Common use of Data Protection Compliance Clause in Contracts

Data Protection Compliance. 4.1 All instructions given by the Data Controller to the nominated Users and employees of the Data Processor shall at all times be in compliance with the Data Protection Act 2018 and other applicable laws. The Data Processor shall act only on instructions from the Data Controller unless the Data Processor is required by law to do otherwise. 4.2 The nominated Users and employees of the Data Processor shall promptly comply with any request from the Data Controller requiring them to amend, transfer, delete, or otherwise dispose of the Personal Data. 4.3 The nominated Users and employees of the Data Processor shall transfer all Personal Data to the Data Controller on the Data Controller’s request in the formats, at the times, and in compliance with the Data Controller’s instructions. 4.4 Both Parties shall comply at all times with the DATA PROTECTION ACT 2018 and other applicable laws and shall not perform their obligations under this Agreement or any other agreement or arrangement between themselves in such way as to cause either Party to breach any of its applicable obligations under the DATA PROTECTION ACT 2018. 4.5 The Data Controller hereby warrants, represents, and undertakes that the Personal Data shall comply with the DATA PROTECTION ACT 2018 in all respects including, but not limited to, its collection, holding, and processing. 4.6 The nominated Users and employees of the Data Processor agree to comply with any reasonable measures required by the Data Controller to ensure that its obligations under this Agreement are satisfactorily performed in accordance with any and all applicable legislation from time to time in force (including, but not limited to, the DATA PROTECTION ACT 2018) and any best practice guidance issued by the ICO. 4.7 The nominated Users and employees of the Data Processor shall provide all reasonable assistance (at the Data Controller’s cost) to the Data Controller in complying with its obligations under the DATA PROTECTION ACT 2018 with respect to the security of processing, the notification of personal data breaches, the conduct of data protection impact assessments, and in dealings with the ICO. 4.8 When processing the Personal Data on behalf of the Data Controller, the nominated Users and employees of the Data Processor shall: 4.8.1 not process the Personal Data outside the United Kingdom without the prior written consent of the Data Controller and, where the Data Controller consents to such a transfer to a country that is outside of the EEA, to comply with the obligations of Data Processors under the provisions applicable to transfers of Personal Data to third countries set out in Chapter 5 of the DATA PROTECTION ACT 2018 by providing an adequate level of protection to any Personal Data that is transferred; 4.8.2 not transfer any of the Personal Data to any third party without the written consent of the Data Controller and, in the event of such consent, the Personal Data shall be transferred strictly subject to the terms of a suitable agreement, as set out in Clause 10; 4.8.3 process the Personal Data only to the extent, and in such manner, as is necessary in order to comply with its obligations to the Data Controller or as may be required by law. 4.8.4 implement appropriate technical and organisational measures, as described in Schedule 3, and take all steps necessary to protect the Personal Data against unauthorised or unlawful processing, accidental loss, destruction, damage, alteration, or disclosure. 4.8.5 if so requested by the Data Controller (and within the timescales required by the Data Controller) supply further details of the technical and organisational systems in place to safeguard the security of the Personal Data held and to prevent unauthorised access; 4.8.6 keep detailed records of all processing activities carried out on the Personal Data in accordance with the requirements of Article 30(2) of the DATA PROTECTION ACT 2018; 4.8.7 make available to the Data Controller any and all such information as is reasonably required and necessary to demonstrate the nominated Users and employees of the Data Processor’s compliance with the DATA PROTECTION ACT 2018; 4.8.8 with notice, submit to audits and inspections and provide the Data Controller with any information reasonably required in order to assess and verify compliance with the provisions of this Agreement and both Parties’ compliance with the requirements of the DATA PROTECTION ACT 2018. The requirement to give notice will not apply if the Data Controller believes that the nominated Users and employees of the Data Processor are in breach of any of obligations under this Agreement or under the law; and 4.8.9 inform the Data Controller immediately if it is asked to do anything that infringes the DATA PROTECTION ACT 2018 or any other applicable data protection legislation.

Data Protection Compliance. 4.1 All instructions given Are you aware of and are you compliant with the provisions of Data Protection Laws (as defined in paragraph 7 below)? Have you registered with the Information Commissioners Office (ICO)? Yes Yes No No 1. This application is made by the Data Controller to intermediary named overleaf (“You”). Once accepted by Octopus Real Estate, which is the nominated Users trading name of each subsidiary company and employees of the Data Processor shall at all times be in compliance with the Data Protection Act 2018 and other applicable laws. The Data Processor shall act only on instructions from the Data Controller unless the Data Processor is required by law to do otherwise. 4.2 The nominated Users and employees of the Data Processor shall promptly comply with any request from the Data Controller requiring them to amend, transfer, delete, or otherwise dispose of the Personal Data. 4.3 The nominated Users and employees of the Data Processor shall transfer all Personal Data to the Data Controller on the Data Controller’s request in the formats, at the times, and in compliance with the Data Controller’s instructions. 4.4 Both Parties shall comply at all times with the DATA PROTECTION ACT 2018 and other applicable laws and shall not perform their obligations under this Agreement or any other agreement or arrangement between themselves in such way as to cause either Party to breach any of its applicable obligations under the DATA PROTECTION ACT 2018. 4.5 The Data Controller hereby warrants, represents, and undertakes that the Personal Data shall comply with the DATA PROTECTION ACT 2018 in all respects including, but not limited to, its collection, holding, and processing. 4.6 The nominated Users and employees of the Data Processor agree to comply with any reasonable measures required by the Data Controller to ensure that its obligations under this Agreement are satisfactorily performed in accordance with any and all applicable legislation subsidiary undertaking from time to time in force (of [Octopus Investments Limited], including, but not limited towithout limitation, Bridgeco Ltd, Fern Trading Ltd and Octopus Property Lending Ltd (“we/ us”), a contract will be created between You and Us which incorporates all the terms shown on any page of this document. 2. We reserve the right to reject any application for a loan. 3. We will pay commission in respect of completed deals on the scale agreed with your Octopus Business Development Manager. The commission payable may be varied from time to time and we will write to you with updates as appropriate. 4. If You need to make any changes to this agreement, please notify us in writing on company headed paper. 5. If You deal with any work requiring authorisation under the Financial Services and Markets Act or any other legislation, You must maintain proper authorisation from the Financial Conduct Authority and / or any other relevant body. You must produce these to us for inspection when requested. You must notify us of any correspondence you receive from any relevant enforcement or regulatory body which alleges any failure by You to observe their requirements. You must also notify us of any events known to You which might give rise to such correspondence if those events were known to the relevant authority or regulator. 6. Where You are introducing any loan to Us including Consumer Credit exempt loans You warrant that you will comply with all regulatory requirements and obligations. 7. You must ensure that all your advertising literature, application documents and all procedures whether relating to work before or after a loan is made comply with all requirements of the law and of regulatory bodies relating to the provision of loans. You will need to consider in particular the various provisions made under the Consumer Credit Act, the DATA PROTECTION ACT fair processing information provisions of the Data Protection ▇▇▇ ▇▇▇▇, the EU General Data Protection Regulation (Regulation (EU) 2016/679) (from and including 25 May 2018) any other applicable law in any relevant jurisdiction that applies to the processing of data relating to living persons, in each case as amended or replaced from time to time (“Data Protection Laws”), and any best practice the guidance issued by the ICO. 4.7 The nominated Users and employees Office of the Data Processor shall provide all reasonable assistance (at the Data Controller’s cost) to the Data Controller in complying with its obligations under the DATA PROTECTION ACT 2018 with respect to the security of processingInformation Commissioner, the notification of personal data breaches, the conduct of data protection impact assessments, and in dealings with the ICO. 4.8 When processing the Personal Data on behalf of the Data Controller, the nominated Users and employees of the Data Processor shall: 4.8.1 not process the Personal Data outside the United Kingdom without the prior written consent of the Data Controller and, where the Data Controller consents to such a transfer to a country that is outside of the EEA, to comply with the obligations of Data Processors under the provisions applicable to transfers of Personal Data to third countries set out in Chapter 5 of the DATA PROTECTION ACT 2018 by providing an adequate level of protection to any Personal Data that is transferred; 4.8.2 not transfer any of the Personal Data to any third party without the written consent of the Data Controller and, in the event of such consent, the Personal Data shall be transferred strictly subject to the terms of a suitable agreement, as set out in Clause 10; 4.8.3 process the Personal Data only to the extent, and in such manner, as is necessary in order to comply with its obligations to the Data Controller or as may be required by law. 4.8.4 implement appropriate technical and organisational measures, as described in Schedule 3, and take all steps necessary to protect the Personal Data against unauthorised or unlawful processing, accidental loss, destruction, damage, alteration, or disclosure. 4.8.5 if so requested by the Data Controller (and within the timescales required by the Data Controller) supply further details of the technical and organisational systems in place to safeguard the security of the Personal Data held and to prevent unauthorised access; 4.8.6 keep detailed records of all processing activities carried out on the Personal Data in accordance with the requirements of Article 30(2) of the DATA PROTECTION ACT 2018; 4.8.7 make available to the Data Controller any and all such information as is reasonably required and necessary to demonstrate the nominated Users and employees of the Data Processor’s compliance with the DATA PROTECTION ACT 2018; 4.8.8 with notice, submit to audits and inspections and provide the Data Controller with any information reasonably required in order to assess and verify compliance with the provisions of this Agreement the Financial Conduct Authority handbook and both Parties’ compliance with the requirements of the DATA PROTECTION ACT 2018all other relevant regulatory or trade bodies. The requirement It is understood that understand that: (i) Octopus Real Estate may pass information to give notice will not apply if the Data Controller believes that the nominated Users financial and employees of the Data Processor are other organisations involved in breach of any of obligations under this Agreement or under the lawfraud prevention to protect Octopus Real Estate from fraud and theft; and 4.8.9 inform the Data Controller immediately (ii) if it I/we give Octopus Real Estate false or inaccurate information and Octopus Real Estate suspect fraud, then Octopus Real Estate will record this. 8. The arrangement with us is asked to do anything that infringes the DATA PROTECTION ACT 2018 not an exclusive one, so you may if you wish deal with other lenders or packagers and we may deal with any other applicable data protection legislationintroducers as we wish. Both of us may at any time write to the other and end this arrangement, no notice period being necessary. On any such termination, we shall be under no obligation to continue processing or considering any application previously submitted through you. 9. If you break any of these terms, you will indemnify us against all losses arising from such failure or breach, including the reasonable administrative and other costs of dealing with them. This indemnity will include any actual loss suffered and the full cost of our administrative time involved in handling the complaint, as well as the full amount of any professional or other fees or disbursements incurred in the course of dealing with the complaint. 10. This agreement will be reviewed on a quarterly basis and will assessed based on the quality and volume of business transacted. I/We agree and authorise Octopus Real Estate to: (a) make searches of the records at fraud prevention agencies who may provide Octopus Real Estate with information; and, (b) make such enquiries of any person or organization, as Octopus Real Estate considers necessary in connection with this application; and, (c) pass information to financial and other organisations involved in fraud prevention to protect Octopus Real Estate from fraud and theft. (d) I/We understand that if I/we give Octopus Real Estate false or inaccurate information and Octopus Real Estate suspect fraud, then Octopus Real Estate will record this.

Data Protection Compliance. 4.1 All instructions given by the Data Controller to the nominated Users Processor shall be made in writing and employees of the Data Processor shall at all times be in compliance with the Data Protection Act 2018 and other applicable lawsLegislation. The Data Processor shall act only on such written instructions from the Data Controller unless the Data Processor is required by law to do otherwiseotherwise (as per Article 29 of the UK GDPR). 4.2 The nominated Users and employees of the Data Processor shall promptly comply with any request from the Data Controller requiring them the Processor to amend, transfer, delete, or otherwise dispose of the Personal Data, or to stop, mitigate, or remedy any unauthorised processing. 4.3 The nominated Users and employees of the Data Processor shall transfer all Personal Data to the Data Controller on the Data Controller’s request in the formats, at the times, and in compliance with with, the Data Controller’s written instructions. 4.4 Both Parties shall comply at all times with the DATA PROTECTION ACT 2018 and other applicable laws Data Protection Legislation and shall not perform their obligations under this Agreement or any other agreement or arrangement between themselves them in such way as to cause either Party to breach any of its applicable obligations under the DATA PROTECTION ACT 2018Data Protection Legislation. 4.5 The Data Controller hereby warrants, represents, and undertakes that the Personal Data shall comply with the DATA PROTECTION ACT 2018 Data Protection Legislation in all respects including, but not limited to, its collection, holding, and processing, and that the Controller has in place all necessary and appropriate consents and notices to enable the lawful transfer of the Personal Data to the Processor. 4.6 The nominated Users and employees of the Data Processor agree agrees to comply with any reasonable measures required by the Data Controller to ensure that its obligations under this Agreement are satisfactorily performed in accordance with any and all applicable legislation from time to time in force (including, but not limited to, the DATA PROTECTION ACT 2018) Data Protection Legislation and any best practice guidance issued by the ICOCommissioner. 4.7 The nominated Users and employees of the Data Processor shall provide all reasonable assistance (at the Data Controller’s cost) to the Data Controller in complying with its obligations under the DATA PROTECTION ACT 2018 Data Protection Legislation with respect to the security of processing, the notification of personal data breachesPersonal Data Breaches, the conduct of data protection impact assessments, and in dealings with the ICOCommissioner. What is reasonable, for the purposes of this sub-Clause 4.7 shall take account of the nature of the Processor’s processing and the information available to the Processor. 4.8 The Processor shall notify the Controller in a timely manner of any changes to the Data Protection Legislation that may adversely affect its performance of the Services or of its obligations under this Agreement. 4.9 When processing the Personal Data on behalf of the Data Controller, the nominated Users and employees of the Data Processor shall: 4.8.1 4.9.1 not process transfer the Personal Data outside the United Kingdom without the prior written consent of the Data Controller and, where the Data Controller consents to such a transfer to a country that is outside of the EEA, to comply with the obligations of Data Processors under the provisions applicable to transfers of Personal Data to third countries set out in Chapter 5 of the DATA PROTECTION ACT 2018 by providing an adequate level of protection to any Personal Data that is transferredController; 4.8.2 4.9.2 not transfer any of the Personal Data to any third party without the written consent of the Data Controller and, in the event of such consent, the Personal Data shall be transferred strictly subject to the terms of a suitable agreement, as set out in Clause 1011; 4.8.3 4.9.3 process the Personal Data only to the extent, and in such manner, as is necessary in order to comply with its obligations to the Data Controller or as may be required by law (in which case, the Processor shall inform the Controller of the legal requirement in question before processing the Personal Data for that purpose unless prohibited from doing so by law.); 4.8.4 4.9.4 implement appropriate technical and organisational measures, as including those described in Schedule 3, and take all steps necessary to protect the Personal Data against unauthorised accidental, unauthorised, or unlawful processing, access, copying, modification, reproduction, display, or distribution of the Personal Data, and against its accidental or unlawful loss, destruction, damage, alteration, disclosure, or disclosure.damage. The Processor shall inform the Controller in advance of any changes to such measures; 4.8.5 4.9.5 implement measures to ensure a level of security proportionate to the risks involved including, as appropriate: a) the pseudonymisation and encryption of Personal Data; b) the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services; c) the ability to restore the availability and access to the Personal Data in a timely manner in the event of a physical or technical incident; and d) a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing; 4.9.6 if so requested by the Data Controller (and within the timescales required by the Data Controller) supply further details of the technical and organisational systems in place to safeguard the security of the Personal Data held and to prevent unauthorised access; 4.8.6 4.9.7 keep detailed complete and accurate records of and information concerning all processing activities carried out on the Personal Data in accordance order to demonstrate its compliance with this Agreement and the requirements of Article 30(2) of the DATA PROTECTION ACT 2018Data Protection Legislation; 4.8.7 4.9.8 make available to the Data Controller any and all such information as is reasonably required and necessary to demonstrate the nominated Users and employees of the Data Processor’s compliance with the DATA PROTECTION ACT 2018Data Protection Legislation; 4.8.8 4.9.9 with reasonable prior notice, submit to audits and inspections and provide the Data Controller with any information reasonably required in order to assess and verify compliance with the provisions of this Agreement and both Parties’ compliance with the requirements of the DATA PROTECTION ACT 2018Data Protection Legislation. The requirement to give notice will not apply if the Data Controller believes that the nominated Users and employees of the Data Processor are is in breach of any of its obligations under this Agreement or under the law; and 4.8.9 4.9.10 inform the Data Controller immediately if it is asked to do anything that infringes the DATA PROTECTION ACT 2018 or any other applicable data protection legislationData Protection Legislation.

Data Protection Compliance. 4.1 All instructions given Are you aware of and are you compliant with the provisions of Data Protection Laws (as defined in paragraph 7 below)? Yes No Have you registered with the Information Commissioners Office (ICO)? Yes No 1. This application is made by the Data Controller to intermediary named overleaf (“You”). Once accepted by Octopus Real Estate, which is the nominated Users trading name of each subsidiary company and employees of the Data Processor shall at all times be in compliance with the Data Protection Act 2018 and other applicable laws. The Data Processor shall act only on instructions from the Data Controller unless the Data Processor is required by law to do otherwise. 4.2 The nominated Users and employees of the Data Processor shall promptly comply with any request from the Data Controller requiring them to amend, transfer, delete, or otherwise dispose of the Personal Data. 4.3 The nominated Users and employees of the Data Processor shall transfer all Personal Data to the Data Controller on the Data Controller’s request in the formats, at the times, and in compliance with the Data Controller’s instructions. 4.4 Both Parties shall comply at all times with the DATA PROTECTION ACT 2018 and other applicable laws and shall not perform their obligations under this Agreement or any other agreement or arrangement between themselves in such way as to cause either Party to breach any of its applicable obligations under the DATA PROTECTION ACT 2018. 4.5 The Data Controller hereby warrants, represents, and undertakes that the Personal Data shall comply with the DATA PROTECTION ACT 2018 in all respects including, but not limited to, its collection, holding, and processing. 4.6 The nominated Users and employees of the Data Processor agree to comply with any reasonable measures required by the Data Controller to ensure that its obligations under this Agreement are satisfactorily performed in accordance with any and all applicable legislation subsidiary undertaking from time to time in force (of [Octopus Investments Limited], including, but not limited towithout limitation, Bridgeco Ltd, Fern Trading Ltd and Octopus Property Lending Ltd (“we/us”), a contract will be created between You and Us which incorporates all the terms shown on any page of this document. 2. We reserve the right to reject any application for a loan. 3. We will pay commission in respect of completed deals on the scale agreed with your Octopus Business Development Manager. The commission payable may be varied from time to time and we will write to you with updates as appropriate. 4. If You need to make any changes to this agreement, please notify us in writing on company headed paper. 5. If You deal with any work requiring authorisation under the Financial Services and Markets Act or any other legislation, You must maintain proper authorisation from the Financial Conduct Authority and /or any other relevant body. You must produce these to us for inspection when requested. You must notify us of any correspondence you receive from any relevant enforcement or regulatory body which alleges any failure by You to observe their requirements. You must also notify us of any events known to You which might give rise to such correspondence if those events were known to the relevant authority or regulator. 6. Where You are introducing any loan to Us including Consumer Credit exempt loans You warrant that you will comply with all regulatory requirements and obligations. 7. You must ensure that all your advertising literature, application documents and all procedures whether relating to work before or after a loan is made comply with all requirements of the law and of regulatory bodies relating to the provision of loans. You will need to consider in particular the various provisions made under the Consumer Credit Act, the DATA PROTECTION ACT fair processing information provisions of the Data Protection ▇▇▇ ▇▇▇▇, the EU General Data Protection Regulation (Regulation (EU) 2016/679) (from and including 25 May 2018) any other applicable law in any relevant jurisdiction that applies to the processing of data relating to living persons, in each case as amended or replaced from time to time (“Data Protection Laws”), and any best practice the guidance issued by the ICO. 4.7 The nominated Users and employees Office of the Data Processor shall provide all reasonable assistance (at the Data Controller’s cost) to the Data Controller in complying with its obligations under the DATA PROTECTION ACT 2018 with respect to the security of processingInformation Commissioner, the notification of personal data breaches, the conduct of data protection impact assessments, and in dealings with the ICO. 4.8 When processing the Personal Data on behalf of the Data Controller, the nominated Users and employees of the Data Processor shall: 4.8.1 not process the Personal Data outside the United Kingdom without the prior written consent of the Data Controller and, where the Data Controller consents to such a transfer to a country that is outside of the EEA, to comply with the obligations of Data Processors under the provisions applicable to transfers of Personal Data to third countries set out in Chapter 5 of the DATA PROTECTION ACT 2018 by providing an adequate level of protection to any Personal Data that is transferred; 4.8.2 not transfer any of the Personal Data to any third party without the written consent of the Data Controller and, in the event of such consent, the Personal Data shall be transferred strictly subject to the terms of a suitable agreement, as set out in Clause 10; 4.8.3 process the Personal Data only to the extent, and in such manner, as is necessary in order to comply with its obligations to the Data Controller or as may be required by law. 4.8.4 implement appropriate technical and organisational measures, as described in Schedule 3, and take all steps necessary to protect the Personal Data against unauthorised or unlawful processing, accidental loss, destruction, damage, alteration, or disclosure. 4.8.5 if so requested by the Data Controller (and within the timescales required by the Data Controller) supply further details of the technical and organisational systems in place to safeguard the security of the Personal Data held and to prevent unauthorised access; 4.8.6 keep detailed records of all processing activities carried out on the Personal Data in accordance with the requirements of Article 30(2) of the DATA PROTECTION ACT 2018; 4.8.7 make available to the Data Controller any and all such information as is reasonably required and necessary to demonstrate the nominated Users and employees of the Data Processor’s compliance with the DATA PROTECTION ACT 2018; 4.8.8 with notice, submit to audits and inspections and provide the Data Controller with any information reasonably required in order to assess and verify compliance with the provisions of this Agreement the Financial Conduct Authority handbook and both Parties’ compliance with the requirements of the DATA PROTECTION ACT 2018all other relevant regulatory or trade bodies. The requirement It is understood that understand that: (i) Octopus Real Estate may pass information to give notice will not apply if the Data Controller believes that the nominated Users financial and employees of the Data Processor are other organisations involved in breach of any of obligations under this Agreement or under the lawfraud prevention to protect Octopus Real Estate from fraud and theft; and 4.8.9 inform the Data Controller immediately (ii) if it I/we give Octopus Real Estate false or inaccurate information and Octopus Real Estate suspect fraud, then Octopus Real Estate will record this. 8. The arrangement with us is asked to do anything that infringes the DATA PROTECTION ACT 2018 not an exclusive one, so you may if you wish deal with other lenders or packagers and we may deal with any other applicable data protection legislationintroducers as we wish. Both of us may at any time write to the other and end this arrangement, no notice period being necessary. On any such termination, we shall be under no obligation to continue processing or considering any application previously submitted through you. 9. If you break any of these terms, you will indemnify us against all losses arising from such failure or breach, including the reasonable administrative and other costs of dealing with them. This indemnity will include any actual loss suffered and the full cost of our administrative time involved in handling the complaint, as well as the full amount of any professional or other fees or disbursements incurred in the course of dealing with the complaint. 10. This agreement will be reviewed on a quarterly basis and will assessed based on the quality and volume of business transacted. I/We agree and authorise Octopus Real Estate to: (a) make searches of the records at fraud prevention agencies who may provide Octopus Real Estate with information; and, (b) make such enquiries of any person or organization, as Octopus Real Estate considers necessary in connection with this application; and, (c) pass information to financial and other organisations involved in fraud prevention to protect Octopus Real Estate from fraud and theft. (d) I/We understand that if I/we give Octopus Real Estate false or inaccurate information and Octopus Real Estate suspect fraud, then Octopus Real Estate will record this.