Common use of Data Processing Clause in Contracts

Data Processing. In the provision of Services, Protiviti (the “Processor”) may be Processing Personal Data on behalf of the other party (the “Controller”). In these circumstances, Protiviti will: (i) Process Personal Data only to the extent, and in such a manner as is necessary, for the performance or receipt of the Services under these Terms and Conditions and only on reasonable written instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organisation, unless required to do so by European Union or English law. In such case, the Processor will inform Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest, (ii) ensure that persons authorised to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, (iii) take all measures required by Data Protection Law relating to data security, (iv) not engage another party to Process Personal Data without the Controller’s prior written authorisation, and if such authorisation is granted, take those measures required pursuant to the Data Protection Law, (v) taking into account the nature of the Processing, assist Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising the Data Subject’s rights laid down in the Data Protection Law, (vi) assist Controller in ensuring its compliance with data security, Personal Data Breach, data protection impact assessments, and engaging in other consultations, pursuant to Data Protection Law (taking into account the nature of processing and the information available to the Data Processor), (vii) not keep the Personal Data it receives under these Terms and Conditions for longer than required for the execution of these Terms and Conditions, unless European Union or English law requires storage of the Personal Data, and will promptly comply with any commercially reasonable request from Controller requiring Processor to amend, transfer, or delete the Personal Data, to the extent that the Controller does not have the ability to do so itself, (viii) subject to the confidentiality restrictions herein, make available to Controller all information necessary to demonstrate compliance with Data Protection Law and allow for and contribute to audits, including inspections, conducted by Controller, and (ix) immediately inform Controller if, in its opinion, an instruction from Controller infringes Data Protection Law that is applicable to Processor. The subject matter and duration of the Processing, the nature and purpose of the Processing, and the type of Personal Data and categories of Data Subjects will be described in the Arrangement Letter, or other written agreement signed by the parties. Each party represents that it has obtained the proper consent from all Data Subjects to the disclosure and transfer of Personal Data under these Terms and Conditions. In addition, Client acknowledges that Protiviti may use this information as part of its client account opening and general administration process (e.g., in order to carry out anti-money laundering, conflict and financial checks, invoicing, or debt recovery). For these purposes, the information may be transferred to or accessible from Protiviti’s offices around the world.

Data Processing. In The Data Processor agrees to process the provision of Services, Protiviti (the “Processor”) may be Processing Personal Data on behalf of the other party (the “Controller”). In these circumstances, Protiviti will: (i) Process Personal Data only to the extentwhich this Supplementary Agreement applies, and in such a manner as is necessary, for particular the performance or receipt of the Services under these Terms and Conditions and only on reasonable written instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organisation, unless required to do so by European Union or English law. In such case, the Processor will inform Controller of agrees that legal requirement before processing, unless that law prohibits such information on important grounds of public interest, (ii) ensure that persons authorised to Process it shall: process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation in accordance with the terms and conditions set out in this Supplementary Agreement and where the standards imposed by the data protection legislation regulating the Data Processor processing of confidentiality, (iii) take all measures required by Data Protection Law relating to data security, (iv) not engage another party to Process the Personal Data without are higher than those prescribed in this Supplementary Agreement, then in accordance with such legislation; process the Personal Data strictly in accordance with the purposes relevant to the Services in the manner specified from time to time by the Data Controller’s ; and for no other purpose or in any other manner except with the express prior written authorisationconsent of the Data Controller; implement appropriate technical and organisational measures to safeguard the Personal Data from unauthorised or unlawful processing or accidental loss, and if such authorisation is granteddestruction or damage in compliance with best industry standards, take those measures required pursuant having regard to the Data Protection Law, (v) taking into account state of technological development and the cost of implementing any measures, such measures shall ensure a level of security appropriate to the harm that might result from unauthorised or unlawful processing or accidental loss, destruction or damage and to the nature of the ProcessingPersonal Data to be protected; in accordance with Article 13 of UNHCR General Conditions of Contract for the Provision of Services (Annex A to the Main Agreement), assist regard Personal Data as confidential data and not disclose such data without the prior written authorization of the Data Controller to any person other than to its employees, agents or subcontractors to whom disclosure is necessary for the performance of the Services, except (subject to Section 2.2 below) as may be required by appropriate any law or regulation affecting the Data Processor; implement technical and organisational measuresmeasures to procure the confidentiality, insofar as this is possibleprivacy, for the fulfilment integrity, availability, accuracy and security of the Controller’s obligation to respond to requests for exercising the Data Subject’s rights laid down in the Data Protection Law, (vi) assist Controller in ensuring its compliance with data security, Personal Data Breachincluding establishing organisational policies for employees, data protection impact assessments, agents and engaging in other consultations, pursuant to Data Protection Law (taking into account the nature of processing and the information available to subcontractors aimed at complying with the Data Processor), (vii) not keep ’s duties to safeguard the Personal Data it receives in accordance with this Supplementary Agreement; implement backup processes as agreed between the Data Controller and Data Processor to procure the availability of the Personal Data at all times and ensure that the Data Controller will have access to such backup of the Personal Data as is reasonably required by the Data Controller; ensure that any disclosure to an employee, agent or subcontractor is subject to a binding legal obligation to comply with the obligations of the Data Processor under these Terms this Supplementary Agreement including compliance with relevant technical and Conditions for longer than required organisational measures for the execution of these Terms confidentiality, privacy, integrity, availability, accuracy and Conditions, unless European Union or English law requires storage security of the Personal Data. For the avoidance of doubt, any agreement, contract or other arrangement with an employee, agent or subcontractor shall not relieve the Data Processor of its obligation to comply fully with this Supplementary Agreement, and will promptly the Data Processor shall remain fully responsible and liable for ensuring full compliance with this Supplementary Agreement; comply with any commercially reasonable request from the Data Controller requiring Processor to amend, transfer, transfer or delete Personal Data; provide a copy of all or specified Personal Data held by it in a format and or a media reasonably specified by the Data Controller within reasonable timeframes as agreed between the Parties; should the Data Processor receive any complaint, notice or communication which relates directly or indirectly to the processing of the Personal Data or to either Party’s compliance with applicable law, immediately notify the Data Controller and provide the Data Controller with full co-operation and assistance in relation to any complaints, notices or communications; promptly inform the Data Controller if any Personal Data is lost or destroyed or becomes damaged, corrupted or unstable and at the request of the Data Controller, restore such Personal Data at its own expense; in the event of the exercise by Data Subjects of any rights in relation to their Personal Data, inform the Data Controller as soon as possible, assist the Data Controller with all data subject information requests or complaints which may be received from any Data Subject in relation to any Personal Data; not use the Personal Data of Data Subjects to contact, communicate or otherwise engage with the Data Subjects including transmission of any marketing or other commercial communications to the Data Subjects, except in accordance with the written consent of the Data Controller or to comply with a court order. For the avoidance of doubt, the Data Processor is not prohibited from contact, communication or engaging with the Data Subject in so far as this does not involve processing of Personal Data and the Data Processor procures that the promotion or offer of services is not in any manner associated to the Data Controller or the Data Controller’s services; not process or transfer the Personal Data outside of the country of its registered office except with the express prior written consent of the Data Controller pursuant to a request in writing from the Data Processor to the Data Controller. Under no circumstance shall any data be shared with beneficiaries’ country of origin; permit and procure that its data processing facilities, procedures and documentation be submitted for scrutiny by the Data Controller or its authorised representatives, on request, in order to audit or otherwise ascertain compliance with the terms of this Agreement; advise the Data Controller of any significant change in the risk of unauthorised or unlawful processing or accidental loss, destruction or damage of Personal Data; and If pursuant to any law or regulation affecting the Data Processor, Personal Data is sought by any governmental body, the Data Processor shall: promptly notify the Data Controller of this fact and consult with the Data Controller regarding the Data Processor’s response to the demand or request by such governmental body; inform such governmental body that such Personal Data is privileged due to the status of the Data Controller as a subsidiary organ of the United Nations, as a result of which it enjoys certain privileges and immunities as set forth in the Convention on the Privileges and Immunities of the United Nations (the “General Convention”); request such governmental body either to redirect the relevant request for disclosure directly to the Data Controller or to grant the Data Controller the opportunity to present its position regarding the privileges status of such Personal Data; cooperate with the Data Controller’s reasonable requests in connection with efforts by the Data Controller to ensure that its privileges and immunities are upheld and, to the extent that permissible by law, seek to contest or challenge the Controller does not have demand or request based on, inter alia, the ability to do so itself, (viii) subject to the confidentiality restrictions herein, make available to Controller all information necessary to demonstrate compliance with Data Protection Law and allow for and contribute to auditsController’s status, including inspectionsits privileges and immunities; where the Data Processor is prohibited by applicable law or the governmental body from notifying the Data Controller of a governmental body’s request for such Personal Data, conducted by Controllernotify the Data Controller promptly upon the lapse, and (ix) immediately inform termination, removal or modification of such prohibition; provide the Data Controller ifwith true, in its opinioncorrect and complete copies of the governmental body’s demands and requests, an instruction from the Data Processor’s responses thereto, and keep the Data Controller infringes Data Protection Law that is applicable to Processorinformed of all developments and communications with the governmental body. The subject matter obligations and duration restrictions in Section 2.1 and Section 2.2 of this Supplementary Agreement shall be effective during the Processingterm of this Supplementary Agreement, the nature and purpose of the Processingincluding any extension thereof, and shall remain effective following any termination of this Supplementary Agreement, unless otherwise agreed between the type of Personal Data and categories of Data Subjects will be described Parties in the Arrangement Letter, or other written agreement signed by the parties. Each party represents that it has obtained the proper consent from all Data Subjects to the disclosure and transfer of Personal Data under these Terms and Conditions. In addition, Client acknowledges that Protiviti may use this information as part of its client account opening and general administration process (e.g., in order to carry out anti-money laundering, conflict and financial checks, invoicing, or debt recovery). For these purposes, the information may be transferred to or accessible from Protiviti’s offices around the worldwriting.

Data Processing. In 2.1 The parties agree that as between them, for the provision purpose of Servicesthe Data Protection Legislation, Protiviti Buyer shall be deemed the controller and Cimple shall be deemed the processor in relation to any Controller’s Data processed by Cimple (or its Sub-processors) under this DP Annex or for the “Processor”purpose of these T&Cs and it shall be the responsibility of Buyer to ensure compliance with the obligations imposed by the Data Protection Legislation on the controller of the Controller’s Data. 2.2 Cimple shall process the Controller’s Data in accordance with this DP Annex (including the Data Processing Details) may be Processing Personal and Applicable Laws and solely for the Permitted Purposes. 2.3 Cimple shall process the Controller’s Data on behalf of the other party (the “Controller”). In these circumstances, Protiviti will: (i) Process Personal Data only to the extent, Buyer and in such accordance with the written instructions of Buyer unless required otherwise by law or upon the requirement of a manner governmental authority under Applicable Law. For the avoidance of doubt, Buyer hereby authorises Cimple to process the Controller’s Data as set out in the Data Processing Details and as required to fulfil Cimple’s obligations under these T&Cs. 2.4 In the event that Cimple is necessary, for required by law in upon the performance or receipt requirement of a governmental authority under Applicable Law to carry out any processing of the Services under these Terms and Conditions and only on reasonable Controller’s Data not in accordance with the written instructions from the Controllerof Buyer, including with regard to transfers of Personal Data to a third country or an international organisation, unless required to do so by European Union or English law. In such case, the Processor will Cimple shall inform Controller Buyer of that legal requirement before carrying out the processing, unless that law prohibits such information on important grounds of public interest,. (ii) ensure that persons authorised to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, (iii) take all measures required by Data Protection Law relating to data security, (iv) not engage another party to Process Personal Data without 2.5 Cimple shall treat the Controller’s prior written authorisation, and if such authorisation is granted, take those measures required pursuant to the Data Protection Law, (v) taking into account the nature processed under this DP Annex as Buyer Confidential Information in accordance with clause 16 of the ProcessingT&Cs and shall ensure that its employees, assist Controller consultants, Sub-processors, affiliates and other persons authorised by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of Cimple to process the Controller’s obligation to respond to requests for exercising Data are bound by confidentiality obligations (whether contractual or imposed under Applicable Law) in respect of the Data Subject’s rights laid down processing of such data. 2.6 Buyer acknowledges and agrees that, in the Data Protection Law, (vi) assist Controller in ensuring its compliance with data security, respect of any Personal Data Breachreceived from Buyer, data protection impact assessmentsCimple will rely on Buyer and that it is Buyer’s sole responsibility to ensure that the Controller’s Data is and will remain accurate, up-to-date, relevant and engaging in other consultations, pursuant to Data Protection Law (taking into account suitable for the nature purpose of processing and the information available to the Data Processor), (vii) not keep the Personal Data it receives under these Terms and Conditions for longer than required for the execution of these Terms and Conditions, unless European Union or English law requires storage of the Personal Data, and will promptly comply with any commercially reasonable request from Controller requiring Processor to amend, transfer, or delete the Personal Data, to the extent that the Controller does not have the ability to do so itself, (viii) subject to the confidentiality restrictions herein, make available to Controller all information necessary to demonstrate compliance with Data Protection Law and allow for and contribute to audits, including inspections, conducted by Controller, and (ix) immediately inform Controller if, in its opinion, an instruction from Controller infringes Data Protection Law that is applicable to Processor. The subject matter and duration of the Processing, the nature and purpose of the Processing, and the type of Personal Data and categories of Data Subjects will be described in the Arrangement Letter, or other written agreement signed by the parties. Each party represents that it has obtained the proper consent from all Data Subjects to the disclosure and transfer of Personal Data under these Terms and Conditions. In addition, Client acknowledges that Protiviti may use this information as part of its client account opening and general administration process (e.g., is processed for lawful purposes in order to carry out anti-money laundering, conflict and financial checks, invoicing, or debt recovery). For these purposes, the information may be transferred to or accessible from Protiviti’s offices around the worldaccordance with Applicable Laws.

Data Processing. In 1. Processor shall: a) process the provision of Services, Protiviti (the “Processor”) may be Processing Personal Data on behalf of the other party (the “Controller”). In these circumstances, Protiviti will: only (i) Process Personal Data only to the extent, and in such a manner as is necessary, for the performance or receipt of the Services under these Terms and Conditions and only on reasonable written documented instructions from the Controller, including with regard to transfers of Personal Data to a third country as further specified in the Agreement, or an international organisation, unless (ii) where required to do so by European Union or English law. In such caseMember State law to which Processor is subject, the in which case Processor will shall inform Controller of that legal requirement before processingin advance, unless that law prohibits such information on important grounds of public interest,prohibited by law; (iib) ensure that persons authorised authorized to Process process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, (iii; c) take all measures required by Data Protection Law relating of Processor pursuant to data security, (iv) not engage another party to Process Personal Data without Article 32 of the Controller’s prior written authorisationGDPR; where Citrix acts as Processor, and if such authorisation is granted, take those the measures required pursuant are described in Exhibit 2 below, “Citrix Services Security Exhibit”; d) respect the conditions referred to the Data Protection Law,in Article 4 for engaging another processor; (ve) taking into account the nature of the Processing, assist provide Controller by appropriate technical and organisational measures, insofar as this is possible, for reasonable assistance in the fulfilment of the Controller’s obligation to respond to requests for exercising the Data Subject’s data subject's rights laid down in Chapter III of the Data Protection Law,GDPR; (vif) assist Controller in ensuring its Controller’s compliance with data security, Personal Data Breach, data protection impact assessments, and engaging in other consultations, the obligations pursuant to Data Protection Law (Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to Citrix; g) return or provide an opportunity for Controller to retrieve all Personal Data after the termination of the Agreement and delete existing copies as follows: Controller shall have thirty (30) calendar days to download its Personal Data after termination of the Agreement and must contact the Processor),’s technical support for download access and instructions. Should Controller not contact Processor’s technical support for this purpose within thirty (30) calendar days after the termination of the Agreement, Processor shall delete Controller Personal Data promptly once that Personal Data is no longer accessible by Controller, except for (viii) not keep secure back-ups deleted in the Personal Data it receives under these Terms ordinary course, and Conditions for longer than (ii) retention as required for by applicable law; in the execution event of either (i) or (ii), Processor will continue to comply with the relevant provisions of these GDPR Terms and Conditions, unless European Union or English law requires storage of the Personal Data, and will promptly comply with any commercially reasonable request from Controller requiring Processor to amend, transfer, or delete the Personal Data, to the extent that the Controller does not have the ability to do so itself,until such data has been deleted; (viiih) subject to the confidentiality restrictions herein, make available to Controller all information necessary to demonstrate compliance with Data Protection Law the obligations laid down in Article 28 of the GDPR and allow for and contribute to auditsaudits by Controller or Controller third-party auditor, including inspections, conducted by Controller, andin accordance with Article 10 below; (ixi) immediately inform Controller if, in its Processor’s opinion, an any instruction from infringes the GDPR or other Union or Member State data protection provisions, provided that Processor shall have no obligation to independently inspect or verify Controller infringes use or processing of Personal Data; and j) inform Controller of and provide Controller reasonable assistance in meeting Controller’s obligations in regard to any Personal Data Protection Law that is applicable to Processorbreach, in accordance with Article 8 below. 2. The subject matter and duration of the ProcessingWhere Processor engages another processor for carrying out specific processing activities on Controller behalf, the nature and purpose same data protection obligations as set out in these GDPR Terms shall be imposed on that other processor as applicable by way of the Processing, and the type of Personal Data and categories of Data Subjects will be described in the Arrangement Lettera contract, or other written agreement signed by legal act under Union or Member State law, providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the partiesprocessing will meet the applicable requirements of the GDPR. Each party represents Where that it has obtained other processor fails to fulfil its data protection obligations, Processor shall remain responsible for the proper consent from all Data Subjects to the disclosure and transfer performance of Personal Data under these Terms and Conditions. In addition, Client acknowledges that Protiviti may use this information as part of its client account opening and general administration process (e.g., in order to carry out anti-money laundering, conflict and financial checks, invoicing, or debt recovery). For these purposes, the information may be transferred to or accessible from Protiviti’s offices around the worldother processor's obligations.