Common use of Data Processor’s Obligations Clause in Contracts

Data Processor’s Obligations. 4.1. The Data Processor processes personal data under concluded agreements only, with the purpose, nature and scope of data processing being subject exclusively to the Data Controller’s direction. The Data Processor may not transfer personal data to third parties. The Data Processor shall, upon the Data Controller’s request, provide to the Data Controller all information on the Data Controller’s personal data and information. In its processing of data, the Data Processor may deviate from such directions only to the extent that the Data Controller has consented thereto in writing. 4.2. The Data Processor will assist the Data Controller with the implementation as well as the full and swift completion of controls. Where the Data Controller, based upon applicable data protection law, is obliged to inform an individual about the collection, processing or use of its personal data, the Data Processor shall assist the Data Controller in making this information. 4.3. The Data Controller shall retain title as to any carrier media provided to the Data Processor as well as any copies or reproductions thereof. The Data Processor shall store such media safely and protect them against unauthorised access by third parties. Documents and files containing personal data that are no longer needed must not be deleted without the Data Controller’s prior written consent. 4.4. The Data Processor hereby confirms that it has appointed a privacy officer, and undertakes to identify the privacy officer to the Data Controller in writing (electronic mail being admissible). 4.5. For the purpose of proper personal data processing, the Data Processor represents and warrants that all agreed measures will be implemented as intended. 4.6. The Data Processor must ensure that its enterprise and the course of its operations are aligned with the objective protecting the data processed on the Data Controller’s behalf as required – e.g., against unauthorised third- party access. Upon the Data Controller’s request, the Data Processor shall provide a comprehensive and current personal data protection and security program covering processing hereunder. The Data Processor will duly consult the Data Controller before implementing any changes to the system of procession the Data Controller’s data, provided such changes affect data security. 4.7. Data Processor will promptly notify the Data Controller if and when it deems the latter’s Direction to be in violation of applicable law, and the Data Processor shall place on hold the Data Controller’s Direction until the Direction is compliant, by the Data Controller. 4.8. The Data Processor is obliged to promptly inform the Data Controller of each violation of Data protection law provisions, contractual terms and/or the Data Controller’s Direction that has occurred in the course of its own or a third party’s processing of data. 4.9. The Data Controller’s consent is required for any data handled on the Data Controller’s behalf to be processed at a location other than the Data Processors’ – or any subcontractor’s – places of business. 4.10. The Data Processor must adequately label the data it processes on the Data Controller’s behalf. Insofar as data is processed for more than one purpose, the Data Processor must tag the data with the appropriate purpose. 4.11. The Data Processor must assist the Data Controller with the preparation of a list of procedures and will furnish the Data Controller with any required information in a suitable manner. 4.12. The Data Processor must inform the Data Controller without delay in case of a control or measures of the relevant Supervisory Authority. 4.13. The Data Processor shall be obliged to audit and verify the fulfilment of the above-entitled obligations and shall maintain an adequate documentation of such verification.

Data Processor’s Obligations. 4.11. The Data Processor processes personal data under concluded effective agreements only, with the purpose, nature and scope of data processing being subject exclusively to the Data Controller’s directiondirections. The Data Processor may not transfer personal data to third parties. The Data Processor shall, upon the Data Controller’s Controller´s request, provide to the Data Controller all information on the Data Controller’s Controller´s personal data and information. In its processing of data, the Data Processor may deviate from such directions only to the extent that the Data Controller has consented thereto in writing. 4.22. The Data Processor will assist the Data Controller with the implementation as well as the full and swift completion of controls. Where the Data Controller, based upon applicable data protection law, is obliged to inform an individual about the collection, processing or use of its personal data, the Data Processor shall assist the Data Controller in making this information. 4.33. The Data Controller shall retain title as to any carrier media provided to the Data Processor as well as any copies or reproductions thereof. The Data Processor shall store such media safely and protect them against unauthorised unauthorized access by third parties. Documents and files containing personal data that are no longer needed must not be deleted without the Data Controller’s prior written consent. 4.44. The Data Processor hereby confirms that it has appointed a privacy officer, and undertakes to identify the privacy officer to the Data Controller in writing (electronic mail being admissible). 4.55. For the purpose purposes of proper personal data processing, the Data Processor represents and warrants that all agreed measures will be implemented as intended. 4.66. The Data Processor must ensure that its enterprise and the course of its operations are aligned with the objective of protecting the data processed on the Data Controller’s behalf as required – e.g., against unauthorised third- unauthorized third-party access. Upon the Data Controller’s Controller´s request, the Data Processor shall provide a comprehensive and current personal data protection and security program covering processing hereunder. The Data Processor will duly consult the Data Controller before implementing any changes to the system of procession processing the Data Controller’s data, provided such changes affect data security. 4.77. The Data Processor will promptly notify the Data Controller if and when it deems the latter’s Direction directions to be in violation of applicable law, and the Data Processor shall place on hold the Data Controller’s Direction may put off following any such direction until the Direction it is compliant, confirmed or changed by the Data Controller. 4.88. The Data Processor is obliged obligated to promptly inform the Data Controller of each violation of Data protection law provisions, contractual terms and/or the Data Controller’s Direction directions that has occurred in the course of its own or a third party’s processing of data. 4.99. The Data Controller’s consent is required for any data handled on the Data Controller’s behalf to be processed at a location other than the Data Processors’ – or any subcontractor’s – places of business. 4.1010. The Data Processor must adequately label the data it processes on the Data Controller’s behalf. Insofar as data is processed for more than one purpose, the Data Processor must tag the data with the appropriate purpose. 4.1111. The Data Processor must assist the Data Controller with the preparation of a list of procedures and will furnish the Data Controller with any required information in a suitable manner. 4.1212. The Data Processor must inform the Data Controller without delay in case of a control or measures of the relevant Supervisory Authority. 4.1313. The Data Processor shall be obliged to audit and verify the fulfilment of the above-entitled obligations and shall maintain an adequate documentation of such verification.