Common use of Controller to Controller Terms Clause in Contracts

Controller to Controller Terms. Where OpenPayd and Customer process the Shared Data as independent controllers under or otherwise in connection with the Terms, the provisions set out this Section 5 will apply to the processing of Shared Data, in addition to Section 4 Basic terms. In case of any conflict between the provisions in Section 4 and in Section 5, Section 5 will prevail. 5.1. Customer represents and warrants to OpenPayd that it has a lawful ground to disclose all Shared Data under or in connection with the Terms. 5.2. Customer and OpenPayd each acknowledge and agree that it acts as independent data controller, or the equivalent under Data Protection Law in relation to the Shared Data it processes under or in connection with the Terms. Each shall comply with its respective obligations under the Data Protection Law. 5.3. Customer and OpenPayd shall each ensure that access to Shared Data is limited to Customer’s or the OpenPayd’s staff, who have a reasonable need to access Shared Data to enable Customer and OpenPayd to perform its respective duties under the Terms. 5.4. If Customer or OpenPayd receive or become aware of any of the following, it shall notify without any undue delay the other Party of: (i) any breach of security or unauthorised access to Disclosed Personal Data without undue delay after becoming aware of such incident; and (ii) any complaint, inquiry or request from a data subject or data protection authority regarding Shared Data, unless such notice is prohibited by applicable law. 5.5. Customer and OpenPayd shall refrain from notifying or responding to any data subject or data protection authority on behalf of the other Party unless (i) specifically requested to do so by the other Party in writing or (ii) if required by the Data Protection Law. 5.6. Each Party acknowledges and agrees that the other Party, at its sole discretion, may disclose any Shared Data or other transaction-related information to the relevant regulatory authorities or to third parties in order to perform their obligations under the Terms and/or legal/regulatory obligations under the relevant law, including but not limited to anti- money laundering, fraud monitoring, sanctions, or as may otherwise be required by the relevant law or court order, for which the other Party shall be notified in advance that such disclosure has been made, if permitted by law. Furthermore, such disclosure may be made without a prior notice to any regulatory authority that exercises regulatory or supervisory authority with respect to a Party’s operations, where such disclosure is made to satisfy routine governmental audit or examination requirements or as part of informational submissions required to be made to such regulatory authority in the ordinary course of business. 5.7. In respect of its processing of Shared Data, each Party warrants, represents and undertakes that: a) it shall provide data subjects with all of the information, in a concise, transparent, easy to understand format using clear and plain language, required under the Data Protection Law to ensure that the data subjects understand how their personal data will be processed by the respective Party; b) it shall take all appropriate technical and organisational measures against unauthorised or unlawful processing of the Disclosed Personal Data and against accidental loss or destruction of, or damage to the Disclosed Personal Data, including (without limitation) by: i. taking reasonable steps to ensure the reliability of any staff who have access to the Shared Data; ii. ensuring a level of security appropriate to the nature of the Shared Data and the risks that are presented by its processing. iii. any data transfers of Shared Data to a country or a territory not deemed as an Adequate Country will be subject to Appropriate Safeguards.

Controller to Controller Terms. Where OpenPayd With respect to the Controller Services, each Party represents, warrants, and Customer process covenants that: (a) it is a Data Controller as to Personal Data with respect to the Shared Processing of Personal Data under the Agreement, as independent controllers under or applicable; (b) all Personal Data will be collected, transferred, and otherwise Processed in connection accordance with the Termsapplicable laws, the provisions set out this Section 5 will including Applicable Data Protection Laws as they apply to each Party, respectively; (c) it will, upon request of the processing respective other Party, provide that other Party with copies of Shared Dataall relevant data protection laws or references to them (where relevant, in addition to Section 4 Basic terms. In case and not including legal advice); and (d) it is not aware of the existence of any conflict between local laws that would have a substantial adverse effect on the provisions in Section 4 and in Section 5, Section 5 will prevailobligations provided for under this Addendum. 5.1. Customer represents and warrants to OpenPayd that it has a lawful ground to disclose all Shared Data under or in connection with the Terms. 5.2. Customer and OpenPayd each acknowledge and agree that it acts as independent data controller, or the equivalent under Data Protection Law in relation to the Shared Data it processes under or in connection with the Terms. Each shall comply with its respective obligations under the Data Protection Law. 5.3. Customer and OpenPayd shall each ensure that access to Shared Data (e) Processing is limited to Customer’s or the OpenPayd’s staff, who have a reasonable need to access Shared Data to enable Customer and OpenPayd that which is reasonably necessary to perform its respective duties the Services under the Termsapplicable Agreement(s). 5.4. If (f) the Processing of Customer or OpenPayd receive or become aware of any Personal Data for the purposes set out in the Service Agreement(s) shall be performed only on lawful grounds, as provided by Applicable Data Protection Laws including, without limitation, Article 6 of the followingGDPR, as further limited by Article 9 of the GDPR, as applicable. (g) persons they authorize to Process Customer Personal Data must have committed themselves to confidentiality or be under an appropriate statutory or professional obligation of confidentiality. (h) Customer Personal Data will not be further processed in a manner that is incompatible with the purposes for which it shall notify without any undue delay was originally collected by the other Party of: Data Controller sharing the Personal Data. (i) any breach To the extent that a disclosure of security or unauthorised access to Disclosed Customer Personal Data without undue delay after becoming aware of such incident; and (ii) any complaint, inquiry or request from a data subject or data protection authority regarding Shared Data, unless such notice is prohibited by applicable law. 5.5. Customer and OpenPayd shall refrain from notifying or responding to any data subject or data protection authority on behalf of the other Party unless (i) specifically requested to do so by the other Party in writing or (ii) if required by among the Data Controllers qualifies as a sale under Applicable Data Protection Law. 5.6. Each Party acknowledges and agrees that Laws, each Data Controller must comply with the other Party, at its sole discretion, may disclose any Shared obligations associated with the sale of Personal Data or other transaction-related information to the relevant regulatory authorities or to third parties in order to perform their obligations under the Terms and/or legal/regulatory obligations under the relevant law, including but not limited to anti- money laundering, fraud monitoring, sanctions, or as may otherwise be required by the relevant law or court order, for which the other Party shall be notified in advance that such disclosure has been made, if permitted by law. Furthermore, such disclosure may be made without a prior notice to any regulatory authority that exercises regulatory or supervisory authority with respect to a Party’s operations, where such disclosure is made to satisfy routine governmental audit or examination requirements or as part of informational submissions required to be made to such regulatory authority in the ordinary course of business. 5.7. In respect of its processing of Shared Data, each Party warrants, represents and undertakes that: a) it shall provide data subjects with all of the information, in a concise, transparent, easy to understand format using clear and plain language, required under the Applicable Data Protection Law to ensure that the data subjects understand how their personal data will be processed by the respective Party; b) it shall take all appropriate technical and organisational measures against unauthorised or unlawful processing of the Disclosed Personal Data and against accidental loss or destruction of, or damage to the Disclosed Personal Data, including (without limitation) by: i. taking reasonable steps to ensure the reliability of any staff who have access to the Shared Data; ii. ensuring a level of security appropriate to the nature of the Shared Data and the risks that are presented by its processingLaws. iii. any data transfers of Shared Data to a country or a territory not deemed as an Adequate Country will be subject to Appropriate Safeguards.

Controller to Controller Terms. Where OpenPayd a. With respect to the Controller Services, each Party represents, warrants, and Customer process covenants that: • it is a Data Controller as to Personal Data with respect to the Shared Processing of Personal Data under the Agreement, as independent controllers under or applicable; • all Personal Data will be collected, transferred, and otherwise Processed in connection accordance with the Termsapplicable laws, including Applicable Data Protection Laws, as they apply to each Party, respectively; and such Party will, upon request of the provisions respective other Party, provide that other Party with copies of all Applicable Data Protection Laws or references to them (where relevant, and not including legal advice); and • it is not aware of the existence of any local laws that would have a substantial adverse effect on the obligations provided for under this Addendum. b. With respect to the Controller Services, each Party agrees that: • the Processing of Customer Personal Data for the purposes set out this Section 5 in the Agreement(s) shall be performed only on lawful grounds, as provided by Applicable Data Protection Laws including, without limitation, Article 6 of the GDPR, as further limited by Article 9 of the GDPR, as applicable. • persons they authorize to Process Customer Personal Data must have committed themselves to confidentiality or be under an appropriate statutory or professional obligation of confidentiality. • Customer Personal Data will apply to the processing of Shared Data, not be further processed in addition to Section 4 Basic terms. In case of any conflict between the provisions in Section 4 and in Section 5, Section 5 will prevail. 5.1. Customer represents and warrants to OpenPayd a manner that it has a lawful ground to disclose all Shared Data under or in connection is incompatible with the Terms. 5.2. Customer and OpenPayd each acknowledge and agree that purposes for which it acts as independent data controller, or the equivalent under Data Protection Law in relation to the Shared Data it processes under or in connection with the Terms. Each shall comply with its respective obligations under the Data Protection Law. 5.3. Customer and OpenPayd shall each ensure that access to Shared Data is limited to Customer’s or the OpenPayd’s staff, who have a reasonable need to access Shared Data to enable Customer and OpenPayd to perform its respective duties under the Terms. 5.4. If Customer or OpenPayd receive or become aware of any of the following, it shall notify without any undue delay the other Party of: (i) any breach of security or unauthorised access to Disclosed Personal Data without undue delay after becoming aware of such incident; and (ii) any complaint, inquiry or request from a data subject or data protection authority regarding Shared Data, unless such notice is prohibited by applicable law. 5.5. Customer and OpenPayd shall refrain from notifying or responding to any data subject or data protection authority on behalf of the other Party unless (i) specifically requested to do so by the other Party in writing or (ii) if required was originally collected by the Data Controller sharing the Personal Data. • To the extent that a disclosure of Customer Personal Data among the Data Controllers qualifies as a sale under Applicable Data Protection Law. 5.6. Each Party acknowledges and agrees that Laws, each Data Controller must comply with the other Party, at its sole discretion, may disclose any Shared obligations associated with the sale of Personal Data or other transaction-related information to the relevant regulatory authorities or to third parties in order to perform their obligations under the Terms and/or legal/regulatory obligations under the relevant law, including but not limited to anti- money laundering, fraud monitoring, sanctions, or as may otherwise be required by the relevant law or court order, for which the other Party shall be notified in advance that such disclosure has been made, if permitted by law. Furthermore, such disclosure may be made without a prior notice to any regulatory authority that exercises regulatory or supervisory authority with respect to a Party’s operations, where such disclosure is made to satisfy routine governmental audit or examination requirements or as part of informational submissions required to be made to such regulatory authority in the ordinary course of business. 5.7. In respect of its processing of Shared Data, each Party warrants, represents and undertakes that: a) it shall provide data subjects with all of the information, in a concise, transparent, easy to understand format using clear and plain language, required under the Applicable Data Protection Law to ensure that the data subjects understand how their personal data will be processed by the respective Party; b) it shall take all appropriate technical and organisational measures against unauthorised or unlawful processing of the Disclosed Personal Data and against accidental loss or destruction of, or damage to the Disclosed Personal Data, including (without limitation) by: i. taking reasonable steps to ensure the reliability of any staff who have access to the Shared Data; ii. ensuring a level of security appropriate to the nature of the Shared Data and the risks that are presented by its processingLaws. iii. any data transfers of Shared Data to a country or a territory not deemed as an Adequate Country will be subject to Appropriate Safeguards.