Common use of Supplier Obligations Clause in Contracts

Supplier Obligations. The Supplier shall process Protected Data only in accordance with L&P’s documented instructions. These may be specific instructions or instructions of a general nature as set out or provided for in the Agreement. For the avoidance of doubt, nothing in this Schedule shall prevent the Supplier from processing Protected Data where it is required to do so under applicable EU or English law. In such circumstances, the Supplier shall notify L&P in advance of that legal requirement unless applicable law prohibits such notification on important grounds of public interest. The Supplier shall inform L&P immediately if, in its reasonable opinion, an instruction issued in accordance with paragraph 2.1 would result in either Party breaching Data Protection Legislation. All Protected Data shall be treated as strictly confidential by the Supplier and may not be copied, disclosed or processed in any way (i) without the express authority of L&P or (ii) unless required by law or any relevant regulatory body (as described in paragraph 2.1 above). The Supplier warrants that all individuals who it authorises to process Protected Data on behalf of L&P, including employees and contractors, are obliged to protect the confidentiality of such Protected Data. Where the Supplier processes Protected Data (whether stored in the form of physical or electronic records) on behalf of L&P it shall: process Protected Data only to the extent, and in such a manner, as is necessary in order to comply with its obligations under the Agreement; implement appropriate technical and organisational measures to protect the Protected Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure in compliance with obligations set out in Data Protection Legislation, including, where appropriate: the pseudonymisation and encryption of Protected Data; ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services; restoring the availability and access to Protected Data in the event of a physical or technical incident; and regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring security of the processing; in furtherance of its obligations in paragraph 2.5.2, implement and maintain as a minimum the security measures set out in the Data Processing Particulars; if so requested by L&P, within a reasonable timeframe supply details of the technical and organisational measures in place to safeguard the Protected Data, and otherwise make available to L&P all information necessary to demonstrate compliance with the obligations set out in clause 14, this Schedule 5, the Data Processing Particulars and the Data Protection Legislation; and on reasonable prior notice, permit persons authorised by L&P to enter any premises on which Protected Data is processed on behalf of L&P and to inspect the Supplier’s systems to ensure that sufficient security measures are in place. L&P acknowledges that the Supplier may rely on Subprocessors for its processing of Protected Data, or certain aspects of such processing. On entering into this Data Processing Agreement, L&P hereby approves the use by Supplier of those Subprocessors set out in the Data Processing Particulars Data Security Breach. Without prejudice to paragraph 3.1 above, the Supplier shall not transfer or disclose any Protected Data to any party or sub-contract any processing function without verifying that the Subprocessor provides sufficient guarantees to protect the Protected Data. The Supplier shall provide reasonable prior written notice to L&P where the Supplier wishes to engage a Subprocessor (in addition to an Approved Subprocessor) to process the Protected Data and shall provide, upon L&P’s request, the identity and location of the Subprocessor and a description of the processing to be subcontracted or outsourced to such Subprocessor. Having received notice of the Supplier’s intention to engage a Subprocessor to process the Protected Data pursuant to paragraph 3.3 above, if L&P reasonably believes that such Subprocessor presents an unreasonable risk to L&P or prevents (or may prevent) L&P from complying with Data Protection Legislation, L&P may, within thirty (30) days of receiving such notice from the Supplier: notify the Supplier that it objects to the Subprocessor and ask the Supplier to provide an alternative third party contractor which the Supplier shall in good faith seek to achieve; and/ or on no less than thirty (30) days written notice to the Supplier, terminate the Agreement and receive a pro rata refund of any unused Charges paid in advance for the remainder of the duration of the Agreement. If L&P does not object to the use of a Subprocessor notified to L&P by the Supplier within thirty (30) days of L&P receiving such notice from the Supplier, the Supplier may proceed to engage the Subprocessor and then shall enter into a written contract with the Subprocessor which (i) contains obligations that are at least as protective of Protected Data as those contained in this Schedule 5, (ii) permits both L&P and the Supplier to enforce those obligations, (iii) is governed by English law, and (iv) automatically terminates upon termination of this Agreement. For the avoidance of doubt, the Supplier remains fully liable to L&P for the performance of the obligations of any Subprocessor (including Approved Subprocessors).

Supplier Obligations. The Without limiting its obligations under Section 2, Supplier shall process Protected shall: (a) Process such Personal Data only in accordance with L&P’s documented instructions. These may be specific the instructions or instructions of a general nature as that are set out or provided for in the Agreement. For the avoidance of doubt, nothing forth in this Schedule shall prevent Agreement and Exhibit 1 to this Appendix or are otherwise agreed to by the Supplier from processing Protected Data where it is required Parties in writing including as to do so under applicable EU or English law. In such circumstancesthe subject-matter and duration of the Processing, the nature and purpose of the Processing, the type of Personal Data and categories of Data Subjects; (b) ensure that Supplier’s employees, agents and contractors who Process such Personal Data are subject to written obligations of confidentiality; (c) implement the technical and organizational security measures that are set forth in this Agreement and Exhibit 1 to this Appendix to ensure a level of security appropriate to the risk, taking into account: (i) the state of the art, costs of implementation, nature, scope, context and purposes of the Processing; and (ii) the risks of accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to such Personal Data that is Processed with respect to all Processing of Personal Data; (d) not have such Personal Data Processed by another natural or legal person except to the extent that Supplier has: • received the prior specific or general written authorization of AT&T for such Processing; • imposed on such other natural or legal person data protection obligations that are the same in all material respects as those set forth in this Appendix, to the extent required pursuant to Data Privacy Laws; • with respect to Sub-Data Processors for which Supplier has received general written authorization, informed AT&T in writing of any changes concerning the addition or replacement of such Sub-Data Processors and obtained AT&T’s written consent prior to allowing Processing by such Sub-Data Processor; (e) notify AT&T in writing through its business contact of any communications or requests in relation to Personal Data received from Data Subjects, Supervisory Authorities or other third parties without undue delay following receipt of such communications or requests. Supplier shall provide such notices via e-mail to its business contact with a copy to xxxxxxxxxxxxx@xxx.xxx with the subject line stating “URGENT—Personal Data Related.” (f) taking into account the nature of Supplier’s Processing activities, assist AT&T at AT&T’s reasonable request to enable the (i) Data Controller to fulfill its obligations to respond to requests by Data Subjects in relation to their rights under Data Privacy Laws, and (ii) Data Controller (and if different, AT&T) to fulfill its obligations to respond to requests by Supervisory Authorities and other third parties; (g) taking into account the nature of Supplier’s Processing of such Personal Data and information available to Supplier: • notify L&P AT&T by calling AT&T Asset Protection (at [***] within the U.S. or [***] outside the U.S.) of any Personal Data Breach without undue delay after becoming aware of such breach; and • without undue delay provide reasonable assistance to AT&T in relation to any obligations of the Data Controller (including under Data Privacy Laws) in relation to: • a Personal Data Breach; and • the performance of data protection impact assessments by the Data Controller. To the extent that the assistance required of Supplier under subsections (f) and (g) above may require Supplier to incur substantial costs, Supplier will notify AT&T in advance of incurring such costs and the Parties will negotiate in good faith the fees, if any, to be paid to Supplier for such assistance. (h) securely delete all such Personal Data, including all existing copies (or, to the extent AT&T reasonably requests, securely return the Personal Data and copies to AT&T in a commonly used data format (to be agreed by the Parties acting reasonably), when no longer needed for the purposes for which it was collected, which shall be within [***] of the end of the term of this Agreement at the latest unless otherwise reasonably requested by AT&T, provided, however, that legal requirement unless no such deletion will be required to the extent that (a) applicable law prohibits requires storage of such notification on important grounds of public interest. The data beyond such period; or (b) AT&T instructs Supplier shall inform L&P immediately if, in its reasonable opinion, an instruction issued in accordance with paragraph 2.1 would result in either Party breaching Data Protection Legislation. All Protected Data shall be treated as strictly confidential by the Supplier and may not be copied, disclosed or processed in any way writing to retain such data beyond such period; and (i) without the express authority of L&P or (ii) unless required by law or any relevant regulatory body (as described in paragraph 2.1 above). The Supplier warrants that all individuals who it authorises to process Protected Data on behalf of L&Pat AT&T’s request, including employees and contractors, are obliged to protect the confidentiality of such Protected Data. Where the Supplier processes Protected Data (whether stored in the form of physical or electronic records) on behalf of L&P it shall: process Protected Data only to the extent, and in such a manner, as is necessary in order to comply with its obligations under the Agreement; implement appropriate technical and organisational measures to protect the Protected Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure in compliance with obligations set out in Data Protection Legislation, including, where appropriate: the pseudonymisation and encryption of Protected Data; ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services; restoring the availability and access to Protected Data in the event of a physical or technical incident; and regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring security of the processing; in furtherance of its obligations in paragraph 2.5.2, implement and maintain as a minimum the security measures set out in the Data Processing Particulars; if so requested by L&P, within a reasonable timeframe supply details of the technical and organisational measures in place to safeguard the Protected Data, and otherwise make available to L&P AT&T all information necessary to demonstrate compliance with the Supplier’s obligations set out in clause 14, under this Schedule 5, the Data Processing Particulars and the Data Protection Legislation; and on reasonable prior notice, permit persons authorised by L&P to enter any premises on which Protected Data is processed on behalf of L&P and to inspect Appendix concerning the Supplier’s systems data security and privacy procedures relating to ensure that sufficient security measures are in place. L&P acknowledges that the Supplier may rely on Subprocessors for its processing of Protected DataPersonal Data for the purpose of demonstrating compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Data Controller or certain aspects another auditor mandated by the Data Controller in accordance with Section 3.31 of such processing. On entering into this Data Processing Agreement, L&P hereby approves the use by Supplier of those Subprocessors set out in the Data Processing Particulars Data Security Breach. Without prejudice to paragraph 3.1 above, the provided that Supplier shall not transfer or disclose any Protected Data to any party or sub-contract any processing function without verifying that the Subprocessor provides sufficient guarantees to protect the Protected Data. The Supplier shall provide reasonable prior written notice to L&P where the Supplier wishes to engage a Subprocessor (notify AT&T in addition to an Approved Subprocessor) to process the Protected Data and shall provide, upon L&P’s request, the identity and location of the Subprocessor and a description of the processing to be subcontracted or outsourced to such Subprocessor. Having received notice of the Supplier’s intention to engage a Subprocessor to process the Protected Data pursuant to paragraph 3.3 above, writing if L&P reasonably it believes that such Subprocessor presents an unreasonable risk to L&P or prevents (or may prevent) L&P from complying with Data Protection Legislation, L&P may, within thirty (30) days of receiving such notice from the Supplier: notify the Supplier that it objects to the Subprocessor and ask the Supplier to provide an alternative third party contractor which the Supplier shall in good faith seek that the exercise of rights under this Section 3.1(i) would infringe Data Privacy Laws. Supplier agrees that AT&T has the right under the GDPR to achievedisclose some or all of the information contained in, or obtained in connection with, this Appendix to : • Data Controllers, Supervisory Authorities, Data Subjects; and/ or on no less than thirty (30) days written notice and • other third parties to the Supplierextent required under Data Privacy Laws; and (j) provide and keep current its processing-related information, terminate the Agreement and receive a pro rata refund of any unused Charges paid in advance for the remainder of the duration of the Agreement. If L&P does not object to the use of a Subprocessor notified to L&P by the Supplier within thirty (30) days of L&P receiving such notice from the Supplier, the Supplier may proceed to engage the Subprocessor and then shall enter into a written contract with the Subprocessor which (i) contains obligations that are at least as protective of Protected Data as those contained in this Schedule 5, (ii) permits both L&P and the Supplier to enforce those obligations, (iii) is governed by English lawProtection Officer information, and (iv) automatically terminates upon termination point of this Agreement. For the avoidance of doubt, the Supplier remains fully liable contact information in a medium and form acceptable to L&P for the performance of the obligations of any Subprocessor (including Approved Subprocessors).AT&T.

Supplier Obligations. The Without limiting its obligations under Section 2, Supplier shall process Protected shall: (a) Process such Personal Data only in accordance with L&P’s documented instructions. These may be specific the instructions or instructions of a general nature as that are set out or provided for in the Agreement. For the avoidance of doubt, nothing forth in this Schedule shall prevent Agreement and Exhibit 1 to this Appendix or are otherwise agreed to by the Supplier from processing Protected Data where it is required Parties in writing including as to do so under applicable EU or English law. In such circumstancesthe subject-matter and duration of the Processing, the Supplier shall notify L&P nature and purpose of the Processing, the type of Personal Data and categories of Data Subjects; (b) ensure that Supplier’s employees, agents and contractors who Process such Personal Data are subject to written obligations of confidentiality; (c) implement the technical and organizational security measures that are set forth in advance this Agreement and Exhibit 1 to this Appendix to ensure a level of that legal requirement unless applicable law prohibits such notification on important grounds of public interest. The Supplier shall inform L&P immediately ifsecurity appropriate to the risk, in its reasonable opinion, an instruction issued in accordance with paragraph 2.1 would result in either Party breaching Data Protection Legislation. All Protected Data shall be treated as strictly confidential by the Supplier and may not be copied, disclosed or processed in any way taking into account: (i) without the express authority state of L&P or the art, costs of implementation, nature, scope, context and purposes of the Processing; and (ii) unless the risks of accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to such Personal Data that is Processed with respect to all Processing of Personal Data; (d) not have such Personal Data Processed by another natural or legal person except to the extent that Supplier has: • received the prior specific or general written authorization of AT&T for such Processing; • imposed on such other natural or legal person data protection obligations that are the same in all material respects as those set forth in this Appendix, to the extent required by law pursuant to Data Privacy Laws; • with respect to Sub-Data Processors for which Supplier has received general written authorization, informed AT&T in writing of any changes concerning the addition or any relevant regulatory body (as described in paragraph 2.1 above). The Supplier warrants that all individuals who it authorises to process Protected Data on behalf of L&P, including employees and contractors, are obliged to protect the confidentiality replacement of such Protected Data. Where the Supplier processes Protected Sub-Data Processors and obtained AT&T’s written consent prior to allowing Processing by such Sub-Data Processor; (whether stored e) notify AT&T in the form writing through its business contact of physical any communications or electronic records) on behalf of L&P it shall: process Protected requests in relation to Personal Data only to the extentreceived from Data Subjects, and in such a manner, as is necessary in order to comply with its obligations under the Agreement; implement appropriate technical and organisational measures to protect the Protected Data against unauthorised Supervisory Authorities or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure in compliance with obligations set out in Data Protection Legislation, including, where appropriate: the pseudonymisation and encryption of Protected Data; ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services; restoring the availability and access to Protected Data in the event of a physical or technical incident; and regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring security of the processing; in furtherance of its obligations in paragraph 2.5.2, implement and maintain as a minimum the security measures set out in the Data Processing Particulars; if so requested by L&P, within a reasonable timeframe supply details of the technical and organisational measures in place to safeguard the Protected Data, and otherwise make available to L&P all information necessary to demonstrate compliance with the obligations set out in clause 14, this Schedule 5, the Data Processing Particulars and the Data Protection Legislation; and on reasonable prior notice, permit persons authorised by L&P to enter any premises on which Protected Data is processed on behalf of L&P and to inspect the Supplier’s systems to ensure that sufficient security measures are in place. L&P acknowledges that the Supplier may rely on Subprocessors for its processing of Protected Data, or certain aspects other third parties without undue delay following receipt of such processingcommunications or requests. On entering into this Data Processing Agreement, L&P hereby approves the use by Supplier of those Subprocessors set out in the Data Processing Particulars Data Security Breach. Without prejudice to paragraph 3.1 above, the Supplier shall not transfer or disclose any Protected Data to any party or sub-contract any processing function without verifying that the Subprocessor provides sufficient guarantees to protect the Protected Data. The Supplier shall provide reasonable prior written notice such notices via e-mail to L&P where its business contact with a copy to xxxxxxxxxxxxx@xxx.xxx with the Supplier wishes to engage a Subprocessor subject line stating “URGENT—Personal Data Related.” (in addition to an Approved Subprocessorf) to process taking into account the Protected Data and shall provide, upon L&P’s request, the identity and location nature of the Subprocessor and a description of the processing to be subcontracted or outsourced to such Subprocessor. Having received notice of the Supplier’s intention Processing activities, assist AT&T at AT&T’s reasonable request to engage a Subprocessor to process enable the Protected Data pursuant to paragraph 3.3 above, if L&P reasonably believes that such Subprocessor presents an unreasonable risk to L&P or prevents (or may prevent) L&P from complying with Data Protection Legislation, L&P may, within thirty (30) days of receiving such notice from the Supplier: notify the Supplier that it objects to the Subprocessor and ask the Supplier to provide an alternative third party contractor which the Supplier shall in good faith seek to achieve; and/ or on no less than thirty (30) days written notice to the Supplier, terminate the Agreement and receive a pro rata refund of any unused Charges paid in advance for the remainder of the duration of the Agreement. If L&P does not object to the use of a Subprocessor notified to L&P by the Supplier within thirty (30) days of L&P receiving such notice from the Supplier, the Supplier may proceed to engage the Subprocessor and then shall enter into a written contract with the Subprocessor which (i) contains Data Controller to fulfill its obligations that are at least as protective of Protected to respond to requests by Data as those contained Subjects in this Schedule 5relation to their rights under Data Privacy Laws, and (ii) permits both L&P Data Controller (and the Supplier if different, AT&T) to enforce those obligations, (iii) is governed fulfill its obligations to respond to requests by English law, Supervisory Authorities and (iv) automatically terminates upon termination of this Agreement. For the avoidance of doubt, the Supplier remains fully liable to L&P for the performance of the obligations of any Subprocessor (including Approved Subprocessors).other third parties;