Common use of DATA PROTECTION AND FREEDOM OF INFORMATION Clause in Contracts

DATA PROTECTION AND FREEDOM OF INFORMATION. If and to the extent that the Supplier (for the purpose of this Clause 8, the ‘Data Processor’) processes any Personal Data on behalf of LSE under this Agreement (for the purpose of this clause 8, the Data Controller’) the Data Processor undertakes to the Data Controller that the Data Processor: Will comply with all Data Protection legislation comply with the obligations imposed on the Data Controller by the Security Data Protection Principle, namely: to only Process Personal Data for and on behalf of the Data Controller for the purpose of performing this Agreement and in accordance with this Agreement (and where necessary only on instructions from the Data Controller to ensure compliance with Data Protection Legislation); where applicable, to provide all reasonable assistance to the Data Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Data Controller, include: a systematic description of the envisaged processing operations and the purpose of the processing; an assessment of the necessity and proportionality of the processing operations in relation to the Services; an assessment of the risks to the rights and freedoms of Data Subjects; and the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. to maintain Protective Measures which have been reviewed and approved by the Data Controller sufficient to comply at least with the obligations imposed on the Data Controller by the Security Data Protection Principle These measures will protect against a data loss event having taken into account: the nature of the data to be protected; the harm that might result from a Data Loss Event; the state of technological development; and the cost of implementing any measures; to allow representatives of the Data Controller to audit the Data Processor's compliance with the requirements of this Clause 8.1.2 on reasonable notice and/or, at the option of the Data Controller, on request to provide the Data Controller with evidence of its compliance with such requirements; to not engage another processor without prior specific or general written authorisation of the Data Controller; where applicable, shall not transfer any Personal Data outside the European Economic Area without the prior written consent of the Data Controller and that the following conditions are fulfilled: the Data Controller or the Data Processor has provided appropriate safeguards in relation to the transfer (in accordance with Data Protection legislation) as determined by the Data Controller; the Data Subject has enforceable rights and effective legal remedies; the Data Processor complies with its obligations under the DPA by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Data Controller in meeting its obligations); and the Data Processor complies with any reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the Personal Data; The Data Processor shall assist the Data Controller to comply with any obligations imposed on the Data Controller by the DPA in relation to any Personal Data Processed by the Data Processor including: providing the Data Controller with reasonable assistance in complying with any subject access request served on the Data Controller under the DPA and by immediately informing the Data Controller if it considers any of the Data Controller’s instructions to infringe the DPA; promptly inform the Data Controller about the receipt of any subject access request received by the Data Processor in relation to Personal Data Processed pursuant to this Agreement; and not disclose any Personal Data in response to a data subject access request without first consulting with and obtaining the written consent of the Data Controller. The Data Processor shall notify the Data Controller immediately if it: receives a Data Subject Access Request (or purported Data Subject Access Request); receives a request to rectify, block or erase any Personal Data; receives any other request, complaint or communication relating to either Party's obligations under Data Protection Legislation; receives any communication from the ICO or any other regulatory authority in connection with Personal Data processed under this Agreement; receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or becomes aware of a Data Loss Event. The Data Processor shall assist the Data Controller in complying with their obligations under Data Protection Legislation regarding any complaint, communication or request by promptly providing: the Data Controller with full details and copies of the complaint, communication or request; such assistance as is reasonably requested by the Data Controller to enable the Data Controller to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; the Data Controller, at its request, with any Personal Data it holds in relation to a Data Subject; assistance, as requested by the Data Controller, following any Data Loss Event; assistance, as requested by the Data Controller, with respect to any request from the ICO , or any consultation by the Data Controller with the ICO. The Data Processor shall maintain complete and accurate records and information to demonstrate its compliance with this clause. The Data Processor shall not sub-contract any of its obligations or rights under this Contract without the prior written consent of the Data Controller (such consent not to be unreasonably withheld). In the event that the Data Processor appoints a Sub-Processor (with the written consent of the Data Controller), the Data Processor shall: enter into a Sub-processing Agreement with the Sub-Processor which shall impose upon the Sub-Processor the same obligations as are imposed upon the Data Processor by this Agreement and which shall permit both the Data Processor and the Data Controller to enforce those obligations; and ensure that the Sub-Processor complies fully with its obligations under the Sub-Processing Agreement and the DPA. In the event that a Sub-Processor fails to meet its obligations under any Sub-Processing Agreement, the Data Processor shall remain fully liable to the Data Controller for failing to meet its obligations under this Agreement. On expiry or termination of the Agreement, the Data Processor shall immediately cease processing the Personal Data and, at the Data Controller’s option or direction, arrange for the prompt and safe return and/or destruction of all of the Personal Data with all copies in its possession or control and, where requested by the Data Controller, certify that such destruction or return has taken place. The Data Processor agrees to indemnify the Data Controller in full with respect to any claims it may receive from the Data Controller relating to all direct liabilities, costs, monetary penalties, expenses (including legal expenses), damages or any other claims (‘the losses’) imposed on the Data Controller from the ICO (or such successor organisation or regulator thereof ) as a result of the Data Processor’s breach (this includes any act or a omission by the Data Processor) of Data Protection legislation and/or any other obligations set out under this clause 8. The Supplier shall assist and cooperate with LSE to enable it to comply with its obligations under FOIA. In particular, the Supplier shall: transfer to LSE all requests for Information pursuant to FOIA that it receives as soon as practicable and in any event within two (2) Business Days of receiving the request; and provide LSE with assistance in complying with requests for Information received pursuant to FOIA including the provision of Information held on behalf of LSE and covered by the request in the form that LSE requires. Such assistance shall be provided promptly and in any event within three (3) Business Days of LSE making a request to the Supplier to provide any necessary Information or assistance. As soon as reasonably practicable following receipt of a request for assistance under sub clause 8.10, the Supplier shall: notify LSE whether it holds the Information covered by the request on behalf of LSE, provided that LSE shall not be obliged to display a copy of the request to the Supplier; if it does so hold the Information, provide all such Information covered by the request to LSE; and demonstrate to the satisfaction of LSE the steps taken by the Supplier to comply with its obligations under this sub Clause 8.11 In no event shall the Supplier respond directly to a request for Information unless expressly authorised to do so by LSE. The Supplier acknowledges that LSE may, and/or may be obliged to, disclose any information received from the Supplier including any Commercially Sensitive Information. Notwithstanding the provisions of Clause 8.13 and subject to Clause 8.16 LSE shall consult with the Supplier prior to responding to any request under FOIA for Commercially Sensitive Information received by LSE from the Supplier. LSE shall take account of any response received from the Supplier pursuant to Clause 8.14 but, notwithstanding this, LSE shall be responsible for determining in its absolute discretion and, notwithstanding any other provision in this Contract or any other Contract, whether the Commercially Sensitive Information and/or any other Information is exempt from disclosure in accordance with the provisions of FOIA. The Supplier acknowledges that LSE may be obliged under FOIA to disclose information concerning the Supplier or the Services: in certain circumstances without consulting the Supplier; or following consultation with the Supplier and having taken its views into account,

DATA PROTECTION AND FREEDOM OF INFORMATION. If and to the extent that the Supplier (for the purpose of this Clause 8, the ‘Data Processor’) processes any Personal Data on behalf of LSE under this Agreement (for the purpose of this clause 8, the Data Controller’) the Data Processor undertakes to the Data Controller that the Data Processor: Will comply with all Data Protection legislation comply with the obligations imposed on the Data Controller by the Security Data Protection Principle, namely: to only Process Personal Data for and on behalf of the Data Controller for the purpose of performing this Agreement and in accordance with this Agreement (and where necessary only on instructions from the Data Controller to ensure compliance with Data Protection Legislation); where applicable, to provide all reasonable assistance to the Data Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Data Controller, include: a systematic description of the envisaged processing operations and the purpose of the processing; an assessment of the necessity and proportionality of the processing operations in relation to the Services; an assessment of the risks to the rights and freedoms of Data Subjects; and the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. to maintain Protective Measures which have been reviewed and approved by the Data Controller sufficient to comply at least with the obligations imposed on the Data Controller by the Security Data Protection Principle These measures will protect against a data loss event having taken into account: the nature of the data to be protected; the harm that might result from a Data Loss Event; the state of technological development; and the cost of implementing any measures; to allow representatives of the Data Controller to audit the Data Processor's compliance with the requirements of this Clause 8.1.2 on reasonable notice and/or, at the option of the Data Controller, on request to provide the Data Controller with evidence of its compliance with such requirements; to not engage another processor without prior specific or general written authorisation of the Data Controller; where applicable, shall not transfer any Personal Data outside the European Economic Area without the prior written consent of the Data Controller and that the following conditions are fulfilled: the Data Controller or the Data Processor has provided appropriate safeguards in relation to the transfer (in accordance with Data Protection legislation) as determined by the Data Controller; the Data Subject has enforceable rights and effective legal remedies; the Data Processor complies with its obligations under the DPA by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Data Controller in meeting its obligations); and the Data Processor complies with any reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the Personal Data; The Data Processor shall assist the Data Controller to comply with any obligations imposed on the Data Controller by the DPA in relation to any Personal Data Processed by the Data Processor including: providing the Data Controller with reasonable assistance in complying with any subject access request served on the Data Controller under the DPA and by immediately informing the Data Controller if it considers any of the Data Controller’s instructions to infringe the DPA; promptly inform the Data Controller about the receipt of any subject access request received by the Data Processor in relation to Personal Data Processed pursuant to this Agreement; and not disclose any Personal Data in response to a data subject access request without first consulting with and obtaining the written consent of the Data Controller. The Data Processor shall notify the Data Controller immediately if it: receives a Data Subject Access Request (or purported Data Subject Access Request); receives a request to rectify, block or erase any Personal Data; receives any other request, complaint or communication relating to either Party's obligations under Data Protection Legislation; receives any communication from the ICO or any other regulatory authority in connection with Personal Data processed under this Agreement; receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or becomes aware of a Data Loss Event. The Data Processor shall assist the Data Controller in complying with their obligations under Data Protection Legislation regarding any complaint, communication or request by promptly providing: the Data Controller with full details and copies of the complaint, communication or request; such assistance as is reasonably requested by the Data Controller to enable the Data Controller to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; the Data Controller, at its request, with any Personal Data it holds in relation to a Data Subject; assistance, as requested by the Data Controller, following any Data Loss Event; assistance, as requested by the Data Controller, with respect to any request from the ICO , or any consultation by the Data Controller with the ICO. The Data Processor shall maintain complete and accurate records and information to demonstrate its compliance with this clause. The Data Processor shall not sub-contract any of its obligations or rights under this Contract without the prior written consent of the Data Controller (such consent not to be unreasonably withheld). In the event that the Data Processor appoints a Sub-Processor (with the written consent of the Data Controller), the Data Processor shall: enter into a Sub-processing Agreement with the Sub-Processor which shall impose upon the Sub-Processor the same obligations as are imposed upon the Data Processor by this Agreement and which shall permit both the Data Processor and the Data Controller to enforce those obligations; and ensure that the Sub-Processor complies fully with its obligations under the Sub-Processing Agreement and the DPA. In the event that a Sub-Processor fails to meet its obligations under any Sub-Processing Agreement, the Data Processor shall remain fully liable to the Data Controller for failing to meet its obligations under this Agreement. On expiry or termination of the Agreement, the Data Processor shall immediately cease processing the Personal Data and, at the Data Controller’s option or direction, arrange for the prompt and safe return and/or destruction of all of the Personal Data with all copies in its possession or control and, where requested by the Data Controller, certify that such destruction or return has taken place. The Data Processor agrees to indemnify the Data Controller in full with respect to any claims it may receive from the Data Controller relating to all direct liabilities, costs, monetary penalties, expenses (including legal expenses), damages or any other claims (‘the losses’) imposed on the Data Controller from the ICO (or such successor organisation or regulator thereof ) as a result of the Data Processor’s breach (this includes any act or a omission by the Data Processor) of Data Protection legislation and/or any other obligations set out under this clause 8. The Supplier shall assist and cooperate with LSE to enable it to comply with its obligations under FOIA. In particular, the Supplier shall: transfer to LSE all requests for Information pursuant to FOIA that it receives as soon as practicable and in any event within two (2) Business Days of receiving the request; and provide LSE with assistance in complying with requests for Information received pursuant to FOIA including the provision of Information held on behalf of LSE and covered by the request in the form that LSE requires. Such assistance shall be provided promptly and in any event within three (3) Business Days of LSE making a request to the Supplier to provide any necessary Information or assistance. As soon as reasonably practicable following receipt of a request for assistance under sub clause 8.10, the Supplier shall: notify LSE whether it holds the Information covered by the request on behalf of LSE, provided that LSE shall not be obliged to display a copy of the request to the Supplier; if it does so hold the Information, provide all such Information covered by the request to LSE; and demonstrate to the satisfaction of LSE the steps taken by the Supplier to comply with its obligations under this sub Clause 8.11 In no event shall the Supplier respond directly to a request for Information unless expressly authorised to do so by LSE. The Supplier acknowledges that LSE may, and/or may be obliged to, disclose any information received from the Supplier including any Commercially Sensitive Information. Notwithstanding the provisions of Clause 8.13 and subject to Clause 8.16 LSE shall consult with the Supplier prior to responding to any request under FOIA for Commercially Sensitive Information received by LSE from the Supplier. LSE shall take account of any response received from the Supplier pursuant to Clause 8.14 but, notwithstanding this, LSE shall be responsible for determining in its absolute discretion and, notwithstanding any other provision in this Contract or any other Contract, whether the Commercially Sensitive Information and/or any other Information is exempt from disclosure in accordance with the provisions of FOIA. The Supplier acknowledges that LSE may be obliged under FOIA to disclose information concerning the Supplier or the Services: in certain circumstances without consulting the Supplier; or following consultation with the Supplier and having taken its views into account,

DATA PROTECTION AND FREEDOM OF INFORMATION. If and to the extent that the Supplier (for the purpose of this Clause 89, the ‘Data Processor’) processes any Personal Data on behalf of LSE under this Agreement (for the purpose of this clause 89, the Data Controller’) the Data Processor undertakes to the Data Controller that the Data Processor: Will comply with all Data Protection legislation comply with the obligations imposed on the Data Controller by the Security Data Protection Principle, namely: to only Process Personal Data for and on behalf of the Data Controller for the purpose of performing this Agreement and in accordance with this Agreement (and where necessary only on instructions from the Data Controller to ensure compliance with Data Protection Legislation); where applicable, to provide all reasonable assistance to the Data Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Data Controller, include: a systematic description of the envisaged processing operations and the purpose of the processing; an assessment of the necessity and proportionality of the processing operations in relation to the Services; an assessment of the risks to the rights and freedoms of Data Subjects; and the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. to maintain Protective Measures which have been reviewed and approved by the Data Controller sufficient to comply at least with the obligations imposed on the Data Controller by the Security Data Protection Principle These measures will protect against a data loss event having taken into account: the nature of the data to be protected; the harm that might result from a Data Loss Event; the state of technological development; and the cost of implementing any measures; to allow representatives of the Data Controller to audit the Data Processor's compliance with the requirements of this Clause 8.1.2 9.1.2 on reasonable notice and/or, at the option of the Data Controller, on request to provide the Data Controller with evidence of its compliance with such requirements; to not engage another processor without prior specific or general written authorisation of the Data Controller; where applicable, shall not transfer any Personal Data outside the European Economic Area without the prior written consent of the Data Controller and that the following conditions are fulfilled: the Data Controller or the Data Processor has provided appropriate safeguards in relation to the transfer (in accordance with Data Protection legislation) as determined by the Data Controller; the Data Subject has enforceable rights and effective legal remedies; the Data Processor complies with its obligations under the DPA by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Data Controller in meeting its obligations); and the Data Processor complies with any reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the Personal Data; The Data Processor shall assist the Data Controller to comply with any obligations imposed on the Data Controller by the DPA in relation to any Personal Data Processed by the Data Processor including: providing the Data Controller with reasonable assistance in complying with any subject access request served on the Data Controller under the DPA and by immediately informing the Data Controller if it considers any of the Data Controller’s instructions to infringe the DPA; promptly inform the Data Controller about the receipt of any subject access request received by the Data Processor in relation to Personal Data Processed pursuant to this Agreement; and not disclose any Personal Data in response to a data subject access request without first consulting with and obtaining the written consent of the Data Controller. The Data Processor shall notify the Data Controller immediately if it: receives a Data Subject Access Request (or purported Data Subject Access Request); receives a request to rectify, block or erase any Personal Data; receives any other request, complaint or communication relating to either Party's obligations under Data Protection Legislation; receives any communication from the ICO or any other regulatory authority in connection with Personal Data processed under this Agreement; receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or becomes aware of a Data Loss Event. The Data Processor shall assist the Data Controller in complying with their obligations under Data Protection Legislation regarding any complaint, communication or request by promptly providing: the Data Controller with full details and copies of the complaint, communication or request; such assistance as is reasonably requested by the Data Controller to enable the Data Controller to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; the Data Controller, at its request, with any Personal Data it holds in relation to a Data Subject; assistance, as requested by the Data Controller, following any Data Loss Event; assistance, as requested by the Data Controller, with respect to any request from the ICO , or any consultation by the Data Controller with the ICO. The Data Processor shall maintain complete and accurate records and information to demonstrate its compliance with this clause. The Data Processor shall not sub-contract any of its obligations or rights under this Contract without the prior written consent of the Data Controller (such consent not to be unreasonably withheld). In the event that the Data Processor appoints a Sub-Processor (with the written consent of the Data Controller), the Data Processor shall: enter into a Sub-processing Agreement with the Sub-Processor which shall impose upon the Sub-Processor the same obligations as are imposed upon the Data Processor by this Agreement and which shall permit both the Data Processor and the Data Controller to enforce those obligations; and ensure that the Sub-Processor complies fully with its obligations under the Sub-Processing Agreement and the DPA. In the event that a Sub-Processor fails to meet its obligations under any Sub-Processing Agreement, the Data Processor shall remain fully liable to the Data Controller for failing to meet its obligations under this Agreement. On expiry or termination of the Agreement, the Data Processor shall immediately cease processing the Personal Data and, at the Data Controller’s option or direction, arrange for the prompt and safe return and/or destruction of all of the Personal Data with all copies in its possession or control and, where requested by the Data Controller, certify that such destruction or return has taken place. The Data Processor agrees to indemnify the Data Controller in full with respect to any claims it may receive from the Data Controller relating to all direct liabilities, costs, monetary penalties, expenses (including legal expenses), damages or any other claims (‘the losses’) imposed on the Data Controller from the ICO (or such successor organisation or regulator thereof ) as a result of the Data Processor’s breach (this includes any act or a omission by the Data Processor) of Data Protection legislation and/or any other obligations set out under this clause 8. The Supplier shall assist and cooperate with LSE to enable it to comply with its obligations under FOIA. In particular, the Supplier shall: transfer to LSE all requests for Information pursuant to FOIA that it receives as soon as practicable and in any event within two (2) Business Days of receiving the request; and provide LSE with assistance in complying with requests for Information received pursuant to FOIA including the provision of Information held on behalf of LSE and covered by the request in the form that LSE requires. Such assistance shall be provided promptly and in any event within three (3) Business Days of LSE making a request to the Supplier to provide any necessary Information or assistance. As soon as reasonably practicable following receipt of a request for assistance under sub clause 8.109.10, the Supplier shall: notify LSE whether it holds the Information covered by the request on behalf of LSE, provided that LSE shall not be obliged to display a copy of the request to the Supplier; if it does so hold the Information, provide all such Information covered by the request to LSE; and demonstrate to the satisfaction of LSE the steps taken by the Supplier to comply with its obligations under this sub Clause 8.11 9.11 In no event shall the Supplier respond directly to a request for Information unless expressly authorised to do so by LSE. The Supplier acknowledges that LSE may, and/or may be obliged to, disclose any information received from the Supplier including any Commercially Sensitive Information. Notwithstanding the provisions of Clause 8.13 9.13 and subject to Clause 8.16 9.16 LSE shall consult with the Supplier prior to responding to any request under FOIA for Commercially Sensitive Information received by LSE from the Supplier. LSE shall take account of any response received from the Supplier pursuant to Clause 8.14 9.14 but, notwithstanding this, LSE shall be responsible for determining in its absolute discretion and, notwithstanding any other provision in this Contract or any other Contract, whether the Commercially Sensitive Information and/or any other Information is exempt from disclosure in accordance with the provisions of FOIA. The Supplier acknowledges that LSE may be obliged under FOIA to disclose information concerning the Supplier or the Services: in certain circumstances without consulting the Supplier; or following consultation with the Supplier and having taken its views into account,

DATA PROTECTION AND FREEDOM OF INFORMATION. If and to the extent that the Supplier (for the purpose of this Clause 816, the ‘Data Processor’) processes any Personal Data on behalf of LSE under this Agreement (for the purpose of this clause 816, the Data Controller’) the Data Processor undertakes to the Data Controller that the Data Processor: Will comply with all Data Protection legislation comply with the obligations imposed on the Data Controller by the Security Data Protection Principle, namely: to only Process Personal Data for and on behalf of the Data Controller for the purpose of performing this Agreement and in accordance with this Agreement (and where necessary only on instructions from the Data Controller to ensure compliance with Data Protection Legislation); where applicable, to provide all reasonable assistance to the Data Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Data Controller, include: a systematic description of the envisaged processing operations and the purpose of the processing; an assessment of the necessity and proportionality of the processing operations in relation to the Services; an assessment of the risks to the rights and freedoms of Data Subjects; and the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data. to maintain Protective Measures which have been reviewed and approved by the Data Controller sufficient to comply at least with the obligations imposed on the Data Controller by the Security Data Protection Principle These measures will protect against a data loss event having taken into account: the nature of the data to be protected; the harm that might result from a Data Loss Event; the state of technological development; and the cost of implementing any measures; to allow representatives of the Data Controller to audit the Data Processor's compliance with the requirements of this Clause 8.1.2 16.1.2 on reasonable notice and/or, at the option of the Data Controller, on request to provide the Data Controller with evidence of its compliance with such requirements; to not engage another processor without prior specific or general written authorisation of the Data Controller; where applicable, shall not transfer any Personal Data outside the European Economic Area without the prior written consent of the Data Controller and that the following conditions are fulfilled: the Data Controller or the Data Processor has provided appropriate safeguards in relation to the transfer (in accordance with Data Protection legislation) as determined by the Data Controller; the Data Subject has enforceable rights and effective legal remedies; the Data Processor complies with its obligations under the DPA by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Data Controller in meeting its obligations); and the Data Processor complies with any reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the Personal Data; The Data Processor shall assist the Data Controller to comply with any obligations imposed on the Data Controller by the DPA in relation to any Personal Data Processed by the Data Processor including: providing the Data Controller with reasonable assistance in complying with any subject access request served on the Data Controller under the DPA and by immediately informing the Data Controller if it considers any of the Data Controller’s instructions to infringe the DPA; promptly inform the Data Controller about the receipt of any subject access request received by the Data Processor in relation to Personal Data Processed pursuant to this Agreement; and not disclose any Personal Data in response to a data subject access request without first consulting with and obtaining the written consent of the Data Controller. The Data Processor shall notify the Data Controller immediately if it: receives a Data Subject Access Request (or purported Data Subject Access Request); receives a request to rectify, block or erase any Personal Data; receives any other request, complaint or communication relating to either Party's obligations under Data Protection Legislation; receives any communication from the ICO or any other regulatory authority in connection with Personal Data processed under this Agreement; receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or becomes aware of a Data Loss Event. The Data Processor shall assist the Data Controller in complying with their obligations under Data Protection Legislation regarding any complaint, communication or request by promptly providing: the Data Controller with full details and copies of the complaint, communication or request; such assistance as is reasonably requested by the Data Controller to enable the Data Controller to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; the Data Controller, at its request, with any Personal Data it holds in relation to a Data Subject; assistance, as requested by the Data Controller, following any Data Loss Event; assistance, as requested by the Data Controller, with respect to any request from the ICO , or any consultation by the Data Controller with the ICO. The Data Processor shall maintain complete and accurate records and information to demonstrate its compliance with this clause. The Data Processor shall not sub-contract any of its obligations or rights under this Contract without the prior written consent of the Data Controller (such consent not to be unreasonably withheld). In the event that the Data Processor appoints a Sub-Processor (with the written consent of the Data Controller), the Data Processor shall: enter into a Sub-processing Agreement with the Sub-Processor which shall impose upon the Sub-Processor the same obligations as are imposed upon the Data Processor by this Agreement and which shall permit both the Data Processor and the Data Controller to enforce those obligations; and ensure that the Sub-Processor complies fully with its obligations under the Sub-Processing Agreement and the DPA. In the event that a Sub-Processor fails to meet its obligations under any Sub-Processing Agreement, the Data Processor shall remain fully liable to the Data Controller for failing to meet its obligations under this Agreement. On expiry or termination of the Agreement, the Data Processor shall immediately cease processing the Personal Data and, at the Data Controller’s option or direction, arrange for the prompt and safe return and/or destruction of all of the Personal Data with all copies in its possession or control and, where requested by the Data Controller, certify that such destruction or return has taken place. The Data Processor agrees to indemnify the Data Controller in full with respect to any claims it may receive from the Data Controller relating to all direct liabilities, costs, monetary penalties, expenses (including legal expenses), damages or any other claims (‘the losses’) imposed on the Data Controller from the ICO (or such successor organisation or regulator thereof ) as a result of the Data Processor’s breach (this includes any act or a omission by the Data Processor) of Data Protection legislation and/or any other obligations set out under this clause 816. The Supplier shall assist and cooperate with LSE to enable it to comply with its obligations under FOIA. In particular, the Supplier shall: transfer to LSE all requests for Information pursuant to FOIA that it receives as soon as practicable and in any event within two (2) Business Days of receiving the request; and provide LSE with assistance in complying with requests for Information received pursuant to FOIA including the provision of Information held on behalf of LSE and covered by the request in the form that LSE requires. Such assistance shall be provided promptly and in any event within three (3) Business Days of LSE making a request to the Supplier to provide any necessary Information or assistance. As soon as reasonably practicable following receipt of a request for assistance under sub clause 8.1016.10, the Supplier shall: notify LSE whether it holds the Information covered by the request on behalf of LSE, provided that LSE shall not be obliged to display a copy of the request to the Supplier; if it does so hold the Information, provide all such Information covered by the request to LSE; and demonstrate to the satisfaction of LSE the steps taken by the Supplier to comply with its obligations under this sub Clause 8.11 16.11 In no event shall the Supplier respond directly to a request for Information unless expressly authorised to do so by LSE. The Supplier acknowledges that LSE may, and/or may be obliged to, disclose any information received from the Supplier including any Commercially Sensitive Information. Notwithstanding the provisions of Clause 8.13 16.13 and subject to Clause 8.16 16.16 LSE shall consult with the Supplier prior to responding to any request under FOIA for Commercially Sensitive Information received by LSE from the Supplier. LSE shall take account of any response received from the Supplier pursuant to Clause 8.14 but, notwithstanding this, LSE shall be responsible for determining in its absolute discretion and, notwithstanding any other provision in this Contract or any other Contract, whether the Commercially Sensitive Information and/or any other Information is exempt from disclosure in accordance with the provisions of FOIA. The Supplier acknowledges that LSE may be obliged under FOIA to disclose information concerning the Supplier or the Services: in certain circumstances without consulting the Supplier; or following consultation with the Supplier and having taken its views into account,