Common use of DATA PROTECTION AND DATA PROCESSING Clause in Contracts

DATA PROTECTION AND DATA PROCESSING. 10.1. For the purposes of this Agreement, both parties may receive Personal Data. Where the parties receive Personal Data as Data Controllers each party agrees to comply with the current Data Protection Legislation. 10.2. Throughout the commercial relationship of the parties, each party will be processing the Personal Data of the other’s employees in order to facilitate contact and co-operation between the parties. 10.3. Notwithstanding the Personal Data described in Clause 10.2, the Customer will, acting as Data Controller be passing Personal Data to the Supplier as Data Processor pursuant to this Agreement. 10.4. Where a party receives Personal Data as a Data Processor, that party shall: 10.4.1. act solely on the instructions of the party sending the Personal Data in relation to the processing of that Personal Data. In the event that a legal requirement prevents the Data Processor from complying with such instructions the Data Processor shall, unless such legal requirement prohibits it from doing so, inform the other party of the relevant legal requirement before carrying out the relevant processing activities; ▇▇.▇.▇. ▇▇ all times, ensure that the necessary technical and organisational measures are in place to prevent unauthorised and unlawful processing or disclosure of such Personal Data and such measures shall include taking reasonable steps to ensure the reliability of any of its staff who may have access to Personal Data and ensuring that such staff are subject to appropriate confidentiality undertakings. The Data Processor shall, save where prohibited by law and as soon as reasonably practical, notify the other party of any legal obligation which requires the Data Processor to disclose the Personal Data to a third party; 10.4.3. not transfer the Personal Data outside of the European Economic Area (as such term is commonly understood) or to any third party without the other party’s written consent; 10.4.4. send to the other party any communications received from individuals in relation to their Personal Data as soon as reasonably practicable. The Data Processor shall provide reasonable co-operation to the other party in relation to any individuals exercising their rights under the Data Protection Legislation; 10.4.5. give the other party reasonable assistance in relation to its compliance with Data Protection Legislation; 10.4.6. take reasonable steps to ensure the confidentiality, integrity, availability and resilience of processing systems and services associated with the processing of Personal Data; 10.4.7. co-operate with and provide such information and access to any facilities, premises or equipment from or on which Personal Data is, has been, or is to be processed pursuant to this Agreement (including any such facilities, premises or equipment used by staff and / or sub-contractors) as the other party may reasonably require enabling it to monitor compliance by the Data Processor with the obligations in this Agreement; 10.4.8. notify the other party without undue delay and assist the other party with any investigation into and remediation of a Personal Data Breach. The Data Processor shall also provide the other party with reasonable assistance with any notifications made to relevant authorities and / or individuals in relation to a Personal Data Breach; 10.4.9. not subcontract any of its obligations under this Agreement regarding the processing of Personal Data to a third party (a “Sub- Processor”) without the prior written consent of the other party. The Data Processor shall be liable for the acts and omissions of the Sub-Processor as if they were the acts or omissions of the Data Processor itself and the Data Processor shall ensure that there is a written contract executed between the Data Processor and the Sub-Processor that contains equivalent protections for the Personal Data as are set out in this Agreement; 10.4.10. immediately cease processing the Personal Data and immediately supply any Personal Data to the other party or delete the Personal Data in accordance with the other party’s instructions; and 10.4.11. submit to audits and inspections carried out directly upon it by a supervisory authority or the Data Controller (no more often than once every twelve (12) months or as the Data Controller reasonably believes necessary, based on evidence and providing such evidence in notification to the Processor), and co-operate in any audits and inspections carried out upon the Data Controller; and 10.4.12. inform the Data Controller immediately of any requests made of it that would involve infringing Data Protection Legislation. 10.5. The Processor shall maintain and keep up to date records detailing the location of all Controller data (including Personal Data) together with details of any third parties with whom the Processor has shared any Controller data. 10.6. Nothing in this agreement relieves a Data Processor of its own direct obligations under Data Protection Legislation and Data Processor’s should be aware of the following additional obligations: ▇▇.▇.▇. ▇▇ co-operate with supervisory authorities as reasonably required; ▇▇.▇.▇. ▇▇ keep records of its own processing activities; ▇▇.▇.▇. ▇▇ employ a Data Protection Officer (if applicable) 10.7.The schedule of processing activities is detailed in Schedule 1.

DATA PROTECTION AND DATA PROCESSING. 10.18.1. For the purposes of this Agreement, both parties may receive Personal Data. Where the parties receive Personal Data as Data Controllers each party agrees to comply with the current Data Protection Legislation. 10.28.2. Throughout the commercial relationship of the parties, each party will be processing the Personal Data of the other’s employees in order to facilitate contact and co-operation between the parties. 10.38.3. Notwithstanding the Personal Data described in Clause 10.28.2, the Customer will, acting as Data Controller be passing Personal Data to the Supplier QGate as Data Processor pursuant to this Agreement. 10.48.4. Where a party QGate receives Personal Data as a Data Processor, that party QGate shall: 10.4.18.4.1. act solely on the instructions of the party sending the Personal Data Customer in relation to the processing of that Personal Data. In the event that a legal requirement prevents the Data Processor QGate from complying with such instructions the Data Processor QGate shall, unless such legal requirement prohibits it from doing so, inform the other party Customer of the relevant legal requirement before carrying out the relevant processing activities; ▇▇.▇.▇8.4.2. ▇▇ at all times, ensure that the necessary technical and organisational measures are in place to prevent unauthorised and unlawful processing or disclosure of such Personal Data and such measures shall include taking reasonable steps to ensure the reliability of any of its staff who may have access to Personal Data and ensuring that such staff are subject to appropriate confidentiality undertakings. The Data Processor QGate shall, save where prohibited by law and as soon as reasonably practical, notify the other party of any legal obligation which requires the Data Processor QGate to disclose the Personal Data to a third party; 10.4.38.4.3. not transfer the Personal Data outside of the European Economic Area (as such term is commonly understood) or to any third party without the other partyCustomer’s written consent; 10.4.48.4.4. send to the other party any communications received from individuals in relation to their Personal Data as soon as reasonably practicable. The Data Processor QGate shall provide reasonable co-operation to the other party in relation to any individuals exercising their rights under the Data Protection LegislationLegislation ; 10.4.58.4.5. give the other party Customer reasonable assistance in relation to its compliance with Data Protection Legislation; 10.4.68.4.6. take reasonable steps to ensure the confidentiality, integrity, availability and resilience of processing systems and services associated with the processing of Personal Data; 10.4.78.4.7. co-operate with and provide such information and access to any facilities, premises or equipment from or on which Personal Data is, has been, or is to be processed pursuant to this Agreement (including any such facilities, premises or equipment used by staff and / or sub-contractors) as the other party may reasonably require enabling it to monitor compliance by the Data Processor QGate with the obligations in this Agreement; 10.4.88.4.8. notify the other party Customer without undue delay and assist the other party Customer with any investigation into and remediation of a an actual or suspected Personal Data Breach. The Data Processor QGate shall also provide the other party Customer with reasonable assistance with any notifications made to relevant authorities and / or individuals in relation to a Personal Data Breach; 10.4.98.4.9. not subcontract any of its obligations under this Agreement regarding the processing of Personal Data to a third party (a “Sub- Processor”) without the prior written consent of the other partyCustomer. The Data Processor QGate shall be liable for the acts and omissions of the Sub-Sub- Processor as if they were the acts or omissions of the Data Processor QGate itself and the Data Processor QGate shall ensure that there is a written contract executed between the Data Processor QGate and the Sub-Processor that contains equivalent protections for the Personal Data as are set out in this Agreement; 10.4.108.4.10. immediately cease processing the Personal Data and immediately supply any Personal Data to the other party or delete the Personal Data in accordance with the other party’s instructions; and 10.4.118.4.11. submit to audits and inspections carried out directly upon it by a supervisory authority or the Data Controller Customer (no more often than once every twelve (12) months or as the Data Controller Customer reasonably believes necessary, based on evidence and providing such evidence in notification to the Processor), and co-operate in any audits and inspections carried out upon the Data ControllerCustomer; and 10.4.128.4.12. inform the Data Controller Customer immediately of any requests made of it that would involve infringing Data Protection Legislation. 10.58.5. The Processor shall maintain and keep up to date records detailing the location of all Controller Customer data (including Personal Data) together with details of any third parties with whom the Processor QGate has shared any Controller Customer data. 10.68.6. Nothing in this agreement relieves a Data Processor QGate of its own direct obligations under Data Protection Legislation and Data Processor’s should be aware QGate shall comply with of the following additional obligations: ▇▇.▇.▇8.6.1. ▇▇ To co-operate with supervisory authorities as reasonably required; ▇▇.▇.▇8.6.2. ▇▇ To keep records of its own processing activities; ▇▇.▇.▇8.6.3. ▇▇ To employ a Data Protection Officer (if applicable) 10.7.The ) 8.7. The schedule of processing activities is detailed in Schedule 1. 8.8. QGate shall (and shall ensure that all persons acting on its behalf and all QGate Personnel shall), promptly following the Customer’s written request, either securely delete or securely return all Personal Data to the Customer in such form as the Customer reasonably requests. 8.9. QGate shall (and shall ensure that all persons acting on its behalf and all QGate Personnel shall), following written confirmation by the Customer that it has received a functional copy of all Personal Data, securely delete all the Personal Data promptly after the earlier of: 8.9.1. the end of the provision of the relevant Services or Support related to processing of such Personal Data; or 8.9.2. once processing by the QGate of any Personal Data is no longer required for the purpose of QGate’s performance of its relevant obligations under this Agreement, 8.10. (unless storage of any data is required by Applicable Law and, if so, QGate shall inform the Customer of any such requirement).