Common use of Data Protection Compliance Clause in Contracts

Data Protection Compliance. All instructions given by the Data Controller to the Data Processor shall be made in writing and shall at all times be in compliance with the GDPR and other applicable laws. The Data Processor shall act only on such written instructions from the Data Controller unless the Data Processor is required by law to do otherwise (as per Article 29 of the GDPR). The Data Processor shall promptly comply with any request from the Data Controller requiring the Data Processor to amend, transfer, delete, or otherwise dispose of the Personal Data. The Data Processor shall transfer all Personal Data to the Data Controller on the Data Controller’s request in the formats, at the times, and in compliance with the Data Controller’s written instructions. Both Parties shall comply at all times with the GDPR and other applicable laws and shall not perform their obligations under this Agreement or any other agreement or arrangement between themselves in such way as to cause either Party to breach any of its applicable obligations under the GDPR. The Data Controller hereby warrants, represents, and undertakes that the Personal Data shall comply with the GDPR in all respects including, but not limited to, its collection, holding, and processing. The Data Processor agrees to comply with any reasonable measures required by the Data Controller to ensure that its obligations under this Agreement are satisfactorily performed in accordance with any and all applicable legislation from time to time in force (including, but not limited to, the GDPR) and any best practice guidance issued by the ICO. The Data Processor shall provide all reasonable assistance (at the Data Controller’s cost) to the Data Controller in complying with its obligations under the GDPR with respect to the security of processing, the notification of personal data breaches, the conduct of data protection impact assessments, and in dealings with the ICO. When processing the Personal Data on behalf of the Data Controller, the Data Processor shall: not process the Personal Data outside the United Kingdom without the prior written consent of the Data Controller and, where the Data Controller consents to such a transfer to a country that is outside of the EEA, to comply with the obligations of Data Processors under the provisions applicable to transfers of Personal Data to third countries set out in Chapter 5 of the GDPR by providing an adequate level of protection to any Personal Data that is transferred; not transfer any of the Personal Data to any third party without the written consent of the Data Controller and, in the event of such consent, the Personal Data shall be transferred strictly subject to the terms of a suitable agreement, as set out in Clause 10; process the Personal Data only to the extent, and in such manner, as is necessary in order to comply with its obligations to the Data Controller or as may be required by law (in which case, the Data Processor shall inform the Data Controller of the legal requirement in question before processing the Personal Data for that purpose unless prohibited from doing so by law); implement appropriate technical and organisational measures, as described in Schedule 1, and take all steps necessary to protect the Personal Data against unauthorised or unlawful processing, accidental loss, destruction, damage, alteration, or disclosure. The Data Processor shall inform the Data Controller in advance of any changes to such measures; if so requested by the Data Controller (and within the timescales required by the Data Controller) supply further details of the technical and organisational systems in place to safeguard the security of the Personal Data held and to prevent unauthorised access; make available to the Data Controller any and all such information as is reasonably required and necessary to demonstrate the Data Processor’s compliance with the GDPR; on reasonable prior notice, submit to audits and inspections and provide the Data Controller with any information reasonably required in order to assess and verify compliance with the provisions of this Agreement and both Parties’ compliance with the requirements of the GDPR. The requirement to give notice will not apply if the Data Controller believes that the Data Processor is in breach of any of its obligations under this Agreement or under the law; and inform the Data Controller immediately if it is asked to do anything that infringes the GDPR or any other applicable data protection legislation. The Data Processor shall , at the Data Controller’s cost, assist the Data Controller in complying with its obligations under the GDPR. In particular, the following shall apply to data subject access requests, complaints, and data breaches. The Data Processor shall notify the Data Controller without undue delay if it receives: a subject access request from a data subject; or any other complaint or request relating to the processing of the Personal Data. The Data Processor shall ,at the Data Controller’s cost, cooperate fully with the Data Controller and assist as required in relation to any subject access request, complaint, or other request, including by: providing the Data Controller with full details of the complaint or request; providing the necessary information and assistance in order to comply with a subject access request; providing the Data Controller with any Personal Data it holds in relation to a data subject (within the timescales required by the Data Controller); and providing the Data Controller with any other information requested by the Data Controller. The Data Processor shall notify the Data Controller immediately if it becomes aware of any form of Personal Data breach, including any unauthorised or unlawful processing, loss of, damage to, or destruction of any of the Personal Data. The Data Controller has appointed a Data Protection Officer in accordance with Article 37 of the GDPR, whose details are as follows: ▇▇▇▇ ▇▇▇▇▇▇ contactable at ▇▇▇▇▇▇▇@▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇.▇▇▇

Data Protection Compliance. All instructions given by the Data Controller Client to the Data Processor Cappfinity shall be made in writing and shall at all times be in compliance with the GDPR and other applicable lawsData Protection Law. The Data Processor Cappfinity shall act only on such written instructions from the Data Controller Client unless the Data Processor Cappfinity is required by law to do otherwise (as per Article 29 of the GDPR)otherwise. The Data Processor Cappfinity shall promptly comply with any request from the Data Controller Client requiring the Data Processor Cappfinity to amend, transfer, delete, or otherwise dispose of the Personal Data. The Data Processor Cappfinity shall transfer all Personal Data to the Data Controller Client on the Data ControllerClient’s request in the standard formats, at the times, and in compliance with the Data ControllerClient’s written instructions. Both Parties shall comply at all times with the GDPR Data Protection Law and other applicable laws and shall not perform their obligations under this Agreement or any other agreement or arrangement between themselves in such way as to cause either Party to breach any of its applicable obligations under the GDPRdata protection law. The Data Controller hereby warrants, represents, and undertakes that the Personal Data shall comply with the GDPR in all respects including, but not limited to, its collection, holding, and processing. The Data Processor Cappfinity agrees to comply with any reasonable measures required by the Data Controller Client to ensure that its obligations under this Agreement are satisfactorily performed in accordance with any and all applicable legislation from time to time in force (including, but not limited to, the GDPR) and any best practice guidance issued by the ICOapplicable supervisory authority. The Data Processor Cappfinity shall provide all reasonable assistance (at the Data Controller’s cost) to the Data Controller Client in complying with its obligations under the GDPR with Data Protection Law respect to the security of processing, the notification of personal data breaches, the conduct of data protection impact assessments, and in dealings with the ICOsupervisory authorities. When processing the Personal Data on behalf of the Data ControllerClient, the Data Processor Cappfinity shall: not process the Personal Data outside the United Kingdom without the prior written consent of the Data Controller and, where the Data Controller consents to such a transfer to a country that is outside of the EEA, to comply with the obligations of Data Processors under the provisions applicable to transfers of Personal Data to third countries set out in Chapter 5 of the GDPR by providing an adequate level of protection to any Personal Data that is transferred; not transfer any of the Personal Data to any third party without the written consent of the Data Controller Client and, in the event of such consent, the Personal Data shall be transferred strictly subject to the terms of a suitable agreement, as set out in Clause 10; process the Personal Data only to the extent, and in such manner, as is necessary in order to comply with its obligations to the Data Controller Client or as may be required by law (in which case, the Data Processor Cappfinity shall inform the Data Controller Client of the legal requirement in question before processing the Personal Data for that purpose unless prohibited from doing so by law); implement appropriate technical and organisational measures, as described in Schedule 1, measures and take all steps necessary to protect the Personal Data against any unauthorised processing, including any accidental or unlawful processing, accidental loss, destruction, damage, alteration, disclosure or disclosureaccess. The In assessing the appropriate level of security, the Parties shall take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risks for Data Processor Subjects. Cappfinity shall at least implement the technical and organisational measures specified in Schedule 2 and shall inform the Data Controller Client in advance of any material changes to such measures; : if so requested by the Data Controller Client acting reasonably (and within the timescales required by the Data ControllerClient) supply further details of the technical and organisational systems in place to safeguard the security of the Personal Data held and to prevent unauthorised access; make available to the Data Controller Client any and all such information as is reasonably required and necessary to demonstrate the Data ProcessorCappfinity’s compliance with the GDPRData Protection Law; on reasonable prior notice, submit to audits and inspections and provide the Data Controller Client with any information reasonably required in order to assess and verify compliance with the provisions of this Agreement and both Parties’ compliance with the requirements of the GDPR. The requirement to give notice will not apply if the Data Controller believes that the Data Processor is in breach of any of its obligations under this Agreement or under the data protection law; and promptly inform the Data Controller immediately Client if it is asked to do anything that it reasonably believes infringes the GDPR or any other applicable data protection legislation, and be under no obligation to follow such instruction until the matter is resolved in good-faith between the Parties. The Data Processor Cappfinity shall , at the Data Controller’s cost, assist the Data Controller Client in complying with its obligations under the GDPRData Protection Law. In particular, the following shall apply to data subject access requests, complaints, and data breaches. The Data Processor Cappfinity shall notify the Data Controller Client without undue delay if it receives: a subject access request from a data subject; or any other complaint or request relating to the processing of the Personal Data. The Data Processor Cappfinity shall ,at the Data Controller’s cost, cooperate fully with the Data Controller Client and assist as reasonably required in relation to any subject access request, complaint, or other request, including by: providing the Data Controller Client with full details of the complaint or request; providing the necessary information and assistance in order to comply with a subject access request; providing the Data Controller Client with any Personal Data it holds in relation to a data subject (within the timescales required by the Data Controller)upon reasonable notice; and providing the Data Controller Client with any other information reasonably requested by the Data ControllerClient. The Data Processor Cappfinity shall notify the Data Controller immediately Client without undue delay if it becomes aware of any form of Personal Data breach, including any unauthorised or unlawful processing, loss of, damage to, or destruction of any of the Personal Data. The Data Controller has appointed a Cappfinity shall provide reasonable assistance with any Data Protection Officer in accordance with Article 37 Impact Assessments (DPIAs) requested by the Client upon reasonable written notice. Cappfinity shall indemnify the Client against all losses suffered or incurred by the Client arising out of the GDPRfailure by Cappfinity or its employees or agents to comply with its obligations under this Agreement (“Claims”). Each party acknowledges that Claims include any claim or action brought by a data subject arising from Cappfinity’s breach of its obligations under this Agreement. Each Party’s and all of its affiliates’ liability, whose details are as follows: ▇▇▇▇ ▇▇▇▇▇▇ contactable at ▇▇▇▇▇▇▇@▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇taken together in the aggregate, arising out of or related to this Agreement, and all data processing agreements between affiliates of Client and Cappfinity, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Cappfinity Standard Terms, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its affiliates under the Cappfinity Standard Terms and all data processing agreements together. For the avoidance of doubt, Cappfinity's and its affiliates’ total liability for all claims from the Client and all of its affiliates arising out of or related to the Cappfinity Standard Terms and each data processing agreement shall apply in the aggregate for all claims under both the Cappfinity Standard Terms and all data processing agreements established under the Cappfinity Standard Terms, including by Client and its affiliates and, in particular, shall not be understood to apply individually and severally to Client and/or to any affiliate that is a contractual party to any such data processing agreement. Also for the avoidance of doubt, each reference to the Agreement in this Agreement means this Agreement including its schedules and appendices.▇▇▇

Data Protection Compliance. All instructions given by the Data Controller to the Data Processor shall be made in writing and shall at all times be in compliance with the GDPR and other applicable laws. The Data Processor shall act only on such written instructions from the Data Controller unless the Data Processor is required by law to do otherwise (as per Article 29 of the GDPR). The Data Processor a. Journey shall promptly comply with any request from the Data Controller Customer requiring the Data Processor Journey to amend, transfer, delete, or otherwise dispose of the Personal Data. The Data Processor . b. Journey shall transfer all Personal Data to the Data Controller Customer on the Data Controller’s their request in the formats, at the times, and in compliance with the Data ControllerCustomer’s written instructions. . c. Both Parties shall comply at all times with the GDPR and other applicable laws and shall not perform their obligations under this Agreement or any other agreement or arrangement between themselves in such way as to cause either Party to breach any of its applicable obligations under the GDPR. . d. The Data Controller Customer hereby warrants, represents, and undertakes that the Personal Data shall comply with the GDPR in all respects including, but not limited to, its collection, holding, and processing. The Data Processor . e. Each Party agrees to comply with any reasonable measures required by the Data Controller other Party to ensure that its obligations under this Agreement are satisfactorily performed in accordance with any and all applicable legislation from time to time in force (including, but not limited to, the GDPR) and any best practice guidance issued by the ICO. The Data Processor . f. Each Party shall provide all reasonable assistance (at the Data Controller’s cost) to the Data Controller other Party in complying with its obligations under the GDPR with respect to the security of processing, the notification of personal data breaches, the conduct of data protection impact assessments, and in dealings with the ICO. . g. When processing the Personal Data on behalf of the Data ControllerCustomer, the Data Processor Journey shall: not process the : i. where Personal Data outside the United Kingdom without the prior written consent of the Data Controller and, where the Data Controller consents to such a transfer to a country that is transferred and processed outside of the EEA, European Economic Area to comply facilitate the provision of services with the obligations of Data Processors Customer, Journey will take suitable steps in order to ensure that your personal data is treated just as safely and securely as it would be within the UK and under the provisions applicable GDPR. Journey check all security features and back up requirements of any processors to transfers of Personal Data to third countries set out in Chapter 5 of the GDPR by providing an adequate level of protection to any Personal Data that is transferred; discharge this duty; ii. not transfer any of the Personal Data to any third party without the written consent of the Data Controller and, in the event of such consent, the Personal Data shall be transferred strictly subject to the terms of a suitable agreement, as set out in Clause 10; Customer; iii. process the Personal Data only to the extent, and in such manner, as is necessary in order to comply with its obligations to the Data Controller Customer or as may be required by law (in which case, the Data Processor shall inform the Data Controller of the legal requirement in question before processing the Personal Data for that purpose unless prohibited from doing so by law); ; iv. implement appropriate technical and organisational measures, as described in Schedule 12, and take all steps necessary to protect the Personal Data against unauthorised or unlawful processing, accidental loss, destruction, damage, alteration, or disclosure. The Data Processor shall inform the Data Controller in advance of any changes to such measures; ; v. if so requested by the Data Controller (and within the timescales required by the Data Controller) Customer supply further details of the technical and organisational systems in place to safeguard the security of the Personal Data held and to prevent unauthorised access; ; vi. make available to the Data Controller Customer any and all such information as is reasonably required and necessary to demonstrate the Data ProcessorJourney’s compliance with the GDPR; ; vii. on reasonable prior notice, submit to audits and inspections and provide the Data Controller Customer with any information reasonably required in order to assess and verify compliance with the provisions of this Agreement and both Parties’ compliance with the requirements of the GDPR. viii. The requirement to give notice will not apply if the Data Controller believes that the Data Processor is in breach of any of its obligations under this Agreement or under the law; and inform the Data Controller Customer immediately if it is asked to do anything that infringes the GDPR or any other applicable data protection legislation. The Data Processor shall , at the Data Controller’s cost, assist the Data Controller in complying with its obligations under the GDPR. In particular, the following shall apply to data subject access requests, complaints, and data breaches. The Data Processor shall notify the Data Controller without undue delay if it receives: a subject access request from a data subject; or any other complaint or request relating to the processing of the Personal Data. The Data Processor shall ,at the Data Controller’s cost, cooperate fully with the Data Controller and assist as required in relation to any subject access request, complaint, or other request, including by: providing the Data Controller with full details of the complaint or request; providing the necessary information and assistance in order to comply with a subject access request; providing the Data Controller with any Personal Data it holds in relation to a data subject (within the timescales required by the Data Controller); and providing the Data Controller with any other information requested by the Data Controller. The Data Processor shall notify the Data Controller immediately if it becomes aware of any form of Personal Data breach, including any unauthorised or unlawful processing, loss of, damage to, or destruction of any of the Personal Data. The Data Controller has appointed a Data Protection Officer in accordance with Article 37 of the GDPR, whose details are as follows: ▇▇▇▇ ▇▇▇▇▇▇ contactable at ▇▇▇▇▇▇▇@▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇.▇▇▇

Data Protection Compliance. All instructions given by the Data Controller Client to the Data Processor Cappfinity shall be made in writing and shall at all times be in compliance with the GDPR and other applicable lawsData Protection Law. The Data Processor Cappfinity shall act only on such written instructions from the Data Controller Client unless the Data Processor Cappfinity is required by law to do otherwise (as per Article 29 of the GDPR)otherwise. The Data Processor Cappfinity shall promptly comply with any request from the Data Controller Client requiring the Data Processor Cappfinity to amend, transfer, delete, or otherwise dispose of the Personal Data. The Data Processor Cappfinity shall transfer all Personal Data to the Data Controller Client on the Data ControllerClient’s request in the standard formats, at the times, and in compliance with the Data ControllerClient’s written instructions. Both Parties shall comply at all times with the GDPR Data Protection Law and other applicable laws and shall not perform their obligations under this Agreement or any other agreement or arrangement between themselves in such way as to cause either Party to breach any of its applicable obligations under the GDPRdata protection law. The Data Controller hereby warrants, represents, and undertakes that the Personal Data shall comply with the GDPR in all respects including, but not limited to, its collection, holding, and processing. The Data Processor Cappfinity agrees to comply with any reasonable measures required by the Data Controller Client to ensure that its obligations under this Agreement are satisfactorily performed in accordance with any and all applicable legislation from time to time in force (including, but not limited to, the GDPR) and any best practice guidance issued by the ICOapplicable supervisory authority. The Data Processor Cappfinity shall provide all reasonable assistance (at the Data Controller’s cost) to the Data Controller Client in complying with its obligations under the GDPR with Data Protection Law respect to the security of processing, the notification of personal data breaches, the conduct of data protection impact assessments, and in dealings with the ICOsupervisory authorities. When processing the Personal Data on behalf of the Data ControllerClient, the Data Processor Cappfinity shall: not process the Personal Data outside the United Kingdom without the prior written consent of the Data Controller and, where the Data Controller consents to such a transfer to a country that is outside of the EEA, to comply with the obligations of Data Processors under the provisions applicable to transfers of Personal Data to third countries set out in Chapter 5 of the GDPR by providing an adequate level of protection to any Personal Data that is transferred; not transfer any of the Personal Data to any third party without the written consent of the Data Controller Client and, in the event of such consent, the Personal Data shall be transferred strictly subject to the terms of a suitable agreement, as set out in Clause 10; process the Personal Data only to the extent, and in such manner, as is necessary in order to comply with its obligations to the Data Controller Client or as may be required by law (in which case, the Data Processor Cappfinity shall inform the Data Controller Client of the legal requirement in question before processing the Personal Data for that purpose unless prohibited from doing so by law); implement appropriate technical and organisational measures, as described in Schedule 1, measures and take all steps necessary to protect the Personal Data against any unauthorised processing, including any accidental or unlawful processing, accidental loss, destruction, damage, alteration, disclosure or disclosureaccess. The In assessing the appropriate level of security, the Parties shall take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risks for Data Processor Subjects. Cappfinity shall at least implement the technical and organisational measures specified in Schedule 2 and shall inform the Data Controller Client in advance of any material changes to such measures; : if so requested by the Data Controller Client acting reasonably (and within the timescales required by the Data ControllerClient) supply further details of the technical and organisational systems in place to safeguard the security of the Personal Data held and to prevent unauthorised access; make available to the Data Controller Client any and all such information as is reasonably required and necessary to demonstrate the Data ProcessorCappfinity’s compliance with the GDPRData Protection Law; on reasonable prior notice, submit to audits and inspections and provide the Data Controller Client with any information reasonably required in order to assess and verify compliance with the provisions of this Agreement and both Parties’ compliance with the requirements of the GDPR. The requirement to give notice will not apply if the Data Controller believes that the Data Processor is in breach of any of its obligations under this Agreement or under the data protection law; and promptly inform the Data Controller immediately Client if it is asked to do anything that it reasonably believes infringes the GDPR or any other applicable data protection legislation. The Data Processor shall , at the Data Controller’s cost, assist the Data Controller in complying with its obligations under the GDPR. In particular, the following shall apply to data subject access requests, complaints, and data breaches. The Data Processor shall notify be under no obligation to follow such instruction until the Data Controller without undue delay if it receives: a subject access request from a data subject; or any other complaint or request relating to matter is resolved in good-faith between the processing of the Personal Data. The Data Processor shall ,at the Data Controller’s cost, cooperate fully with the Data Controller and assist as required in relation to any subject access request, complaint, or other request, including by: providing the Data Controller with full details of the complaint or request; providing the necessary information and assistance in order to comply with a subject access request; providing the Data Controller with any Personal Data it holds in relation to a data subject (within the timescales required by the Data Controller); and providing the Data Controller with any other information requested by the Data Controller. The Data Processor shall notify the Data Controller immediately if it becomes aware of any form of Personal Data breach, including any unauthorised or unlawful processing, loss of, damage to, or destruction of any of the Personal Data. The Data Controller has appointed a Data Protection Officer in accordance with Article 37 of the GDPR, whose details are as follows: ▇▇▇▇ ▇▇▇▇▇▇ contactable at ▇▇▇▇▇▇▇@▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇Parties.▇▇▇

Data Protection Compliance. All instructions given by the Data Controller to the Data Processor shall be made in writing and shall at all times be in compliance with the GDPR and other applicable laws. The Data Processor shall act only on such written instructions from the Data Controller unless the Data Processor is required by law to do otherwise (as per Article 29 of the GDPR). The Data Processor shall promptly comply with any request from the Data Controller requiring the Data Processor to amend, transfer, delete, or otherwise dispose of the Personal Data. The Data Processor shall transfer all Personal Data to the Data Controller on the Data Controller’s reasonable request in the formats, at the times, and in compliance with the Data Controller’s written instructions. Both Parties shall comply at all times with the GDPR and other applicable laws and shall not perform their obligations under this Agreement or any other agreement or arrangement between themselves in such way as to cause either Party to breach any of its applicable obligations under the GDPR. The Data Controller hereby warrants, represents, and undertakes that the Personal Data shall comply with the GDPR in all respects including, but not limited to, its collection, holding, and processing. The Data Processor hereby warrants, represents and undertakes that it shall comply with the GDPR in all respects including in respect of, but no limited to, the holding and processing of Personal Data. The Data Processor agrees to comply with any reasonable measures required by the Data Controller to ensure that its obligations under this Agreement are satisfactorily performed in accordance with any and all applicable legislation from time to time in force (including, but not limited to, the GDPR) and any best practice guidance issued by the ICO. The Data Processor shall provide all reasonable assistance (at the Data Controller’s cost) to the Data Controller in complying with its obligations under the GDPR with respect to the security of processing, the notification of personal data breaches, the conduct of data protection impact assessments, and in dealings with the ICO. When processing the Personal Data on behalf of the Data Controller, the Data Processor shall: not process the Personal Data outside the United Kingdom other than as defined in schedule 4 without the prior written consent of the Data Controller and, where the Data Controller consents to such a transfer to a country that is outside of the EEA, to comply with the obligations of Data Processors under the provisions applicable to transfers of Personal Data to third countries set out in Chapter 5 of the GDPR by providing an adequate level of protection to any Personal Data that is transferred; not transfer any of the Personal Data to any third party other than those defined in schedule 4 without the written consent of the Data Controller and, in the event of such consent, the Personal Data shall be transferred strictly subject to the terms of a suitable agreement, as set out in Clause 10; process the Personal Data only to the extent, and in such manner, as is necessary in order to comply with its obligations to the Data Controller or as may be required by law (in which case, the Data Processor shall inform the Data Controller of the legal requirement in question before processing the Personal Data for that purpose unless prohibited from doing so by law); implement appropriate technical and organisational measures, as described in Schedule 13, and take all steps necessary to protect the Personal Data against unauthorised or unlawful processing, accidental loss, destruction, damage, alteration, or disclosure. The Data Processor shall inform the Data Controller in advance of any changes to such measures; if so requested by the Data Controller (and within the timescales required by the Data Controller) supply further details of the technical and organisational systems in place to safeguard the security of the Personal Data held and to prevent unauthorised access; make available to the Data Controller any and all such information as is reasonably required and necessary to demonstrate the Data Processor’s compliance with the GDPR; on reasonable prior notice, submit to audits and inspections and provide the Data Controller with any information reasonably required in order to assess and verify compliance with the provisions of this Agreement and both Parties’ compliance with the requirements of the GDPR. The requirement to give notice will not apply if the Data Controller believes that the Data Processor is in breach of any of its obligations under this Agreement or under the law; and inform the Data Controller immediately if it is asked to do anything that infringes the GDPR or any other applicable data protection legislation. The Data Processor shall , at the Data Controller’s cost, assist the Data Controller in complying with its obligations under the GDPR. In particular, the following shall apply to data subject access requests, complaints, and data breaches. The Data Processor shall notify the Data Controller without undue delay if it receives: a subject access request from a data subject; or any other complaint or request relating to the processing of the Personal Data. The Data Processor shall ,at the Data Controller’s cost, cooperate fully with the Data Controller and assist as required in relation to any subject access request, complaint, or other request, including by: providing the Data Controller with full details of the complaint or request; providing the necessary information and assistance in order to comply with a subject access request; providing the Data Controller with any Personal Data it holds in relation to a data subject (within the timescales required by the Data Controller); and providing the Data Controller with any other information requested by the Data Controller. The Data Processor shall notify the Data Controller immediately if it becomes aware of any form of Personal Data breach, including any unauthorised or unlawful processing, loss of, damage to, or destruction of any of the Personal Data. The Data Controller has appointed a Data Protection Officer in accordance with Article 37 of the GDPR, whose details are as follows: ▇▇▇▇ ▇▇▇▇▇▇ contactable at ▇▇▇▇▇▇▇@▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇.▇▇▇;