Common use of DATA PROCESSING OBLIGATIONS Clause in Contracts

DATA PROCESSING OBLIGATIONS. 4.1. From the Commencement Date, where NBI processes Customer Personal Data provided to it by or on behalf of the RSP, as a processor in connection with the Processing Purposes, NBI agrees that it: 4.1.1. shall process Customer Personal Data only for the Processing Purposes in connection with the provision of the Services, as described in Schedule 1 of this DPA, or as subsequently instructed in writing from time to time by the RSP; 4.1.2. shall ensure that it shall not transfer the Customer Personal Data outside the European Economic Area (“EEA”) without the express written instructions of the RSP and where such instructions are received by NBI, such transfers of Customer Personal Data shall be undertaken in accordance with the Data Protection Laws; 4.1.3. shall ensure that all Relevant Personnel authorised to be involved in the processing of Customer Personal Data for and on behalf of NBI have committed themselves to a duty of confidentiality in respect of Customer Personal Data; 4.1.4. shall implement appropriate technical and organisational measures in accordance with Article 32 of the GDPR to ensure the security of Customer Personal Data, in particular as described in Minimum Security Requirements under Data Processing Schedule 2 of this DPA; 4.1.5. shall only engage sub-contract or outsource the processing of Customer Personal Data under this DPA to any other person or Third Party processor (“Sub- processor”) subject to: having notified the RSP of the identity of such Sub-processor and obtaining the written authorisation of the RSP before engaging any such Sub-processor; and NBI putting in place binding contractual terms with such Sub-processor on terms no less onerous than those contained in this DPA; 4.1.6. taking into account the nature of the processing of Customer Data, NBI shall reasonably assist the RSP in meeting its responsibilities as a controller by putting in place appropriate technical and organisational measures to enable NBI to provide reasonable assistance on request from RSP in responding to any data subject requests received by the RSP in accordance with the Data Protection Laws; 4.1.7. on becoming aware of a “personal data breach” (as such term is defined in the Data Protection Laws) affecting the Customer Personal Data, NBI shall notify the RSP without undue delay and in any event within a period of 24 hours using the following contact details: RSP email addresses [⚫] [⚫] RSP phone number [⚫] [⚫] 4.1.8. on becoming aware of a personal data breach affecting Customer Personal Data, NBI shall provide reasonable assistance to the RSP in investigating and remediating any such incident(s); 4.1.9. depending on the nature of the processing activities, NBI shall not retain Customer Personal Data for any longer than is necessary having regard to the Processing Purposes; 4.1.10. on request, NBI shall reasonably assist the RSP in ensuring compliance with the RSP’s obligations to comply with Articles 32 to 36 of the GDPR (inclusive); 4.1.11. based on written instructions of the RSP, either return of securely delete the Customer Personal Data on the termination of the Agreement and relevant processing of Customer Personal Data. If NBI has not received instructions from RSP return or delete the Customer Personal Data within received within 25 Working Days of the effective date of termination of the Agreement, NBI shall by default delete the Customer Personal Data. 4.1.12. on written request, it shall make available to the RSP all information strictly necessary for the WSP/RSP to demonstrate compliance with its obligations under Article 28 of the GDPR, including records of the processing undertaken by NBI of the Customer Personal Data, on receipt of reasonable notice of not less than 10 Working Days; 4.1.13. on written request from the RSP, NBI shall contribute to audits, including inspections, conducted by or on behalf of the RSP of NBI’s relevant data processing facilities, data files, procedures or documentation as is strictly necessary for the RSP to demonstrate its compliance with the Data Protection Laws as they relate to the processing of Customer Personal Data. Any such right of audit is subject to the conditions that: (i) the RSP shall provide notice of not less than 20 Working Days in advance of any such audit; (ii) any such auditor nominated by the RSP must be independent, impartial and suitably qualified and must be acceptable to NBI and not, in NBI’s reasonable opinion, present any conflict of interest or be a competitor of NBI; (iii) any such auditor, including a Third Party auditor nominated by the RSP, must commit itself to a written duty of confidentiality; and (iv) the RSP shall be permitted to undertake no more than one such audit in any 12- month period (save in exceptional circumstances, where the RSP is compelled to do so based on binding request from a Supervisory Authority). 4.2. For the purposes of Clause 4.1.5 above, the RSP hereby authorises the appointment of the appointed NBI connection company as Sub-processor on behalf of NBI to process Customer Personal Data for the purposes of providing certain of the Services. 4.3. Any additional costs incurred by NBI (which in NBI’s sole discretion exceed the costs reasonably contemplated by it) in order to ensure compliance with clauses 4.1.6, 4.1.8 and 4.1.10 shall be at the expense of the RSP. NBI shall provide written evidence in support of such costs incurred by it when requesting re-imbursement of such costs.

DATA PROCESSING OBLIGATIONS. 4.1. From the Commencement Date, where NBI processes Customer Personal Data provided to it by or on behalf of the RSP, as a processor in connection with the Processing Purposes, NBI agrees that it: 4.1.1. shall process Customer Personal Data only for the Processing Purposes in connection with the provision of the Services, as described in Schedule 1 of this DPA, or as subsequently instructed in writing from time to time by the RSP; 4.1.2. shall ensure that it shall not transfer the Customer Personal Data outside the European Economic Area (“EEA”) without the express written instructions of the RSP and where such instructions are received by NBI, such transfers of Customer Personal Data shall be undertaken in accordance with the Data Protection Laws; 4.1.3. shall ensure that all Relevant Personnel authorised to be involved in the processing of Customer Personal Data for and on behalf of NBI have committed themselves to a duty of confidentiality in respect of Customer Personal Data; 4.1.4. shall implement appropriate technical and organisational measures in accordance with Article 32 of the GDPR to ensure the security of Customer Personal Data, in particular as described in Minimum Security Requirements under Data Processing Schedule 2 of this DPA; 4.1.5. shall only engage sub-contract or outsource the processing of Customer Personal Data under this DPA to any other person or Third Party processor (“Sub- Sub-processor”) subject to: : (i) having notified the RSP of the identity of such Sub-processor and obtaining the written authorisation of the RSP before engaging any such Sub-processor; and and 4.1.7. (ii) NBI putting in place binding contractual terms with such Sub-processor on terms no less onerous than those contained in this DPA; 4.1.64.1.8. taking into account the nature of the processing of Customer Data, NBI shall reasonably assist the RSP in meeting its responsibilities as a controller by putting in place appropriate technical and organisational measures to enable NBI to provide reasonable assistance on request from RSP in responding to any data subject requests received by the RSP in accordance with the Data Protection Laws; 4.1.74.1.9. on becoming aware of a “personal data breach” (as such term is defined in the Data Protection Laws) affecting the Customer Personal Data, NBI shall notify the RSP without undue delay and in any event within a period of 24 [24] hours using the following contact details: RSP email addresses [⚫] [⚫] RSP phone number [⚫] [⚫] 4.1.84.1.10. on becoming aware of a personal data breach affecting Customer Personal Data, NBI shall provide reasonable assistance to the RSP in investigating and remediating any such incident(s); 4.1.94.1.11. depending on the nature of the processing activities, NBI shall not retain Customer Personal Data for any longer than is necessary having regard to the Processing Purposes; 4.1.104.1.12. on request, NBI shall reasonably assist the RSP in ensuring compliance with the RSP’s obligations to comply with Articles 32 to 36 of the GDPR (inclusive); 4.1.114.1.13. based on written instructions of the RSP, either return of securely delete the Customer Personal Data on the termination of the Agreement and relevant processing of Customer Personal Data. If NBI has not received instructions from RSP return or delete the Customer Personal Data within received within 25 Working Days of the effective date of termination of the Agreement, NBI shall by default delete the Customer Personal Data.; 4.1.124.1.14. on written request, it shall make makes available to the RSP all information strictly necessary for the WSP/RSP to demonstrate compliance with its obligations under Article 28 of the GDPR, including records of the processing undertaken by NBI of the Customer Personal Data, on receipt of reasonable notice of not less than 10 Working Days; 4.1.134.1.15. on written request from the RSP, NBI shall contribute to audits, including inspections, conducted by or on behalf of the RSP of NBI’s relevant data processing facilities, data files, procedures or documentation as is strictly necessary for the RSP to demonstrate its compliance with the Data Protection Laws as they relate to the processing of Customer Personal Data. Any such right of audit is subject to the conditions that: (i) the RSP shall provide notice of not less than 20 Working Days in advance of any such audit; (ii) any such auditor nominated by the RSP must be independent, impartial and suitably qualified and must be acceptable to NBI and not, in NBI’s reasonable opinion, present any conflict of interest or be a competitor of NBI; (iii) any such auditor, including a Third Party third party auditor nominated by the RSP, must commit itself to a written duty of confidentiality; and (iv) the RSP shall be permitted to undertake no more than one such audit in any 12- 12-month period (save in exceptional circumstances, where the RSP is compelled to do so based on binding request from a Supervisory Authority). 4.24.1.16. For the purposes of Clause 4.1.5 5.15 above, the RSP hereby authorises the appointment of the appointed NBI connection company as Sub-processor on behalf of NBI to process Customer Personal Data for the purposes of providing certain of the Services. 4.34.1.17. Any additional costs incurred by NBI (which in NBI’s sole discretion exceed the costs reasonably contemplated by it) in order to ensure compliance with clauses Clauses 4.1.6, 4.1.8 and 4.1.10 shall be at the expense of the RSP. NBI shall provide written evidence in support of such costs incurred by it when requesting re-imbursement of such costs.

DATA PROCESSING OBLIGATIONS. 4.1. From the Commencement Date, where NBI processes Customer Personal Data provided to it by or on behalf of the RSP, as a processor in connection with the Processing Purposes, NBI agrees that it: 4.1.1. shall process Customer Personal Data only for the Processing Purposes in connection with the provision of the Services, as described in Schedule 1 of this DPA, or as subsequently instructed in writing from time to time by the RSP; 4.1.2. shall ensure that it shall not transfer the Customer Personal Data outside the European Economic Area (“EEA”) without the express written instructions of the RSP and where such instructions are received by NBI, such transfers of Customer Personal Data shall be undertaken in accordance with the Data Protection Laws; 4.1.3. shall ensure that all Relevant Personnel authorised to be involved in the processing of Customer Personal Data for and on behalf of NBI have committed themselves to a duty of confidentiality in respect of Customer Personal Data; 4.1.4. shall implement appropriate technical and organisational measures in accordance with Article 32 of the GDPR to ensure the security of Customer Personal Data, in particular as described in Minimum Security Requirements under Data Processing Schedule 2 of this DPA; 4.1.5. shall only engage sub-contract or outsource the processing of Customer Personal Data under this DPA to any other person or Third Party processor (“Sub- Sub-processor”) subject to: : (i) having notified the RSP of the identity of such Sub-processor and obtaining the written authorisation of the RSP before engaging any such Sub-processor; and and 4.1.7. (ii) NBI putting in place binding contractual terms with such Sub-processor on terms no less onerous than those contained in this DPA; 4.1.64.1.8. taking into account the nature of the processing of Customer Data, NBI shall reasonably assist the RSP in meeting its responsibilities as a controller by putting in place appropriate technical and organisational measures to enable NBI to provide reasonable assistance on request from RSP in responding to any data subject requests received by the RSP in accordance with the Data Protection Laws; 4.1.74.1.9. on becoming aware of a “personal data breach” (as such term is defined in the Data Protection Laws) affecting the Customer Personal Data, NBI shall notify the RSP without undue delay and in any event within a period of 24 [24] hours using the following contact details: RSP email addresses [⚫] [⚫] RSP phone number [⚫] [⚫] 4.1.84.1.10. on becoming aware of a personal data breach affecting Customer Personal Data, NBI shall provide reasonable assistance to the RSP in investigating and remediating any such incident(s); 4.1.94.1.11. depending on the nature of the processing activities, NBI shall not retain Customer Personal Data for any longer than is necessary having regard to the Processing Purposes; 4.1.104.1.12. on request, NBI shall reasonably assist the RSP in ensuring compliance with the RSP’s obligations to comply with Articles 32 to 36 of the GDPR (inclusive); 4.1.114.1.13. based on written instructions of the RSP, either return of securely delete the Customer Personal Data on the termination of the Agreement and relevant processing of Customer Personal Data. If NBI has not received instructions from RSP return or delete the Customer Personal Data within received within 25 Working Days of the effective date of termination of the Agreement, NBI shall by default delete the Customer Personal Data.; 4.1.124.1.14. on written request, it shall make makes available to the RSP all information strictly necessary for the WSP/RSP to demonstrate compliance with its obligations under Article 28 of the GDPR, including records of the processing undertaken by NBI of the Customer Personal Data, on receipt of reasonable notice of not less than 10 Working Days; 4.1.134.1.15. on written request from the RSP, NBI shall contribute to audits, including inspections, conducted by or on behalf of the RSP of NBI’s relevant data processing facilities, data files, procedures or documentation as is strictly necessary for the RSP to demonstrate its compliance with the Data Protection Laws as they relate to the processing of Customer Personal Data. Any such right of audit is subject to the conditions that: (i) the RSP shall provide notice of not less than 20 Working Days in advance of any such audit; (ii) any such auditor nominated by the RSP must be independent, impartial and suitably qualified and must be acceptable to NBI and not, in NBI’s reasonable opinion, present any conflict of interest or be a competitor of NBI; (iii) any such auditor, including a Third Party third party auditor nominated by the RSP, must commit itself to a written duty of confidentiality; and (iv) the RSP shall be permitted to undertake no more than one such audit in any 12- 12-month period (save in exceptional circumstances, where the RSP is compelled to do so based on binding request from a Supervisory Authority). 4.24.1.16. For the purposes of Clause 4.1.5 5.15 above, the RSP hereby authorises the appointment of the appointed NBI connection company as Sub-processor on behalf of NBI to process Customer Personal Data for the purposes of providing certain of the Services. 4.34.1.17. Any additional costs incurred by NBI (which in NBI’s sole discretion view, acting reasonably, exceed the costs reasonably contemplated by it) in order to ensure compliance with clauses Clauses 4.1.6, 4.1.8 and 4.1.10 shall be at the expense of the RSP. NBI shall provide written evidence in support of such costs incurred by it when requesting re-re- imbursement of such costs.

DATA PROCESSING OBLIGATIONS. 4.1. From the Commencement Date, where NBI processes Customer Personal Data provided to it by or on behalf of the RSP, as a processor in connection with the Processing Purposes, NBI agrees that it: 4.1.1. shall process Customer Personal Data only for the Processing Purposes in connection with the provision of the Services, as described in Schedule 1 of this DPA, or as subsequently instructed in writing from time to time by the RSP; 4.1.2. shall ensure that it shall not transfer the Customer Personal Data outside the European Economic Area (“EEA”) without the express written instructions of the RSP and where such instructions are received by NBI, such transfers of Customer Personal Data shall be undertaken in accordance with the Data Protection Laws; 4.1.3. shall ensure that all Relevant Personnel authorised to be involved in the processing of Customer Personal Data for and on behalf of NBI have committed themselves to a duty of confidentiality in respect of Customer Personal Data; 4.1.4. shall implement appropriate technical and organisational measures in accordance with Article 32 of the GDPR to ensure the security of Customer Personal Data, in particular as described in Minimum Security Requirements under Data Processing Schedule 2 of this DPA; 4.1.5. shall only engage sub-contract or outsource the processing of Customer Personal Data under this DPA to any other person or Third Party processor (“Sub- processor”) subject to: : (i) having notified the RSP of the identity of such Sub-processor and obtaining the written authorisation of the RSP before engaging any such Sub-processor; and and (ii) NBI putting in place binding contractual terms with such Sub-processor on terms no less onerous than those contained in this DPA; 4.1.6. taking into account the nature of the processing of Customer Data, NBI shall reasonably assist the RSP in meeting its responsibilities as a controller by putting in place appropriate technical and organisational measures to enable NBI to provide reasonable assistance on request from RSP in responding to any data subject requests received by the RSP in accordance with the Data Protection Laws; 4.1.7. on becoming aware of a “personal data breach” (as such term is defined in the Data Protection Laws) affecting the Customer Personal Data, NBI shall notify the RSP without undue delay and in any event within a period of 24 hours using the following contact details: RSP email addresses [⚫] [⚫] RSP phone number [⚫] [⚫] 4.1.8. on becoming aware of a personal data breach affecting Customer Personal Data, NBI shall provide reasonable assistance to the RSP in investigating and remediating any such incident(s); 4.1.9. depending on the nature of the processing activities, NBI shall not retain Customer Personal Data for any longer than is necessary having regard to the Processing Purposes; 4.1.10. on request, NBI shall reasonably assist the RSP in ensuring compliance with the RSP’s obligations to comply with Articles 32 to 36 of the GDPR (inclusive); 4.1.11. based on written instructions of the RSP, either return of securely delete the Customer Personal Data on the termination of the Agreement and relevant processing of Customer Personal Data. If NBI has not received instructions from RSP return or delete the Customer Personal Data within received within 25 Working Days of the effective date of termination of the Agreement, NBI shall by default delete the Customer Personal Data. 4.1.12. on written request, it shall make available to the RSP all information strictly necessary for the WSP/RSP to demonstrate compliance with its obligations under Article 28 of the GDPR, including records of the processing undertaken by NBI of the Customer Personal Data, on receipt of reasonable notice of not less than 10 Working Days; 4.1.13. on written request from the RSP, NBI shall contribute to audits, including inspections, conducted by or on behalf of the RSP of NBI’s relevant data processing facilities, data files, procedures or documentation as is strictly necessary for the RSP to demonstrate its compliance with the Data Protection Laws as they relate to the processing of Customer Personal Data. Any such right of audit is subject to the conditions that: (i) the RSP shall provide notice of not less than 20 Working Days in advance of any such audit; (ii) any such auditor nominated by the RSP must be independent, impartial and suitably qualified and must be acceptable to NBI and not, in NBI’s reasonable opinion, present any conflict of interest or be a competitor of NBI; (iii) any such auditor, including a Third Party auditor nominated by the RSP, must commit itself to a written duty of confidentiality; and (iv) the RSP shall be permitted to undertake no more than one such audit in any 12- month period (save in exceptional circumstances, where the RSP is compelled to do so based on binding request from a Supervisory Authority). 4.2. For the purposes of Clause 4.1.5 above, the RSP hereby authorises the appointment of the appointed NBI connection company as Sub-processor on behalf of NBI to process Customer Personal Data for the purposes of providing certain of the Services. 4.3. Any additional costs incurred by NBI (which in NBI’s sole discretion view, acting reasonably exceed the costs reasonably contemplated by it) in order to ensure compliance with clauses 4.1.6, 4.1.8 and 4.1.10 shall be at the expense of the RSP. NBI shall provide written evidence in support of such costs incurred by it when requesting re-imbursement of such costs.

DATA PROCESSING OBLIGATIONS. 4.1. From the Commencement Date, where NBI processes Customer Personal Data provided to it by or on behalf of the RSP, as a processor in connection with the Processing Purposes, NBI agrees that it: 4.1.1. shall process Customer Personal Data only for the Processing Purposes in connection with the provision of the Services, as described in Schedule 1 of this DPA, or as subsequently instructed in writing from time to time by the RSP; 4.1.2. shall ensure that it shall not transfer the Customer Personal Data outside the European Economic Area (“EEA”) without the express written instructions of the RSP and where such instructions are received by NBI, such transfers of Customer Personal Data shall be undertaken in accordance with the Data Protection Laws; 4.1.3. shall ensure that all Relevant Personnel authorised to be involved in the processing of Customer Personal Data for and on behalf of NBI have committed themselves to a duty of confidentiality in respect of Customer Personal Data; 4.1.4. shall implement appropriate technical and organisational measures in accordance with Article 32 of the GDPR to ensure the security of Customer Personal Data, in particular as described in Minimum Security Requirements under Data Processing Schedule 2 of this DPA; 4.1.5. shall only engage sub-contract or outsource the processing of Customer Personal Data under this DPA to any other person or Third Party processor (“Sub- processor”) subject to: : (i) having notified the RSP of the identity of such Sub-processor and obtaining the written authorisation of the RSP before engaging any such Sub-processor; and and (ii) NBI putting in place binding contractual terms with such Sub-processor on terms no less onerous than those contained in this DPA; 4.1.6. taking into account the nature of the processing of Customer Data, NBI shall reasonably assist the RSP in meeting its responsibilities as a controller by putting in place appropriate technical and organisational measures to enable NBI to provide reasonable assistance on request from RSP in responding to any data subject requests received by the RSP in accordance with the Data Protection Laws; 4.1.7. on becoming aware of a “personal data breach” (as such term is defined in the Data Protection Laws) affecting the Customer Personal Data, NBI shall notify the RSP without undue delay and in any event within a period of 24 hours using the following contact details: RSP email addresses [⚫] [⚫] RSP phone number [⚫] [⚫] 4.1.8. on becoming aware of a personal data breach affecting Customer Personal Data, NBI shall provide reasonable assistance to the RSP in investigating and remediating any such incident(s); 4.1.9. depending on the nature of the processing activities, NBI shall not retain Customer Personal Data for any longer than is necessary having regard to the Processing Purposes; 4.1.10. on request, NBI shall reasonably assist the RSP in ensuring compliance with the RSP’s obligations to comply with Articles 32 to 36 of the GDPR (inclusive); 4.1.11. based on written instructions of the RSP, either return of securely delete the Customer Personal Data on the termination of the Agreement and relevant processing of Customer Personal Data. If NBI has not received instructions from RSP return or delete the Customer Personal Data within received within 25 Working Days of the effective date of termination of the Agreement, NBI shall by default delete the Customer Personal Data. 4.1.12. on written request, it shall make available to the RSP all information strictly necessary for the WSP/RSP to demonstrate compliance with its obligations under Article 28 of the GDPR, including records of the processing undertaken by NBI of the Customer Personal Data, on receipt of reasonable notice of not less than 10 Working Days; 4.1.13. on written request from the RSP, NBI shall contribute to audits, including inspections, conducted by or on behalf of the RSP of NBI’s relevant data processing facilities, data files, procedures or documentation as is strictly necessary for the RSP to demonstrate its compliance with the Data Protection Laws as they relate to the processing of Customer Personal Data. Any such right of audit is subject to the conditions that: (i) the RSP shall provide notice of not less than 20 Working Days in advance of any such audit; (ii) any such auditor nominated by the RSP must be independent, impartial and suitably qualified and must be acceptable to NBI and not, in NBI’s reasonable opinion, present any conflict of interest or be a competitor of NBI; (iii) any such auditor, including a Third Party auditor nominated by the RSP, must commit itself to a written duty of confidentiality; and (iv) the RSP shall be permitted to undertake no more than one such audit in any 12- month period (save in exceptional circumstances, where the RSP is compelled to do so based on binding request from a Supervisory Authority). 4.2. For the purposes of Clause 4.1.5 above, the RSP hereby authorises the appointment of the appointed NBI connection company as Sub-processor on behalf of NBI to process Customer Personal Data for the purposes of providing certain of the Services. 4.3. Any additional costs incurred by NBI (which in NBI’s sole view, acting reasonablysole discretion exceed the costs reasonably contemplated by it) in order to ensure compliance with clauses 4.1.6, 4.1.8 and 4.1.10 shall be at the expense of the RSP. NBI shall provide written evidence in support of such costs incurred by it when requesting re-imbursement of such costs.

DATA PROCESSING OBLIGATIONS. 4.1. From the Commencement Date, where NBI processes Customer Personal Data provided to it by or on behalf of the RSP, as a processor in connection with the Processing Purposes, NBI agrees that it: 4.1.1. shall process Customer Personal Data only for the Processing Purposes in connection with the provision of the Services, as described in Schedule 1 of this DPA, or as subsequently instructed in writing from time to time by the RSP; 4.1.2. shall ensure that it shall not transfer the Customer Personal Data outside the European Economic Area (“EEA”) without the express written instructions of the RSP and where such instructions are received by NBI, such transfers of Customer Personal Data shall be undertaken in accordance with the Data Protection Laws; 4.1.3. shall ensure that all Relevant Personnel authorised to be involved in the processing of Customer Personal Data for and on behalf of NBI have committed themselves to a duty of confidentiality in respect of Customer Personal Data; 4.1.4. shall implement appropriate technical and organisational measures in accordance with Article 32 of the GDPR to ensure the security of Customer Personal Data, in particular as described in Minimum Security Requirements under Data Processing Schedule 2 of this DPA; 4.1.5. shall only engage sub-contract or outsource the processing of Customer Personal Data under this DPA to any other person or Third Party processor (“Sub- Sub-processor”) subject to: : (i) having notified the RSP of the identity of such Sub-processor and obtaining the written authorisation of the RSP before engaging any such Sub-processor; and and 4.1.7. (ii) NBI putting in place binding contractual terms with such Sub-processor on terms no less onerous than those contained in this DPA; 4.1.64.1.8. taking into account the nature of the processing of Customer Data, NBI shall reasonably assist the RSP in meeting its responsibilities as a controller by putting in place appropriate technical and organisational measures to enable NBI to provide reasonable assistance on request from RSP in responding to any data subject requests received by the RSP in accordance with the Data Protection Laws; 4.1.74.1.9. on becoming aware of a “personal data breach” (as such term is defined in the Data Protection Laws) affecting the Customer Personal Data, NBI shall notify the RSP without undue delay and in any event within a period of 24 [24] hours using the following contact details: RSP email addresses [⚫] [⚫] RSP phone number [⚫] [⚫] 4.1.84.1.10. on becoming aware of a personal data breach affecting Customer Personal Data, NBI shall provide reasonable assistance to the RSP in investigating and remediating any such incident(s); 4.1.94.1.11. depending on the nature of the processing activities, NBI shall not retain Customer Personal Data for any longer than is necessary having regard to the Processing Purposes; 4.1.104.1.12. on request, NBI shall reasonably assist the RSP in ensuring compliance with the RSP’s obligations to comply with Articles 32 to 36 of the GDPR (inclusive); 4.1.114.1.13. based on written instructions of the RSP, either return of securely delete the Customer Personal Data on the termination of the Agreement and relevant processing of Customer Personal Data. If NBI has not received instructions from RSP return or delete the Customer Personal Data within received within 25 Working Days of the effective date of termination of the Agreement, NBI shall by default delete the Customer Personal Data.; 4.1.124.1.14. on written request, it shall make makes available to the RSP all information strictly necessary for the WSP/RSP to demonstrate compliance with its obligations under Article 28 of the GDPR, including records of the processing undertaken by NBI of the Customer Personal Data, on receipt of reasonable notice of not less than 10 Working Days; 4.1.134.1.15. on written request from the RSP, NBI shall contribute to audits, including inspections, conducted by or on behalf of the RSP of NBI’s relevant data processing facilities, data files, procedures or documentation as is strictly necessary for the RSP to demonstrate its compliance with the Data Protection Laws as they relate to the processing of Customer Personal Data. Any such right of audit is subject to the conditions that: (i) the RSP shall provide notice of not less than 20 Working Days in advance of any such audit; (ii) any such auditor nominated by the RSP must be independent, impartial and suitably qualified and must be acceptable to NBI and not, in NBI’s reasonable opinion, present any conflict of interest or be a competitor of NBI; (iii) any such auditor, including a Third Party third party auditor nominated by the RSP, must commit itself to a written duty of confidentiality; and (iv) the RSP shall be permitted to undertake no more than one such audit in any 12- 12-month period (save in exceptional circumstances, where the RSP is compelled to do so based on binding request from a Supervisory Authority). 4.24.1.16. For the purposes of Clause 4.1.5 5.15 above, the RSP hereby authorises the appointment of the appointed NBI connection company as Sub-processor on behalf of NBI to process Customer Personal Data for the purposes of providing certain of the Services. 4.34.1.17. Any additional costs incurred by NBI (which in NBI’s sole discretion view, acting reasonablysole discretion, exceed the costs reasonably contemplated by it) in order to ensure compliance with clauses Clauses 4.1.6, 4.1.8 and 4.1.10 shall be at the expense of the RSP. NBI shall provide written evidence in support of such costs incurred by it when requesting re-imbursement of such costs.