instructions from the Cus- tomer to rectify, delete and update any Data or files and will confirm to the Cus- tomer Customer within a reasonable time that this has been done. 2.3.13 The Data Processor will comply with the rights of Data Subjects and allow the same rights of access, correction, blocking, suppression or deletion as reasona- xxx reasonably requested in writing by the Customer. 2.3.14 The Data Processor will not, and will procure that any subcontractors will not, make or permit any announcement in respect of the Data Security Incident to any person without the Customer’s prior written consent, which may be given, &XVWRPHUȆV SULRU ZULWWHQ FRQVHQ withheld or made subject to conditions at the Customer’s sole discretion&XVWRPHUȆV oVn.ROH GLVFU

Security and Confidentiality of Data. 2.3.1 The Data Processor shall carry out the Processing in compliance with the Data Protection Legislation. 2.3.2 The Data Processor shall implement (and assist the Customer to implement) technical and organizational measures to safe guard safeguard the Data from unauthor- ized or unlawful Processing or accidental loss, destruction, or damage and acknowledges con- firms that it has implemented appropriate technical and organizational measures to prevent unauthorized or unlawful Processing, accidental loss, de- struction, damage or disclosure of the Data. 2.3.3 The Data Processor shall ensure that each of its employees, agents or sub- contractors subcon- tractors are made aware of its obligations with regard to the security and protection pro- tection of the Data and shall require that they: a) enter into binding obligations with the Data Processor in order to maintain main- tain an appropriate obligation of confidentiality and the levels of security and protection provided for in this Agreement. b) Process the Data solely on instructions from Customer; and c) is Is appropriately reliable, qualified and trained in relation to their Processing Pro- cessing of Data. 2.3.4 The Data Processor shall not divulge the Data whether directly or indirectly to any person, firm, or company without the written consent of Customer, except to those of its employees who are engaged in the Processing of the Data and are subject to the binding obligations referred in 2.3.3 2.3.5 In the event that the Data Processor subcontracts any part of the Processing to a third party in accordance with 2.3.4 the Data Processor shall ensure that a written contract on the same terms as this Agreement is entered into by the subcontractor and that any subcontractor provides the Data Processor with a plan of the technical and organizational means it has adopted to prevent unau- thorized or unlawful Processing or accidental loss or destruction of the Data. The Data Processor will remain responsible for all acts and omissions of sub- contractor as if they were its own. 2.3.6 The Data Processor will Process the Data only on behalf of Customer and in compliance with Customer’s documented instructions and this Agreement or any other written agreement between the parties and if the Data Processor cannot provide such compliance for whatever reason the Data Processor will in- form Customer promptly of its inability to comply, in which case Customer shall be entitled to suspend the Processing of the Data and/or terminate this Agree- ment and the contract to which this Agreement is appended immediately upon serving written notice to the Data Processorif compliance with this Agreement is not restored within a reasonable time and in any event within one month following suspension. 2.3.7 The Data Processor may not, in any circumstances, transfer any of the Personal Data to any country or territory outside of the European Economic Area without the Customer’s prior written consent, which may be withheld at its absolute dis- cretion. xxxxx://xxxxx-xx.xxx/data-processing-agreement-sub-processors/ contains a list of sub processors to Queue-itthe Data Processor. The list will be updated on an ongoing on- going basis via the Suppliers web site and the Customer will be notified prior to the change. 2.3.8 The Data Processor shall notify the Customer without undue delay (and in any event no later than 24 hours) after becoming aware of a reasonably suspected, “near miss” or actual Data Security Incident. Where, and in so far as, it is not possible to provide all the relevant information at the same time, the infor- mation may be provided in phases without undue further delay, but the Data Processor may not delay notification on the basis that an investigation is in- complete or ongoing. 2.3.9 The Data Processor shall (if applicable) promptly notify the Customer of and assist the Customer in relation to: a) Any request for disclosure of the Data by a law enforcement authority un- less unless otherwise prohibited from so notifying; b) documentingDocumenting, reporting or taking measures to address or mitigate any Da- ta Data Security Incident; c) Any request received seeking to exercise a Data Subject’s rights under the Data Protection Legislation; d) conducting Conducting privacy impact assessments of any Processing operations and consulting with any applicable supervisory authority or appropriate per- sons persons accordingly. 2.3.10 An authorized and individual Data Protection Manager from the Supplier will via the email address xxxxxxx@xxxxx-xx.xxx respond to enquiries from either a Data Subject or Customer relating to the Processing of the Data and will deal promptly and properly with any such enquiries and in any event within the time frames stipulated by the Data Protection Legislation. 2.3.11 The Data Processor will make available to the Customer all information neces- sary to demonstrate compliance with the obligations set out in this Agreement and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer. 2.3.12 The Data Processor will comply with all reasonable instructions from the Cus- tomer to rectify, delete and update any Data or files and will confirm to the Cus- tomer Customer within a reasonable time that this has been done. 2.3.13 The Data Processor will comply with the rights of Data Subjects and allow the same rights of access, correction, blocking, suppression or deletion as reasona- xxx reasonably requested in writing by the Customer. 2.3.14 The Data Processor will not, and will procure that any subcontractors will not, make or permit any announcement in respect of the Data Security Incident to any person without the Customer’s prior written consent, which may be given, withheld or made subject to conditions at the Customer’s sole discretion.

Security and Confidentiality of Data. 2.3.1 The Data Processor shall carry out the Processing in compliance with the Data Protection Legislation. 2.3.2 The Data Processor shall implement (and assist the Customer to implement) technical and organizational measures to safe guard the Data from unauthor- ized unauthorized or unlawful Processing or accidental loss, destruction, or damage and acknowledges acknowl- edges that it has implemented appropriate technical and organizational measures to prevent unauthorized or unlawful Processing, accidental loss, de- struction, damage or disclosure of the Data. 2.3.3 The Data Processor shall ensure that each of its employees, agents or sub- contractors subcon- tractors are made aware of its obligations with regard to the security and protection pro- tection of the Data and shall require that they: a) enter into binding obligations with the Data Processor in order to maintain an appropriate obligation of confidentiality and the levels of security and protection provided for in this Agreement. b) Process the Data solely on instructions from Customer; and c) is appropriately reliable, qualified and trained in relation to their Processing of Data. 2.3.4 The Data Processor shall not divulge the Data whether directly or indirectly to any person, firm, or company without the written consent of Customer, except to those of its employees who are engaged in the Processing of the Data and are subject to the binding obligations referred in 2.3.3 2.3.5 In the event that the Data Processor subcontracts any part of the Processing to a third party in accordance with 2.3.4 the Data Processor shall ensure that a written writ- ten contract on the same terms as this Agreement is entered into by the subcontractor subcon- tractor and that any subcontractor provides the Data Processor with a plan of the technical and organizational means it has adopted to prevent unau- thorized unauthorized or unlawful Processing or accidental loss or destruction of the Data. The Data Processor Pro- cessor will remain responsible for all acts and omissions of sub- contractor subcontractor as if they were its own. 2.3.6 The Data Processor will Process the Data only on behalf of Customer and in compliance com- pliance with Customer’s documented instructions and this Agreement or any other written agreement between the parties and if the Data Processor cannot provide such compliance for whatever reason the Data Processor will in- form Customer inform Cus- tomer promptly of its inability to comply, in which case Customer shall be entitled enti- tled to suspend the Processing of the Data and/or terminate this Agree- ment Agreement and the contract to which this Agreement is appended immediately upon serving written notice to the Data Processor. 2.3.7 The Data Processor may not, in any circumstances, transfer any of the Personal Data to any country or territory outside of the European Economic Area without the Customer’s prior written consent, which may be withheld at its absolute dis- cretion. xxxxx://xxxxx-xx.xxx/data-processing-agreement-sub-processors/ contains a list of sub processors to Queue-it. The list will be updated on an ongoing basis via the Suppliers web site and the Customer will be notified prior to the change. 2.3.8 The Data Processor shall notify the Customer without undue delay (and in any event no later than 24 hours) after becoming aware of a reasonably suspected, “near miss” or actual Data Security Incident. Where, and in so far as, it is not possible pos- sible to provide all the relevant information at the same time, the infor- mation information may be provided in phases without undue further delay, but the Data Processor may not delay notification on the basis that an investigation is in- complete incomplete or ongoingon- going. 2.3.9 The Data Processor shall (if applicable) promptly notify the Customer of and assist the Customer in relation to: a) Any request for disclosure of the Data by a law enforcement authority un- less otherwise prohibited from so notifying; b) documenting, reporting or taking measures to address or mitigate any Da- ta Data Security Incident; c) Any request received seeking to exercise a Data Subject’s rights under the Data Protection Legislation; d) conducting privacy impact assessments of any Processing operations and consulting with any applicable supervisory authority or appropriate per- sons persons accordingly. 2.3.10 An authorized and individual Data Protection Manager from the Supplier will via the email address xxxxxxx@xxxxx-xx.xxx respond to enquiries from either a Data Subject or Customer relating to the Processing of the Data and will deal promptly prompt- ly and properly with any such enquiries and in any event within the time frames stipulated by the Data Protection Legislation. 2.3.11 The Data Processor will make available to the Customer all information neces- sary to demonstrate compliance with the obligations set out in this Agreement and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer. 2.3.12 The Data Processor will comply with all reasonable instructions from the Cus- tomer to rectify, delete and update any Data or files and will confirm to the Cus- tomer within a reasonable time that this has been done. 2.3.13 The Data Processor will comply with the rights of Data Subjects and allow the same rights of access, correction, blocking, suppression or deletion as reasona- xxx reasonably requested in writing by the Customer. 2.3.14 The Data Processor will not, and will procure that any subcontractors will not, make or permit any announcement in respect of the Data Security Incident to any person without the Customer’s prior written consent, which may be given, withheld or made subject to conditions at the Customer’s sole discretion.