Common use of Security of Clause in Contracts

Security of. processing 1. Article 32 GDPR stipulates that, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural per- sons, the data controller and data processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. The data controller shall evaluate the risks to the rights and freedoms of natural per- sons inherent in the processing and implement measures to mitigate those risks. De- pending on their relevance, the measures may include the following: a. Pseudonymisation and encryption of personal data; b. the ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services; ner in the event of a physical or technical incident; d. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the pro- cessing. 2. According to Article 32 GDPR, the data processor shall also – independently from the data controller – evaluate the risks to the rights and freedoms of natural persons in- herent in the processing and implement measures to mitigate those risks. To this ef- fect, the data controller shall provide the data processor with all information necessary to identify and evaluate such risks. 3. Furthermore, the data processor shall assist the data controller in ensuring compli- ance with the data controller’s obligations pursuant to Articles 32 GDPR, by inter alia providing the data controller with information concerning the technical and organisa- tional measures already implemented by the data processor pursuant to Article 32 GDPR along with all other information necessary for the data controller to comply with the data controller’s obligation under Article 32 GDPR. If subsequently – in the assessment of the data controller – mitigation of the identified risks require further measures to be implemented by the data processor, than those already implemented by the data processor pursuant to Article 32 GDPR, the data controller shall specify these additional measures to be implemented in Appendix C.

Security of. processing 1. Article 32 GDPR stipulates that, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural per- sonspersons, the data controller Data Controller and data processor Data Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. The data controller Data Controller shall evaluate the risks to the rights and freedoms of natural per- sons persons inherent in the processing and implement measures to mitigate those risks. De- pending Depending on their relevance, the measures may include the following: a. Pseudonymisation and encryption of personal data; b. the The ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services; ner c. The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; d. a A process for regularly testing, assessing assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the pro- cessing.processing 2. According to Article 32 GDPR, the data processor Data Processor shall also – - independently from the data controller – Data Controller - evaluate the risks to the rights and freedoms of natural persons in- herent inherent in the processing and implement measures to mitigate those risks. To this ef- fecteffect, the data controller Data Controller shall provide the data processor Data Processor with all information necessary to identify and evaluate such risks. 3. Furthermore, the data processor Data Processor shall assist the data controller Data Controller in ensuring compli- ance compliance with the data controllerData Controller’s obligations pursuant to Articles 32 GDPR, by inter alia providing the data controller Data Controller with information concerning the technical and organisa- tional organisational measures already implemented by the data processor Data Processor pursuant to Article 32 GDPR along with all other information necessary for the data controller Data Controller to comply with the data controllerData Controller’s obligation under Article 32 GDPR. If subsequently – - in the assessment of the data controller – Data Controller - mitigation of the identified risks require requires further measures to be implemented by the data processorData Processor, than those already implemented by the data processor Data Processor pursuant to Article 32 GDPR, the data controller Data Controller shall specify these additional measures to be implemented in Appendix C.

Security of. processing 1. Article 32 GDPR stipulates that, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural per- sonspersons, the data controller and data processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. The data controller shall evaluate the risks to the rights and freedoms of natural per- sons persons inherent in the processing and implement measures to mitigate those risks. De- pending Depending on their relevance, the measures may include the following: a. Pseudonymisation and encryption of personal data; b. the ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services; ner ; c. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; d. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the pro- cessingprocessing. 2. According to Article 32 GDPR, the data processor shall also – independently from the data controller – evaluate the risks to the rights and freedoms of natural persons in- herent inherent in the processing and implement measures to mitigate those risks. To this ef- fecteffect, the data controller shall provide the data processor with all information necessary to identify and evaluate such risks. 3. Furthermore, the data processor shall assist the data controller in ensuring compli- ance compliance with the data controller’s obligations pursuant to Articles 32 GDPR, by inter alia providing the data controller with information concerning the technical and organisa- tional organisational measures already implemented by the data processor pursuant to Article 32 GDPR along with and – against separate remuneration to the data processor – all other information necessary for the data controller to comply with the data controller’s obligation under Article 32 GDPR. Any separate remuneration to the data processor in accordance with the aforementioned is calculated on the basis of the time spent by the data processor in procuring the information, and the data processor's generally applicable hourly rates. Furthermore, the data processor is entitled to have any external expenses it may incur in procuring the information, including expenses in relation to any necessary assistance from sub-processors, covered by the data controller. If subsequently – in the assessment of the data controller – mitigation of the identified risks require requires further measures to be implemented by the data processor, processor than those already implemented by the data processor pursuant to Article 32 of the GDPR, the data controller shall specify these additional measures to be implemented in Appendix C.C. If the data controller, after having entered into the Clauses, argues that additional measures should be implemented other than those which are already, at the time of entering into the Clauses, specified in appendix C (or which the data processor otherwise may already have implemented), it is to be discussed between the parties whether an agreement on implementing such additional measures, including a timetable and remuneration to the data processor for such implementation (as well as a possible increase of the ongoing remuneration that the data controller pays for the services in accordance with the Main Agreement) can be reached. If the parties cannot come to an agreement, the data controller must, if the data controller cannot accept that processing of personal data takes place without implementation of the measures in question, instruct the data processor to cease further processing of the personal data. In such circumstances, Clause 4.2.b.ii above applies.

Security of. processing 1. Article 32 GDPR stipulates that, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural per- sonspersons, the data controller and data processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. The data controller shall evaluate the risks to the rights and freedoms of natural per- sons persons inherent in the processing and implement measures to mitigate those risks. De- pending Depending on their relevance, the measures may include the following: a. Pseudonymisation and encryption of personal data; b. the ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services; ner ; c. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; d. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the pro- cessingprocessing. 2. According to Article 32 GDPR, the data processor shall also – independently from the data controller – evaluate the risks to the rights and freedoms of natural persons in- herent inherent in the processing and implement measures to mitigate those risks. To this ef- fecteffect, the data controller shall provide the data processor with all information necessary to identify and evaluate such risks. 3. Furthermore, the data processor shall assist the data controller in ensuring compli- ance compliance with the data controller’s obligations pursuant to Articles 32 GDPR, by inter alia providing the data controller with information concerning the technical and organisa- tional organisational measures already implemented by the data processor pursuant to Article 32 GDPR along with all other information necessary for the data controller to comply with the data controller’s obligation under Article 32 GDPR. If subsequently – in the assessment of the data controller – mitigation of the identified risks require further measures to be implemented by the data processor, than those already implemented by the data processor pursuant to Article 32 GDPR, the data controller shall specify these additional measures to be implemented in Appendix C.

Security of. processing 1. Article 32 GDPR stipulates that, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural per- sonspersons, the data controller and data processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. The data controller shall evaluate the risks to the rights and freedoms of natural per- sons persons inherent in the processing and implement measures to mitigate those risks. De- pending Depending on their relevance, the measures may include the following:: ASSEMBLY VOTING APS RINGAGER 4C, 0.XX 2605 BRØNDBY TEL: +00 00000000 – @: XXXX@XXXX.XX – CVR: 25600665 a. Pseudonymisation and encryption of personal data; b. the ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services; ner ; c. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; d. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the pro- cessingprocessing. 2. According to Article 32 GDPR, the data processor shall also – independently from the data controller – evaluate the risks to the rights and freedoms of natural persons in- herent inherent in the processing and implement measures to mitigate those risks. To this ef- fecteffect, the data controller shall provide the data processor with all information necessary to identify and evaluate such risks. 3. Furthermore, the data processor shall assist the data controller in ensuring compli- ance compliance with the data controller’s obligations pursuant to Articles 32 GDPR, by inter alia providing the data controller with information concerning the technical and organisa- tional organisational measures already implemented by the data processor pursuant to Article 32 GDPR along with all other information necessary for the data controller to comply with the data controller’s obligation under Article 32 GDPR. If subsequently – in the assessment of the data controller – mitigation of the identified risks require further measures to be implemented by the data processor, than those already implemented by the data processor pursuant to Article 32 GDPR, the data controller shall specify these additional measures to be implemented in Appendix C.