Common use of Supplier’s Obligations Clause in Contracts

Supplier’s Obligations. (1) Except where expressly permitted by Article 28 (3)(a) of the GDPR, Supplier shall process data subjects’ Data only within the scope of the statement of work and the instructions issued by Com- pany. Where Supplier believes that an instruction would be in breach of applicable law, Supplier shall notify Company of such belief without undue delay. Supplier shall be entitled to suspending performance on such instruction until Company confirms or modifies such instruction. (2) Supplier shall, within Supplier’s scope of responsibility, organise supplier’s internal organization, so it satisfies the specific requirements of data protection. Supplier shall implement technical and organizational measures to ensure the adequate protection of Company’s Data, which measures shall fulfill the requirements of the GDPR and specifically its Article 32. Supplier shall implement technical and organizational measures and safeguards that ensure ongoing confidentiality, integ- rity, availability, and resilience of processing systems and services. The company is familiar with these technical and organizational measures, and it shall be Company’s responsibility that such measures ensure a level of security appropriate to the risk. (3) Supplier reserves the right to modify the measures and safeguards implemented, provided, xxxx- ver, that the level of security shall not be less protective than initially agreed upon. (4) Supplier shall support Company, insofar as is agreed upon by the parties, and where possible for Supplier, in fulfilling data subjects’ requests and claims, as detailed in chapter III of the GDPR and in fulfilling the obligations enumerated in Articles 33 to 36 of the GDPR. (Note: The parties are free to agree upon remuneration for such support in the agreement.) (5) Supplier warrants that all employees involved in Contract Processing of Company’s Data and other such persons as may be involved in Contract Processing within Supplier’s scope of responsibi- lity shall be prohibited from processing Data outside the scope of the instructions. Furthermore, Supplier warrants that any person entitled to process Data on behalf of Controller has undertaken a commitment to secrecy or is subject to an appropriate statutory obligation to secrecy. All such secrecy obligations shall survive the termination or expiration of such Contract Processing. (6) Supplier shall notify Company, without undue delay, if Supplier becomes aware of breaches of the protection of personal data within Supplier’s scope of responsibility. Supplier shall implement the measures necessary for securing Data and for mitigating potential negative consequences for the data subject; the Supplier shall coordinate such efforts with Company without undue delay. (7) Supplier shall notify to Company the point of contact for any issues related to data protection ari- sing out of or in connection with the Agreement. (8) Supplier warrants that Supplier fulfills its obligations under Article 32 (1)(d) of the GDPR to imple- ment a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing. (9) Supplier shall correct or erase Data if so instructed by Company and where covered by the scope of the instructions permissible. Where an erasure, consistent with data protection requirements, or a corresponding restriction of processing is impossible, Supplier shall be based on Company’s instructions, and unless agreed upon differently in the Agreement, destroy, in compliance with data protection requirements, all carrier media, and other material or return the same to Company. (Note: The parties are free to agree upon remuneration for such support in the agreement.) In specific cases designated by Company, such Data shall be stored or handed over. The associa- xxx remuneration and protective measures shall be agreed upon separately unless already agreed upon in the Agreement. (Note: The parties are free to agree upon remuneration for such support in the agreement.) (10) Supplier shall, upon termination of Contract Processing and upon Company’s request, return all Data, carrier media and other materials to Company or delete the same. (11) Where a data subject asserts any claims against Company in accordance with Article 82 of the GDPR, Supplier shall support Company in defending against such claims, where possible. (Note: The parties are free to agree upon remuneration for such support in the agreement.)

Supplier’s Obligations. (1) Except where expressly permitted by Article 28 (3)(a) of the GDPR, Supplier shall process data subjects’ Data only within the scope of the statement of work and the instructions issued by Com- panyCompany. Where Supplier believes that an instruction would be in breach of applicable law, Supplier shall notify Company of such belief without undue delay. Supplier shall be entitled to suspending performance on such instruction until Company confirms or modifies such instruction. (2) Supplier shall, within Supplier’s scope of responsibility, organise supplier’s internal organization, organisation so it satisfies the specific requirements of data protection. Supplier shall implement technical and organizational organisational measures to ensure the adequate protection of Company’s Data, which measures shall fulfill fulfil the requirements of the GDPR and specifically its Article 32. Supplier shall implement technical and organizational organisational measures and safeguards that ensure ongoing confidentiality, integ- rityintegrity, availability, availability and resilience of processing systems and services. The company Company is familiar with these technical and organizational organisational measures, and it shall be Company’s responsibility that such measures ensure a level of security appropriate to the risk. (3) . With regard to compliance with the protective measures and safeguards agreed upon and their verified effectiveness, parties refer to the implemented appropriate technical and organisational measures as proof of the appropriate guarantees, as documented in exhibit 1 hereto. Supplier reserves the right to modify the measures and safeguards implemented, provided, xxxx- verhowever, that the level of security shall not be less protective than initially agreed upon. (43) Supplier shall support Company, insofar as is agreed upon by the parties, and where possible for Supplier, in fulfilling data subjects’ requests and claims, as detailed in chapter III of the GDPR and in fulfilling the obligations enumerated in Articles 33 to 36 of the GDPR. (Note: The parties are free to agree upon a remuneration for such support in the agreement.) (54) Supplier warrants that all employees involved in Contract Processing of Company’s Data and other such persons as may be involved in Contract Processing within Supplier’s scope of responsibi- lity responsibility shall be prohibited from processing Data outside the scope of the instructions. Furthermore, Supplier warrants that any person entitled to process Data on behalf of Controller has undertaken a commitment to secrecy or is subject to an appropriate statutory obligation to secrecy. All such secrecy obligations shall survive the termination or expiration of such Contract Processing. (65) Supplier shall notify Company, without undue delay, if Supplier becomes aware of breaches of the protection of personal data within Supplier’s scope of responsibility. Supplier shall implement the measures necessary for securing Data and for mitigating potential negative consequences for the data subject; the Supplier shall coordinate such efforts with Company without undue delay. (76) Supplier shall notify to Company the point of contact for any issues related to data protection ari- sing arising out of or in connection with the Agreement. (8) 7) Supplier warrants that Supplier fulfills its obligations under Article 32 (1)(d) of the GDPR to imple- ment implement a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational organisational measures for ensuring the security of the processing. (9) 8) Supplier shall correct or erase Data if so instructed by Company and where covered by the scope of the instructions permissible. Where an erasure, consistent with data protection requirements, or a corresponding restriction of processing is impossible, Supplier shall be shall, based on Company’s instructions, and unless agreed upon differently in the Agreement, destroy, in compliance with data protection requirements, all carrier media, media and other material or return the same to Company. (Note: The parties are free to agree upon a remuneration for such support in the agreement.) . In specific cases designated by Company, such Data shall be stored or handed over. The associa- xxx associated remuneration and protective measures shall be agreed upon separately separately, unless already agreed upon in the Agreement. (Note: The parties are free to agree upon a remuneration for such support in the agreement.) (109) Supplier shall, upon termination of Contract Processing and upon Company’s requestinstruction, return all Data, carrier media and other materials to Company or delete the same. In case of testing and discarded material no instruction shall be required. Company shall bear any extra cost caused by deviating requirements in returning or deleting data. (1110) Where a data subject asserts any claims against Company in accordance with Article 82 of the GDPR, Supplier shall support Company in defending against such claims, where possible. (Note: The parties are free to agree upon a remuneration for such support in the agreement.)

Supplier’s Obligations. (1) Except where expressly permitted Without prejudice to the generality of clause 2.1, the Supplier shall: 5.1 maintain and make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in the Data Protection Legislation and this data processing addendum and allow for and contribute to audits, including inspections, conducted by Article 28 (3)(a) the Customer or another auditor mandated by the Customer; 5.2 process the Protected Data only in accordance with written instructions given by the Customer unless the Supplier is required to process by Applicable Law. Where the Supplier is relying on Applicable Law as the basis for processing the Protected Data, the Supplier shall promptly notify the Customer of the GDPR, same before performing the processing required by Applicable Law unless such Applicable Law prohibits the Supplier shall process data subjects’ Data only within from notifying the scope Customer; 5.3 promptly inform the Customer in the event that the Supplier is of the statement opinion that the Customer instructions breach the Data Protection Legislation; 5.4 ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of work personal data and against accidental loss or destruction of, or damage to, personal data, appropriate to the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage and the instructions issued by Com- pany. Where Supplier believes nature of the personal data to be protected, having regard to the state of technological development and the cost of implementing any measures; 5.5 taking into account the nature of processing and the information available to the Supplier, provide the Customer with full co-operation and assistance in ensuring compliance with the obligations laid down in the Data Protection Legislation concerning security of processing breach notifications, impact assessments and consultations with supervisory authorities or regulators; 5.6 ensure that an instruction would be all personnel who have access to and/or process the Protected Data are obliged to keep the personal data confidential; 5.7 promptly inform the Customer of any complaints, requests or enquiries received from data subjects under the Data Protection Legislation, including but not limited to requests to access, correct, delete, block or restrict access to their personal data and co-operate with the Customer to ensure that such requests are handled in breach of applicable law, Supplier shall accordance with the Data Protection Legislation; 5.8 notify Company of such belief the Customer without undue delay. delay upon becoming aware of a personal data breach (the accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, or any other unlawful form of processing) and co-operate fully with the Customer to the extent required with regard to the notification of the data breach to the relevant supervisory authority and the communication of the data breach to the affected data subject(s); 5.9 at the Customer’s written direction, delete or return all of the Protected Data and copies thereof to the Customer on termination of the Main Agreement unless required by Applicable Law to store the personal data; 5.10 ensure that any Protected Data which may be transferred or stored outside of the EEA in order to carry out the Services and the Supplier’s other obligations under the Main Agreement are carried out in compliance with the Data Protection Legislation; and 5.11 the Supplier shall be entitled to suspending performance on engage a sub-contractor to perform any of the Services (each a “Sub-Processor”). The Supplier shall provide the Customer with reasonable prior notice of any intended changes concerning the addition or replacement of such instruction until Company confirms Sub-Processors. If, acting reasonably, the Customer decides to object to such sub-processing, then the Customer shall provide written details to the Supplier within seven (7) days of the date of the Supplier’s notification and the following shall apply: 5.11.1 the parties shall discuss the Customer’s concerns and the Supplier shall use reasonable endeavours to propose an alternative arrangement (along with any additional charges); and 5.11.2 if the parties agree an alternative arrangement, then any changes to the Services or modifies Charges (as defined in the Main Agreement) required to implement such instructionarrangement will be documented by the parties. (2) 5.12 where the Supplier shallengages a Sub-Processor, within Supplier’s scope of responsibility, organise supplier’s internal organization, so it satisfies shall comply with the specific requirements of following obligations: 5.12.1 the Supplier will enter with the Sub-Processor into a written agreement incorporating terms which are substantially similar to those set out in this data protection. Supplier shall processing addendum and which provide sufficient guarantees that the Sub- Processor will implement appropriate technical and organizational organisational measures to ensure in such a manner that the adequate protection of Company’s Data, which measures shall fulfill processing will meet the requirements of the GDPR and specifically its Article 32. Supplier shall implement technical and organizational measures and safeguards that ensure ongoing confidentiality, integ- rity, availability, and resilience of processing systems and services. The company is familiar with these technical and organizational measures, and it shall be Company’s responsibility that such measures ensure a level of security appropriate to the riskData Protection Legislation. (3) Supplier reserves 5.12.2 as between the right to modify Customer and the measures and safeguards implemented, provided, xxxx- ver, that the level of security shall not be less protective than initially agreed upon. (4) Supplier shall support Company, insofar as is agreed upon by the parties, and where possible for Supplier, in fulfilling data subjects’ requests and claims, as detailed in chapter III of the GDPR and in fulfilling the obligations enumerated in Articles 33 to 36 of the GDPR. (Note: The parties are free to agree upon remuneration for such support in the agreement.) (5) Supplier warrants that all employees involved in Contract Processing of Company’s Data and other such persons as may be involved in Contract Processing within Supplier’s scope of responsibi- lity shall be prohibited from processing Data outside the scope of the instructions. Furthermore, Supplier warrants that any person entitled to process Data on behalf of Controller has undertaken a commitment to secrecy or is subject to an appropriate statutory obligation to secrecy. All such secrecy obligations shall survive the termination or expiration of such Contract Processing. (6) Supplier shall notify Company, without undue delay, if Supplier becomes aware of breaches of the protection of personal data within Supplier’s scope of responsibility. Supplier shall implement the measures necessary for securing Data and for mitigating potential negative consequences for the data subject; the Supplier shall coordinate such efforts with Company without undue delay. (7) Supplier shall notify remain fully liable for all acts or omissions of any Sub-Processor appointed by it pursuant to Company this paragraph 5.12 as if they were the point of contact for any issues related to data protection ari- sing out of acts or in connection with the Agreement. (8) Supplier warrants that Supplier fulfills its obligations under Article 32 (1)(d) omissions of the GDPR to imple- ment a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processingSupplier. (9) Supplier shall correct or erase Data if so instructed by Company and where covered by the scope of the instructions permissible. Where an erasure, consistent with data protection requirements, or a corresponding restriction of processing is impossible, Supplier shall be based on Company’s instructions, and unless agreed upon differently in the Agreement, destroy, in compliance with data protection requirements, all carrier media, and other material or return the same to Company. (Note: The parties are free to agree upon remuneration for such support in the agreement.) In specific cases designated by Company, such Data shall be stored or handed over. The associa- xxx remuneration and protective measures shall be agreed upon separately unless already agreed upon in the Agreement. (Note: The parties are free to agree upon remuneration for such support in the agreement.) (10) Supplier shall, upon termination of Contract Processing and upon Company’s request, return all Data, carrier media and other materials to Company or delete the same. (11) Where a data subject asserts any claims against Company in accordance with Article 82 of the GDPR, Supplier shall support Company in defending against such claims, where possible. (Note: The parties are free to agree upon remuneration for such support in the agreement.)

Supplier’s Obligations. (1) 3.1. Except where expressly permitted by Article 28 (3)(a) of the GDPR, Supplier shall process data subjects’ Data only within the scope of the statement of work Agreement and the instructions issued by Com- panyCompany. Where Supplier believes that an instruction would be in breach of applicable law, Supplier shall notify Company of such belief without undue delay. Supplier shall be entitled to suspending performance on such instruction until Company confirms or modifies such instruction. (2) 3.2. Supplier shall, within Supplier’s scope of responsibility, organise organize supplier’s internal organization, organization so it satisfies the specific requirements of data protection. Supplier shall shall, in particular, implement technical and organizational measures to ensure the adequate protection of Company’s Data, which measures shall fulfill fulfil the requirements of the GDPR and specifically its Article 32. Supplier shall implement technical and organizational measures and safeguards that ensure ongoing confidentiality, integ- rityintegrity, availability, availability and resilience of processing systems and services. The company Company is familiar with these technical and organizational measures, and it shall be Company’s responsibility that such measures ensure a level of security appropriate to the risk. (3) . Supplier reserves the right to modify the measures and safeguards implemented, provided, xxxx- verhowever, that the level of security shall not be less protective than initially agreed upon. (4) 3.3. Supplier shall support Company, insofar as is agreed upon by the parties, and where reasonably possible for Supplier, in fulfilling data subjects’ requests and claims, as detailed in chapter III of the GDPR and in fulfilling the obligations enumerated in Articles 33 to 36 of the GDPR. 3.4. (Note: The parties are free to agree upon remuneration for such support in the agreement.) (5) Supplier warrants that all employees involved in Contract Data Processing of Company’s Data and other such persons as may be involved in Contract Data Processing within Supplier’s scope of responsibi- lity responsibility shall be prohibited from processing Data outside the scope of the instructions. Furthermore, Supplier warrants that any person entitled to process Data on behalf of Controller has undertaken a commitment to secrecy or is subject to an appropriate statutory obligation to secrecy. All such secrecy obligations shall survive the termination or expiration of such Contract Data Processing. (6) 3.5. Supplier shall notify Company, without undue delay, if Supplier becomes aware of breaches of the protection of personal data within Supplier’s scope of responsibility. Supplier shall implement the measures necessary for securing Data and for mitigating potential negative consequences for the data subject; the Supplier shall coordinate such efforts with Company without undue delay. (7) 3.6. Supplier shall notify to Company the point of contact for any issues related to data protection ari- sing arising out of or in connection with the Agreement. (8) 3.7. Supplier warrants that Supplier fulfills fulfils its obligations under Article 32 (1)(d) of the GDPR to imple- ment implement a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing. (9) 3.8. Supplier shall correct or erase Data if so instructed by Company and where covered by the scope of the instructions permissible. Where an erasure, consistent with data protection requirements, or a corresponding restriction of processing is impossible, Supplier shall be shall, based on Company’s instructions, and unless agreed upon differently in the Agreement, destroy, in compliance with data protection requirements, all carrier media, media and other material or return the same to Company. (Note: The parties are free to agree upon remuneration for such support in the agreement.) In specific cases designated by Company, such Data shall be stored or handed over. The associa- xxx associated remuneration and protective measures shall be agreed upon separately separately, unless already agreed upon in the Agreement. 3.9. (Note: The parties are free to agree upon remuneration for such support in the agreement.) (10) Supplier shall, upon termination of Contract Data Processing and upon Company’s requestfurther instruction, return all Data, carrier media and other materials to Company or delete the same. In case of testing and discarded material no instruction shall be required. Company shall bear any extra cost caused by deviating requirements in returning or deleting data. (11) 3.10. Where a data subject asserts any claims against Company in accordance with Article 82 of the GDPR, Supplier shall support Company in defending against such claims, where possible. (Note: The parties are free to agree upon remuneration , and be reasonably compensated for such support in the agreementefforts.)

Supplier’s Obligations. (1) Except where expressly permitted by Article 28 (3)(a) of the GDPR, Supplier shall process data subjects’ Data only within the scope of the statement of work and the instructions issued by Com- panyCompany. Where Supplier believes that an instruction would be in breach of applicable law, Supplier shall notify Company of such belief without undue delay. Supplier shall be entitled to suspending performance on such instruction until Company confirms or modifies such instruction. (2) Supplier shall, within Supplier’s scope of responsibility, organise supplier’s internal organization, organisation so it satisfies the specific requirements of data protection. Supplier shall implement technical and organizational organisational measures to ensure the adequate protection of Company’s Data, which measures shall fulfill fulfil the requirements of the GDPR and specifically its Article 32. Supplier shall implement technical and organizational organisational measures and safeguards that ensure ongoing confidentiality, integ- rityintegrity, availability, availability and resilience of processing systems and services. The company Company is familiar with these technical and organizational organisational measures, and it shall be Company’s responsibility that such measures ensure a level of security appropriate to the risk. (3) . With regard to compliance with the protective measures and safeguards agreed upon and their verified effectiveness, parties refer to the implemented appropriate technical and organisational measures as proof of the appropriate guarantees, as documented in exhibit 1 hereto. Supplier reserves the right to modify the measures and safeguards implemented, provided, xxxx- verhowever, that the level of security shall not be less protective than initially agreed upon. (43) Supplier shall support Company, insofar as is agreed upon by the parties, and where possible for Supplier, in fulfilling data subjects’ requests and claims, as detailed in chapter III of the GDPR and in fulfilling the obligations enumerated in Articles 33 to 36 of the GDPR. (Note: The parties are free to agree upon a remuneration for such support in the agreement.) (54) Supplier warrants that all employees involved in Contract Processing of Company’s Data and other such persons as may be involved in Contract Processing within Supplier’s scope of responsibi- lity responsibility shall be prohibited from processing Data outside the scope of the instructions. Furthermore, Supplier warrants that any person entitled to process Data on behalf of Controller has undertaken a commitment to secrecy or is subject to an appropriate statutory obligation to secrecy. All such secrecy obligations shall survive the termination or expiration of such Contract Processing. (65) Supplier shall notify Company, without undue delay, if Supplier becomes aware of breaches of the protection of personal data within Supplier’s scope of responsibility. Supplier shall implement the measures necessary for securing Data and for mitigating potential negative consequences for the data subject; the Supplier shall coordinate such efforts efforts with Company without undue delay. (76) Supplier shall notify to Company the point of contact for any issues related to data protection ari- sing arising out of or in connection with the Agreement. (8) 7) Supplier warrants that Supplier fulfills its obligations under Article 32 (1)(d) of the GDPR to imple- ment implement a process for regularly testing, assessing and evaluating the effectiveness effectiveness of technical and organizational organisational measures for ensuring the security of the processing. (9) 8) Supplier shall correct or erase Data if so instructed by Company and where covered by the scope of the instructions permissible. Where an erasure, consistent with data protection requirements, or a corresponding restriction of processing is impossible, Supplier shall be shall, based on Company’s instructions, and unless agreed upon differently differently in the Agreement, destroy, in compliance with data protection requirements, all carrier media, media and other material or return the same to Company. (Note: The parties are free to agree upon a remuneration for such support in the agreement.) . In specific cases designated by Company, such Data shall be stored or handed over. The associa- xxx associated remuneration and protective measures shall be agreed upon separately separately, unless already agreed upon in the Agreement. (Note: The parties are free to agree upon a remuneration for such support in the agreement.) (109) Supplier shall, upon termination of Contract Processing and upon Company’s requestinstruction, return all Data, carrier media and other materials to Company or delete the same. In case of testing and discarded material no instruction shall be required. Company shall bear any extra cost caused by deviating requirements in returning or deleting data. (1110) Where a data subject asserts any claims against Company in accordance with Article 82 of the GDPR, Supplier shall support Company in defending against such claims, where possible. (Note: The parties are free to agree upon a remuneration for such support in the agreement.)

Supplier’s Obligations. (1) Except where expressly 3.1 Supplier shall Process VWGoA Data and access VWGoA Systems solely for the purpose of providing the Services in accordance with the Agreement and upon VWGoA’s written instructions, and not for any other purpose. Supplier shall not retain, use, or disclose the Personal Information for any purpose other than for the specific purpose of performing the Services specified in the Agreement or as otherwise permitted by Article 28 (3)(a) law, including retaining, using, or disclosing the Personal Information for a commercial purpose other than performing the Services. Without limiting the generality of the GDPRforegoing, Supplier agrees it shall not: (i) Sell or Share the Personal Information; (ii) retain, use, or disclose the Personal Information for any purpose other than for the specific purpose of performing the Services in accordance with the Agreement, including retaining, using, or disclosing the Personal Information for a commercial purpose other than providing Services specified in the Agreement; (iii) retain, use, or disclose the Personal Information outside of the direct business relationship between Supplier and VWGoA, or (iv) combine VWGoA Data, including Personal Information, with Personal Information it receives from another source except to perform business purposes permitted by Applicable Law. Supplier hereby certifies that it understands the restrictions set forth in this Section and will comply with them. 3.2 Supplier shall maintain records of Processing activities carried out pursuant to this DPSA, containing all relevant details required by Applicable Law, but at a minimum, the following: • the name and contact details of the Supplier and any other subcontractors and, where applicable, of the VWGoA’ or Supplier’s representative; • the categories of Processing carried out on behalf of VWGoA; • where applicable, information on cross-border transfers, including transfers of Personal Information to a third country or an international organization, including the identification of that third country or international organization and, in the case of transfers outside of the legally specified transfer mechanisms, the documentation of suitable safeguards for the Personal Information; • where possible, a general description of the technical and organizational security measures. • Supplier agrees to make such records available upon request to VWGoA and any relevant government authority. 3.3 Supplier shall provide information about Supplier and its Processing of VWGoA Data as reasonably requested by VWGoA for the purpose of assisting VWGoA in complying with its obligations under Applicable Law or contracts, including the exercise of Data Subject Rights (as defined in section 3.5 below) and Security Breach notification obligations as well as investigations. 3.4 Supplier shall immediately notify VWGoA of any requests, inquiries or complaints received about the Processing of Personal Information from third parties, including regulators, authorities, data subjects and law enforcement authorities. Supplier shall not respond to any such requests, inquiries or complaints except on the documented instructions of VWGoA or as required by Applicable Law and in all cases subject to the obligations in Section 3.6. 3.5 If VWGoA responds or allows the response to a request, inquiry or complaint (whether received through Supplier or by VWGoA directly), Supplier shall process provide VWGoA with reasonable cooperation and assistance in responding to any such request, inquiry or complaint in a manner that allows VWGoA to meet the legal timelines for response, including requests by data subjects’ subjects to access, amend, transfer, opt out of Sale or Sharing, delete or exercise other data subject rights around Personal Information (collectively, “Data only within the scope of the statement of work and the instructions issued by Com- pany. Where Supplier believes that an instruction would be in breach of applicable law, Supplier shall notify Company of such belief without undue delay. Supplier shall be entitled to suspending performance on such instruction until Company confirms or modifies such instructionSubject Rights”). (2) 3.6 If disclosure of VWGoA Data is required by Applicable Law or a compulsory legal process, Supplier shall, within Supplier’s scope of responsibility, organise supplier’s internal organization, so it satisfies the specific requirements of data protection. Supplier shall implement technical and organizational measures unless prohibited by Applicable Law or compulsory legal process: (i) notify VWGoA promptly in writing before complying with any such disclosure request in order to ensure the adequate protection of Company’s Data, which measures shall fulfill the requirements of the GDPR and specifically its Article 32. Supplier shall implement technical and organizational measures and safeguards that ensure ongoing confidentiality, integ- rity, availability, and resilience of processing systems and services. The company is familiar with these technical and organizational measures, and it shall be Company’s responsibility that such measures ensure a level of security appropriate provide VWGoA an opportunity to the risk. (3) Supplier reserves the right to modify the measures and safeguards implemented, provided, xxxx- ver, that the level of security shall not be less protective than initially agreed upon. (4) Supplier shall support Company, insofar as is agreed upon by the parties, and where possible for Supplier, in fulfilling data subjects’ requests and claims, as detailed in chapter III of the GDPR and in fulfilling the obligations enumerated in Articles 33 to 36 of the GDPR. (Note: The parties are free to agree upon remuneration for such support in the agreement.) (5) Supplier warrants that all employees involved in Contract Processing of Company’s Data and other such persons as may be involved in Contract Processing within Supplier’s scope of responsibi- lity shall be prohibited from processing Data outside the scope of the instructions. Furthermore, Supplier warrants that any person entitled to process Data on behalf of Controller has undertaken a commitment to secrecy or is subject to an appropriate statutory obligation to secrecy. All such secrecy obligations shall survive the termination or expiration of such Contract Processing. (6) Supplier shall notify Company, without undue delayintervene, if Supplier becomes aware appropriate; and (ii) disclose the minimum amount of breaches of the protection of personal data within Supplier’s scope of responsibility. Supplier shall implement the measures VWGoA Data necessary for securing Data and for mitigating potential negative consequences for the data subject; the Supplier shall coordinate such efforts to comply with Company without undue delay. (7) Supplier shall notify to Company the point of contact for any issues related to data protection ari- sing out of or in connection with the Agreement. (8) Supplier warrants that Supplier fulfills its obligations under Article 32 (1)(d) of the GDPR to imple- ment a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing. (9) Supplier shall correct or erase Data if so instructed by Company and where covered by the scope of the instructions permissible. Where an erasure, consistent with data protection requirements, Applicable Law or a corresponding restriction of processing is impossible, Supplier shall be based on Company’s instructions, and unless agreed upon differently in the Agreement, destroy, in compliance with data protection requirements, all carrier media, and other material or return the same to Company. (Note: The parties are free to agree upon remuneration for such support in the agreementcompulsory legal process.) In specific cases designated by Company, such Data shall be stored or handed over. The associa- xxx remuneration and protective measures shall be agreed upon separately unless already agreed upon in the Agreement. (Note: The parties are free to agree upon remuneration for such support in the agreement.) (10) Supplier shall, upon termination of Contract Processing and upon Company’s request, return all Data, carrier media and other materials to Company or delete the same. (11) Where a data subject asserts any claims against Company in accordance with Article 82 of the GDPR, Supplier shall support Company in defending against such claims, where possible. (Note: The parties are free to agree upon remuneration for such support in the agreement.)

Supplier’s Obligations. The Supplier will adhere to all rules and regulations as set and agreed by the End- User in particular those relating to health and safety. The End-User reserve the right to refuse the Supplier and/or any of the Suppliers personnel entry into its own Premises should these rules be breached. The Supplier may obtain or provide extra resources (1) Except where expressly permitted by Article 28 (3)(awhether in the form of equipment or personnel) of the GDPRrequisite standard in order to ensure that the Specified Service is completed in accordance with the Schedule, if, in the Supplier’s sole discretion, this is appropriate in order to comply with any agreed timetables or targets set out in the Schedule. The Supplier shall process data subjects’ Data only within the scope not be obliged to dedicate any particular members of the statement Supplier’s personnel to the performance of work the Specified Services and the instructions issued by Com- pany. Where Supplier believes that an instruction would be in breach of applicable law, Supplier shall notify Company of such belief without undue delay. Supplier shall be entitled to suspending performance on utilise such instruction until Company confirms or modifies such instruction. (2) Supplier shall, within Supplier’s scope of responsibility, organise supplier’s internal organization, so it satisfies individuals as the specific requirements of data protection. Supplier shall implement technical and organizational measures to ensure Suppliers considers suitable for the adequate protection of Company’s Data, which measures shall fulfill the requirements delivery of the GDPR services provided that such personnel have the requisite knowledge and specifically its Article 32experience to perform the Specified Services in accordance with this Agreement and the Schedule. Where the Supplier shall implement technical changes the personnel involved in the delivery or performance of a Specified Service, the other terms and organizational measures and safeguards that ensure ongoing confidentiality, integ- rity, availabilityconditions of this Agreement, and resilience of processing systems in particular (but not limited to) the Specified Sum and services. The company is familiar with these technical and organizational measures, and it shall be Company’s responsibility that such measures ensure a level of security appropriate to the risk. (3) Supplier reserves the right to modify the measures and safeguards implemented, provided, xxxx- ver, that the level of security shall not be less protective than initially agreed upon. (4) Supplier shall support Company, insofar as is agreed upon by the parties, and where possible for Supplier, in fulfilling data subjects’ requests and claims, as detailed in chapter III timetable of the GDPR and project, will remain unchanged, unless otherwise agreed by both parties in fulfilling writing. For the obligations enumerated in Articles 33 to 36 avoidance of the GDPR. (Note: The parties are free to agree upon remuneration for such support in the agreement.) (5) Supplier warrants that all employees involved in Contract Processing of Company’s Data and other such persons as may be involved in Contract Processing within Supplier’s scope of responsibi- lity shall be prohibited from processing Data outside the scope of the instructions. Furthermoredoubt, Supplier warrants that any person entitled to process Data on behalf of Controller has undertaken a commitment to secrecy or is subject to an appropriate statutory obligation to secrecy. All such secrecy obligations shall survive the termination or expiration of such Contract Processing. (6) Supplier shall notify Company, without undue delay, if Supplier becomes aware of breaches of the protection of personal data within Supplier’s scope of responsibility. Supplier shall implement the measures necessary for securing Data and for mitigating potential negative consequences for the data subject; the Supplier shall coordinate such efforts with Company without undue delay. (7be responsible for the payments and expenses of the substitute personnel. The Supplier warrants to the Client that no documents or other material and data or other information and devices or processes will be provided by the Supplier for use in the provision of the Specified Service(s) which infringe any third party intellectual property rights The Supplier shall notify to Company ensure that it has valid and adequate Professional Indemnity Insurance, Public Liability and Employer’s Liability Insurance in force throughout the point duration of contact for any issues related to data protection ari- sing out this Agreement with a minimum level of or in connection with the Agreementcover of £2,000,000. (8) Supplier warrants that Supplier fulfills its obligations under Article 32 (1)(d) of the GDPR to imple- ment a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing. (9) Supplier shall correct or erase Data if so instructed by Company and where covered by the scope of the instructions permissible. Where an erasure, consistent with data protection requirements, or a corresponding restriction of processing is impossible, Supplier shall be based on Company’s instructions, and unless agreed upon differently in the Agreement, destroy, in compliance with data protection requirements, all carrier media, and other material or return the same to Company. (Note: The parties are free to agree upon remuneration for such support in the agreement.) In specific cases designated by Company, such Data shall be stored or handed over. The associa- xxx remuneration and protective measures shall be agreed upon separately unless already agreed upon in the Agreement. (Note: The parties are free to agree upon remuneration for such support in the agreement.) (10) Supplier shall, upon termination of Contract Processing and upon Company’s request, return all Data, carrier media and other materials to Company or delete the same. (11) Where a data subject asserts any claims against Company in accordance with Article 82 of the GDPR, Supplier shall support Company in defending against such claims, where possible. (Note: The parties are free to agree upon remuneration for such support in the agreement.)

Supplier’s Obligations. (1) Except where expressly permitted The Supplier acknowledges and agrees that it will receive and process certain Personal Data in order and for as long as is necessary to provide the Services and to perform its obligations under this Contract. The Supplier acknowledges and agrees that it will: ensure that its internal operating systems only permit properly authorised staff to access Personal Data; designate a data protection officer if required by Article 28 (3)(a) the Data Protection Legislation; provide appropriate training to its staff with respect to: the correct handling of Personal Data so as to minimise the GDPR, Supplier shall process data subjects’ Data only within the scope risk of the statement of work security breaches; and the instructions issued by Com- pany. Where Supplier believes that an instruction would be in breach of applicable law, Supplier shall notify Company of such belief without undue delay. Supplier shall be entitled to suspending performance on such instruction until Company confirms or modifies such instruction. (2) Supplier shall, within Supplier’s scope of responsibility, organise supplier’s internal organization, so it satisfies the specific requirements of data protection. Supplier shall implement technical and organizational measures to ensure the adequate protection of Company’s Data, which measures shall fulfill the requirements of the GDPR and specifically its Article 32. Supplier shall implement technical and organizational measures and safeguards that ensure ongoing confidentiality, integ- rity, availability, and resilience of processing systems and services. The company is familiar applicable Data Protection Legislation; only process Personal Data in accordance with these technical and organizational measures, and it shall be Companythe Authority’s responsibility that such measures ensure a level of security appropriate written instructions including unless required to the risk. (3) Supplier reserves the right to modify the measures and safeguards implemented, provided, xxxx- ver, that the level of security shall not be less protective process Personal Data other than initially agreed upon. (4) Supplier shall support Company, insofar as is agreed upon instructed by the parties, and where possible for SupplierEuropean Union or Member State law, in fulfilling data subjects’ requests and claims, as detailed in chapter III of the GDPR and in fulfilling the obligations enumerated in Articles 33 to 36 of the GDPR. (Note: The parties are free to agree upon remuneration for such support in the agreement.) (5) Supplier warrants that all employees involved in Contract Processing of Company’s Data and other such persons as may be involved in Contract Processing within Supplier’s scope of responsibi- lity shall be prohibited from processing Data outside the scope of the instructions. Furthermore, Supplier warrants that any person entitled to process Data on behalf of Controller has undertaken a commitment to secrecy or is subject to an appropriate statutory obligation to secrecy. All such secrecy obligations shall survive the termination or expiration of such Contract Processing. (6) Supplier shall notify Company, without undue delay, if Supplier becomes aware of breaches of the protection of personal data within Supplier’s scope of responsibility. Supplier shall implement the measures necessary for securing Data and for mitigating potential negative consequences for the data subject; which case the Supplier shall coordinate inform the Authority in accordance with clause 13.14, except where prohibited by such efforts law from doing so and shall in any event, cease the processing pending receipt of further instructions from the Authority in relation to the processing; take such reasonable steps to ensure the reliability and integrity of its employees, agents, contractors etc. who have access to the Personal Data to ensure that they: are aware of and comply with Company without undue delay. (7) the Supplier’s duties under this clause; are subject to appropriate confidentiality undertakings with the Supplier shall notify or any sub-processor; are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to Company any third party unless directed in writing to do so by the point Authority or as otherwise permitted by this Contract; and have undergone adequate training in the use, care, protection and handling of contact for Personal Data as described above in clause 13.8.3. only use, reproduce or otherwise process any issues related to data protection ari- sing out of or Personal Data collected in connection with this Contract to the Agreement. (8) Supplier warrants that Supplier fulfills its obligations under Article 32 (1)(d) extent necessary; not modify, amend or alter the contents of the GDPR to imple- ment a Personal Data, except as directed by the Authority; not, without the Authority’s written approval, process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security any Personal Data on any of the processing. Supplier’s systems on which data (9including any Personal Data) Supplier shall correct or erase Data if so instructed by Company and where covered by the scope is processed for any person outside of the instructions permissible. Where an erasure, consistent with data protection requirements, or a corresponding restriction of processing is impossible, Supplier shall be based on CompanyAuthority; and ensure that only those staff who have been authorised to use the Supplier’s instructions, and unless agreed upon differently in systems have access to the Agreement, destroy, in compliance with data protection requirements, all carrier media, and other material or return the same to Company. (Note: The parties are free to agree upon remuneration for such support in the agreementsystems.) In specific cases designated by Company, such Data shall be stored or handed over. The associa- xxx remuneration and protective measures shall be agreed upon separately unless already agreed upon in the Agreement. (Note: The parties are free to agree upon remuneration for such support in the agreement.) (10) Supplier shall, upon termination of Contract Processing and upon Company’s request, return all Data, carrier media and other materials to Company or delete the same. (11) Where a data subject asserts any claims against Company in accordance with Article 82 of the GDPR, Supplier shall support Company in defending against such claims, where possible. (Note: The parties are free to agree upon remuneration for such support in the agreement.)

Supplier’s Obligations. (1) Except where expressly 3.1 Supplier shall Process VWGoA Data and access VWGoA Systems solely for the purpose of providing the Services in accordance with the Agreement and upon VWGoA’s written instructions, and not for any other purpose. Supplier shall not retain, use, or disclose the Personal Information for any purpose other than for the specific purpose of performing the Services specified in the Agreement or as otherwise permitted by Article 28 (3)(a) law, including retaining, using, or disclosing the Personal Information for a commercial purpose other than performing the Services. Without limiting the generality of the GDPRforegoing, Supplier agrees it shall not: (i) Sell or Share the Personal Information; (ii) retain, use, or disclose the Personal Information for any purpose other than for the specific purpose of performing the Services in accordance with the Agreement, including retaining, using, or disclosing the Personal Information for a commercial purpose other than providing Services specified in the Agreement; (iii) retain, use, or disclose the Personal Information outside of the direct business relationship between Supplier and VWGoA, or (iv) combine VWGoA Data, including Personal Information, with Personal Information it receives from another source except to perform business purposes permitted by Applicable Law. Supplier hereby certifies that it understands the restrictions set forth in this Section and will comply with them. 3.2 Supplier shall maintain records of Processing activities carried out pursuant to this DPSA, containing all relevant details required by Applicable Law, but at a minimum, the following: • the name and contact details of the Supplier and any other subcontractors and, where applicable, of the VWGoA’ or Supplier’s representative; • the categories of Processing carried out on behalf of VWGoA; • where applicable, information on cross-border transfers, including transfers of Personal Information to a third country or an international organization, including the identification of that third country or international organization and, in the case of transfers outside of the legally specified transfer mechanisms, the documentation of suitable safeguards for the Personal Information; • where possible, a general description of the technical and organizational security measures. • Supplier agrees to make such records available upon request to VWGoA and any relevant government authority. 3.3 Supplier shall provide information about Supplier and its Processing of VWGoA Data as reasonably requested by VWGoA for the purpose of assisting VWGoA in complying with its obligations under Applicable Law or contracts, including the exercise of Data Subject Rights (as defined in section 3.5 below) and Security Breach notification obligations as well as investigations. Supplier also shall provide VWGoA with reasonable assistance in complying with its obligations under Applicable Laws, including without limitation conducting data protection, privacy, or security risk assessments and consultations with VWGoA’s supervisory or regulatory authorities. 3.4 Supplier shall immediately notify VWGoA of any requests, inquiries or complaints received about the Processing of Personal Information from third parties, including regulators, authorities, data subjects and law enforcement authorities. Supplier shall not respond to any such requests, inquiries or complaints except on the documented instructions of VWGoA or as required by Applicable Law and in all cases subject to the obligations in Section 3.6. 3.5 If VWGoA responds or allows the response to a request, inquiry or complaint (whether received through Supplier or by VWGoA directly), Supplier shall process provide VWGoA with reasonable cooperation and assistance in responding to any such request, inquiry or complaint in a manner that allows VWGoA to meet the legal timelines for response, including requests by data subjectssubjects to access, amend, transfer, opt out of Sale or Sharing, delete or exercise other data subject rights around Personal Information (collectively, “Data Subject Rights”). In the event that VWGoA requests that Supplier delete Personal Information in connection with a Data Subject Rights’ Data only within the scope of the statement of work and the instructions issued by Com- pany. Where Supplier believes that an instruction would be in breach of applicable lawrequest, Supplier shall notify Company of its own subcontractors to delete such belief without undue delay. Supplier shall be entitled to suspending performance on Personal Information about the data subject, which is collected, used, Processed or retained by such instruction until Company confirms or modifies such instructionsubcontractor. (2) 3.6 If disclosure of VWGoA Data is required by Applicable Law or a compulsory legal process, Supplier shall, within Supplier’s scope of responsibility, organise supplier’s internal organization, so it satisfies the specific requirements of data protection. Supplier shall implement technical and organizational measures unless prohibited by Applicable Law or compulsory legal process: (i) notify VWGoA promptly in writing before complying with any such disclosure request in order to ensure the adequate protection of Company’s Data, which measures shall fulfill the requirements of the GDPR and specifically its Article 32. Supplier shall implement technical and organizational measures and safeguards that ensure ongoing confidentiality, integ- rity, availability, and resilience of processing systems and services. The company is familiar with these technical and organizational measures, and it shall be Company’s responsibility that such measures ensure a level of security appropriate provide VWGoA an opportunity to the risk. (3) Supplier reserves the right to modify the measures and safeguards implemented, provided, xxxx- ver, that the level of security shall not be less protective than initially agreed upon. (4) Supplier shall support Company, insofar as is agreed upon by the parties, and where possible for Supplier, in fulfilling data subjects’ requests and claims, as detailed in chapter III of the GDPR and in fulfilling the obligations enumerated in Articles 33 to 36 of the GDPR. (Note: The parties are free to agree upon remuneration for such support in the agreement.) (5) Supplier warrants that all employees involved in Contract Processing of Company’s Data and other such persons as may be involved in Contract Processing within Supplier’s scope of responsibi- lity shall be prohibited from processing Data outside the scope of the instructions. Furthermore, Supplier warrants that any person entitled to process Data on behalf of Controller has undertaken a commitment to secrecy or is subject to an appropriate statutory obligation to secrecy. All such secrecy obligations shall survive the termination or expiration of such Contract Processing. (6) Supplier shall notify Company, without undue delayintervene, if Supplier becomes aware appropriate; and (ii) disclose the minimum amount of breaches of the protection of personal data within Supplier’s scope of responsibility. Supplier shall implement the measures VWGoA Data necessary for securing Data and for mitigating potential negative consequences for the data subject; the Supplier shall coordinate such efforts to comply with Company without undue delay. (7) Supplier shall notify to Company the point of contact for any issues related to data protection ari- sing out of or in connection with the Agreement. (8) Supplier warrants that Supplier fulfills its obligations under Article 32 (1)(d) of the GDPR to imple- ment a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing. (9) Supplier shall correct or erase Data if so instructed by Company and where covered by the scope of the instructions permissible. Where an erasure, consistent with data protection requirements, Applicable Law or a corresponding restriction of processing is impossible, Supplier shall be based on Company’s instructions, and unless agreed upon differently in the Agreement, destroy, in compliance with data protection requirements, all carrier media, and other material or return the same to Company. (Note: The parties are free to agree upon remuneration for such support in the agreementcompulsory legal process.) In specific cases designated by Company, such Data shall be stored or handed over. The associa- xxx remuneration and protective measures shall be agreed upon separately unless already agreed upon in the Agreement. (Note: The parties are free to agree upon remuneration for such support in the agreement.) (10) Supplier shall, upon termination of Contract Processing and upon Company’s request, return all Data, carrier media and other materials to Company or delete the same. (11) Where a data subject asserts any claims against Company in accordance with Article 82 of the GDPR, Supplier shall support Company in defending against such claims, where possible. (Note: The parties are free to agree upon remuneration for such support in the agreement.)

Supplier’s Obligations. (1) Except where expressly permitted The Supplier acknowledges and agrees that it will receive and process certain Personal Data in order and for as long as is necessary to provide the Goods and to perform its obligations under this Contract. The Supplier acknowledges and agrees that it will: ensure that its internal operating systems only permit properly authorised staff to access Personal Data; designate a data protection officer if required by Article 28 (3)(a) the Data Protection Legislation; provide appropriate training to its staff with respect to: the correct handling of Personal Data so as to minimise the GDPR, Supplier shall process data subjects’ Data only within the scope risk of the statement of work security breaches; and the instructions issued by Com- pany. Where Supplier believes that an instruction would be in breach of applicable law, Supplier shall notify Company of such belief without undue delay. Supplier shall be entitled to suspending performance on such instruction until Company confirms or modifies such instruction. (2) Supplier shall, within Supplier’s scope of responsibility, organise supplier’s internal organization, so it satisfies the specific requirements of data protection. Supplier shall implement technical and organizational measures to ensure the adequate protection of Company’s Data, which measures shall fulfill the requirements of the GDPR and specifically its Article 32. Supplier shall implement technical and organizational measures and safeguards that ensure ongoing confidentiality, integ- rity, availability, and resilience of processing systems and services. The company is familiar applicable Data Protection Legislation; only process Personal Data in accordance with these technical and organizational measures, and it shall be Companythe Authority’s responsibility that such measures ensure a level of security appropriate written instructions including unless required to the risk. (3) Supplier reserves the right to modify the measures and safeguards implemented, provided, xxxx- ver, that the level of security shall not be less protective process Personal Data other than initially agreed upon. (4) Supplier shall support Company, insofar as is agreed upon instructed by the parties, and where possible for SupplierEuropean Union or Member State law, in fulfilling data subjects’ requests and claims, as detailed in chapter III of the GDPR and in fulfilling the obligations enumerated in Articles 33 to 36 of the GDPR. (Note: The parties are free to agree upon remuneration for such support in the agreement.) (5) Supplier warrants that all employees involved in Contract Processing of Company’s Data and other such persons as may be involved in Contract Processing within Supplier’s scope of responsibi- lity shall be prohibited from processing Data outside the scope of the instructions. Furthermore, Supplier warrants that any person entitled to process Data on behalf of Controller has undertaken a commitment to secrecy or is subject to an appropriate statutory obligation to secrecy. All such secrecy obligations shall survive the termination or expiration of such Contract Processing. (6) Supplier shall notify Company, without undue delay, if Supplier becomes aware of breaches of the protection of personal data within Supplier’s scope of responsibility. Supplier shall implement the measures necessary for securing Data and for mitigating potential negative consequences for the data subject; which case the Supplier shall coordinate inform the Authority in accordance with clause 14.14, except where prohibited by such efforts law from doing so and shall in any event, cease the processing pending receipt of further instructions from the Authority in relation to the processing; take such reasonable steps to ensure the reliability and integrity of its employees, agents, contractors etc. who have access to the Personal Data to ensure that they: are aware of and comply with Company without undue delay. (7) the Supplier’s duties under this clause; are subject to appropriate confidentiality undertakings with the Supplier shall notify or any sub-processor; are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to Company any third party unless directed in writing to do so by the point Authority or as otherwise permitted by this Contract; and have undergone adequate training in the use, care, protection and handling of contact for Personal Data as described above in Clause 14.8.3. only use, reproduce or otherwise process any issues related to data protection ari- sing out of or Personal Data collected in connection with this Contract to the Agreement. (8) Supplier warrants that Supplier fulfills its obligations under Article 32 (1)(d) extent necessary; not modify, amend or alter the contents of the GDPR to imple- ment a Personal Data, except as directed by the Authority; not, without the Authority’s written approval, process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security any Personal Data on any of the processing. Supplier’s systems on which data (9including any Personal Data) Supplier shall correct or erase Data if so instructed by Company and where covered by the scope is processed for any person outside of the instructions permissible. Where an erasure, consistent with data protection requirements, or a corresponding restriction of processing is impossible, Supplier shall be based on CompanyAuthority; and ensure that only those staff who have been authorised to use the Supplier’s instructions, and unless agreed upon differently in systems have access to the Agreement, destroy, in compliance with data protection requirements, all carrier media, and other material or return the same to Company. (Note: The parties are free to agree upon remuneration for such support in the agreementsystems.) In specific cases designated by Company, such Data shall be stored or handed over. The associa- xxx remuneration and protective measures shall be agreed upon separately unless already agreed upon in the Agreement. (Note: The parties are free to agree upon remuneration for such support in the agreement.) (10) Supplier shall, upon termination of Contract Processing and upon Company’s request, return all Data, carrier media and other materials to Company or delete the same. (11) Where a data subject asserts any claims against Company in accordance with Article 82 of the GDPR, Supplier shall support Company in defending against such claims, where possible. (Note: The parties are free to agree upon remuneration for such support in the agreement.)

Supplier’s Obligations. (1) Except where expressly permitted by Article 28 (3)(a) of the GDPR, Supplier shall process data subjects’ Data only within the scope of the statement of work work, the service agreement, this annex and the instructions issued by Com- pany. Company. (2) Where Supplier believes that an instruction would be in breach of applicable law, Supplier shall notify Company of such belief without undue delay. Supplier shall be entitled to suspending suspend performance on such instruction until Company confirms or modifies such instruction. Until then, the Supplier may continue processing on the basis of the previous instructions. (23) Supplier shall, within Supplier’s scope of responsibility, organise supplier’s internal organization, organisation so it satisfies the specific requirements of data protection. Supplier shall shall, within Supplier’s scope of responsibility, implement technical and organizational organisational measures to ensure the adequate protection of Company’s Data, which measures shall fulfill fulfil the requirements of the GDPR and specifically its Article 32. Supplier shall implement technical and organizational Details of the measures and safeguards that ensure ongoing confidentiality, integ- rity, availability, and resilience of processing systems and servicestaken are documented in Annex 1 to this annex. The company Company is familiar with these technical and organizational organisational measures, and it shall be Company’s responsibility that to decide if such measures ensure a level of security appropriate to the risk. (34) The technical and organisational measures are subject to technical progress and further development. Supplier reserves the right to modify the measures and safeguards implemented, provided, xxxx- verhowever, that the level of security shall not be less protective than initially agreed upon. (45) Supplier documented the implementation of the technical and organisational measures before the start of processing and submitted them to Company for inspection in Annex 1. If accepted by the Company, the documented measures become the basis of the contract. (6) Supplier shall support Company, insofar as is agreed upon by the parties, and where possible for Supplier, taking into account the type of processing and the information available to him, in fulfilling data subjects’ requests and claims, as detailed in chapter III of the GDPR and in fulfilling the obligations enumerated in Articles 33 to 36 of the GDPR. (Note: The parties are free Supplier is entitled to agree upon demand an appropriate remuneration from Company for such support in the agreementsupport.) (57) Supplier warrants that all employees involved in Contract Processing of Company’s Data and other such persons as may be involved in Contract Processing within Supplier’s scope of responsibi- lity responsibility shall be prohibited from processing Data outside the scope of the instructions. Furthermore, Supplier warrants that any person entitled to process Data on behalf of Controller has undertaken a commitment to secrecy or is subject to an appropriate statutory obligation to secrecy. All such secrecy obligations shall survive the termination or expiration of such Contract Processing. (6) 8) Supplier shall notify Company, without undue delay, if Supplier becomes aware of breaches of the protection of personal data within Supplier’s scope of responsibility. Supplier shall implement the measures necessary for securing Data and for mitigating potential negative consequences for the data subject; the Supplier shall coordinate such efforts with Company without undue delay. (79) 14 days after completion of the delivery of Data, Supplier shall notify to Company the point of contact for any issues related to data protection ari- sing out of delete such Data in its possession and processing or validation results generated in connection with the Agreementservice agreement containing personal data. (8) Supplier warrants that Supplier fulfills its obligations under Article 32 (1)(d) of the GDPR to imple- ment a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing. (9) Supplier shall correct or erase Data if so instructed by Company and where covered by the scope of the instructions permissible. Where an erasure, consistent with data protection requirements, or a corresponding restriction of processing is impossible, Supplier shall be based on Company’s instructions, and unless agreed upon differently in the Agreement, destroy, in compliance with data protection requirements, all carrier media, and other material or return the same to Company. (Note: The parties are free to agree upon remuneration for such support in the agreement.) In specific cases designated by Company, such Data shall be stored or handed over. The associa- xxx remuneration and protective measures shall be agreed upon separately unless already agreed upon in the Agreement. (Note: The parties are free to agree upon remuneration for such support in the agreement.) (10) Where required by law, Supplier shall, upon termination of Contract Processing and upon Company’s request, return all Data, carrier media and other materials to Company or delete the same. (11) Where shall appoint a data subject asserts any claims against Company protection officer in writing. Only a natural person who has a verifiable technical qualification and the necessary reliability in accordance with Article 82 of the GDPR, Supplier shall support Company in defending against such claims, where possible. (Note: The parties are free to agree upon remuneration for such support in the agreementstatutory provisions may be appointed data protection officer.)

Supplier’s Obligations. (1) Except where expressly permitted by Article 28 (3)(a) 4.1 The Supplier shall provide the Services and fulfil its obligations under this Agreement from the Commencement Date until the expiry of the GDPRTerm: 4.1.1 with the reasonable skill, care and diligence to be expected of a Supplier holding itself out as having the competence, expertise and resources necessary for the proper performance of the Services; 4.1.2 to the quality and standards required by the Technical Workscope, or where no quality or standard is so specified, to a good quality; 4.1.3 to comply with HS1 Operational Standards, HS1 Technical Standards and all equivalent standards; 4.1.4 to comply with all applicable Law and the Codes; 4.1.5 without compromising the safety of anyone on or about or using the Employer’s property and/or HS1 railway infrastructure; and 4.1.6 to comply with the Preliminaries. 4.2 The Supplier shall process data subjects’ Data only within hold an appropriate operating licence as issued by the scope Office of the statement Rail Regulator relating to the provision of work and the instructions issued by Com- pany. Where Supplier believes that an instruction would be in breach of applicable law, Services. 4.3 The Supplier shall notify Company of such belief without undue delay. perform the Services in accordance with the Employer’s Instructions and Contract Orders. 4.4 The Supplier shall be entitled to suspending performance on such instruction until Company confirms or modifies such instruction. (2) Supplier shall, within Supplier’s scope of responsibility, organise supplier’s internal organization, so it satisfies the specific requirements of data protection. Supplier shall implement technical and organizational measures to ensure the adequate protection of Company’s DataPlant is maintained, which measures shall fulfill calibrated and supplied in accordance with the requirements of the GDPR Technical Workscope and specifically its Article 32. so as to be fully available to undertake the Services envisaged by the Employer’s Clause 2.1 overall plans and specified by Clause 3 Contract Orders. 4.5 The Supplier shall implement technical permit the Employer to undertake detailed inspections of any maintenance records and organizational measures the Plant as and safeguards that ensure ongoing confidentiality, integ- rity, availability, and resilience of processing systems and services. The company is familiar when necessary to ascertain compliance with these technical and organizational measures, and it shall be Company’s responsibility that such measures ensure a level of security appropriate to the risk. (3) Supplier reserves the right to modify the measures and safeguards implemented, provided, xxxx- ver, that the level of security shall not be less protective than initially agreed upon. (4) Supplier shall support Company, insofar as is agreed upon by the parties, and where possible for Supplier, in fulfilling data subjects’ requests and claims, as detailed in chapter III requirements of the GDPR and in fulfilling Technical Workscope. Where such inspection identifies non-conformance with the obligations enumerated in Articles 33 to 36 of the GDPR. (Note: The parties are free to agree upon remuneration for such support Technical Workscope either in the agreement.) (5) Supplier warrants that all employees involved condition of an item of Plant or in Contract Processing of Company’s Data and other such persons as may be involved in Contract Processing within Supplier’s scope of responsibi- lity shall be prohibited from processing Data outside the scope of the instructions. Furthermore, Supplier warrants that any person entitled to process Data on behalf of Controller has undertaken a commitment to secrecy or is subject to an appropriate statutory obligation to secrecy. All such secrecy obligations shall survive the termination or expiration of such Contract Processing. (6) Supplier shall notify Company, without undue delay, if Supplier becomes aware of breaches of the protection of personal data within Supplier’s scope of responsibility. Supplier shall implement the measures necessary for securing Data and for mitigating potential negative consequences for the data subject; its maintenance then the Supplier shall coordinate produce and implement an action plan to rectify such efforts non-conformances without delay. Until rectification of the non-conformances has been accepted by the Employer’s Representative, he may issue a notice restricting (including, if appropriate, suspending) the use of the item of Plant. Any Services lost as a result of such restrictions unless due to the Employer or the Employer’s supplier’s acts or omissions shall be deemed to be due to the Use of Employer’s Plant Data from Plant Reports and meetings Remedy for failure to comply with Company without undue delayInstructions Indemnity for breach default of the Supplier for the purposes of calculating payments in accordance with the Pricing Documents. (7) 4.6 The Supplier shall notify to Company use the point of contact Employer’s Plant solely in connection with the Services and may not use the Employer’s Plant for any issues related other purposes without the prior written consent of the Employer. The Supplier shall not remove, deface or cover up any name-plate or identification xxxx or number on the Employer’s Plant nor shall it attempt to sell, mortgage, charge or otherwise deal with the Employer’s Plant. 4.7 Following delivery of each Shift and within the timescales stated in the Technical Workscope, the Supplier shall transfer to the Employer, in electronic form, all data protection ari- sing required by the Daily Work Returns and the Technical Workscope. The Supplier shall at all times work with the Employer to assist in the development of data capture and transfer. 4.8 The Supplier shall provide progress reports and attend meetings with the Employer’s Representative as required by the Preliminaries and in accordance with the Employer’s Instructions. 4.9 If the Supplier fails to perform the Services in accordance with this Agreement and the failure is due to the Supplier and not due to any act or omission of the Employer or the Employer’s supplier’s, then the Employer shall be entitled, in addition to any other remedy available to it, by notice to the Supplier to require the Supplier, at no additional cost to the Employer, to remedy such breach within the time stipulated in such notice, and if the Supplier fails to comply with such notice within the period specified by the Employer, the Employer may at its sole discretion employ another person to remedy such breach and the Employer may recover the additional costs incurred by it in so doing from the Supplier (provided that, in an emergency affecting safety, this provision shall apply without the requirement to give prior notice). 4.10 The Supplier shall indemnify the Employer and shall keep it indemnified against each and every liability which it may incur to any person whatsoever and against all damage, loss, expense, cost, claims or proceedings suffered or incurred by it to the extent that the same arises out of or in connection with any negligence or breach of duty by the Supplier, its employees, the Sub- Suppliers or other persons engaged by it in relation to this Agreement or any breach by the Supplier of its obligations under this Agreement. (8) 4.11 The Supplier warrants that shall have and maintain for the duration of the Term a separate Track Access Agreement with the Employer which shall cover the provision of the Service. 4.12 Subject to Clause [4.13 and 4.14] below, the Supplier fulfills shall communicate directly with HS1 Limited only if: 4.12.1 the Employer is in breach of its obligations under Article 32 Clause 33 of the Operator Agreement (1)(drelating to records and the auditing of records), 4.12.2 HS1 Limited notified the Employer of such breach as soon as was reasonably practicable following becoming aware of the same, 4.12.3 the Employer has not remedied such breach within 15 days (not including Saturdays, Sundays or bank holidays) of such notification, and 4.12.4 HS1 Limited wishes, acting reasonably, to obtain information in relation to the GDPR condition, maintenance, renewal or replacement of any asset comprised in the HS1 railway infrastructure and/or the operation of HS1 railway infrastructure only, provided that the Supplier shall not be entitled to imple- ment a process for regularly testing, assessing provide HS1 Limited with any documents or materials recording or containing information or data relating to (i) the Employer's or the Supplier's personnel or (ii) the costs and evaluating the effectiveness of technical and organizational measures for ensuring the security expenses of the processingEmployer in relation to the performance of the Employer’s obligations under the Operator Agreement and other financial arrangements of the Employer (including records of payments made by the Employer to the Supplier). (9) Supplier shall correct or erase Data if so instructed by Company and where covered by the scope 4.13 If HS1 Limited exercises its right to step in under Clause 6.1 of the instructions permissible. Where an erasure, consistent with data protection requirements, or a corresponding restriction of processing is impossible, Supplier shall be based on Company’s instructions, and unless agreed upon differently in the Operator Agreement, destroy, in compliance with data protection requirements, all carrier media, and other material or return the same to Company. (Note: The parties are free to agree upon remuneration for such support in the agreement.) In specific cases designated by Company, such Data shall be stored or handed over. The associa- xxx remuneration and protective measures shall be agreed upon separately unless already agreed upon in the Agreement. (Note: The parties are free to agree upon remuneration for such support in the agreement.) (10) Supplier shall, upon at HS1 Limited’s request and during the period of the step-in only, accept HS1 Limited’s direction of its performance of this Agreement in place of the Employer to the extent required for the purposes of exercising HS1 Limited's rights under Clause 6.1 of the Operator Agreement. 4.14 The Supplier agrees that, on termination of Contract Processing the Operator Agreement, either HS1 Limited or the Secretary of State for Transport shall be entitled to have the rights and upon Company’s request, return all Data, carrier media and other materials to Company or delete the same. (11) Where a data subject asserts any claims against Company in accordance with Article 82 obligations of the GDPREmployer under this Agreement novated to itself (or, Supplier shall support Company in defending against such claims, where possible. (Note: The parties are free to agree upon remuneration for such support in the agreementcase of HS1 Limited, such other party as HS1 Limited may direct).)” Access to the Routes, Sites and Employer’s property Compliance with Employer’s regulations Security Vetting Obstruction prohibited Health & Safety