Common use of Data Protection Clause in Contracts

Data Protection. The parties acknowledge that personal data may be transferred under this agreement (“Personal Data”) and each party will fully comply with its respective obligations under the General Data Protection Regulation (EU)2016/679 and applicable complementing national laws (jointly “Privacy Laws”). The parties are independent controllers of their processing operations performed with such Personal Data. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects, Recipient will maintain appropriate technical and organizational measures in such a manner that processing of Personal Data will meet the requirements of the Privacy Laws. Recipient agrees to notify Provider within a period of 48 hours where Recipient becomes aware of or reasonably suspects that Personal Data has been or may have been lost, damaged or subject to unauthorized internal or external access or any other unlawful processing (a “Security Incident”) and to take reasonable steps to mitigate the impact of any such Security Incident. In the event that Recipient receives (i) any request from a data subject to exercise any of its rights under Privacy Laws in relation to Personal Data (including its rights of access, correction, objection and erasure); and (ii) any other correspondence, inquiry or complaint received from a data subject, regulator or other third party in connection with the processing of Personal Data (collectively, "Correspondence"), it shall promptly inform Provider and the parties shall cooperate in good faith as necessary to respond to such Correspondence and fulfill their respective obligations under Privacy Laws. Upon Provider’s request, Recipient shall restrict the processing of Personal Data identified by Provider. 
Recipient shall not transfer any Personal Data to a territory outside of the European Economic Area ("EEA") unless it has taken such measures as are necessary to ensure the transfer is in compliance with the Privacy Laws. Such measures may include transferring the Data to a country that the European Commission has decided provides adequate protection for personal data; to a Recipient that has achieved binding corporate rules authorization in accordance with Privacy Laws; or to a Recipient that has executed standard contractual clauses adopted or approved by the European Commission. Recipient will not make any effort to identify individuals who are or may be the donors of the Original Material and may not combine Data or results of the Project with other data which may result in identification of a donor.

Appears in 4 contracts

Sources: Human Material Transfer Agreement for Non Academic Use, Human Material Transfer Agreement, Human Material Transfer Agreement

Data Protection. The SERVICE PROVIDER’s attention is hereby drawn to the Data Protection Requirements. The CLIENT and the SERVICE PROVIDER shall observe their obligations under the Data Protection Requirements. Where the SERVICE PROVIDER, pursuant to its obligations under this Contract, undertakes the Processing of Personal Data on behalf of the CLIENT, it shall: carry out the Processing of Personal Data only in accordance with instructions from the CLIENT (which may be specific instructions or instructions of a general nature as set out in this Contract or as otherwise notified by the CLIENT to the SERVICE PROVIDER during the Term); carry out the processing of Personal Data only to the extent, and in such manner, as is necessary for the provision of the Ordered Services or as is required by Law or any Regulatory Body; implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; take reasonable steps to ensure the reliability of any SERVICE PROVIDER personnel who have access to the Personal Data; obtain prior written consent from the CLIENT in order to transfer the Personal Data to any Sub-Contractors for the provision of the Ordered Services; ensure that any SERVICE PROVIDER personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 14; ensure that none of the SERVICE PROVIDER personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the CLIENT; notify the CLIENT (within five (5) Working Days) if it receives:

Appears in 3 contracts

Sources: Legal Services Framework Agreement, Legal Services Framework Agreement, Legal Services Framework Agreement

Data Protection.
18.1 The Servicer and the Mortgages Trustee each represents that as at the date hereof it has and hereafter it will maintain all appropriate registrations, licences, consents and authorities (if any) required under the Data Protection ▇▇▇ ▇▇▇▇ together, with its ancillary legislation (the DATA PROTECTION ACT) to enable it to perform its respective obligations under this Agreement. In addition to the foregoing and notwithstanding any of the other provisions of this Agreement, each of the Servicer and the Mortgages Trustee hereby agree and covenant as follows: (a) that only data that is not "personal data" (as described in the Data Protection Act) may be transferred by the Servicer to the Mortgages Trustee or any other entity located in Jersey unless: (i) Jersey is determined, on the basis of Article 25(b) of Directive 95/46/EC, a third country which ensures an adequate level of protection of "personal data" by the European Commission or (ii) the Servicer and the Mortgages Trustee have entered into a data transfer agreement in a form approved by the EC Commission as meeting the requirements of Article 26(2) of Directive 95/46/EC for the transfer of personal data to third countries which do not ensure an adequate level of protection (the STANDARD CONTRACTUAL CLAUSES) in which case, subject to Clause 18(e), the Servicer may transfer such personal data to the Mortgages Trustee in Jersey); (b) that if, at the date at which circumstances enable the Mortgages Trustee to exercise its right to demand that the Servicer transfer inter alia personal data to the Mortgages Trustee, (i) Jersey has been determined, on the basis of Article 25(b) of Directive 95/46/EC a third country which ensures an adequate level of protection of personal data by the European Commission or (ii) the Servicer and the Mortgages Trustee have entered into the Standard Contractual Clauses then, subject to the CLAUSE 18(E), the Servicer shall transfer the relevant personal data to the Mortgages Trustee or to its order; (c) that the Servicer will, if the Mortgages Trustee requires the Servicer to do so, take all reasonable steps to notify each Borrower that the Mortgages Trustee is a "data controller" (as defined in the Data Protection Act) and provide each such Borrower with such details as the Mortgage Trustee shall reasonably request including but not limited to the Mortgages Trustee's contact details for the purposes of the Data Protection Act; (d) that the Servicer and the Mortgages Trustee will only use any data in relation to the Loans and the related Borrowers for the purposes of administering and/or managing the Portfolio, and will not sell such data to any third party or allow any third party to use such data other than in compliance with the Data Protection Act, the conditions stated in this CLAUSE 18 and for the sole purpose of administering and/or managing the Portfolio; (e) that the Mortgages Trustee will comply with the provisions of the Data Protection (Jersey) Law 1987 (as amended) or any law which supersedes or replaces the Data Protection (Jersey) Law 1987 and (so long as the provisions of the Data Protection Act do not conflict with the provisions of the Data Protection (Jersey) Law 1987 (as amended) or any law which supersedes or replaces the Data Protection (Jersey) Law 1987) with the provisions of the Data Protection Act; (f) that the Mortgages Trustee shall maintain a written record of its reasons for applying the Data Protection Order 2000/185 (as set forth under the Conditions under paragraph 3 of Part II of Schedule I of the Data Protection Act).
18.2 The Servicer will use all reasonable endeavours to ensure that, in the event of the appointment of a sub-contractor in accordance with CLAUSE 3.2 such sub-contractor shall obtain and maintain all appropriate registrations, licences, consents and authorities required (including, without limitation, those required under the Data Protection Act), and comply with obligations equivalent to those imposed on the Servicer in this CLAUSE 18, to enable it to perform its obligations.

Appears in 3 contracts

Sources: Servicing Agreement (Permanent Financing (No. 5) PLC), Servicing Agreement (Permanent Financing (No. 6) PLC), Servicing Agreement (Permanent Mortgages Trustee LTD)

Data Protection.
12.1 The Company and the Customer agree that for the purpose of Data Protection Legislation that the Customer shall be the Data Controller and the Company shall be the Data Processor in respect of any Personal Data which is transferred from the Customer to the Company under the terms of this Contract.
12.2 As a Data Processor the Company shall Process the Personal Data only to the extent necessary to perform its obligations pursuant to this Contract and/or in accordance with the Customer’s instructions from time to time, and shall not Process the Personal Data for any other purpose other than enabling it to fulfil its obligations pursuant to this Contract or to perform any other activity which may be authorised by the Customer from time to time.
12.3 Where a party is a Data Processor pursuant to this Contract it shall take reasonable steps to ensure that its employees and agents are informed of its obligations in relation to Personal Data that it collects, transfers or holds, and its employees and agents shall Process such information in confidence and in accordance with all relevant Data Protection Legislation.
12.4 Each party warrants to the other that it will Process the other’s Personal Data in compliance with all applicable Data Protection Legislation.
12.5 Where a party to this Contract becomes a Data Processor pursuant to it, it warrants that in relation to the Personal Data in respect of which it is a Data Processor that: 12.5.1 having regard to the reasonably available state of the art of technological development, the nature of the Processing in question, the cost of implementation, and the material risk to the rights of affected Data Subjects, the Data Processor will take appropriate technical and organisational measures to secure relevant Personal Data against the unauthorised or unlawful Processing and against the accidental loss or destruction; 12.5.2 it will assist the Data Controller, insofar as reasonably possible, in responding to any requests made by any relevant Data Subject which concern the exercise of that Data Subject’s rights under the GDPR, subject to Data Controller reimbursing it for the cost of the same; 12.5.3 it will notify the Data Controller, insofar as reasonably possible, of any relevant requests for the disclosure of Personal Data which may be made to it and which it considers that it is legally obliged to respond to, subject to Data Controller reimbursing it for the cost of the same; 12.5.4 it will report to the Data Controller any actual data breach concerning Personal Data that relates to this Contract which comes to its attention and shall assist the Data Controller to inform the relevant regulator and affected Data Subjects, subject to Data Controller reimbursing it for the cost of the same; 12.5.5 it will, on request, take reasonable steps to demonstrate to the Data Controller, to the extent that is reasonable given the nature of the Processing in question, that it complies with Data Protection Legislation, subject to Data Controller reimbursing it for the cost of the same; and 12.5.6 it shall hold all Personal Data in confidence, subject to security measures no less rigorous than those which it uses to safeguard its own confidential information.
12.6 Each party agrees to indemnify and keep indemnified and defend at its own expense the other party against all costs, claims, damages or expenses incurred by the other party or for which the other party may become liable due to any failure by the first party or its employees or agents to comply with any of its obligations pursuant this clause 12. In order to avail itself of this indemnity the claiming party must: promptly notify the indemnifier of any relevant claim of which the indemnified party becomes aware; not make any admission of liability or offer to settle in respect of any relevant claim without the prior written permission of the indemnifier; grant the indemnifier full control of all relevant proceedings on request, and; provide the indemnifier with such assistance in dealing with such claims as it may reasonably request.
12.7 The parties acknowledge that to the extent that a party is a Data Processor pursuant to this Contract it will be reliant on the other, the Data Controller, for direction as to the extent to which the Data Controller will be entitled to use and Process the relevant Personal Data. Consequently, the Data Processor will not be liable to the Data Controller for any loss or damage which arises from any claim brought by a Data Subject or any fine levied by any relevant regulatory authority which results from any action or omission by the Data Processor, to the extent that such action or omission resulted directly from the Data Controller’s instructions.
12.8 The Company confirms that it will treat all Personal Data which is transferred to it under the terms of this Contract in line with their Privacy Policy.

Appears in 3 contracts

Sources: Master Service Agreement, Master Service Agreement, Master Service Agreement

Data Protection.
8.1 The terms defined in the EU General Data Protection Regulation 2016/679, (the “GDPR”) and the Regulation on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, Regulation 2018/1725 (the “EU DPR”) have the same meaning when used in this clause.
8.2 The Parties acknowledge that each of them will act as independent controller and not as a processor on behalf of, or joint controller with, the other Party, when processing personal data in connection with the Services, including data processing performed in compliance with their obligations at law. The Service Provider shall comply with the GDPR and all other applicable data protection and data privacy laws (the “Data Protection Laws”) in disclosing personal data to EIB or otherwise processing personal data in connection with the Agreement and any Contract.
8.3 Before disclosing any personal data (other than mere contact information relating to the Service Provider’s personnel involved in the management of the Agreement and any Contract (“Contact Data”)) to EIB in connection with the Agreement and any Contract, the Service Provider shall ensure that each data subject of such personal data: (a) has been informed of the disclosure to EIB (including the categories of personal data to be disclosed); and (b) has been advised on the information contained in or has been provided with an appropriate link to EIB’s privacy statement in relation to its procurement and contract management activities as set out from time to time at <▇▇▇▇▇://▇▇▇.▇▇▇.▇▇▇/en/privacy/procurement.htm> or such other address as the Bank may notify to the Service Provider in writing.
8.4 The Service Provider shall promptly inform EIB in writing, with full details, if it: (a) becomes aware of any personal data breach; or (b) receives any communication from: (i) a data subject seeking to exercise a right under, or alleging breach of, the GDPR or any other applicable data protection or data privacy law; or (ii) a supervisory authority or other competent data protection authority, in relation to personal data disclosed or to be disclosed by EIB to the Service Provider or by the Service Provider to EIB, or otherwise processed by the Service Provider in connection with the Agreement and any Contract.
8.5 The Service Provider shall give EIB such information, co-operation and assistance as EIB reasonably requests to enable it to address the legal or other consequences of that personal data breach or of the subject matter of that communication.
8.6 The Service Provider shall notify EIB without delay of any legally binding request for disclosure of the personal data transmitted to it by EIB made by any national public authority, including an authority from a third country.

Appears in 3 contracts

Sources: Framework Agreement, Framework Agreement, Framework Agreement

Data Protection.
7.1 To the extent that Personal Data is processed using the Product, the Parties acknowledge that Bynder is a Data Processor and Customer is a Data Controller and each Party shall comply with their respective statutory or regulatory data protection obligations.
7.2 Bynder, its subcontractors, licensors, and hosts, shall take sufficient and appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to Personal Data, having regard to the state of technological development and cost of implementing any measures, to ensure a level of security appropriate to the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction, or damage and the nature of the Personal Data to be protected.
7.3 Bynder shall process Personal Data in accordance with Customer’s instructions. Should Customer’s instructions contravene or appear likely to contravene legislation binding Bynder, Bynder will notify Customer and request alternative instructions not in contravention of such legislation. Bynder shall have no liability whatsoever for breaches of Data Protection Legislation that arise as a result of its following Customer’s instructions in implementing and supplying the Product.
7.4 Customer is fully responsible for its Customer Data and guarantees to Bynder that the content, use, and/or processing of the Customer Data are not unlawful and do not infringe the rights of any third party.
7.5 Customer shall ensure that all Personal Data that it supplies or discloses to Bynder has been obtained fairly and lawfully and that it will obtain all consents from Data Subjects and registrations with authorities that are required to permit Bynder to transfer Personal Data to third parties to fulfil its obligations under this Agreement.
7.6 Customer indemnifies Bynder against any claim of a third party, including Data Subjects, instituted for whatever reason in connection with its Customer Data or the performance of this Agreement.
7.7 If a third party alleges infringement of its data protection rights, Bynder shall be entitled to take measures it deems necessary to prevent the infringement of a third party’s rights from continuing.
7.8 Bynder shall have no liability whatsoever for the protection of Personal Data in the event that Customer uses a Bynder Product to release such Personal Data to unauthorised persons, entities, or organisations.
7.9 Subject to applicable Data Protection Legislation, if a Data Subject submits a disclosure request to Customer to find out what of their Personal Data Customer holds, and/or to obtain a copy of their Personal Data, Bynder shall inform Customer, unless prohibited by law, and will cooperate and invoice Customer on a time and material basis for any work conducted in fulfilling such requests. Should Bynder be required by law to supply personal data to third parties, Subsection 4.6 shall apply.

Appears in 3 contracts

Sources: Standard Terms of Service, Standard Terms of Service, Standard Terms of Service

Data Protection. 15.1 In so far that Shared Personal Data is Processed under this Agreement it is understood that the parties will each act in the capacity of an independent Data Controller. 15.2 The Grant Recipient (including its employees agents or officers) and each Delivery Partner shall at all times during the period of this Agreement comply with the provisions and obligations imposed by this clause 15 (Data protection) and the Data Protection Legislation generally, including any requirement to obtain registrations, consents, and provide notifications and relevant privacy information to Data Subjects as required for the purposes of their obligations under this Agreement. 15.3 The Grant Recipient warrants and represents that it and/or any of its employees and each Delivery Partner each have in place appropriate technical and organisational measures to protect the Shared Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected.
15.4 The Grant Recipient shall notify Homes England without undue delay on becoming aware of any breach of the applicable Data Protection Legislation in relation to the Shared Personal Data. 15.5 Whilst each party shall be responsible for responding to any complaint in relation to the Shared Personal Data Processed pursuant to this Agreement, or any request by individuals to exercise the Data Subject's rights, if necessary the parties will co-operate with each other and provide reasonable assistance with any request, proceedings or inquiry by any affected Data Subject and/or the Information Commissioner or other body authorised by statute which are concerned with the Data Protection Legislation in connection with the Shared Personal Data Processed under this Agreement. 15.6 The provision of this clause 15 (Data protection) shall apply during the continuance of the Agreement and indefinitely after its termination.
15.7 The Grant Recipient shall indemnify Homes England against all claims and proceedings and all liability, losses, costs and expenses incurred in connection therewith by Homes England as a result of the Grant Recipient's destruction of and/or damage to any of the Shared Personal Data processed by the Grant Recipient, its employees, agents, or a Delivery Partner or any breach of or other failure to comply with the obligations in the Data Protection Legislation and/or this clause 15 (Data protection) by the Grant Recipient, its employees, agents or sub-contractors or any Delivery Partners. 15.8 The Grant Recipient shall appoint and identify an individual within its organisation authorised to respond to enquiries from Homes England concerning the Grant Recipient's and each Delivery Partner's Processing of the Shared Personal Data and will deal with all enquiries from Homes England relating to such Personal Data promptly, including those from the Information Commissioner. 15.9 The Grant Recipient undertakes to include obligations no less onerous than those set out in this clause 15 (Data protection), in all contractual arrangements with its Delivery Partners, Group Companies, agents or sub-contractors engaged by the Grant Recipient in performing its obligations under this Agreement to Homes England and to enforce all such obligations on Homes England's request. 15.10 Homes England may, at any time on not less than thirty (30) Business Days' notice, revise this clause 15 (Data protection) by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Agreement).

Appears in 3 contracts

Sources: Grant Agreement, Grant Agreement, Grant Agreement

Data Protection. 3.2.1 The Parties’ attention is drawn to the Data Protection Act 1998, Directive 95/46/EC of the European Parliament and any legislation and/or regulations implementing them or made in pursuance of them (the “Data Protection Requirements”). The End-User acknowledges that Royal Mail is the data controller in respect of any personal data in the Data. Royal Mail and the Solutions Provider acknowledge that the End-User is the data controller in respect of any personal data in its own database whether it has been cleansed, modified or otherwise. The End-User agrees it will not do or omit to do any act which would place it, the Solutions Provider or Royal Mail in breach of the Data Protection Requirements and each Party warrants to the other that it will duly observe all its obligations under the Data Protection Requirements which arise in connection with the performance of this Licence Agreement.
The End-User agrees that it shall: 3.2.1.1 implement appropriate technical and organisational measures to protect personal data within the Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access; 3.2.1.2 promptly refer to Royal Mail (either directly or indirectly via the Solutions Provider) any queries relating to the personal data within the Data from data subjects, the Information Commissioner or any other law enforcement authority, for Royal Mail to resolve; 3.2.1.3 promptly upon request from Royal Mail provide such information to Royal Mail as Royal Mail may reasonably require to allow it to comply, in relation to the personal data within the Data, with the rights of data subjects, including subject access rights, or with information notices served by the Information Commissioner; and 3.2.1.4 ensure that if, during the term of this Licence Agreement, it intends to make any transfers of personal data within the Data which are not European Commission Approved Transfers, then it shall, prior to transfer, obtain Royal Mail’s consent and at the End-User’s own cost provide such further information and sign such further documents, agreements or deeds as Royal Mail may require to ensure adequate protection of the personal data.
For the purposes of this clause 3.2 “data controller”, “data subject”, “personal data” and “processing” shall have the meanings ascribed to them in the Data Protection Act 1998.

Appears in 3 contracts

Sources: Deal Sheet, Data License Agreement, Data Licence Agreement

Data Protection. The Administrator represents that as at the date hereof the Administrator has and hereafter it will maintain on behalf of itself and on behalf of the Mortgages Trustee (as trustee for the Beneficiaries) all appropriate registrations, licences and authorities (if any) required under the Data Protection Act 1998 to enable each of them to perform their respective ▇▇▇▇▇▇▇▇ons under this Agreement. In addition to the foregoing and notwithstanding any of the other provisions of this Agreement, each of the Administrator and the Mortgages Trustee hereby agree and covenant as follows: (a) that only non-"personal data" (as described in the Data Protection Act 1998) may be transferred by the Administrator to the Mortgages Trustee or any other entity located in Jersey (unless Jersey is declared an "approved state" by the European Commission, in which case the Administrator may transfer such personal data to the Mortgages Trustee in Jersey); (b) that, to the extent that circumstances enable the Mortgages Trustee to exercise its right to demand that the Administrator transfer inter alia personal data to the Mortgages Trustee, the Administrator shall only transfer such personal data to an agent of the Mortgages Trustee that is located in the United Kingdom and maintains all appropriate registrations, licences and authorities (if any) required under the Data Protection Act 1998 (unless Jersey is declared an "approved state" ▇▇ ▇▇▇ European Commission, in which case the Administrator may transfer such personal data to the Mortgages Trustee in Jersey); (c) that, to the extent that circumstances enable the Mortgages Trustee to exercise its right to demand that the Administrator transfer inter alia personal data to the Mortgages Trustee, the Administrator notify each Borrower that the Mortgages Trustee is a "data controller" (as defined in the Data Protection Act 1998) and provide each such Borrower with the address of the Mortgages Trustee; (d) that the Administrator and the Mortgages Trustee will only use any data in relation to the Mortgage Loans and the related Borrowers for the purposes of administering and/or managing the Mortgage Portfolio, and will not sell such data to any third party or allow any third party to use such data other than in compliance with the conditions stated in this Clause 16 and for the sole purpose of administering and/or managing the Mortgage Portfolio; (e) that the Mortgages Trustee will comply with the provisions of the Data Protection (Jersey) Law 1987 (as amended) and (so long as the provisions of the Data Protection Act 1998 do not conflict with the provisions of the Da▇▇ ▇▇▇▇▇ction (Jersey) Law 1987) with the provisions of the Data Protection Act 1998 (as amended); (f) that, upon the request of a Borrower, the Administrator will inform such Borrower that both the Administrator and the Mortgages Trustee are "data controllers" as described in the Data Protection Act 1998; and (g) that both the Administrator and the Mor▇▇▇▇▇▇ ▇rustee shall maintain a written record of their reasons for applying the Data Protection Order 2000 (as set forth under the Conditions under paragraph 3 of Part II of Schedule I of such Order).

Appears in 3 contracts

Sources: Administration Agreement (Granite Mortgages 03-3 PLC), Administration Agreement (Granite Mortgages 03-1 PLC), Administration Agreement (Granite Mortgages 03-2 PLC)

Data Protection. 8.1 Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause Error! Reference source not found. is in addition to, and does not relieve, remove or replace, a party’s obligations under the Data Protection Legislation. 8.2 Without prejudice to the generality of clause 8.1, each party will ensure that it has all necessary appropriate consents and notices in place to enable lawful processing of the Personal Data for the duration and purposes of this Agreement. 8.3 Without prejudice to the generality of clause 8.1, each party (“Processor Party”) shall, in relation to any Personal Data processed in connection with the performance by the Processor Party of its obligations under this agreement: 8.3.1 process Personal Data in respect of which the other party (“Controller Party”) is Data Controller only on the written instructions of the Controller Party unless the Processor Party is required by the laws of any member of the European Union or by the laws of the European Union applicable to the Processor Party to process Personal Data (“Applicable Laws”). Where the Processor Party is relying on laws of a member of the European Union or European Union law as the basis for processing Personal Data, the Processor Party shall promptly notify the Controller Party of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Processor Party from so notifying the Controller Party; 8.3.2 ensure that it has in place appropriate technical and organisational measures, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it); 8.3.3 ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; and 8.3.4 not transfer any Personal Data outside of the United Kingdom or the European Economic Area unless the prior written consent of the Controller Party has been obtained and the following conditions are fulfilled: (a) the Controller Party or the Processor Party has provided appropriate safeguards in relation to the transfer; (b) the data subject has enforceable rights and effective legal remedies; (c) the Processor Party complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and (d) the Processor Party complies with reasonable instructions notified to it in advance by the Controller Party with respect to the processing of the Personal Data; 8.3.5 assist the Controller Party, at the Controller Party’s cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; 8.3.6 notify the Controller Party without undue delay on becoming aware of a Personal Data breach; 8.3.7 at the written direction of the Controller Party, delete or return Personal Data and copies thereof to the Controller Party on termination of the agreement unless it is a Legal Requirement to store the Personal Data; and 8.3.8 maintain complete and accurate records and information to demonstrate its compliance with this clause Error! Reference source not found..
8.4 For processing of Personal Data in connection with this Agreement: the duration of the processing is the term or such longer period as is required by law; the subject matter, nature and purpose is the storage of Personal Data and the sharing of Personal Data between the parties and their respective Group Companies to allow performance of the parties' obligations pursuant to this agreement; types of Personal Data subject to processing pursuant to this agreement are names, addresses, email addresses, IP addresses; and the categories of data subject are Company and Consultant contact details, employees of the Company and any Substitute. 8.5 [The Company agrees that any Substitute appointed under clause 3.3 is a third-party processor of personal data under this Agreement. The Consultant confirms that they will enter into a written agreement, which incorporates terms which are substantially similar to those set out in this clause 8 with the Substitute. The Consultant will remain fully liable for all acts or omissions of any third-party processor appointed by it under this clause 8.5.] 8.6 The Consultant will have liability for and will indemnify the Company and any Group Company for any loss, liability, costs (including legal costs), damages, or expenses resulting from any breach by the Consultant or a Substitute of the Data Protection Legislation and will maintain in force full comprehensive Insurance Policies.

Appears in 2 contracts

Sources: Consultancy Agreement, Consultancy Agreement

Data Protection. Each Party shall in relation to the processing of the Shared Personal Data comply with all the obligations imposed on a controller under the Data Protection Legislation, and any material breach of the Data Protection Legislation by one Party shall, if not remedied within thirty (30) days of written notice from the other Party, give grounds to the other Party to terminate this Agreement with immediate effect. Each Party shall comply with the Data Protection Legislation in processing the Shared Personal Data and shall do all things reasonably necessary to assist the other in complying with its obligations under Data Protection Legislation in respect of the Shared Personal Data. In particular, each Party shall: ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, Shared Personal Data; ensure that it has all necessary notices and consents in place to enable lawful transfer of the Shared Personal Data to the other Party for such purposes as the Parties have mutually agreed, and consult with the other Party about any notices given to data subjects in relation to the Shared Personal Data wherever possible; provide the other Party with reasonable assistance in complying with any data subject access request or deletion requests and queries or complaints made under Data Protection Legislation; provide the other Party with reasonable assistance in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; notify the other Party without undue delay on becoming aware of any Personal Data Breach in relation to Shared Personal Data which it has received from the other Party and provide assistance to the other Party as is necessary upon reasonable request to facilitate the handling of any such Personal Data Breach in an expeditious and compliant manner; maintain complete and accurate records and information to demonstrate compliance with this Agreement; ensure the reliability of any of its Personnel who have access to personal data and ensure that such Personnel have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; and not transfer any Shared Personal Data which it has received from the other Party internationally or to an international organisation except as permitted in accordance with Data Protection Legislation.

Appears in 2 contracts

Sources: Data Sharing Agreement, Data Sharing Agreement

Data Protection. 22.1 In relation to any Processing of Disclosed Data undertaken by the Supplier on behalf of the University pursuant to the Contract, the University and the Supplier acknowledge that, for the purposes of Data Protection Law, the University is the Data Controller and the Supplier is the Data Processor of such Disclosed Data. 22.2 The Parties agree that the Supplier may only process Disclosed Data on and in the Supplier or the Supplier’s Sub-Contractors’ data centres in the EEA and the Disclosed Data may not be stored, transferred, located or otherwise processed outside of such area. Neither the Supplier nor any of its Sub-Contractors are entitled to transfer any of the Disclosed Data outside of the EEA without the University’s prior written consent (and otherwise procuring the University’s compliance with the Eighth Data Protection Principle of the Data Protection ▇▇▇ ▇▇▇▇ or equivalent restrictions under Data Protection Law). 22.3 The Supplier warrants and undertakes that it is solely responsible for ensuring that the Disclosed Data is processed by it in accordance with the Data Protection Law from the date that it is received from the University. 22.4 The Supplier undertakes to the University that it shall use the Disclosed Data only for purposes necessary for the performance of its obligations under the Contract and only in accordance with the instructions given from time to time by the University. 22.5 The Supplier shall (and shall procure that any of the Supplier's Personnel involved in the provision of the Contract shall) comply with any notification requirements under Data Protection Law and both Parties shall duly observe all their obligations under Data Protection Laws which arise in connection with the Contract.
Supplier’s Personnel 22.6 The Supplier will ensure that access to the Disclosed Data is limited to: (a) Supplier’s Personnel who need access to the Disclosed Data to meet the Supplier's obligations under the Contract (the “Relevant Employees”); and (b) in the case of any access by any of the Supplier’s Personnel, such part or parts of the Disclosed Data as is strictly necessary for performance of said Supplier’s Personnel duties.
22.7 The Supplier will ensure that its Relevant Employees: (a) only Process Disclosed Data to the extent permitted by the Contract; (b) are bound by appropriate obligations of confidentiality in respect of the Disclosed Data and understand that the Disclosed Data is confidential in nature; (c) have undertaken training in Data Protection Law; and (d) are aware of the Supplier's obligations under such Data Protection Law and the Contract. 22.8 Without affecting the generality of clause 22.7, the Supplier will take appropriate steps to ensure the reliability of any of the Supplier's Personnel who have access to the Disclosed Data.

Appears in 2 contracts

Sources: Purchase Agreement, Purchase Agreement

Data Protection. Where any Personal Data is Processed in connection with the exercise of the Parties’ rights and obligations under this Framework Agreement, the Parties acknowledge that either Party may be a Data Controller or a Data Processor. The Parties shall: Process the Personal Data only in accordance with instructions from the other to perform its obligations under this Framework Agreement; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data; not disclose or transfer the Personal Data to any third party or employee unless necessary for the provision of the Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the other (save where such disclosure or transfer is specifically authorised under this Framework Agreement); take reasonable steps to ensure the reliability and integrity of any employee who has access to the Personal Data and ensure that they: are aware of and comply with the Provider’s duties under the Framework Agreement; are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the disclosing Party or as otherwise permitted by this Framework Agreement; and have undergone adequate training in the use, care, protection and handling of Personal Data (as defined in the DPA); notify the disclosing Party immediately if it becomes aware of an event that results, or may result, in unauthorised access to Personal Data held by the other under a Call-Off Contract, and/or actual or potential loss and/or destruction of Personal Data in breach of a Call-Off Contract, including any Personal Data breach or if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request), a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to either Party's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be
required by Law; provide the disclosing Party with full cooperation and assistance (within the timescales reasonably required by the Disclosing Party) in relation to any complaint, communication or request made (as referred to at Clause 21.2.5) including by promptly providing: full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested to enable the disclosing Party to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and on request any Personal Data it holds in relation to a Data Subject; and if requested by the disclosing Party provide a written description of the measures it has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to Clause 21.2 and provide copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Parties agree that they shall not Process or otherwise transfer any Personal Data in or to a Restricted Country.
If, after the Commencement Date, either Party or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to any Restricted Country outside the European Economic Area, the following provisions shall apply: the Data Processor shall propose a variation to the Data Controller which, if it is agreed, shall be dealt with in accordance with the Framework Agreement Variation Procedure; the Data Processor shall set out in its proposal for a variation details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Provider will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries to ensure the Data Controller's compliance with the DPA; in providing and evaluating the variation, the Parties shall ensure that they have regard to and comply with the then-current Authority, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Data Processor shall comply with such other instructions and shall carry out such other actions as the Data Controller may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Framework Agreement or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or
receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Data Controller on such terms as may be required by them; or a data processing agreement with the Data Processor on terms which are equivalent to those agreed between the Data Controller and the Sub-Contractor relating to the relevant Personal Data transfer, and in each case which the Parties acknowledge may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Data Controller deems necessary for protecting Personal Data.
The Parties shall use reasonable endeavours to assist each other in compliance with any obligations under the DPA and neither shall perform its obligations under this Framework Agreement in such a way as to cause the other to breach any of their obligations under the DPA to the extent the Party in question is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations. The Parties shall designate a data protection officer if required by the Data Protection Legislation. Before allowing any Sub-Processor to process any Personal Data related to this Framework Agreement, the Parties shall: (a) notify the other in writing of the intended Sub-Processor and processing; (b) obtain the written consent of the Data Controller; (c) enter into a written agreement with the Sub-Processor which give effect to the terms set out in this Clause 21. such that they apply to the Sub-Processor; and provide the Data Controller with such information regarding the Sub-Processor as they may reasonably require. The Data Processor shall remain fully liable for all acts or omissions of any Sub-Processor.

Appears in 2 contracts

Sources: Framework Agreement, Framework Agreement

Data Protection. With respect to the Parties' rights and obligations under this Agreement, the Parties acknowledge that in relation to any Customer Data, the Customer is a controller and the Supplier is a processor. The Parties acknowledge their respective obligations under the Data Protection Legislation and shall give each other such assistance as is reasonable to enable each other to comply with such obligations, however, for the avoidance of doubt the Customer agrees that where Entrust has satisfied a contractual obligation under this Agreement, then such satisfaction of the contractual obligation is deemed to satisfy the same or similar requirement under the Data Protection Legislation. The Customer warrants, represents and undertakes to Entrust that it has lawful grounds for processing the Customer Data. The Parties confirm that the following information will be provided after the GDPR application date: subject matter and duration of the processing; the nature and purpose of the processing; the type of personal data; the categories of data subjects; the obligations and rights of the Customer. Where Entrust processes the Customer Data under or in connection with this Agreement, Entrust shall: a) save as required otherwise by law, only process such of the Customer Data as is necessary to perform its obligations under this Agreement, and only in accordance with the Customer’s documented instructions;
b) put in place appropriate technical and organisational measures to meet its own obligations under the Data Protection Legislation and which the Customer agrees are appropriate measures; c) ensure Entrust staff who will have access to the Customer Data are subject to appropriate confidentiality obligations; d) be entitled to engage Sub-Processors to process the Customer Data subject to Entrust ensuring that equivalent requirements to those set out in this clause are imposed on any sub-processor(s), Entrust remaining fully liable to the Customer for the performance of the sub-processor’s obligations and where applicable, providing to the Customer reasonable prior notice of any addition, removal or replacement of any Sub-Processors; e) not process or transfer the Customer Data outside of the European Economic Area without the prior documented consent of the Customer; f) have in place the appropriate technical and organisational security measures to protect the Customer Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access;

Appears in 2 contracts

Sources: Service Agreement, Service Agreement

Data Protection. The Parties acknowledge their respective duties under Data Protection Legislation and shall give each other all reasonable assistance as appropriate or necessary to enable each other to comply with those duties. For the avoidance of doubt, the Supplier shall take reasonable steps to ensure it is familiar with the Data Protection Legislation and any obligations it may have under such Data Protection Legislation and shall comply with such obligations. Where the Supplier is Processing Personal Data and/or the Parties are otherwise sharing Personal Data under or in connection with this Contract, the Parties shall comply with the Data Protection Protocol in respect of such matters.
The Supplier and the Authority shall ensure that patient related Personal Data is safeguarded at all times in accordance with the Law, and this obligation will include (if transferred electronically) only transferring patient related Personal Data (a) if essential, having regard to the purpose for which the transfer is conducted; and (b) that is encrypted in accordance with any international data encryption standards for healthcare, and as otherwise required by those standards applicable to the Authority under any Law and Guidance (this includes, data transferred over wireless or wired networks, held on laptops, CDs, memory sticks and tapes). Where, as a requirement of this Contract, the Supplier is Processing Personal Data relating to NHS patients and/or service users and/or has access to NHS systems as part of the Services, the Supplier shall: complete and publish an annual information governance assessment using the Data Security and Protection Toolkit; achieve all relevant requirements in the relevant Data Security and Protection toolkit; nominate an information governance lead able to communicate with the Supplier’s board of directors or equivalent governance body, who will be responsible for information governance and from whom the Supplier’s board of directors or equivalent governance body will receive regular reports on information governance matters including, but not limited to, details of all incidents of data loss and breach of confidence; report all incidents of data loss and breach of confidence in accordance with Department of Health and Social Care and/or the NHS England and/or Health and Social Care Information Centre guidelines; put in place and maintain policies that describe individual personal responsibilities for handling Personal Data and apply those policies vigorously; put in place and maintain a policy that supports its obligations under the NHS Care Records Guarantee (being the rules which govern information held in the NHS Care Records 
Service, which is the electronic patient/service user record management service providing authorised healthcare professionals access to a patient’s integrated electronic care record); put in place and maintain agreed protocols for the lawful sharing of Personal Data with other NHS organisations and (as appropriate) with non-NHS organisations in circumstances in which sharing of that data is required under this Contract; where appropriate, have a system in place and a policy for the recording of any telephone calls in relation to the Services, including the retention and disposal of those recordings; at all times comply with any information governance requirements and/or processes as may be set out in the Specification and Tender Response Document; and comply with any new and/or updated requirements, Guidance and/or Policies notified to the Supplier by the Authority from time to time (acting reasonably) relating to the Processing and/or protection of Personal Data. Where any Personal Data is Processed by any Sub-contractor of the Supplier in connection with this Contract, the Supplier shall procure that such Sub-contractor shall comply with the relevant obligations set out in Clause 2 of this Schedule 3 of these Call-off Terms and Conditions and any relevant Data Protection Protocol of these Call-off Terms and Conditions, as if such Sub-contractor were the Supplier.
The Supplier shall indemnify and keep the Authority indemnified against, any loss, damages, costs, expenses (including without limitation legal costs and expenses), claims or proceedings whatsoever or howsoever arising from the Supplier’s unlawful or unauthorised Processing, destruction and/or damage to Personal Data in connection with this Contract.

Appears in 2 contracts

Sources: NHS Framework Agreement for the Provision of Services, NHS Framework Agreement for the Provision of Services

Data Protection. 11.1 The Supplier/Contractor warrants and represents to the Purchaser that it shall comply with the Data Protection Laws. 11.2 Without prejudice to Condition 12.1, the Supplier/Contractor shall: 11.2.1 process Personal Data only as necessary in accordance with obligations under the Contract and any written instructions given by the Purchaser (which may be specific or of a general nature), including with regard to transfers of Personal Data outside the European Economic Area unless required to do so by European Union or Member state law or regulatory body to which the Supplier/Contractor is subject; in which case the Supplier/Contractor must, unless prohibited by that law, inform the Purchaser of that legal requirement before processing the Personal Data only to the extent, and in such manner as is necessary for the performance of the Supplier/Contractor's obligations under this Contract or as is required by law; 11.2.2 subject to Condition 12.2.1 only process or otherwise transfer any Personal Data in or to any country outside of the European Economic Area with the Purchaser's prior written consent; 11.2.3 take all reasonable steps to ensure the reliability and integrity of any of its personnel who have access to the Personal Data and ensure that such personnel are: aware of and comply with the terms of this Condition 12; subject to appropriate confidentiality undertakings; informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Purchaser or as otherwise permitted by this Contract; 11.2.4 implement appropriate technical and organisational measures in accordance with Article 32 of the GDPR to protect Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure, such measures being appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 11.2.5 provide to the Purchaser reasonable assistance including by such technical and organisational measures as may be appropriate in complying with Articles 12-23 of the GDPR; 11.2.6 If the Supplier/Contractor engages a sub-contractor for carrying out Processing activities on behalf of the Purchaser, the Supplier/Contractor must ensure that the same data protection obligations as set out in this Contract are imposed on the sub-contractor by way of a written and legally binding contract, in particular providing sufficient guarantees to implement appropriate technical and organisational measures.
The Supplier/Contractor shall remain fully liable to the Purchaser for the performance of the sub-contractor's performance of the obligations; and 11.2.7 ensure it does not knowingly or negligently do or omit to do anything which places the Purchaser in breach of the Purchaser obligations under the Data Protection Laws.

Appears in 2 contracts

Sources: Purchase Order Terms and Conditions, Purchase Order Terms and Conditions

Data Protection. 12.1 For the purposes of this Clause 12, “Personal Data” and “Processing” (and “Process” shall be construed accordingly) shall have the meanings given to them in the Personal Data Protection ▇▇▇ ▇▇▇▇, as may be updated, superseded or replaced from time to time (the “Act”). 12.2 You acknowledge that We may obtain certain information (including, without limitation, Personal Data), about You (“Your Personal Data”). 12.3 Notwithstanding anything to the contrary, You specifically authorise that We may collect, use, disclose and/or Process Your Personal Data (whether provided electronically or otherwise) to administer these Terms, provide Services to You, including without limitation, monitoring and analysing the conduct of Your account and enabling Us to carry out statistical and other analysis, and otherwise market Services and products to You in accordance with these Terms. 12.4 You acknowledge and agree that in doing so, We may: 12.4.1 transfer or disclose Your Personal Data to any Associated Office or third party wherever located in the world, including (without limitation) those who provide services to Us or act as Our agents, those to whom We transfer or propose to transfer any of Our rights or duties under these Terms and those licences, credit reference agencies or other organisations that help Us make credit decisions and reduce the incidence of fraud or in the course of carrying out identity fraud prevention or credit control checks; and 12.4.2 transfer information We hold about You to countries located outside of Singapore, where data protection safeguards may not be as high, for any of the purposes described in this Clause 12 and in such instances We shall ensure that adequate safeguards are put into place to protect Your Personal Data.
12.5 To the extent that We Process Your Personal Data, We shall: 12.5.1 Process it only for the purposes of complying with its respective Our obligations under these Terms, in accordance with Your reasonable instructions from time to time; and 12.5.2 ensure that appropriate technical and organisational measures shall be taken against unauthorised or unlawful Processing of Personal Data and the General Data Protection Regulation (EU)2016/679 and applicable complementing national laws (jointly “Privacy Laws”). The parties are independent controllers of their processing operations performed with accidental loss or destruction of, or damage to, such Personal Data. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects, Recipient will maintain appropriate technical and organizational measures in such a manner that processing of Personal Data will meet the requirements of the Privacy Laws. Recipient agrees to notify Provider within a period of 48 hours where Recipient becomes aware of or reasonably suspects that Personal Data has been or may have been lost, damaged or subject to unauthorized internal or external access or any other unlawful processing (a “Security Incident”) and to take reasonable steps to mitigate the impact of any such Security Incident. 
In the event that Recipient receives (i) any request from a data subject to exercise any of its rights under Privacy Laws in relation to Personal Data (including its rights of access, correction, objection and erasure); and (ii) any other correspondence, inquiry or complaint received from a data subject, regulator or other third party in connection with the processing of Personal Data (collectively, "Correspondence"), it shall promptly inform Provider and the parties shall cooperate in good faith as necessary to respond to such Correspondence and fulfill their respective obligations under Privacy Laws. Upon Provider’s request, Recipient shall restrict the processing of Personal Data identified by Provider. Recipient shall not transfer . 12.6 If any Personal Data belonging to a territory outside any of Your directors, employees, officers, agents or clients is provided to Us, you represent to Us that each person is aware of and consents to the European Economic Area ("EEA") unless it has taken use of such measures data as are necessary set out in this Clause 12 and You agree to ensure the transfer is in compliance with the Privacy Laws. Such measures may include transferring the Data to a country that the European Commission has decided provides adequate protection for personal data; to a Recipient that has achieved binding corporate rules authorization in accordance with Privacy Laws; indemnify us against any loss, costs or to a Recipient that has executed standard contractual clauses adopted or approved by the European Commission. Recipient will not make expenses arising out of any effort to identify individuals who are or may be the donors breach of the Original Material and may not combine Data or results of the Project with other data which may result in identification of a donorthis representation.

Appears in 2 contracts

Sources: Terms of Business, Terms of Business

Data Protection. 11.1. The LICENSEE acknowledges that in connection with the performance of its obligations under this Agreement PerfectForms may carry out Processing on Personal Data and sensitive personal data relating to employees of the LICENSEE. PerfectForms shall use its best endeavors to carry out such Processing in compliance with any applicable data protection legislation in force from time to time, and shall, without limitation to the foregoing: 11.1.1. Take appropriate technical and organizational measures against unauthorized or unlawful processing of LICENSEE Personal Data and against accidental loss or destruction of, or damage to, LICENSEE Personal Data. 11.1.2. Only disclose LICENSEE Personal Data or information extracted from such data to third parties with the prior written approval of the LICENSEE. 11.1.3. In the event that PerfectForms is compelled to conform to edicts of the law, to respond to subpoenas, to court orders, or legal processes, then, subject to any restrictions, PerfectForms shall promptly notify such employee of the LICENSEE of such request and respond promptly to any request for information made by the LICENSEE in respect of such subject access. 11.2. The LICENSEE acknowledges that it is solely responsible for the creation of all LICENSEE Personal Data upon which PerfectForms carries out Processing under this Agreement. The LICENSEE shall make, obtain and maintain all necessary notifications, authorizations and consents the LICENSEE is required to have for the Processing of LICENSEE Personal Data to be carried out by PerfectForms under this Agreement. PerfectForms acknowledges that LICENSEE Personal Data in the possession of PerfectForms shall at all times remain the property of LICENSEE. 11.3. The LICENSEE hereby instructs PerfectForms to carry out such Processing on LICENSEE Personal Data as is reasonably required by PerfectForms to perform its obligations under this Agreement. The LICENSEE may vary the instruction given by this clause 11.3 with respect to the Processing of LICENSEE Personal Data at any time by written notice to PerfectForms provided that PerfectForms shall have no liability of any kind to the LICENSEE for any loss or damage suffered by or claim made by any person against the LICENSEE arising directly or indirectly from PerfectForms complying with such notice.

Appears in 2 contracts

Sources: Support and Maintenance Agreement, Support and Maintenance Agreement

Data Protection. To the extent that the provision of any Service requires the Processing of Personal Data: (a) Each Provider shall comply with, and shall cause its controlled Affiliates and its and their respective employees, agents and subcontractors to comply with, all applicable Laws relating to the Processing of Personal Data (“Data Protection Laws”) in connection with the performance of the Provider’s and Recipient’s obligations under this Agreement. The Parties acknowledge that the Recipient is the Controller of all Personal Data Processed by the Provider in connection with the performance of the Provider’s and Recipient’s obligations under this Agreement (“Recipient Data”) and agree that the Provider (and any Sub-Processor) may Process Recipient Data in the course of providing the Services. (b) Each Provider shall promptly notify the Recipient (as Controller) if the Provider receives a request from a data subject under any Data Protection Law in respect of the Processing of Personal Data in connection with the performance of the Provider’s or Recipient’s obligations under this Agreement; and ensure that the Provider does not respond to that request except on the instructions of the Recipient or as required by applicable Data Protection Law to which the Provider is subject (in which case, the Provider shall, to the extent permitted by applicable Data Protection Law, inform the Recipient of that legal requirement before the Provider responds to the request). (c) Each Provider shall notify the Recipient (as Controller) without undue delay upon the Provider becoming aware of unauthorized access to, or other security breach, affecting the Recipient’s Personal Data and providing the Recipient with sufficient information to allow the Recipient to meet any obligations to report or inform data subjects of the incident as required under the Data Protection Laws. Each Provider shall cooperate with the Recipient and take such reasonable commercial steps as are directed by the Recipient to assist in the investigation, mitigation and remediation of each such incident. (d) Further obligations of the Provider regarding the Processing of Personal Data in connection with the provision of the Services will be mutually agreed between the Parties in a separate Data Processing and Transfer Agreement (the “DPA”) between the Parties. To the extent there are any conflicts between this Section 3.3 and the DPA, the DPA shall govern.

Appears in 2 contracts

Sources: Transition Services Agreement (Bausch Health Companies Inc.), Transition Services Agreement (Bausch & Lomb Corp)

Data Protection. 15.1 Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause 15 is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Legislation. 15.2 The parties acknowledge that for the purposes of the Data Protection Legislation, the Client is the data controller and FSI is the data processor (where data controller and data processor have the meanings as defined in the Data Protection Legislation). 15.3 Without prejudice to the generality of clause 15.1: (a) the Client will ensure that it has all necessary and appropriate consents and notices in place to enable lawful transfer of any personal data to FSI for the duration and purposes of this agreement; and (b) FSI shall, in relation to any personal data processed in connection with the performance by FSI of its obligations under this agreement: (i) process that personal data only on the documented written instructions of the Client unless FSI is required by the laws of any member of the European Union or by the laws of the European Union applicable to FSI and/or Data Protection Legislation that applies in the UK to process personal data (“Applicable Laws”). Where FSI is relying on Applicable Laws as the basis for processing personal data, FSI shall promptly notify the Client of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit FSI from doing so; (ii) not transfer any personal data outside of the European Economic Area and the United Kingdom unless the following conditions are fulfilled: (A) FSI has provided appropriate safeguards in relation to the transfer; (B) the data subject has enforceable rights and effective legal remedies; (C) FSI complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any personal data that is transferred; and (D) FSI complies with reasonable instructions notified to it in advance by the Client with respect to the processing of the personal data; (iii) assist the Client, at the Client's cost, in responding to any request from a data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; (iv) notify the Client without undue delay on becoming aware of a personal data breach; (v) at the written direction of the Client, delete or return personal data and copies thereof to the Client on termination of this agreement unless required by Applicable Law to store the personal data; (vi) maintain complete and accurate records and information to demonstrate its compliance with this clause 15 and immediately inform the Client if, in the opinion of FSI, an instruction infringes the Data Protection Legislation. 15.4 The Client hereby consents to FSI appointing third party sub-processors (and the Client shall promptly confirm its consent to the appointment of such persons as FSI requires in writing) provided that such sub-processors will not store personal data outside of the European Economic Area unless FSI has provided appropriate safeguards in relation to the transfer (which it can demonstrate to the Client), the data subject has enforceable rights and effective legal remedies and FSI complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any personal data that is transferred. 15.5 Each party shall ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the other party, to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting personal data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to personal data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it).

Appears in 2 contracts

Sources: Managed Services Agreement, Managed Services Agreement

Data Protection. 8.1 Each party will comply with all applicable requirements of the Data Protection Legislation. This Clause is in addition to, and does not relieve, remove or replace, either party’s obligations under the Data Protection Legislation. 8.2 The parties acknowledge that Personal Data of Licensee personnel may be provided to Blue Prism for the provision of Support Services during the Agreement Term, in which case Licensee shall be the Data Controller and Blue Prism shall be the Data Processor. Such Personal Data may include Licensee personnel names, work email address, job information and work telephone number and shall be used by Blue Prism to communicate with Licensee in the providing the Support Services and manage Support Service requests. 8.3 Save as set out in Clause 8.2, Licensee shall not provide any Personal Data to Blue Prism for processing by Blue Prism on Licensee’s behalf. 8.4 Licensee will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to Blue Prism for the duration and purposes of this Agreement in order for Blue Prism to provide Support Services. 8.5 Blue Prism shall in relation to any Personal Data processed in connection with the performance of its obligations under this Agreement: 8.5.1 process that Personal Data only on the written instructions of Licensee as described in Clause 8.2 or otherwise agreed; 8.5.2 ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data; 8.5.3 ensure that all Blue Prism personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; and 8.5.4 only transfer any Personal Data outside of the European Economic Area to its Affiliates and sub-contractors (Licensee’s permission for which is hereby given) if: (a) Blue Prism has provided appropriate safeguards in relation to the transfer; (b) the Data Subject has enforceable rights and effective legal remedies; (c) Blue Prism complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and (d) Blue Prism complies with reasonable instructions notified to it in advance by Licensee with respect to the processing of the Personal Data; 8.5.5 provide reasonable assistance to Licensee in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; 8.5.6 notify Licensee without undue delay on becoming aware of a Personal Data breach; 8.5.7 at the written direction of Licensee, delete or return Personal Data and copies thereof to Licensee on termination or expiry of the Agreement unless required by applicable law to store the Personal Data; and 8.5.8 maintain complete and accurate records and information to demonstrate its compliance with this Clause 8. 8.6 Licensee consents to Blue Prism appointing third-party processors of Personal Data, including Blue Prism Affiliates, in order to provide Support Services to Licensee under this Agreement. Where a third-party processor is not a Blue Prism Affiliate, Blue Prism confirms that it has entered into a written agreement substantially on that third party’s standard terms of business. Further details of Blue Prism’s third-party processors are included in the Blue Prism Privacy Policy. As between Licensee and Blue Prism, Blue Prism shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this Clause.

Appears in 2 contracts

Sources: Software License Agreement, License Agreement

Data Protection. 9.1 Acolyte shall, in providing access to the Application and in preparing Intelligence Reports and Insight Reports, comply with Data Protection Legislation and with its Data Protection & Privacy Policy relating to the privacy and security of the personal data processed under this Agreement, which is available on the Acolyte website. Acolyte reserves the right to amend its policies as required. 9.2 Each party shall ensure compliance with all applicable Data Protection Legislation when processing personal data. 9.3 The parties acknowledge that each of them is a controller of the Candidate Data processed in connection with this Agreement. The Parties agree to regulate the processing of Candidate Data as set out in Schedule 2. 9.4 The parties acknowledge that any preceding or subsequent data processing activities involving Candidate Data will fall outside the scope of this Agreement. 9.5 Acolyte may record telephone and video calls for training and monitoring purposes, and all recordings shall be held in accordance with Data Protection Legislation. 9.6 The Client acknowledges that the personal data shall be stored within the EU or the UK but may be accessed or processed in accordance with applicable legislation outside the EU or the country where ▇▇▇▇▇▇▇’s delivery team, the Client and the Authorised Users are located in order to provide access to the Application, and perform Acolyte’s obligations under this Agreement. Any transfer of personal data outside the EU or the UK will be subject to a Data Transfer Impact Assessment to confirm that the recipient ensures adequate protection for personal data and that the data subject has enforceable rights and effective legal remedies; 9.7 Where relevant, the parties shall ensure that each of them is entitled to transfer the relevant personal data to the other party so that it may be lawfully used, processed and transferred in accordance with this Agreement; 9.8 The parties shall ensure that the relevant third parties have been informed of, and, where applicable, have given their consent to, such use, processing, and transfer as required by all applicable data protection legislation; 9.9 Each party shall take appropriate administrative, physical, technical and organisational measures against unauthorised or unlawful processing of the personal data and Candidate Data or its accidental loss, destruction or damage; and 9.10 The Client represents that the Client has established appropriate confidentiality, privacy and security policies and safeguards consistent with Data Protection Legislation, and applicable industry standards and that the Client will educate Authorised Users on these policies and safeguards. 9.11 Acolyte shall follow its archiving procedures for personal data. In the event of any loss or damage to Candidate Data, the Client’s sole and exclusive remedy shall be for Acolyte to use reasonable commercial endeavours to restore the lost or damaged Candidate Data from the latest back-up of such Candidate Data maintained by Acolyte in accordance with the archiving procedure. Acolyte shall not be responsible for any loss, destruction, alteration or disclosure of Candidate Data caused by any third party (except those third parties subcontracted by Acolyte to perform services related to Candidate Data maintenance and back-up).

Appears in 2 contracts

Sources: Terms of Business, Terms of Business

Data Protection. The Parties acknowledge their respective duties under Data Protection Legislation and shall give each other all reasonable assistance as appropriate or necessary to enable each other to comply with those duties. For the avoidance of doubt, the Supplier shall take reasonable steps to ensure it is familiar with the Data Protection Legislation and any obligations it may have under such Data Protection Legislation and shall comply with such obligations. Where the Supplier is Processing Personal Data and/or the Parties are otherwise sharing Personal Data under or in connection with this Contract, the Parties shall comply with the Data Protection Protocol in respect of such matters.
The Supplier and the Authority shall ensure that patient related Personal Data is safeguarded at all times in accordance with the Law, and this obligation will include (if transferred electronically) only transferring patient related Personal Data (a) if essential, having regard to the purpose for which the transfer is conducted; and (b) that is encrypted in accordance with any international data encryption standards for healthcare, and as otherwise required by those standards applicable to the Authority under any Law and Guidance (this includes, data transferred over wireless or wired networks, held on laptops, CDs, memory sticks and tapes). Where, as a requirement of this Contract, the Supplier is Processing Personal Data relating to NHS patients and/or service users and/or has access to NHS systems as part of the Services, the Supplier shall: complete and publish an annual information governance assessment using the Data Security and Protection toolkit; achieve all relevant requirements in the relevant Data Security and Protection Toolkit; nominate an information governance lead able to communicate with the Supplier’s board of directors or equivalent governance body, who will be responsible for information governance and from whom the Supplier’s board of directors or equivalent governance body will receive regular reports on information governance matters including, but not limited to, details of all incidents of data loss and breach of confidence; report all incidents of data loss and breach of confidence in accordance with Department of Health and Social Care and/or the NHS England and/or Health and Social Care Information Centre guidelines; put in place and maintain policies that describe individual personal responsibilities for handling Personal Data and apply those policies vigorously; put in place and maintain a policy that supports its obligations under the NHS Care Records Guarantee (being the rules which govern information held in the NHS Care Records 
Service, which is the electronic patient/service user record management service providing authorised healthcare professionals access to a patient’s integrated electronic care record); put in place and maintain agreed protocols for the lawful sharing of Personal Data with other NHS organisations and (as appropriate) with non-NHS organisations in circumstances in which sharing of that data is required under this Contract; where appropriate, have a system in place and a policy for the recording of any telephone calls in relation to the Services, including the retention and disposal of those recordings; at all times comply with any information governance requirements and/or processes as may be set out in the Specification and Tender Response Document; and comply with any new and/or updated requirements, Guidance and/or Policies notified to the Supplier by the Authority from time to time (acting reasonably) relating to the Processing and/or protection of Personal Data. Where any Personal Data is Processed by any Sub-contractor of the Supplier in connection with this Contract, the Supplier shall procure that such Sub-contractor shall comply with the relevant obligations set out in Clause 2 of this Schedule 3 of these Call-off Terms and Conditions and any relevant Data Protection Protocol, as if such Sub-contractor were the Supplier.
The Supplier shall indemnify and keep the Authority indemnified against, any loss, damages, costs, expenses (including without limitation legal costs and expenses), claims or proceedings whatsoever or howsoever arising from the Supplier’s unlawful or unauthorised Processing, destruction and/or damage to Personal Data in connection with this Contract.

Appears in 2 contracts

Sources: Framework Agreement, Framework Agreement

Data Protection. 16.1 Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause 16 is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Legislation.
16.2 The parties acknowledge that for the purposes of the Data Protection Legislation, the Client is the data controller and FSI is the data processor (where data controller and data processor have the meanings as defined in the Data Protection Legislation).
16.3 Without prejudice to the generality of clause 16.1: (a) the Client will ensure that it has all necessary and appropriate consents and notices in place to enable lawful transfer of any personal data to FSI for the duration and purposes of this agreement; and (b) FSI shall, in relation to any personal data processed in connection with the performance by FSI of its obligations under this agreement: (i) process that personal data only on the documented written instructions of the Client unless FSI is required by the laws of any member of the European Union or by the laws of the European Union applicable to FSI and/or Data Protection Legislation that applies in the UK to process personal data (jointly “Applicable Laws”). Where FSI is relying on Applicable Laws as the basis for processing personal data, FSI shall promptly notify the Client of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit FSI from doing so; (ii) not transfer any personal data outside of the European Economic Area and the United Kingdom unless the following conditions are fulfilled: (A) FSI has provided appropriate safeguards in relation to the transfer; (B) the data subject has enforceable rights and effective legal remedies; (C) FSI complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any personal data that is transferred; and (D) FSI complies with reasonable instructions notified to it in advance by the Client with respect to the processing of personal data; (iii) assist the Client, at the Client's cost, in responding to any request from a data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; (iv) notify the Client without undue delay on becoming aware of a personal data breach; (v) at the written direction of the Client, delete or return personal data and copies thereof to the Client on termination of this agreement unless required by Applicable Law to store the personal data; (vi) maintain complete and accurate records and information to demonstrate its compliance with this clause 16 and immediately inform the Client if, in the opinion of FSI, an instruction infringes the Data Protection Legislation.
16.4 The Client hereby consents to FSI appointing third party sub-processors (and the Client shall confirm its consent to the appointment of such persons as FSI requires in writing) provided that such sub-processors will not store personal data outside of the European Economic Area unless FSI has provided appropriate safeguards in relation to the transfer (which it can demonstrate to the Client), the data subject has enforceable rights and effective legal remedies and FSI complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any personal data that is transferred.
16.5 Each party shall ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the other party, to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting personal data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to personal data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it).

Appears in 2 contracts

Sources: Saas Agreement, Saas Agreement

Data Protection. The Administrator represents that as at the date hereof the Administrator has and hereafter it will maintain on behalf of itself and on behalf of the Mortgages Trustee (as trustee for the Beneficiaries) all appropriate registrations, licences and authorities (if any) required under the Data Protection Act 1998 to enable each of them to perform their respective obligations under this Agreement. In addition to the foregoing and notwithstanding any of the other provisions of this Agreement, each of the Administrator and the Mortgages Trustee hereby agree and covenant as follows: (a) that only non-"personal data" (as described in the Data Protection Act 1998) may be transferred by the Administrator to the Mortgages Trustee or any other entity located in Jersey (unless Jersey is declared an "approved state" by the European Commission, in which case the Administrator may transfer such personal data to the Mortgages Trustee in Jersey); (b) that, to the extent that circumstances enable the Mortgages Trustee to exercise its right to demand that the Administrator transfer inter alia personal data to the Mortgages Trustee, the Administrator shall only transfer such personal data to an agent of the Mortgages Trustee that is located in the United Kingdom and maintains all appropriate registrations, licences and authorities (if any) required under the Data Protection Act 1998 (unless Jersey is declared an "approved state" by the European Commission, in which case the Administrator may transfer such personal data to the Mortgages Trustee in Jersey); (c) that, to the extent that circumstances enable the Mortgages Trustee to exercise its right to demand that the Administrator transfer inter alia personal data to the Mortgages Trustee, the Administrator notify each Borrower that the Mortgages Trustee is a "data controller" (as defined in the Data Protection Act 1998) and provide each such Borrower with the address of the Mortgages Trustee; (d) that the Administrator and the Mortgages Trustee will only use any data in relation to the Mortgage Loans and the related Borrowers for the purposes of administering and/or managing the Mortgage Portfolio, and will not sell such data to any third party or allow any third party to use such data other than in compliance with the conditions stated in this Clause 16 and for the sole purpose of administering and/or managing the Mortgage Portfolio; (e) that the Mortgages Trustee will comply with the provisions of the Data Protection (Jersey) Law 1987 (as amended) and (so long as the provisions of the Data Protection Act 1998 do not conflict with the provisions of the Data Protection (Jersey) Law 1987) with the provisions of the Data Protection Act 1998 (as amended); (f) that, upon the request of a Borrower, the Administrator will inform such Borrower that both the Administrator and the Mortgages Trustee are "data controllers" as described in the Data Protection Act 1998; and (g) that both the Administrator and the Mortgages Trustee shall maintain a written record of their reasons for applying the Data Protection Order 2000 (as set forth under the Conditions under paragraph 3 of Part II of Schedule I of such Order).

Appears in 2 contracts

Sources: Administration Agreement (Granite Mortgages 03-1 PLC), Administration Agreement (Granite Mortgages 03-3 PLC)

Data Protection. The Parties acknowledge their respective duties under Data Protection Legislation and shall give each other all reasonable assistance as appropriate or necessary to enable each other to comply with those duties. For the avoidance of doubt, the Supplier shall take reasonable steps to ensure it is familiar with the Data Protection Legislation and any obligations it may have under such Data Protection Legislation and shall comply with such obligations. Where the Supplier is Processing Personal Data and/or the Parties are otherwise sharing Personal Data under or in connection with this Contract, the Parties shall comply with the Data Protection Protocol in respect of such matters.
The Supplier and the Authority shall ensure that patient related Personal Data is safeguarded at all times in accordance with the Law, and this obligation will include (if transferred electronically) only transferring patient related Personal Data (a) if essential, having regard to the purpose for which the transfer is conducted; and (b) that is encrypted in accordance with any international data encryption standards for healthcare, and as otherwise required by those standards applicable to the Authority under any Law and Guidance (this includes, data transferred over wireless or wired networks, held on laptops, CDs, memory sticks and tapes). Where, as a requirement of this Contract, the Supplier is Processing Personal Data relating to NHS patients and/or service users and/or has access to NHS systems as part of the Services, the Supplier shall: complete and publish an annual information governance assessment using the Data Security and Protection toolkit; achieve all relevant requirements in the relevant Data Security and Protection toolkit; nominate an information governance lead able to communicate with the Supplier’s board of directors or equivalent governance body, who will be responsible for information governance and from whom the Supplier’s board of directors or equivalent governance body will receive regular reports on information governance matters including, but not limited to, details of all incidents of data loss and breach of confidence; report all incidents of data loss and breach of confidence in accordance with Department of Health and Social Care and/or the NHS England and/or Health and Social Care Information Centre guidelines; put in place and maintain policies that describe individual personal responsibilities for handling Personal Data and apply those policies vigorously; put in place and maintain a policy that supports its obligations under the NHS Care Records Guarantee (being the rules which govern information held in the NHS Care Records 
Service, which is the electronic patient/service user record management service providing authorised healthcare professionals access to a patient’s integrated electronic care record); put in place and maintain agreed protocols for the lawful sharing of Personal Data with other NHS organisations and (as appropriate) with non-NHS organisations in circumstances in which sharing of that data is required under this Contract; where appropriate, have a system in place and a policy for the recording of any telephone calls in relation to the Services, including the retention and disposal of those recordings; at all times comply with any information governance requirements and/or processes as may be set out in the Specification and Tender Response Document; and comply with any new and/or updated requirements, Guidance and/or Policies notified to the Supplier by the Authority from time to time (acting reasonably) relating to the Processing and/or protection of Personal Data. Where any Personal Data is Processed by any Sub-contractor of the Supplier in connection with this Contract, the Supplier shall procure that such Sub-contractor shall comply with the relevant obligations set out in Clause 2 of this Schedule 3 of these Call-off Terms and Conditions and any relevant Data Protection Protocol, as if such Sub-contractor were the Supplier.
The Supplier shall indemnify and keep the Authority indemnified against, any loss, damages, costs, expenses (including without limitation legal costs and expenses), claims or proceedings whatsoever or howsoever arising from the Supplier’s unlawful or unauthorised Processing, destruction and/or damage to Personal Data in connection with this Contract.

Appears in 2 contracts

Sources: Framework Agreement for the Supply of Goods and the Provision of Services, Framework Agreement

Data Protection. 13.1 It is agreed and acknowledged by the parties that they each act as Controller for Personal Data relevant to this Agreement. 13.2 The Council is the Data Controller for the Personal Data that it holds and shares with the BID Company under this Agreement as described in Appendix D (“the Council’s Personal Data”). Where the BID Company Processes the Council’s Personal Data in performance of this Agreement, the BID Company carries out such Processing as a Data Processor. 13.3 The BID Company is the Data Controller for the Personal Data that it holds and shares with the Council under this Agreement as described in Appendix E (“the BID Company’s Personal Data”). Where the Council Processes the BID Company’s Personal Data in performance of this Agreement, the Council carries out such Processing as a Data Processor. 13.4 As Controllers in common the Council and the BID Company agree to share and Process the Personal Data on the terms set out in this clause 13 and the appendices to this Agreement and the parties will comply with all the requirements of the Data Protection Legislation throughout the duration of this Agreement. 13.5 The parties agree that the sharing of Personal Data is necessary for the purposes of this Agreement as defined in Appendices D and E (“the Agreed Purpose”) and they shall not Process Shared Personal Data other than for the Agreed Purpose. 13.6 Each party will Process all Personal Data as set out in Appendices D and E.
13.7 Each party will implement appropriate technical and organisational measures to (a) prevent: (i) unauthorised or unlawful Processing of the Shared Personal Data; and (ii) the accidental loss or destruction of, or damage to, the Shared Personal Data; and (b) ensure a level of security appropriate to: (i) the harm that might result from such unauthorised or unlawful Processing or accidental loss, destruction or damage; and (ii) the nature of the Shared Personal Data to be protected in such a manner that all Processing will meet the requirements of the Data Protection Legislation and ensure the protection of the rights of Data Subjects. 13.8 Each party shall ensure that it has legitimate grounds under the Data Protection Legislation for the Processing of Shared Personal Data. 13.9 Each party in sharing Personal Data with the other, shall ensure that it provides clear and sufficient information to the Data Subjects, in accordance with the Data Protection Legislation, of the purposes for which it will Process their Personal Data, the legal basis for such purposes and such other information as is required by Article 13 of the GDPR including, if Shared Personal Data will be transferred to a third party, that fact and sufficient information about such transfer and the purpose of such transfer to enable the Data Subject to understand the purpose and risks of such transfer.
13.10 Each party in receiving Personal Data from the other, undertakes to inform the Data Subjects, in accordance with the Data Protection Legislation, of the purposes for which it will Process their Personal Data, the legal basis for such purposes and such other information as is required by Article 14 of the GDPR including, if Shared Personal Data will be transferred to a third party, that fact and sufficient information about such transfer and the purpose of such transfer to enable the Data Subject to understand the purpose and risks of such transfer. 13.11 The parties each agree to provide such assistance as is reasonably required to enable the other party to comply with requests from Data Subjects to exercise their rights under the Data Protection Legislation within the time limits imposed by the Data Protection Legislation. 13.12 Each party is responsible for maintaining a record of individual requests for information from Data Subjects, the decisions made and any other information that was exchanged. Records must include copies of the request for information, details of the Data accessed and shared and where relevant, notes of any meeting, correspondence or phone calls relating to the request.
13.13 Subject to any request from a data subject to exercise any of its rights under Privacy Laws in relation to Personal Data (including its rights of accessstatutory or stated retention periods, correction, objection and erasure); and (ii) any other correspondence, inquiry or complaint received from a data subject, regulator or other third party in connection with the processing of Personal Data (collectively, "Correspondence"), it shall promptly inform Provider and the parties shall cooperate in good faith as not retain or Process Shared Personal Data for longer than is necessary to respond to such Correspondence and fulfill their respective obligations under Privacy Laws. Upon Provider’s request, Recipient shall restrict carry out the processing of Agreed Purpose. 13.14 Any Personal Data identified that has been shared with a party shall, at the direction of the other, disclosing, party be returned or destroyed in the following circumstances: (a) on termination of the Agreement; (b) on expiry of the BID Term; (c) once Processing of the Shared Personal Data is no longer necessary for the Agreed Purpose for which it was originally shared; unless required by Provider. Recipient law to continue to store such Personal Data 13.15 If a party appoints a third party Processor to Process the Shared Personal Data it shall comply with Article 28 and Article 30 of the GDPR and shall remain liable to the other party for any breach, non-performance or non-observance of this clause 13 by such other Processor in the same way and to the same extent as if such breach, non-performance or non-observance had been committed by the appointing party. 
13.16 A party may not transfer any Shared Personal Data to a territory third party located outside the EEA unless it; (a) complies with the provisions of Articles 26 of the European Economic Area GDPR ("EEA"in the event the third party is a joint Controller); and (b) unless it has taken such measures as are necessary to ensure ensures that (i) the transfer is in compliance with the Privacy Laws. Such measures may include transferring the Data to a country that the European Commission has decided provides adequate protection for personal data; to a Recipient that has achieved binding corporate rules authorization in accordance with Privacy Laws; or to a Recipient that has executed standard contractual clauses adopted or approved by the European Commission. Recipient will not make any effort Commission as providing adequate protection pursuant to identify individuals who are or may be the donors Article 45 of the Original Material and may not combine Data or results GDPR; (ii) there are appropriate safeguards in place pursuant to Article 46 of the Project GDPR; or (iii) one of the derogations for specific situations in Article 49 of the GDPR applies to the transfer. 13.17 It is the responsibility of each party to ensure that its staff members are appropriately trained to handle and Process the Shared Personal Data in accordance with the technical and organisational security measures together with any other applicable national data protection laws and guidance and have entered into confidentiality agreements relating to the Processing of Personal Data. 13.18 Each party shall each comply with its obligation to report a Personal Data Breach to the other without undue delay and (where applicable) Data Subjects under Article 33 of the GDPR. 
The parties agree to provide reasonable assistance as is necessary to each other to facilitate the handling of any Personal Data Breach in an expeditious and compliant manner, including providing details of the nature of such Personal Data Breach, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned, together with details of the likely consequences of the Personal Data Breach, and the measures taken or proposed to be taken to address the Personal Data Breach including, where appropriate, measures to mitigate its possible adverse effects. 13.19 In the event of a dispute or claim brought by a Data Subject concerning the Processing of Shared Personal Data against either or both parties, the parties will inform each other about any such disputes or claims, and will co-operate with a view to settling them amicably in a timely fashion. 13.20 Each party undertakes to indemnify the other and hold the other harmless from any claims, proceedings, actions, damages, costs, fines, expenses and any other liabilities which may result arise out of, or in identification consequence of a donorbreach or purported breach of the Data Protection Legislation or the performance or non-performance by that party of its obligations under this Agreement in relation to the Data Protection Legislation, including loss of or damage to property, financial loss arising from any breach of the Data Protection Legislation, or any other loss which is caused directly or indirectly by any act or omission of the Party arising from any breach of the Data Protection Legislation. 13.21 The provisions of this clause 13 shall apply during the Term of this Contract and indefinitely after its expiry.

Appears in 2 contracts

Sources: Bid Levy Operating Agreement, Bid Levy Operating Agreement

Data Protection. For the purpose of this article 42, "Personal Data" and "Data Controller" shall have the meanings ascribed to them in the UK Data Protection Act 1998 (“DPA”). Seller shall ensure that it complies with all requirements of the DPA as if Seller were the Data Controller in respect of all Personal Data provided to Seller by ▇▇▇▇▇, any employee of Buyer, Buyer’s customers, ▇▇▇▇▇’s subcontractors and/or any agent of Buyer pursuant to or relating to this Contract. Seller shall not process any Personal Data controlled by ▇▇▇▇▇ except in the performance of and for the purpose of this Contract.
Furthermore, Seller shall not transfer any Personal Data controlled by Buyer to any other entity or outside of the EEA without the express written consent of Buyer and without the provisions of the DPA and all applicable data protection law having been satisfied. Seller will have in place adequate technical and organizational security measures so that the confidentiality of this processing complies with the DPA and all applicable data protection laws and regulations. Seller shall immediately provide Buyer with copies of any and all requests by data subjects or regulatory authorities in relation to personal data processed pursuant to this Contract, and notice of any and all data breaches or other unlawful processing of personal data, and shall promptly provide Buyer with any and all assistance that may be required to respond to such requests or breaches. Where such requests relate to ▇▇▇▇▇▇’s failure to comply with the DPA or other applicable data protection laws and regulations, then such support and any remediation shall be at Seller’s expense.
Where under this Contract personal data needs to be exported from the EEA, Seller shall agree to execute such data transfer contracts based upon the model contracts published by the Article 29 Working Party of the European Commission. Seller shall indemnify, keep indemnified and hold harmless Buyer and ▇▇▇▇▇’s customers from and against all expenses, contingent liabilities, liabilities, injuries, losses, damages, claims, demands, proceedings, judgments and legal costs (on a full indemnity basis) whether arising in tort (including negligence), breach of contract, breach of statutory duty, collaterally or otherwise which Buyer and/or Buyer’s customers incur or suffer arising from breach of this article 42 or any model contract entered into by Seller pursuant to it.

Appears in 2 contracts

Sources: Purchase Order, Purchase Contract

Data Protection. In this Section, “personal data” means data that relates to a living individual who can be identified from the data (either by itself or when it is combined with other data). WMIL may process personal data in connection with this Agreement and the products and services that it provides under it. For the purposes of the Applicable Data Protection Laws, WMIL is a controller in respect of the processing of this personal data and is responsible for compliance with the Applicable Data Protection Laws in respect of such processing. Notwithstanding any other provision of this Agreement, under no circumstances shall WMIL be deemed to be a processor on behalf of, or a joint controller with, the Client. WMIL explains what personal data it will process, why and how it will process it, who it may share it with, and the rights that an individual has in respect of their personal data at the following location: ▇▇▇▇▇://▇▇▇.▇▇▇▇▇▇▇▇▇▇.▇▇▇/en/privacy-notice/. In the remainder of this Section, WMIL refers to this as its “Privacy Notice”. Each party is responsible for its own compliance with Applicable Data Protection Laws and, except as explicitly set out in this Agreement, neither party relies on the other with respect to its own compliance with Applicable Data Protection Laws. The Client undertakes, where it transfers personal data to WMIL, it does so in accordance with the Applicable Data Protection Laws. The Client must ensure that any personal data that it provides to WMIL is accurate and up to date, and that it promptly notifies WMIL if it becomes aware that such personal data is incorrect. Where the Client provides personal data to WMIL, the Client must first have satisfied the obligations imposed by Applicable Data Protection Laws, including but not limited to the obligation to provide transparency information to affected individuals, and drawn the attention of those individuals to WMIL’s Privacy Notice.
In addition, the Client shall promptly notify those individuals of any material changes to the Privacy Notice when advised by WMIL. Where, in connection with this Agreement and the products and services that it provides under it, it becomes necessary for WMIL to transfer personal data to the Client, or its appointed representatives or assigns, in any jurisdiction outside the UK that has not been deemed adequate for the purposes of Article 47 of the UK GDPR, the parties shall use all reasonable efforts to enter into such data transfer arrangements as may be necessary to satisfy the requirements of the Applicable Data Protection Laws with respect to any such transfer.
In the event that either party becomes aware of an actual or suspected personal data breach affecting personal data disclosed under, or in connection with, this Agreement, that party shall notify the other party without undue delay, and the parties shall use all reasonable endeavours to assist one another in satisfying the requirements of Applicable Data Protection Laws with respect to any such breach.

Appears in 2 contracts

Sources: Investment Management Agreement (Accelerant Holdings), Investment Management Agreement (Accelerant Holdings)

Data Protection. (a) If and insofar within the scope of this Agreement Personal Data is Processed by Pegasystems on behalf of Customer, Pegasystems shall: (i) Process the Personal Data only in accordance with instructions from the Customer (which may be specific instructions as are notified by the Customer to Pegasystems during the Term or instructions of a general nature as are set out in this Agreement); (ii) implement appropriate technical and organizational measures to protect the Personal Data against unauthorized or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm and/or reputational damage which might result from any unauthorized or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data and comply with the obligations in this sub-clause; (iii) ensure that all Pegasystems staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this sub-clause; and (iv) not publish, disclose or divulge any of the Personal Data to any third party except as described below or unless directed in writing to do so by the Customer.
(b) Pegasystems will notify Customer in writing if it becomes aware of any breach of Personal Data or any claims in connection with such breach. Pegasystems shall inform Customer of all actions and measures taken to address such breach and/or claims.
(c) Pegasystems will only transfer or provide direct access to Personal Data to Pegasystems’ affiliates and subcontractor that (i) have agreed in writing to process the Personal Data consistent with the terms of this Agreement and (ii) (A) are located in a jurisdiction subject to Data Protection Legislation or with privacy laws considered to be adequate by the European Commission or (B) have entered into the EU standard contractual clauses for transfers of Personal Data to non-EU data processors, set out in the European Commission Decision 2010/87/EC of 5 February 2010, to the extent necessary for Pegasystems to fulfill its obligations to Customer pursuant to this Agreement, unless and until Pegasystems has in place an alternative valid mechanism which is suitable for this purpose, including but not limited to binding corporate rules for Processors.

Appears in 2 contracts

Sources: Master Software License, Maintenance & Professional Services Agreement, Master Software License, Maintenance & Professional Services Agreement

Data Protection. Each Party shall comply with its respective obligations under Applicable Data Protection Law and shall not do or omit to do anything which would cause the other Party to breach Applicable Data Protection Law. To the extent that any personal data is processed by the Supplier under this Agreement, the Supplier shall: process the personal data only in accordance with this Agreement and the Customer’s lawful instructions; implement appropriate technical and organisational measures to protect the personal data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure; only permit the personal data to be processed by persons who are bound by enforceable obligations of confidentiality; remain entitled to appoint third party sub-processors. Where the Supplier appoints a third party sub-processor, it shall, with respect to data protection obligations: (i) ensure that the third party is subject to, and contractually bound by, at least the same obligations as Supplier; and (ii) remain fully liable the Customer for all acts and omissions of the third party; not transfer or otherwise process the personal data outside of the European Economic Area ("EEA") without obtaining the Customer's prior written consent; where consent is granted under clause 12.2.5, the Supplier may only process, or permit the processing, of the personal data outside the EEA under the following conditions: (i) the territory has the benefit of a European Commission finding that it provides adequate protection for the privacy rights of individuals; or (ii) the Supplier has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available; or (iii) the transfer otherwise complies with Applicable Data Protection Law; notify the Customer without delay after becoming aware that it has suffered a personal data breach; at the Customer’s cost, permit the Customer (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit the Supplier’s data processing activities to enable the Customer to verify and/or procure that the Supplier is complying with its obligations under this clause 12; assist the Customer in responding to requests from data subjects who are exercising their rights under Applicable Data Protection Law; assist the Customer in complying with its obligations pursuant to Articles 32-36 of the GDPR (or such corresponding provisions of Applicable Data Protection Law), comprising (if applicable): (i) notifying a supervisory authority that the Customer has suffered a personal data breach; (ii) communicating a personal data breach to an affected individual; (iii) carrying out an impact assessment; and (iv) where required under an impact assessment, engaging in prior consultation with a supervisory authority; and unless applicable law requires otherwise, upon termination of this Agreement delete all personal data provided by the Customer to the Supplier.
Each Party acknowledges that the factual description of the subject-matter, duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects shall be as set out in this Agreement. To the extent that the foregoing is not set out in this Agreement, the Parties shall keep a separate record the relevant particulars.

Appears in 2 contracts

Sources: Service Agreement, Service Agreement

Data Protection.
1. The parties agree to treat the personal data to which they may have access for the purpose indicated in this Educational Cooperation agreement. In accordance with the provisions of Regulation (EU) 2016/679, contained in Organic Law 3/2018, of 5 December 2018, concerning the Protection of Personal Data and Guarantee of Digital Rights and other development regulations, the processing of data of a personal nature that derives from this agreement is subject to the provisions of current legal regulations, obliging the parties to comply with any obligations that may be required, and not to use personal data for purposes other than those provided for in this agreement nor to disseminate this data or provide it to third parties.
2. For these purposes, and in accordance with the provisions of the regulations on data protection, the parties will adopt measures that guarantee the adequate security of personal data in order to avoid unauthorized or illegal treatment, loss, destruction or accidental damage, through the application of appropriate technical and organizational measures.
3. The personal data provided by the Parties referring to the contact persons or signatories shall be processed for the purpose of managing the formalised relationship between them, the legitimate basis for the processing being the execution of this contract. The data provided shall not be passed on to third parties, unless legally obliged to do so. The data subject may exercise his or her rights of access, rectification, erasure, objection, limitation of processing, data portability and, where appropriate, the right not to be subject to automated decisions, by writing to the address of the parties indicated in this agreement.
4. If, as a result of the execution of this agreement, the parties access and process personal data belonging to the other party, they must sign the corresponding contract for the processing of such data.
5. Failure to comply with any of the above obligations shall be sufficient cause for termination of this agreement, without prejudice to any liabilities of any kind that may be incurred for such non-compliance.
6. Each party must hold the other party harmless against all claims, damages, losses, fines, penalties, costs and expenses arising out of legal and/or extrajudicial proceedings due to any breach by that party's personnel of the obligations contained in this clause, not assuming any responsibility as a consequence of the non-compliance with the regulations in force on data protection in which the other party may incur.

Appears in 2 contracts

Sources: Educational Cooperation Agreement, Educational Cooperation Agreement

Data Protection. 12.1 For the purposes of this Clause 12, “Personal Data” and “Processing” (and “Process” shall be construed accordingly) shall have the meanings given to them in the Personal Data Protection Act 2012, as may be updated, superseded or replaced from time to time (the “Act”). 12.2 You acknowledge that We may obtain certain information (including, without limitation, Personal Data), about You (“Your Personal Data”). 12.3 Notwithstanding anything to the contrary, You specifically authorise that We may collect, use, disclose and/or Process Your Personal Data (whether provided electronically or otherwise) to administer these Terms, provide Services to You, including without limitation, monitoring and analysing the conduct of Your account and enabling Us to carry out statistical and other analysis, and otherwise market Services and products to You in accordance with these Terms. 12.4 You acknowledge and agree that in doing so, We may: (a) transfer or disclose Your Personal Data to any Associated Office or third party wherever located in the world, including (without limitation) those who provide services to Us or act as Our agents, those to whom We transfer or propose to transfer any of Our rights or duties under these Terms and those licences, credit reference agencies or other organisations that help Us make credit decisions and reduce the incidence of fraud or in the course of carrying out identity fraud prevention or credit control checks; and (b) transfer information We hold about You to countries located outside of Singapore, where data protection safeguards may not be as high, for any of the purposes described in this Clause 12 and in such instances We shall ensure that adequate safeguards are put into place to protect Your Personal Data.
12.5 To the extent that We Process Your Personal Data, We shall: (a) Process it only for the purposes of complying with Our obligations under these Terms, in accordance with Your reasonable instructions from time to time; and (b) ensure that appropriate technical and organisational measures shall be taken against unauthorised or unlawful Processing of Personal Data and accidental loss or destruction of, or damage to, such Personal Data. 12.6 If any Personal Data belonging to any of Your directors, employees, officers, agents or clients is provided to Us, you represent to Us that each person is aware of and consents to the use of such data as set out in this Clause 12 and You agree to indemnify us against any loss, costs or expenses arising out of any breach of this representation.

Appears in 2 contracts

Sources: Terms of Business, Terms of Business

Data Protection. 9.1 For the purposes of this Clause 9, "controller", "processor", "data subject", "personal data", "personal data breach" and "processing" shall have the meanings set out in the Data Protection Legislation and "process" and "processed" when used in relation to the processing of the personal data, will be construed accordingly. 9.2 To the extent applicable, the Parties shall comply with the Data Protection Legislation. 9.3 The Parties acknowledge that the factual arrangement between them dictates the classification of each Party in respect of the Data Protection Legislation.
Notwithstanding the foregoing, the Parties anticipate that each Party shall act as a controller in common in processing personal data for the purposes of each Party's responsibilities and in accordance with these Terms of Business. 9.4 Without prejudice to the generality of clause 9.2, the Intermediary confirms that it complies with the GDPR. 9.5 Without prejudice to the generality of clause 9.2, where either Party (the "Disclosing Party") discloses personal data to the other (the "Recipient") in connection with the operation of these Terms of Business or Insurance Business, the Disclosing Party will ensure that all necessary fair processing notices have been given (and all necessary consents obtained) which are sufficient in scope and kept up-to-date to meet the Transparency Requirements so that the personal data it provides to the Recipient can be lawfully used or disclosed by the Recipient in the manner and for the purposes anticipated by these Terms of Business. 9.6 Where the Intermediary collects personal data which it subsequently transfers to the Insurer (collectively, the "Intermediary Data"), it shall ensure that such Intermediary Data is: 9.6.1 not subject to any prohibition or restriction which would: (a) prevent or restrict it from disclosing or transferring the Intermediary Data to the (b) prevent or restrict the Insurer from processing the Intermediary Data for the purposes anticipated by these Terms of Business; 9.6.2 adequate, relevant and limited to what is necessary for the purposes anticipated by these 9.6.3 accurate and, where necessary, up to date; having taken every reasonable step to ensure that any inaccurate personal data has been rectified.
9.7 The Intermediary shall notify the Insurer promptly (and in any event within two (2) Business Days of having notified a Regulator) in relation to any Intermediary Data or any personal data processed under or in connection with these Terms of Business, including full details of the personal data breach and the steps taken (or proposed to be taken) in relation to such breach.

Appears in 2 contracts

Sources: Terms of Business, Terms of Business

Data Protection. In this Section, “personal data” means data that relates to a living individual who can be identified from the data (either by itself or when it is combined with other data). WMIL may process personal data in connection with this Agreement and the products and services that it provides under it. For the purposes of the Applicable Data Protection Laws, WMIL is a controller in respect of the processing of this personal data and is responsible for compliance with the Applicable Data Protection Laws in respect of such processing. Notwithstanding any other provision of this Agreement, under no circumstances shall WMIL be deemed to be a processor on behalf of, or a joint controller with, the Client. WMIL explains what personal data it will process, why and how it will process it, who it may share it with, and the rights that an individual has in respect of their personal data at the following location: ▇▇▇▇▇://▇▇▇.▇▇▇▇▇▇▇▇▇▇.▇▇▇/en/privacy-notice/. In the remainder of this Section, WMIL refers to this as its “Privacy Notice”. Each party is responsible for its own compliance with Applicable Data Protection Laws and, except as explicitly set out in this Agreement, neither party relies on the other with respect to its own compliance with Applicable Data Protection Laws. The Client undertakes, where it transfers personal data to WMIL, it does so in accordance with the Applicable Data Protection Laws. The Client must ensure that any personal data that it provides to WMIL is accurate and up to date, and that it promptly notifies WMIL if it becomes aware that such personal data is incorrect. Where the Client provides personal data to WMIL, the Client must first have satisfied the obligations imposed by Applicable Data Protection Laws, including but not limited to the obligation to provide transparency information to affected individuals, and drawn the attention of those individuals to WMIL’s Privacy Notice.
In addition, the Client shall promptly notify those individuals of any material changes to the Privacy Notice when advised by WMIL. Where, in connection with this Agreement and the products and services that it provides under it, it becomes necessary for WMIL to transfer personal data to the Client, or its appointed representatives or assigns, in any jurisdiction outside the UK that has not been deemed adequate for the purposes of Article 47 of the UK GDPR, the parties shall use all reasonable efforts to enter into such data transfer arrangements as may be necessary to satisfy the requirements of the Applicable Data Protection Laws with respect to such transfer.
In the event that either party becomes aware of an actual or suspected personal data breach affecting personal data disclosed under, or in connection with, this Agreement, that party shall notify the other party without undue delay, and the parties shall use all reasonable endeavours to assist one another in satisfying the requirements of Applicable Data Protection Laws with respect to any such breach.

Appears in 2 contracts

Sources: Investment Management Agreement (Accelerant Holdings), Investment Management Agreement (Accelerant Holdings)

Data Protection. The Service Provider shall (and shall procure that its entire Staff shall) comply with any notification requirements under the DPA and both Parties will duly observe all of their obligations under the DPA which arise in connection with this Framework Agreement. Notwithstanding the general obligation in Clause 22.1, where the Service Provider is processing personal data (as defined by the DPA) as a data processor for the Authority (as defined by the DPA) the Service Provider shall ensure that it has in place appropriate technical organisational measures to ensure the security of the personal data (and to guard against unauthorised or unlawful processing of the personal data and against accidental loss or destruction of, or damage to, the personal data), as required under the Seventh Data Protection Principle in Schedule 1 to the DPA; and provide the Authority with such information as the Authority may reasonably require to satisfy itself that the Service Provider is complying with its obligations under the DPA; promptly notify the Authority of any breach of the security measures required to be in place pursuant to this Clause 22; and ensure it does not knowingly or negligently do or omit to do anything which places the Authority in breach of the Authority’s obligations under the DPA. The provisions of this Clause 22 shall apply during the Term and indefinitely after its expiry.
FREEDOM OF INFORMATION The Service Provider acknowledges that the Authority is subject to the requirements of the FOIA and the Environmental Information Regulations and shall assist and co-operate with the Authority to enable the Authority to comply with its Information disclosure obligations. The Service Provider shall and shall procure that its Sub-Contractors shall:- transfer to the Authority all Requests for Information that it receives as soon as practicable and in any event within two (2) Working Days of receiving a Request for Information; provide the Authority with a copy of all Information, relevant to a Request for Information, in its possession or power, in the form that the Authority requests within five (5) Working Days (or such other period as the Authority may specify) of the Authority's request; and provide all necessary assistance reasonably requested by the Authority to enable the Authority to respond to the Request for Information within the time for compliance set out in section 10 of the FOIA or regulation 5 of the Environmental Information Regulations. The Authority shall be responsible for determining in its absolute discretion and notwithstanding any other provision in this Framework Agreement or any other agreement whether the Commercially Sensitive Information and/or any other Information is exempt from disclosure in accordance with the provisions of the FOIA or the Environmental Information Regulations. In no event shall the Service Provider respond directly to a Request for Information unless expressly authorised to do so by the Authority.
The Service Provider acknowledges that (notwithstanding the provisions of this Clause 23) the Authority may, acting in accordance with the Ministry of Justice’s Code of Practice on the Discharge of the Functions of Public Authorities under Part 1 of the Freedom of Information ▇▇▇ ▇▇▇▇ (“the Code”), be obliged under the FOIA, or the Environmental Information Regulations to disclose Information concerning the Service Provider or the Services:- in certain circumstances without consulting the Service Provider; or following consultation with the Service Provider and having taken their views into account, provided always that where Clause 23.5 applies the Authority shall, in accordance with any recommendations of the Code, take reasonable steps, where appropriate, to give the Service Provider advanced notice, or failing that, to draw the disclosure to the Service Provider's attention after any such disclosure. The Service Provider shall ensure that all Information is retained for disclosure in accordance with Clause 18 and shall permit the Authority to inspect such records as requested from time to time. The Service Provider acknowledges that the Commercially Sensitive Information listed in Schedule 12 is of indicative value only and that the Authority may be obliged to disclose it in accordance with Clause 23.5.
PUBLICITY Subject to Clause 25 (Marketing) the Service Provider shall not make any press announcements or publicise this Framework Agreement in any way without the Authority’s prior written consent. The Authority shall be entitled to publicise this Framework Agreement in accordance with any legal obligation upon the Authority, including any examination of this Framework Agreement by the National Audit Office pursuant to the National Audit ▇▇▇ ▇▇▇▇ or otherwise. The Service Provider shall not do anything to cause anything to be done, which may damage the reputation of the Authority or bring the Authority into disrepute.

Appears in 2 contracts

Sources: Framework Agreement, Framework Agreement

Data Protection. (1) In this condition references to “personal data”, “data subjects” and “data processor” are to be interpreted as defined in the Data Protection Act 1998 (“Act”). The Contractor shall comply with all relevant provisions of the Act and do nothing which causes, or may cause, the Authority to be in breach of its obligations under the Act. In particular, to the extent that the Contractor acts as a data processor in respect of any personal data pursuant to the Contract, the Contractor shall only process such personal data as is necessary to enable it to fulfil its obligations under this Contract. (2) The Contractor warrants that it has appropriate technical and organisational measures in place to protect any personal data it is processing on the Authority’s behalf against any unauthorised or unlawful processing and against any accidental loss, destruction or damage and undertakes to maintain such measures during the course of this Contract. The Contractor shall also take all reasonable steps to ensure the reliability of its staff having access to any such personal data. (3) Upon reasonable notice the Contractor shall allow the Authority access to any relevant premises owned or controlled by it to enable the Authority to inspect its procedures described at Condition 31(2) above and will upon the Authority’s request from time to time prepare a report for it on the technical and organisational measures it has in place to protect the personal data it is processing on the Authority’s behalf. (4) The Contractor shall at its own cost, at the Authority’s request, assist the Authority to comply with any requests for access to personal data under Section 7 of the Act and in particular shall respond to any such request promptly to enable the Authority to comply with its obligations under the Act. When requested by the Authority the Contractor shall at its own cost promptly provide it with any personal data relating to this Contract. (5) If the Contractor fails to comply with any provision of this condition, the Authority may terminate the Contract immediately in which event the provisions of Condition 20 shall apply.
(6) The Contractor shall indemnify the Authority against all claims and proceedings, and all costs and expenses incurred in connection therewith, made or brought against the Authority by any person in respect of the Act or equivalent applicable legislation in any other country which claims would not have arisen but for some act, omission, misrepresentation or negligence on the part of the Contractor or its sub-contractors and hold it harmless against all costs, losses and liability whatsoever incurred by it arising out of any action or inaction on its part in relation to any of its obligations as set out in this Contract which results in the Authority being in breach of its obligations under the Act or equivalent applicable legislation in any other country. (7) The Contractor warrants that it has submitted, pursuant to Section 18(1) of the Act, a notification to the Information Commissioner and shall keep that notification up to date. (8) The Contractor shall not transfer any personal data outside of the European Economic Area unless authorised in writing to do so by the Authority. (9) Upon the termination of this Contract for whatever reason the Contractor shall, unless notified otherwise by the Authority or required by law, immediately cease any processing of the personal data on the Authority’s behalf and as requested by the Authority destroy or provide the Authority with a copy on suitable media. (10) The Contractor shall promptly carry out any request from the Authority requiring it to amend, transfer or delete the personal data or any part of the personal data.
(11) Where the Contractor is required to collect any personal data on behalf of the Authority, it shall ensure that it provides the data subjects from whom the personal data are collected with a data protection notice in a form to be agreed with the Authority.

Appears in 2 contracts

Sources: Contract for Small Business Research Initiative (Sbri) Services, Contract for Services

Data Protection. 15.1 Each party shall be responsible for ensuring that it fulfills its respective obligations and responsibilities under the Data Protection Legislation and any other applicable laws relating to the protection of personal data and the privacy of individuals (all as amended, updated or re-enacted from time to time), or the relevant legislation covering the use of personal data applicable to each party in the jurisdiction in which it is based. This includes, but is not limited to the following: (a) The parties shall agree the appropriate processes and arrangements under which any necessary data sharing and processing is to be carried out in the provision of the Services and Software under this Agreement. For all purposes related to the Data Protection Legislation, the Customer shall be the Data Controller and Simitive a Data Processor as regards such data sharing and processing. (b) Simitive shall not transfer any personal data to any country or territory outside the United Kingdom or European Economic Area or other such geographical location as required by the Customer to comply with Data Protection Legislation in the Customer’s jurisdiction. (c) The Customer shall notify Simitive of the identities of the users and the administrators authorised to be users of the Software provided and hosted by Simitive under this Agreement (the “Authorised Users”); (d) Simitive shall enable the appropriate, agreed access and use of the Simitive Software by such Authorised Users; (e) The Customer is responsible for ensuring that Authorised Users comply with instructions in respect of the use of the Simitive Software, including those relating to access to, processing and protection of personal data. (f) Simitive shall take appropriate technical and organisational measures with the intention of preventing unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. (g) Any Simitive staff with access to the Software shall be subject to appropriate security checks as a condition of their employment and have received appropriate training in data security. (h) Simitive shall provide such assistance as required to enable the Customer to meet its obligations under the Data Protection Legislation in relation to the security of processing, notification of personal data breaches and data protection impact assessments.
15.2 Simitive shall process personal data provided by the Customer only for the following lawful purposes; (a) to perform its duties and obligations under this Agreement; (b) in connection with the provision, implementation, monitoring, operation, evaluation and support of the Simitive Software; (c) to manage its provision of the Simitive Software and Services; (d) to carry out statistical analysis; (e) for administration, accounting, and archival purposes;
15.3 The parties agree that they will use reasonable endeavours to ensure that they do not, and do not cause the other Party to, breach the Data Protection Legislation (or other equivalent and applicable legislation in any jurisdiction in which a party is based) by their acts or omissions.
15.4 Simitive will delete or destroy all personal data supplied by the Customer within 3 months of the date of termination or otherwise end of the term of this agreement. Deleted content may persist in backup copies for up to one year, but will be encrypted and not available to third parties.
15.5 The Purpose of Processing is to allow the Customer to use the Simitive Software.
15.6 The Type of Personal Data will include names, email addresses, job titles, employment commencement and end dates. If chosen by the Customer it may also include Gender, Ethnicity or other such characteristics as required by the Customer to enable the statistical reporting.
15.7 Categories of Data Subjects will be employees or former employees of the Customer.

Appears in 2 contracts

Sources: Services Agreements, Services Agreements

Data Protection. (a) The Operator and the Authority acknowledge and agree that the Authority is a data controller in respect of all personal data processed by the Operator on behalf of the Authority in the performance of the Services, including all Network Data which constitutes personal data, all personal data relating to users of the Ticketing System, passengers on the Network and any individuals whose personal data may be recorded by any CCTV system operated by the Operator under or in connection with this Agreement.
(b) To the extent that the provision of the Services by the Operator involves the processing of personal data (as defined in the Data Protection Acts) by the Operator on behalf of the Authority, the Operator agrees that: (i) it shall process such personal data in accordance with the instructions of the Authority and the terms of this Agreement; (ii) it shall implement and maintain such security measures as are required to comply with the data security obligations of the Data Protection Acts; (iii) the Authority (or its authorised representative(s)), acting reasonably, shall be entitled, at reasonable times and on reasonable notice, to audit the security measures adopted by the Operator to ensure that such measures comply with the data security obligations of the Data Protection Acts; (iv) it shall report any incident which gives rise to a risk of unauthorised disclosure, loss, destruction or alteration of such personal data to the Authority immediately upon becoming aware of such an incident and shall provide the Authority with such co-operation and assistance as may be reasonably required to mitigate against the effect of the security incident; (v) it shall inform the Authority promptly in the event of receiving a data subject access request in relation to any such personal data and shall provide all such co-operation and assistance as may be required to enable the Authority to deal with any data subject access request in accordance with the Data Protection Acts; (vi) it shall not transfer any such personal data outside of the European Economic Area: (A) without the prior written consent of the Authority; and (B) without ensuring that such transfer complies with the Data Protection Acts; and (vii) it shall at all times comply with the relevant provisions of the Data Protection Acts including any obligation to register as a data processor (as defined in the Data Protection Acts) with the Data Protection Commissioner.

Appears in 2 contracts

Sources: Public Service Contract, Public Service Contract

Data Protection. 19.1 In performing its obligations under this Agreement, the Parties shall: 19.1.1 comply with the provisions of the Data Protection Legislation insofar as it is applicable to this Agreement; 19.1.2 not process Personal Information for any purpose other than that which may be required to perform its obligations under this Agreement and ensure that such processing will not place the University in breach of any Data Protection Legislation; 19.1.3 only act on the express instructions of the University in collecting, processing and utilising any Personal Information (for avoidance of doubt, this Agreement shall constitute such instructions); 19.1.4 not disclose or otherwise make available any Personal Information to any third party other than authorised Personnel or sub-contractors who require access to such Personal Information strictly in order for the Service Provider to carry out its obligations pursuant to this Agreement, and ensure that such Personnel and persons that have access to the Personal Information are bound by appropriate and legally binding confidentiality and non-use obligations in relation to the Personal Information.
19.2 The Service Provider shall be responsible for establishing and maintaining an information security system that is designed to: 19.2.1 ensure the security and confidentiality of all Personal Information and any University information (including any back-ups, where applicable) by the use of encryption for such information at transit and rest; 19.2.2 protect against any anticipated threats or hazards; 19.2.3 protect against unauthorised access to, disclosure or use of any University information; 19.2.4 ensure the proper separation of information belonging to the University from any third party information; 19.2.5 where appropriate, ensure the proper disposal of information belonging to the University; 19.2.6 preserve the integrity of any information belonging to the University and prevent the corruption, destruction or loss of such information at all times; and 19.2.7 ensure that all sub-contractors of the Service Provider, if any, comply with the provisions of this clause 19.
19.3 The Service Provider will report to the University orally and confirmed in writing any actual and/or suspected breaches such as security incidents, unauthorised access or disclosure of Confidential and/or Personal Information immediately upon discovery of the unauthorised disclosure but in no event more than 2 (two) days after the Service Provider reasonably believes there has been such unauthorised use or disclosure.
19.4 Where the Service Provider (including the Service Provider’s Personnel) is given access (whether direct or remote) to any University Information Technology Systems under or in connection with the Agreement, the Service Provider shall (and shall ensure that the Service Provider’s Personnel): 19.4.1 comply with the Rules, requirements or other instructions of the University or, where applicable, the University’s third party suppliers, regarding use of such University Information Technology Systems; 19.4.2 only use the University Information Technology Systems in connection with the proper delivery of the Deliverables; 19.4.3 not permit any other individual or entity to access the University Information Technology Systems; 19.4.4 upon the University’s request, immediately cease access to and use of any University Information Technology Systems and return all University Information Technology Systems (and associated documentation) to the University; and 19.4.5 not reverse engineer, deconstruct, decompile, deactivate or disable any University Information Technology Systems or introduce any viruses or other similar code, or take any other action that would cause any damage or harm to any Information Technology Systems of the University.

Appears in 2 contracts

Sources: Service Provider Agreement, Service Provider Agreement

Data Protection. The Administrator represents that as at the date hereof the Administrator has and hereafter it will maintain on behalf of itself and on behalf of the Mortgages Trustee (as trustee for the Beneficiaries) all appropriate registrations, licences and authorities (if any) required under the Data Protection Act 1998 to enable each of them to perform their respective obligations under this Agreement. In addition to the foregoing and notwithstanding any of the other provisions of this Agreement, each of the Administrator and the Mortgages Trustee hereby agree and covenant as follows: (a) that only non-"personal data" (as described in the Data Protection Act 1998) may be transferred by the Administrator to the Mortgages Trustee or any other entity located in Jersey (unless Jersey is declared an "approved state" by the European Commission, in which case the Administrator may transfer such personal data to the Mortgages Trustee in Jersey); (b) that, to the extent that circumstances enable the Mortgages Trustee to exercise its right to demand that the Administrator transfer inter alia personal data to the Mortgages Trustee, the Administrator shall only transfer such personal data to an agent of the Mortgages Trustee that is located in the United Kingdom and maintains all appropriate registrations, licences and authorities (if any) required under the Data Protection Act 1998 (unless Jersey is declared an "approved state" by the European Commission, in which case the Administrator may transfer such personal data to the Mortgages Trustee in Jersey); (c) that, to the extent that circumstances enable the Mortgages Trustee to exercise its right to demand that the Administrator transfer inter alia personal data to the Mortgages Trustee, the Administrator notify each Borrower that the Mortgages Trustee is a "data controller" (as defined in the Data Protection Act 1998) and provide each such Borrower with the address of the Mortgages Trustee; (d) that the Administrator and the Mortgages Trustee will only use any data in relation to the Mortgage Loans and the related Borrowers for the purposes of administering and/or managing the Mortgage Portfolio, and will not sell such data to any third party or allow any third party to use such data other than in compliance with the conditions stated in this Clause 16 and for the sole purpose of administering and/or managing the Mortgage Portfolio; (e) that the Mortgages Trustee will comply with the provisions of the Data Protection (Jersey) Law 1987 (as amended) and (so long as the provisions of the Data Protection Act 1998 do not conflict with the provisions of the Data Protection (Jersey) Law 1987) with the provisions of the Data Protection Act 1998 (as amended); (f) that, upon the request of a Borrower, the Administrator will inform such Borrower that both the Administrator and the Mortgages Trustee are "data controllers" as described in the Data Protection Act 1998; and (g) that both the Administrator and the Mortgages Trustee shall maintain a written record of their reasons for applying the Data Protection Order 2000 (as set forth under the Conditions under paragraph 3 of Part II of Schedule I of such Order).

Appears in 2 contracts

Sources: Administration Agreement (Granite Mortgages 03-3 PLC), Administration Agreement (Granite Mortgages 03-3 PLC)

Data Protection. 12.1 You warrant and confirm to Us that You: (a) are registered under applicable Data Protection Laws; (b) will at all times comply with all applicable provisions of Data Protection Laws and any other applicable legislation relating to personal data; and (c) will immediately inform Us in writing and at Your own cost if You have failed to comply with any provision of applicable Data Protection Laws.
12.2 When You submit an Application to Us under this Agreement, this will constitute Processing personal data. The purpose of this Clause 12 is to set out the roles that You and We perform in respect of that personal data.
12.3 When You submit an Application to Us, including when You populate an Application, You do so as a controller of the personal data which You collect and process and provide to Us, and You are solely responsible for the processing of that personal data and ensuring that such processing is undertaken in accordance with the requirements of Data Protection Laws.
12.4 You and We shall each be separately and independently responsible under Data Protection Laws for any personal data in respect of which we are a controller while the personal data is in our possession or under our control. We shall, where necessary, cooperate with, and provide reasonable assistance to one another in order to enable each of us to comply with our respective obligations under Data Protection Laws, including (but not limited to): (a) making available to the other party in a timely manner any correspondence from any data subjects or any relevant supervisory authority in relation to the processing of personal data by that party (to the extent that this is legally permitted); and/or (b) to the extent appropriate, informing one another of any Data Security Incident which may impact the other party, in so far as such Data Security Incident involves the personal data which is processed in relation to the Terms.
12.5 You shall ensure that, to the extent that any personal data is to be transferred to Us for the purposes of this Agreement, You will: (a) have a lawful purpose for transferring the personal data to Us, and will have complied with all other necessary lawful requirements to enable the lawful transfer of the personal data to Us. We will receive the personal data as a controller; (b) ensure You have all necessary consents and notices in place to enable the personal data to be transferred to Us lawfully for the purposes of this Agreement; (c) give full information to any Applicant whose personal data may be processed under this Agreement of the nature of such processing, including making the Applicant aware of the purposes for which We will process personal data and to whom that personal data may be disclosed and notifying the Applicant that, on the termination of this Agreement, personal data relating to the Applicant may be retained by Us; (d) process any personal data We provide to You only for the purposes of this Agreement and not disclose or allow access to such personal data to anyone who is not subject to written contractual obligations concerning such personal data (including obligations of confidentiality) which are no less demanding than those imposed on You by this Agreement; (e) take appropriate technical and organisational measures to guard against unauthorised or unlawful processing or accidental loss, destruction, damage or alteration or disclosure of such personal data. This shall include where appropriate encryption of and password protected access to all such data whether stored on hard copy or in electronic form or any other form whatsoever. Such measures shall be in accordance with good industry practice and all guidance from any Regulatory Authority (including the UK Information Commissioner and the FCA) from time to time; (f) restrict access to such personal data to employees who are required to have it; (g) notify Us immediately of any security breaches relevant to the performance of this Agreement that may result in an unauthorised person gaining access to such personal data or to a device on which such personal data is held; (h) retain such personal data for no longer than necessary for the purpose for which the personal data is processed; (i) not transfer any personal data received from Us outside the EEA unless You: (i) comply with the provisions of Article 26 of the GDPR; and (ii) ensure that: (A) the transfer is to a country approved by the European Commission as providing adequate protection pursuant to Article 45 of the GDPR; (B) there are appropriate safeguards in place pursuant to Article 46 of the GDPR; or (C) one of the derogations for specific situations in Article 49 of the GDPR applies to the transfer.
12.6 We shall be entitled to use any information including personal data supplied by You for the purpose of: (a) considering the Application and any subsequent business from You; (b) administrative purposes including contract management; (c) conducting market research and statistical analysis; (d) informing You about new products, services, and about changes in the terms for existing products; (e) fraud and money laundering prevention; (f) preparing strategic or other marketing plans and gauging product sales; (g) in connection with any prospective sale or assignment of Our business or part thereof; and (h) for any purpose which is lawful and/or with the Applicant's consent under applicable Data Protection Laws.
12.7 You shall assist Us in complying with all applicable requirements of the Data Protection Laws with respect to the Applicants and, in particular, shall: (a) consult with Us about any notices given to the Applicants in relation to their personal data; (b) promptly inform Us about the receipt of any data subject access request; (c) provide Us with reasonable assistance in complying with any data subject access request; (d) not disclose or release any personal data in response to a data subject access request without first consulting Us wherever possible; (e) assist Us, at our cost, in responding to any request from an Applicant and in ensuring compliance with Our obligations under the Data Protection Laws with respect to security, personal data breach notifications, data protection impact assessments and consultations with supervisory authorities or regulators; (f) at Our written direction, delete or return to Us on termination of this Agreement all personal Data and all copies thereof which You are not required by law to retain; (g) use compatible technology for the processing of personal data to ensure that there is no lack of accuracy resulting from personal data transfers; (h) maintain complete and accurate records and information to demonstrate Your compliance with this Clause 12 and allow Us or Our designated auditor to conduct such audits of Your security measures as We require to ensure Your compliance with this Clause 12; (i) You will indemnify Us against all claims and proceedings and all liability, loss, costs and expenses We may suffer or incur as a result of any claim made or brought by an Applicant or by any other person in respect of any loss, damage or distress caused to them as a result of any breach by You of the Data Protection Laws.
12.8 Any breach of this Clause 12 by You may be a material breach of this Agreement which is not capable of being remedied, irrespective of whether any financial loss or reputational damage arises, and irrespective of the level of any financial loss or deprivation of benefit arising, as a consequence of such breach.
12.9 Please note that telephone calls may be recorded or monitored for security or training purposes.

Appears in 2 contracts

Sources: Intermediary Agreement, Intermediary Agreement

Data Protection. B36.1 Each Party shall comply with their respective duties under the Data Protection Legislation and any successor legislation and shall give all reasonable assistance to each other where appropriate or necessary to comply with such duties. B36.1 The Parties agree that in relation to: B36.1.1 Personal Data processed by the Provider in providing Services under this Agreement (for example, patient details, medical history and treatment details), the Provider shall be the sole Data Controller; and B36.1.2 Personal Data, the processing of which is required by the Authority for the purposes of quality assurance, performance management and contract management the Authority and the Provider will be independent Data Controllers; together the “Agreed Purpose”. B36.2 Where the Authority requires information under clause 9.1.2 above, the Provider shall consider whether the requirement can be met by providing anonymised or aggregated data which does not contain Personal Data. Where Personal Data must be shared in order to meet the requirements of the Authority, the Provider shall provide such information in pseudonymised form where possible. B36.3 Schedule 1 sets out the categories of Data Subjects, types of Personal Data, Processing operations (including scope, nature and purpose of Processing) and duration of Processing. B36.4 Each Party shall comply with all the obligations imposed on a Data Controller under the Data Protection Laws in relation to all Personal Data that is processed by it in the course of performing its obligations under this Agreement. B36.5 Any material breach of the Data Protection Laws by one Party shall, if not remedied within fourteen (14) days of written notice from the other Party, gives grounds to the other Party to terminate this Agreement with immediate effect. B36.6 In relation to the Processing of any Personal Data, each Party shall: B36.6.1 ensure that it has all necessary notices and consents in place to enable lawful sharing of Personal Data to the Permitted Recipients for the Agreed Purpose; B36.6.2 give full information to any Data Subject whose Personal Data may be processed under this Agreement of the nature of such Processing; B36.6.3 process the Personal Data only for the Agreed Purpose; B36.6.4 not disclose or allow access to the Personal Data to anyone other than the Permitted Recipients;

Appears in 2 contracts

Sources: Contract for the Provision of Public Health Services, Contract for the Provision of Public Health Services

Data Protection. 16.1 Each party is a Data Controller of Protected Data and each party shall comply with the obligations imposed on Data Controllers under the Data Protection Legislation. Nothing in these Conditions shall prohibit or otherwise restrict a party from complying with such obligations. 16.2 The Data Recipient shall notify the Data Discloser: 16.2.1 without undue delay and in any event within seven (7) days upon receiving a subject access or other request from a Data Subject concerning Protected Data disclosed to the Data Recipient, or if the Data Recipient receives any other claim, complaint or allegation relating to Protected Data disclosed to the Data Recipient; and 16.2.2 without undue delay and in any event within forty-eight (48) hours upon becoming aware of or having reasonable cause to suspect any breach of security leading to the destruction, loss or unlawful disclosure of Protected Data disclosed to the Data Recipient, and shall provide all details of the data breach as is required under applicable Data Protection Legislation, and in each case the parties shall co-operate with each other in handling such an event and provide reasonable assistance to the other in the discharging of their respective duties under Data Protection Legislation. 16.3 Each party shall (at its own cost) assist the other in complying with its obligations as Data Controller including by providing reasonable assistance, information and cooperation as required by Data Protection Legislation to the other party and, if appropriate, to Data Subjects. 16.4 The Buyer shall indemnify, keep indemnified, hold harmless and keep held harmless Novartis Gene Therapies and its affiliates against all losses, claims, damages, liabilities, fines, sanctions, interest, penalties, costs, charges, expenses, compensation paid to Data Subjects, demands and legal and other professional costs (calculated on a full indemnity basis and in each case whether or not arising from any investigation by, or imposed by, a regulator) arising out of or in connection with any breach by the Buyer of its obligations under this clause 16. 16.5 For the purposes of this clause 16:

Appears in 2 contracts

Sources: Supply Agreement, Supply Contract

Data Protection. In this Section, “personal data” means data that relates to a living individual who can be identified from the data (either by itself or when it is combined with other data). WME may process personal data in connection with this Agreement and the products and services that it provides under it. For the purposes of the Applicable Data Protection Laws, WME is a controller in respect of the processing of this personal data and is responsible for compliance with the Applicable Data Protection Laws in respect of such processing. Notwithstanding any other provision of this Agreement, under no circumstances shall WME be deemed to be a processor on behalf of, or a joint controller with, the Client. WME explains what personal data it will process, why and how it will process it, who it may share it with, and the rights that an individual has in respect of their personal data at the following location: ▇▇▇▇▇://▇▇▇.▇▇▇▇▇▇▇▇▇▇.▇▇▇/en/privacy-notice/. In the remainder of this Section, WME refers to this as its “Privacy Notice”. Each party is responsible for its own compliance with Applicable Data Protection Laws, and, except as explicitly set out in this Agreement, neither party relies on the other with respect to its own compliance with Applicable Data Protection Laws. The Client undertakes, where it transfers personal data to WME, it does so in accordance with the Applicable Data Protection Laws. The Client must ensure that any personal data that it provides to WME is accurate and up to date, and that it promptly notifies WME if it becomes aware that such personal data is incorrect.
Where the Client provides personal data to WME, the Client must first have satisfied the obligations imposed by Applicable Data Protection Laws, including but not limited to the obligation to provide transparency information to affected individuals, and drawn the attention of those individuals to WME’s Privacy Notice. In addition, the Client shall promptly notify those individuals of any material changes to the Privacy Notice when advised by WME.
In the event that either party becomes aware of an actual or suspected personal data breach affecting personal data disclosed under, or in connection with this Agreement, that party shall notify the other party without undue delay, and the parties shall use all reasonable endeavours to assist one another in satisfying the requirements of Applicable Data Protection Laws with respect to any such breach.

Appears in 2 contracts

Sources: Investment Management Agreement (Accelerant Holdings), Investment Management Agreement (Accelerant Holdings)

Data Protection. 16.1 The Parties acknowledge their respective duties under Data Protection Legislation and shall give each other all reasonable assistance as appropriate or necessary to enable each other to comply with those duties. 16.2 Where the Provider is Processing Personal Data under or in connection with this Framework Agreement, the Provider must, in particular, but without limitation: 16.2.1 only Process such Personal Data as is necessary to perform its obligations under this Framework Agreement, and only in accordance with any instructions given by the Authority under this Framework Agreement; 16.2.2 put in place appropriate technical and organisational measures against any unauthorised or unlawful Processing of that Personal Data, and against the accidental loss or destruction of or damage to such Personal Data, the state of technical development and the level of harm that may be suffered by a Data Subject whose Personal Data is affected by unauthorised or unlawful Processing or by its loss, damage or destruction; 16.2.3 take reasonable steps to ensure the reliability of Staff who will have access to Personal Data, and ensure that those Staff are aware of and trained in any relevant policies and procedures. 16.3 The Provider and the Authority shall ensure that Personal Data is safeguarded at all times in accordance with the Law, and this obligation will include (if transferred electronically) only transferring Personal Data (a) if essential, having regard to the purpose for which the transfer is conducted; and (b) that is encrypted in accordance with any international data encryption standards for healthcare, and as otherwise required by those standards applicable to the Authority under any Law and Guidance (this includes, data transferred over wireless or wired networks, held on laptops, CDs, memory sticks and tapes). 16.4 Where any Personal Data is Processed by any subcontractor of the Supplier in connection with this Framework Agreement, the Provider shall procure that such subcontractor shall comply with the relevant obligations set out in Clause 16 of this Framework Agreement, as if such subcontractor were the Provider. 16.5 The Provider shall indemnify and keep the Authority indemnified against, any loss, damages, costs, expenses (including without limitation legal costs and expenses), claims or proceedings whatsoever or howsoever arising from the Provider’s unlawful or unauthorised Processing, destruction and/or damage to Personal Data in connection with this Framework Agreement.

Appears in 1 contract

Sources: Framework Agreement

Data Protection. 3.1 Both parties will comply with all applicable requirements of the Data Protection Legislation in performing their duties or exercising their rights under the Agreement and this Addendum. This Addendum is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Legislation. 3.2 The parties acknowledge that for the purposes of the Data Protection Legislation, in respect of any personal data that is processed by the Provider on behalf of the Client in the course of providing the Services, the Client is the controller and the Provider is the processor (where Controller and Processor have the meanings given to them in the Data Protection Legislation). Schedule 1 sets out the scope, nature and purpose of processing by the Provider, the duration of the processing and the types of Personal Data and categories of Data Subject. 3.3 Without prejudice to the generality of clause 3.1, the Client will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Provider for the duration and purposes of this data processing agreement. 3.4 Without prejudice to the generality of clause 3.1 the Provider shall, in relation to any Personal Data processed in connection with the performance by the Provider of its obligations under this agreement: (a) process that Personal Data only on the written instructions of the Client unless the Provider is required by Applicable Laws to otherwise process that Personal Data. 
The Client’s instructions shall be contained in or be given in accordance with the Agreement; (b) where the Provider is relying on laws of a member state of the European Union or the law of the European Union as the basis for processing Personal Data, promptly notify the Client of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Provider from so notifying the Client; (c) take all reasonable steps to ensure the reliability of all personnel who have access to and/or process Personal Data and shall ensure that all such personnel are obliged to keep the Personal Data confidential and that access to Personal Data is limited to those individuals who need to have access to Personal Data for the purposes of the agreement and to comply with Applicable Laws; (d) ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it); (e) not enter into any Restricted Transfer unless the following conditions are fulfilled: (i) the transfer is made to an adequate country or the Provider has provided appropriate safeguards within the meaning of Data Protection Legislation; (ii) the Data 
Subject has enforceable rights and effective legal remedies; (iii) the Provider complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; (f) comply with reasonable instructions notified to it in advance by the Client with respect to the processing of the Personal Data; (g) assist the Client, at the Client's cost (save where such assistance is required as a result of a breach by the Provider of its obligations under this Addendum and/or the Agreement in which case such costs will be borne by the Provider) in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; (h) notify the Client without undue delay on becoming aware of a Personal Data breach and provide the Client with all information listed in article 33 GDPR in its possession, if necessary in phases; (i) reasonably co-operate with the Client in the Client's handling of a Personal Data Breach, taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach; (j) at the written direction of the Client, delete or return Personal Data and copies thereof to the Client on termination of the Agreement unless required by Applicable Law to store the Personal Data. 
3.5 The Provider shall maintain complete and accurate records and information (Records) to demonstrate its compliance with this Addendum and will allow the Client by its own personnel or by an independent auditor, who shall enter into a confidentiality agreement with the Client, to access to all such Records during the term of the Agreement and for six months after termination provided: (a) any such access for the purposes of auditing or otherwise inspecting the Records shall be on not less than fourteen (14) days written notice at any time during normal business hours and not more than once during any twelve (12) month period unless: (i) the Client has reasonable grounds to suspect that a Personal Data breach has occurred; or (ii) the Client is required or requested to carry out an audit by Data Protection Legislation or a regulatory authority responsible for the enforcement of Data Protection Legislation in any country; (b) the Client shall make (and shall ensure that any independent auditor makes) reasonable endeavours to avoid causing any damage, injury or disruption to the Provider’s premises, equipment, personnel and business during the audit; (c) the Client shall submit a detailed audit plan to the Provider upon giving notice of an audit, setting out details of the proposed scope and duration of the audit, such audit plan to be agreed between the parties (acting reasonably); (d) if the scope of the requested audit has been addressed in an audit carried out by a recognised independent third party auditor within twelve (12) months of the Client’s request, and the Provider provides written confirmation that there have been no material changes in the controls and systems to be audited, the Client agrees to accept that audit report in lieu of carrying out its own audit; (e) all audit costs will be borne by the Client, including the reasonable costs of the Provider incurred during the audit. 
3.6 The Client consents to the Provider appointing third-party processors of Personal Data under this agreement. The Provider confirms that it has entered or (as the case may be) will enter with each third-party processor into a written agreement substantially on that third party's standard terms of business including terms which are substantially similar to those set out in this Addendum. The Client acknowledges that this may involve a Restricted Transfer and consents to the use of the SCC or another mechanism offering an adequate level of protection in respect of any such Restricted Transfer. As between the Client and the Provider, the Provider shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause 3.6. A list of third-party processors currently used by the Provider is set out in Schedule 2 to this Addendum. The Provider shall provide reasonable prior notice to the Client prior to amending this list. 3.7 Upon either party’s reasonable request and at any time during the term of this Addendum and for the purposes of transfers of Personal Data under this Addendum, the parties shall enter into additional trans-border data flow agreements as may be required under applicable Data Protection Legislation, and to maintain such additional trans-border data flow agreement (with any updates and amendments as may be required to reflect changes in the applicable Data Protection Legislation in the SCC and/or in any other transfer mechanism required under the applicable Data Protection Legislation) for the entire period during which Personal Data is processed by the Provider hereunder.
SCHEDULE 1 1. Processing by the Processor 1.1 Scope, nature and purpose of processing Scope, Nature and Purpose of processing The Provider will process Personal Data as necessary to provide the Services to the Client and comply with its obligations under the Agreement.
Types of personal data Identity Data: First name, last name, title, job title, employer Contact and Location Data: home address, work address, email addresses, telephone numbers, IP address (for technical and security reasons) Transaction Data: purchase history, offers made, offers received Interests Data: art collection, collecting interests, art for sale or to sell.
Categories of data subject Data Controller's employees, agents, advisors and freelancers, including Data Controller's authorised users of the Services Data Controller's customers, prospects, professional contacts and suppliers. Data Controller's website visitors, mailing list subscribers Employees, agents and freelancers of Data Controller's customers, prospects, professional contacts and suppliers
1.2 Duration of the processing The duration of the processing corresponds to the duration of the Agreement.
SCHEDULE 2 List of third party processors As per information available at this URL: ▇▇▇▇▇://▇▇▇▇▇▇▇▇.▇▇▇/sub-processors/
SCHEDULE 3 - Standard Contractual Clauses - Processors For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection The Client of Artlogic accepting the Clauses (the Data Exporter) And Artlogic Media Limited (the Data Importer) each a party; together the parties, HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Annex A.

Appears in 1 contract

Sources: Data Processing Addendum

Data Protection. The SERVICE PROVIDER’s attention is hereby drawn to the Data Protection Requirements. The CLIENT and the SERVICE PROVIDER shall observe their obligations under the Data Protection Requirements.

Where the SERVICE PROVIDER, pursuant to its obligations under this Contract, undertakes the Processing of Personal Data on behalf of the CLIENT, it shall: carry out the Processing of Personal Data only in accordance with instructions from the CLIENT (which may be specific instructions or instructions of a general nature as set out in this Contract or as otherwise notified by the CLIENT to the SERVICE PROVIDER during the Term); carry out the processing of Personal Data only to the extent, and in such manner, as is necessary for the provision of the Ordered Services or as is required by Law or any Regulatory Body; implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; take reasonable steps to ensure the reliability of any SERVICE PROVIDER personnel who have access to the Personal Data; obtain prior written consent from the CLIENT in order to transfer the Personal Data to any Sub-Contractors for the provision of the Ordered Services; ensure that any SERVICE PROVIDER personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 14; ensure that none of the SERVICE PROVIDER personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the CLIENT; notify the CLIENT (within five (5) Working Days) if it receives: a request from a Data Subject to have access to that person’s Personal Data; or a complaint or request relating to the CLIENT’s obligations under the Data Protection Requirements; provide the CLIENT with full cooperation and assistance in relation to any complaint or request made, including by: providing the CLIENT with full details of the complaint or request; complying with a data access request within the relevant timescales set out in the Data Protection Requirements and in accordance with the CLIENT’s instructions; providing the CLIENT with any Personal Data it holds in relation to a Data Subject (within the timescales required by the CLIENT); and providing the CLIENT with any information requested by the CLIENT; permit the CLIENT or its representatives (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit the SERVICE PROVIDER’s data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the CLIENT to enable the CLIENT to verify and/or procure that the SERVICE PROVIDER is in full compliance with its obligations under this Contract; provide a written description of the technical and organisational methods employed by the SERVICE PROVIDER for Processing Personal Data (within the timescales required by the CLIENT); and not undertake the Processing of Personal Data outside of the European Economic Area ("EEA") without the prior written consent of the CLIENT and, where the CLIENT consents to a transfer, to comply with: the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and any reasonable instructions notified to it by the CLIENT.

The SERVICE PROVIDER shall comply at all times with the Data Protection Requirements and shall not perform its obligations under this Contract in such a way as to cause the CLIENT to breach any of its applicable obligations under the Data Protection Requirements.

The CLIENT may from time to time serve on the SERVICE PROVIDER an information notice requiring the SERVICE PROVIDER within such time and in such form as is specified in the information notice, to furnish to the CLIENT such information as the CLIENT may reasonably require relating to: compliance by the SERVICE PROVIDER with the SERVICE PROVIDER’s obligations under this Contract in connection with the Processing of Personal Data; and/or the rights of Data Subjects, including but not limited to subject access rights.

The SERVICE PROVIDER will allow its data Processing facilities, procedures and documentation to be submitted for scrutiny by the CLIENT or its auditors in order to ascertain compliance with the relevant laws of the United Kingdom and the terms of this Contract.

With respect to the parties’ rights and obligations under this Contract, the parties acknowledge that, except where otherwise agreed, the CLIENT is the Data Controller and the SERVICE PROVIDER is the Data Processor.

Where the SERVICE PROVIDER wishes to appoint, in accordance with the provisions of Clause 28, a Sub-Contractor to assist it in providing the Ordered Services and such assistance includes the Processing of Personal Data on behalf of the CLIENT, then, subject always to compliance by the SERVICE PROVIDER with the provisions of Clause 28 relating to the appointment of Sub-Contractors, the CLIENT hereby grants to the SERVICE PROVIDER a delegated authority to appoint on the CLIENT’S behalf such Sub-Contractor to undertake the Processing of Personal Data provided that the SERVICE PROVIDER shall notify the CLIENT in writing of such appointment and the identity and location of such Sub-Contractor. The SERVICE PROVIDER warrants that such appointment shall be on substantially the same terms with respect to Data Protection Requirements as are set out in this Contract, including the terms set out in Clause 14.2. Any Sub-Contractor appointed under the provisions of this Clause 14.6 shall, for the purposes of Schedule 2-7, be regarded as a principal Sub-Contractor and shall be specified in Table 1 of Schedule 2-7.

Save as set out in this Clause 14, any unauthorised Processing, use or disclosure of personal data by the SERVICE PROVIDER is strictly prohibited.

The SERVICE PROVIDER shall be liable for and shall indemnify (and keep indemnified) the CLIENT against each and every action, proceeding, liability, cost, claim, loss, expense (including reasonable legal fees and disbursements on a solicitor and client basis) and demands incurred by the CLIENT which arise directly or in connection with the SERVICE PROVIDER’s data Processing activities under this Contract, including without limitation those arising out of any third party demand, claim or action, or any breach of contract, negligence, fraud, wilful misconduct, breach of statutory duty or non-compliance with any part of the Data Protection Requirements by the SERVICE PROVIDER or its employees, servants, agents or Sub-Contractors.

Appears in 1 contract

Sources: Legal Services Framework Agreement

Data Protection. The Parties, acting both as data controllers in respect of the Personal Information they supply to the other Party, shall, throughout the term of this Agreement, comply with all applicable data protection and privacy Laws, as amended from time to time, including the EU Directive 95/46/EC (EU Data Protection Directive) (“Personal Data”) and each party will fully comply with its respective obligations under the General Data Protection Regulation (EU)2016/679 and applicable complementing national laws (jointly “Privacy Laws”), with respect to the collection, use, processing, storage, transfer, modification, deletion and/or disclosure of any Personal Information under this Agreement. Each Party shall not, through any act or omission, cause the other Party to be in breach of its obligations under applicable Data Protection Laws. In particular:

(a) Each Party may only use Personal Information it receives from the other Party solely for the purposes of meeting its obligations under this Agreement and may only transmit such Personal Information to its Affiliates which are directly involved in the research, development, Manufacture or Commercialization of Licensed Products and their Agents solely for the purpose of the Agreement, including client relationship management and keeping track of interactions with the other Party.

(b) Each Party shall immediately notify the other if: (i) it receives any complaint, notice or communication which relates directly or indirectly to the processing of; or (ii) it becomes aware of any loss or unauthorised use of, or access to, the Personal Information supplied by the other Party.

(c) Each Party will take appropriate technical and organisational measures against the unauthorised or unlawful processing of Personal Information and against the accidental loss or destruction of, or damage to, Personal Information, including, providing appropriate training and guidance to their respective staff.

(d) Personal Information may only be transmitted to entities outside the European Economic Area and Canada where such entity is located in a country or territory which ensures an adequate level of protection for the rights and freedoms of the individual to whom the Personal Information transferred relates, or where adequate safeguards are in place to ensure compliance with applicable Data Protection Laws. The receiving entity must be under obligations to protect any Personal Information transferred which are no less onerous than those imposed under this Agreement.

(e) Upon request, each Party, its employees and principals can exercise the rights of access, rectification and erasure in respect of the Personal Information it supplies to the other Party, utilizing the notice provisions of this Agreement.

(f) The Parties may disclose Personal Information as required by regulatory agencies or otherwise under applicable Law.

Appears in 1 contract

Sources: License and Joint Venture Agreement (Klox Technologies, Inc.)

Data Protection.

13.1. For the purposes of this Agreement the terms "controller", "data subjects", "personal data", "processor," "process," and “supervisory authority” shall have the meaning given to them by EU Data Protection Law.

13.2. Diligent will process any Client Personal Data on the Client's behalf as a processor, and the Client is the controller of such data. Each Party undertakes to comply with all Data Privacy Law applicable to such Party and shall not knowingly cause the other to breach Data Privacy Law.

13.3. Diligent will only process the Client Personal Data on documented instructions from the Client (which instructions constitute, for the avoidance of doubt, the instructions to process Client Personal Data in the course of Diligent’s performance of this Agreement) and not process any such Client Personal Data for any purpose except as set out in this Agreement.

13.4. Diligent will implement appropriate technical and organisational security measures (including confidentiality obligations applicable to Diligent Personnel) to ensure a level of security appropriate to the risks that are presented by the processing of such Client Personal Data. In case of a personal data breach which may affect Client Personal Data, Diligent will notify the Client without undue delay after becoming aware of it.

13.5. Diligent will use commercially reasonable efforts to: (i) assist the Client in ensuring compliance with the Client's obligation to respond to requests for exercising data subject's rights under EU Data Protection Law; (ii) make available all information reasonably necessary to demonstrate compliance with Data Privacy Laws; and (iii) allow for and contribute to audits, including inspections and information requests, conducted by the Client or an auditor mandated by the Client, provided that such audit shall be constrained to provision of Diligent’s then-current technical Documentation which relates to the processing of Client Personal Data unless otherwise required by a data supervisory authority.

13.6. Diligent will, at the Client's choice, delete or return all Client Personal Data after termination of this Agreement unless otherwise provided by law.

13.7. The Client acknowledges and agrees that Diligent may retain Affiliates and other third parties as sub-processors (all together "Sub-Processors") in connection with the provision of the BoardEffect Platform, and having imposed on such Sub-Processors the same data protection obligations as are imposed on Diligent under this Agreement. Diligent will be liable to the Client for performance of such obligations by the Sub-Processors.

13.8. In order to ensure that adequate safeguards are in place for the processing and transfer of personal data, the Parties shall ensure that personal data is transferred outside of the European Economic Area ("EEA") only where permitted by EU Data Protection Law. Unless otherwise mutually agreed by the Parties, Diligent shall only host Client Data in the United Kingdom, Germany or elsewhere in the European Economic Area.

Appears in 1 contract

Sources: Master Terms Agreement

Data Protection. The Parties acknowledge their respective duties under Data Protection Legislation and shall give each other all reasonable assistance as appropriate or necessary to enable each other to comply with those duties. For the avoidance of doubt, the Supplier shall take reasonable steps to ensure it is familiar with the Data Protection Legislation and any obligations it may have under such Data Protection Legislation and shall comply with such obligations. Where the Supplier is Processing Personal Data and/or the Parties are otherwise sharing Personal Data under or in connection with this Contract, the Parties shall comply with the Data Protection Protocol in respect of such matters.

The Supplier and the Authority shall ensure that patient related Personal Data is safeguarded at all times in accordance with the Law, and this obligation will include (if transferred electronically) only transferring patient related Personal Data (a) if essential, having regard to the purpose for which the transfer is conducted; and (b) that is encrypted in accordance with any international data encryption standards for healthcare, and as otherwise required by those standards applicable to the Authority under any Law and Guidance (this includes, data transferred over wireless or wired networks, held on laptops, CDs, memory sticks and tapes).

Where, as a requirement of this Contract, the Supplier is Processing Personal Data relating to NHS patients and/or service users and/or has access to NHS systems as part of the Services, the Supplier shall: complete and publish an annual information governance assessment using the Data Security and Protection Toolkit; achieve all relevant requirements in the relevant Data Security and Protection toolkit; nominate an information governance lead able to communicate with the Supplier’s board of directors or equivalent governance body, who will be responsible for information governance and from whom the Supplier’s board of directors or equivalent governance body will receive regular reports on information governance matters including, but not limited to, details of all incidents of data loss and breach of confidence; report all incidents of data loss and breach of confidence in accordance with Department of Health and Social Care and/or the NHS England and/or Health and Social Care Information Centre guidelines; put in place and maintain policies that describe individual personal responsibilities for handling Personal Data and apply those policies vigorously; put in place and maintain a policy that supports its obligations under the NHS Care Records Guarantee (being the rules which govern information held in the NHS Care Records Service, which is the electronic patient/service user record management service providing authorised healthcare professionals access to a patient’s integrated electronic care record); put in place and maintain agreed protocols for the lawful sharing of Personal Data with other NHS organisations and (as appropriate) with non-NHS organisations in circumstances in which sharing of that data is required under this Contract; where appropriate, have a system in place and a policy for the recording of any telephone calls in relation to the Services, including the retention and disposal of those recordings; at all times comply with any information governance requirements and/or processes as may be set out in the Specification and Tender Response Document; and comply with any new and/or updated requirements, Guidance and/or Policies notified to the Supplier by the Authority from time to time (acting reasonably) relating to the Processing and/or protection of Personal Data.

Where any Personal Data is Processed by any Sub-contractor of the Supplier in connection with this Contract, the Supplier shall procure that such Sub-contractor shall comply with the relevant obligations set out in Clause 2 of this Schedule 3, and any relevant Data Protection Protocol, as if such Sub-contractor were the Supplier.

The Supplier shall indemnify and keep the Authority indemnified against, any loss, damages, costs, expenses (including without limitation legal costs and expenses), claims or proceedings whatsoever or howsoever arising from the Supplier’s unlawful or unauthorised Processing, destruction and/or damage to Personal Data in connection with this Contract.

Appears in 1 contract

Sources: NHS Terms and Conditions for the Provision of Services

Data Protection. The Supplier shall comply with the Data Protection Act 1998 ("the 1998 Act") and any other applicable data protection legislation. In particular the Supplier agrees to comply with the obligations placed on the Authority by the seventh data protection principle ("the Seventh Principle") set out in the 1998 Act, namely: to maintain technical and organisational security measures sufficient to comply at least with the obligations imposed on the Authority by the Seventh Principle; only to process Personal Data for and on behalf of the Authority, in accordance with the instructions of the Authority and for the purpose of performing its respective obligations under the Agreement and to ensure compliance with the 1998 Act; and to allow the Authority to audit the Supplier's compliance with the requirements of this Clause 17 on reasonable notice and/or to provide the Authority with evidence of its compliance with the obligations set out in this Clause 17.

Subject to Clause 14, the Supplier agrees to indemnify and keep indemnified the Authority and any Administering Entity against all claims and proceedings and all liability, loss, costs and expenses incurred in connection therewith by the Authority and any Administering Entity as a result of any claim made or brought by any individual or other legal person in respect of any loss, damage or distress caused to that individual or other legal person as a result of the Supplier's unauthorised processing, unlawful processing, destruction of and/or damage to any Personal Data processed by the Supplier, its employees or agents in the Supplier's performance of the Agreement or as otherwise agreed between the Parties.

Both Parties agree to use all reasonable efforts to assist each other to comply with the 1998 Act. For the avoidance of doubt, this includes the Supplier providing the Authority with reasonable assistance in complying with subject access requests served on the Authority under Section 7 of the 1998 Act and the Supplier consulting with the Authority prior to the disclosure by the Supplier of any Personal Data in relation to such requests.

Subject to Clause 18.2, neither Party shall be considered to be in default or liable for breach of any obligation hereunder nor liable to the other Party for any loss or damage whatsoever arising out of the prevention, hindrance or delay of the performance of any such obligation to the extent that the performance of such obligation is prevented, hindered or delayed by an event of Force Majeure. The Supplier shall only be entitled to rely on an event of Force Majeure and will not be considered to be in default or liable for breach of any obligations hereunder if the Supplier has fulfilled its obligations pursuant to Clauses 2.8, 2.9 and 2.11.

A Party wishing to rely on an event of Force Majeure shall promptly and in any event within 7 days of becoming aware of the same give written notice to the other Party of the nature of the event of Force Majeure and shall use its best endeavours to mitigate the effects of any such event of Force Majeure. If an event of Force Majeure relied on by the Supplier shall subsist for 28 days or more then the Authority shall have the right to terminate this Agreement at once by giving notice to the Supplier.

On the occurrence of an event of Force Majeure the Parties shall meet as soon as reasonably practicable and acting in good faith shall use all reasonable endeavours (but without incurring undue costs) to agree the measures (if any) necessary to mitigate the effects of such event of Force Majeure and or to remedy any effects of the Force Majeure and, subject to Clause 18.2, the obligations of both parties shall be suspended to the extent that they are affected by such event of Force Majeure unless and until: the event of Force Majeure shall have ceased and any such measures shall have been agreed and the damage shall have been remedied pursuant to such agreement; or this Agreement is terminated whichever shall be the earlier.

Appears in 1 contract

Sources: Contract for the Supply of Human Papillomavirus Vaccine

Data Protection. For the purpose of this article 42, "Personal Data" and "Data Controller" shall have the meanings ascribed to them in the UK Data Protection Act 1998 (“DPA”). Seller shall ensure that it complies with all requirements of the DPA as if Seller were the Data Controller in respect of all Personal Data provided to Seller by ▇▇▇▇▇, any employee of Buyer, Buyer’s customers, ▇▇▇▇▇’s subcontractors and/or any agent of Buyer pursuant to or relating to this Contract. Seller shall not process any Personal Data controlled by ▇▇▇▇▇ except in the performance of and for the purpose of this Contract.
Furthermore, Seller shall not transfer any Personal Data controlled by Buyer to any other entity or outside of the EEA without the express written consent of Buyer and without the provisions of the DPA and all applicable data protection law having been satisfied. Seller will have in place adequate technical and organizational security measures so that the confidentiality of this processing complies with the DPA and all applicable data protection laws and regulations. Seller shall immediately provide Buyer with copies of any and all requests by data subjects or regulatory authorities in relation to personal data processed pursuant to this Contract, and notice of any and all data breaches or other unlawful processing of personal data, and shall promptly provide Buyer with any and all assistance that may be required to respond to such requests or breaches. Where such requests relate to ▇▇▇▇▇▇’s failure to comply with the DPA or other applicable data protection laws and regulations, then such support and any remediation shall be at Seller’s expense.
Where under this Contract personal data needs to be exported from the EEA, Seller shall agree to execute such data transfer contracts based upon the model contracts published by the article 29 Working Party of the European Commission. Seller shall indemnify, keep indemnified and hold harmless Buyer and ▇▇▇▇▇’s customers from and against all expenses, contingent liabilities, liabilities, injuries, losses, damages, claims, demands, proceedings, judgments and legal costs (on a full indemnity basis) whether arising in tort (including negligence), breach of contract, breach of statutory duty, collaterally or otherwise which Buyer and/or Buyer’s customers incur or suffer arising from breach of this article 42 or any model contract entered into by Seller pursuant to it.

Appears in 1 contract

Sources: Fixed Price Contract for Goods and/or Services

Data Protection. The SERVICE PROVIDER’s attention is hereby drawn to the Data Protection Requirements. The CUSTOMER and the SERVICE PROVIDER shall observe their obligations under the Data Protection Requirements.
Where the SERVICE PROVIDER, pursuant to its obligations under this Contract, undertakes the Processing of Personal Data on behalf of the CUSTOMER, it shall: carry out the Processing of Personal Data only in accordance with instructions from the CUSTOMER (which may be specific instructions or instructions of a general nature as set out in this Contract or as otherwise notified by the CUSTOMER to the SERVICE PROVIDER during the Term); carry out the Processing of Personal Data only to the extent, and in such manner, as is necessary for the provision of the Ordered Services or as is required by Law or any Regulatory Body; implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; take reasonable steps to ensure the reliability of any SERVICE PROVIDER personnel who have access to the Personal Data; obtain prior written consent from the CUSTOMER in order to transfer the Personal Data to any Sub-Contractors for the provision of the Ordered Services; ensure that any SERVICE PROVIDER personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 15; ensure that none of the SERVICE PROVIDER personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the CUSTOMER; notify the CUSTOMER (within five (5) Working Days) if it receives: a request from a Data Subject to have access to that person’s Personal Data; or a complaint or request relating to the CUSTOMER’s obligations under the Data Protection Requirements; provide the CUSTOMER with full cooperation and assistance in relation to any complaint or request made, including by: providing the CUSTOMER with full details of the complaint or request; complying with a data access request within the relevant timescales set out in the Data Protection Requirements and in accordance with the CUSTOMER’s instructions; providing the CUSTOMER with any Personal Data it holds in relation to a Data Subject (within the timescales required by the CUSTOMER); and providing the CUSTOMER with any information requested by the CUSTOMER; permit the CUSTOMER or its representatives (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit the SERVICE PROVIDER’s data Processing activities (and/or those of its agents, subsidiaries and Sub-Contractors) and comply with all reasonable requests or directions by the CUSTOMER to enable the CUSTOMER to verify and/or procure that the SERVICE PROVIDER is in full compliance with its obligations under this Contract. In this respect, the SERVICE PROVIDER shall be responsible for maintaining the confidentiality of information relating to its other clients; provide a written description of the technical and organisational methods employed by the SERVICE PROVIDER for Processing Personal Data (within the timescales required by the CUSTOMER); and not undertake the Processing of Personal Data outside the European Economic Area without the prior written consent of the CUSTOMER and, where the CUSTOMER consents to a transfer, to comply with: the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and any reasonable instructions notified to it by the CUSTOMER.
The SERVICE PROVIDER shall comply at all times with the Data Protection Requirements and shall not perform its obligations under this Contract in such a way as to cause the CUSTOMER to breach any of its applicable obligations under the Data Protection Requirements.
The CUSTOMER may from time to time serve on the SERVICE PROVIDER an information notice requiring the SERVICE PROVIDER within such time and in such form as is specified in the information notice, to furnish to the CUSTOMER such information as the CUSTOMER may reasonably require relating to: compliance by the SERVICE PROVIDER with the SERVICE PROVIDER’s obligations under this Contract in connection with the Processing of Personal Data; and/or the rights of Data Subjects, including but not limited to subject access rights. The SERVICE PROVIDER will allow its data Processing facilities, procedures and documentation to be submitted for scrutiny by the CUSTOMER or its auditors in order to ascertain compliance with the relevant laws of the United Kingdom and the terms of this Contract. In this respect, the SERVICE PROVIDER shall be responsible for maintaining the confidentiality of information relating to its other clients. With respect to the parties’ rights and obligations under this Contract, the parties acknowledge that, except where otherwise agreed, the CUSTOMER is the Data Controller and the SERVICE PROVIDER is the Data Processor.
Where the SERVICE PROVIDER wishes to appoint, in accordance with the provisions of Clause 31, a Sub-Contractor to assist it in providing the Ordered Services and such assistance includes the Processing of Personal Data on behalf of the CUSTOMER, then, subject always to compliance by the SERVICE PROVIDER with the provisions of Clause 31 relating to the appointment of Sub-Contractors, the CUSTOMER hereby grants to the SERVICE PROVIDER a delegated authority to appoint on the CUSTOMER’S behalf such Sub-Contractor to undertake the Processing of Personal Data provided that the SERVICE PROVIDER shall notify the CUSTOMER in writing of such appointment and the identity and location of such Sub-Contractor. The SERVICE PROVIDER warrants that such appointment shall be on substantially the same terms with respect to Data Protection Requirements as are set out in this Contract, including the terms set out in Clause 15.2. Any Sub-Contractor appointed under the provisions of this Clause 15.6 shall, for the purposes of Schedule 2-8, be regarded as a principal Sub-Contractor and shall be specified in Table 1 of Schedule 2-8. Save as set out in this Clause 15, any unauthorised Processing, use or disclosure of Personal Data by the SERVICE PROVIDER is strictly prohibited.
The SERVICE PROVIDER shall be liable for and shall indemnify (and keep indemnified) the CUSTOMER against each and every action, proceeding, liability, cost, claim, loss, expense (including reasonable legal fees and disbursements on a solicitor and client basis) and demands incurred by the CUSTOMER which arise directly or in connection with the SERVICE PROVIDER’s data Processing activities under this Contract, including without limitation those arising out of any third party demand, claim or action, or any breach of contract, negligence, fraud, wilful misconduct, breach of statutory duty or non-compliance with any part of the Data Protection Requirements by the SERVICE PROVIDER or its employees, servants, agents or Sub-Contractors. If the SERVICE PROVIDER is responsible for storing any CUSTOMER data as part of the Ordered Services then:

Appears in 1 contract

Sources: Telecommunications

Data Protection.
12.1 You warrant and confirm to Us that You: (a) are registered under applicable Data Protection Laws; (b) will at all times comply with all applicable provisions of Data Protection Laws and any other applicable legislation relating to personal data; and (c) will immediately inform Us in writing and at Your own cost if You have failed to comply with any provision of applicable Data Protection Laws.
12.2 When You submit an Application to Us under this Agreement, this will constitute Processing personal data. The purpose of this Clause 12 is to set out the roles that You and We perform in respect of that personal data.
12.3 When You submit an Application to Us, including when You populate an Application, You do so as a controller of the personal data which You collect and process and provide to Us, and You are solely responsible for the processing of that personal data and ensuring that such processing is undertaken in accordance with the requirements of Data Protection Laws.
12.4 You and We shall each be separately and independently responsible under Data Protection Laws for any personal data in respect of which we are a controller while the personal data is in our possession or under our control. We shall, where necessary, cooperate with, and provide reasonable assistance to one another in order to enable each of us to comply with our respective obligations under Data Protection Laws, including (but not limited to): (a) making available to the other party in a timely manner any correspondence from any data subjects or any relevant supervisory authority in relation to the processing of personal data by that party (to the extent that this is legally permitted); and/or (b) to the extent appropriate, informing one another of any Data Security Incident which may impact the other party, in so far as such Data Security Incident involves the personal data which is processed in relation to the Terms.
12.5 You shall ensure that, to the extent that any personal data is to be transferred to Us for the purposes of this Agreement, You will: (a) have a lawful purpose for transferring the personal data to Us, and will have complied with all other necessary lawful requirements to enable the lawful transfer of the personal data to Us. We will receive the personal data as a controller; (b) ensure You have all necessary consents and notices in place to enable the personal data to be transferred to Us lawfully for the purposes of this Agreement; (c) give full information to any Applicant whose personal data may be processed under this Agreement of the nature of such processing, including making the Applicant aware of the purposes for which We will process personal data and to whom that personal data may be disclosed and notifying the Applicant that, on the termination of this Agreement, personal data relating to the Applicant may be retained by Us; (d) process any personal data We provide to You only for the purposes of this Agreement and not disclose or allow access to such personal data to anyone who is not subject to written contractual obligations concerning such personal data (including obligations of confidentiality) which are no less demanding than those imposed on You by this Agreement; (e) take appropriate technical and organisational measures to guard against unauthorised or unlawful processing or accidental loss, destruction, damage or alteration or disclosure of such personal data. This shall include where appropriate encryption of and password protected access to all such data whether stored on hard copy or in electronic form or any other form whatsoever. Such measures shall be in accordance with good industry practice and all guidance from any Regulatory Authority (including the UK Information Commissioner and the FCA) from time to time; (f) restrict access to such personal data to employees who are required to have it; (g) notify Us immediately of any security breaches relevant to the performance of this Agreement that may result in an unauthorised person gaining access to such personal data or to a device on which such personal data is held; (h) retain such personal data for no longer than necessary for the purpose for which the personal data is processed; (i) not transfer any personal data received from Us outside the EEA unless You: (i) comply with the provisions of Article 26 of the GDPR; and (ii) ensure that: (A) the transfer is to a country approved by the European Commission as providing adequate protection pursuant to Article 45 of the GDPR; (B) there are appropriate safeguards in place pursuant to Article 46 of the GDPR; or (C) one of the derogations for specific situations in Article 49 of the GDPR applies to the transfer.
12.6 We shall be entitled to use any information including personal data supplied by You for the purpose of: (a) considering the Application and any subsequent business from You; (b) administrative purposes including contract management; (c) conducting market research and statistical analysis; (d) informing You about new products, services, and about changes in the terms for existing products; (e) fraud and money laundering prevention; (f) preparing strategic or other marketing plans and gauging product sales; (g) in connection with any prospective sale or assignment of Our business or part thereof; and (h) for any purpose which is lawful and/or with the Applicant's consent under applicable Data Protection Laws.
12.7 You shall assist Us in complying with all applicable requirements of the Data Protection Laws with respect to the Applicants and, in particular, shall: (a) consult with Us about any notices given to the Applicants in relation to their personal data; (b) promptly inform Us about the receipt of any data subject access request; (c) provide Us with reasonable assistance in complying with any data subject access request; (d) not disclose or release any personal data in response to a data subject access request without first consulting Us wherever possible; (e) assist Us, at our cost, in responding to any request from an Applicant and in ensuring compliance with Our obligations under the Data Protection Laws with respect to security, personal data breach notifications, data protection impact assessments and consultations with supervisory authorities or regulators; (f) at Our written direction, delete or return to Us on termination of this Agreement all personal Data and all copies thereof which You are not required by law to retain; (g) use compatible technology for the processing of personal data to ensure that there is no lack of accuracy resulting from personal data transfers; (h) maintain complete and accurate records and information to demonstrate Your compliance with this Clause 12 and allow Us or Our designated auditor to conduct such audits of Your security measures as We require to ensure Your compliance with this Clause 12; (i) You will indemnify Us against all claims and proceedings and all liability, loss, costs and expenses We may suffer or incur as a result of any claim made or brought by an Applicant or by any other person in respect of any loss, damage or distress caused to them as a result of any breach by You of the Data Protection Laws.
12.8 Any breach of this Clause 12 by You may be a material breach of this Agreement which is not capable of being remedied, irrespective of whether any financial loss or reputational damage arises, and irrespective of the level of any financial loss or deprivation of benefit arising, as a consequence of such breach.
12.9 Please note that telephone calls may be recorded or monitored for security or training purposes.

Appears in 1 contract

Sources: Intermediary Agreement

Data Protection. The Parties agree that the personal data they submit to each other, including but not limited to, names, address, email, phone, fax, signature, job title, gender (“Personal Data”) may be processed, shared, and otherwise used exclusively for the purposes of and in connection with the implementation of this Agreement. The Parties shall comply with their applicable obligations under the Data Privacy Laws (any Laws or Regulations relating to the processing, privacy or use of Personal Data as applicable when processing Personal Data in the context of this Agreement). The Parties agree that processing of Personal Data shall be done in accordance with the terms of the Agreement and the applicable law. In particular, it shall be processed in a manner that ensures the security of the Personal Data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures. In the event Personal Data is transferred to jurisdictions, which may not offer adequate level of protection, the Parties shall take necessary steps to provide appropriate safeguards in accordance with the Data Privacy Laws. The Parties have implemented all appropriate security measures to protect Personal Data against accidental, unlawful, or unauthorized (i) destruction (ii) loss, (iii) alteration, (iv) disclosure, or (v) access (including remote access) and will protect Personal Data against all other forms of unlawful processing, including unnecessary collection, transfer, or processing, beyond what is strictly necessary for the performance of the Agreement. The Parties may grant to their personnel access only to personal data that is strictly necessary for implementing, managing and monitoring their tasks within the Project.
The Parties must also ensure that any supply of personal data to any other party is legitimate and compliant with Data Privacy Laws. The Parties shall ensure that persons authorized to process the Personal Data have committed themselves to confidentiality. In the event that, in the course of implementing this Agreement, a controller to processor or processor sub-processor relationship is created, the Parties undertake to enter into an appropriate data processing agreement which complies with Article 28 of the Regulation (EU) 2016/679 the General Data Protection Regulation (GDPR). Personal Data subject requests shall be sent to IUCN using the online form here (▇▇▇▇▇://▇▇▇▇▇▇▇.▇▇▇▇.▇▇▇/▇▇▇▇▇▇▇▇▇▇▇▇▇▇/▇▇▇▇▇▇▇▇▇▇▇).

Appears in 1 contract

Sources: Grant Agreement

Data Protection. For the purposes of the Data Protection Act 1998, the Applicant agrees and gives consent to the holding and processing of personal data relating to the Applicant in any form, (whether obtained or held in writing, electronically or otherwise) by the Producer, affiliated companies of the Producer or the broadcaster for purposes connected with the relationship hereunder including, but not limited to: verifying your age and identity, carrying out background checks with law enforcement and government agencies, taking decisions as to fitness to take part, and ensuring compliance with the Producer’s legal obligations. The Producer wishes to ensure that the information it holds remains as accurate as possible. The Producer may therefore at any time request the Applicant to update the information relating to the Applicant held by the Producer and the Applicant should, in any event, inform the Producer as soon as practicable of any changes to the Applicant’s personal information. The Applicant may review and update the information at any time, on reasonable notice to the Producer. The Producer may, from time to time, need to make some of the Applicant’s information available to legal and regulatory authorities, lawyers and/or other outside professional advisors, and to other parties which provide products or services to the Producer (such as IT systems suppliers and medical practitioners). Some of these recipients will be located in Europe, but others may be located, or have relevant operations located, elsewhere such as in the US or elsewhere, where data protection and privacy regulations may not offer the same level of protection as applies in the EU. However, the Producer will at all times take reasonable steps to ensure the security and confidentiality of personal data.
15. The Company shall not be liable to the Applicant for any loss or damage or injury to the Applicant or the Applicant’s property or any economic loss including without limitation loss of earnings caused or suffered in connection with the Selection Process and/or the pre-production and/or production of the proposed Programme or any advice given to the Applicant by the Company or its employees, servants or contractors unless caused by the negligence of the Company and recoverable on that ground.
16. The Applicant agrees that the Contribution shall be true and original to the Applicant and shall not contain anything which is defamatory or an infringement of copyright or in contempt of court or which is calculated to bring the Programme, the Company or the commissioning broadcaster into disrepute.
17. Nothing contained in this Agreement shall constitute an undertaking by the Company to produce or exhibit the Programme or to use the Contribution or any part of it in the Programme or its exploitation.
18. The Applicant is free to enter this Agreement and hereby agrees to indemnify the Company in respect of all actions, proceedings, claims, damages and other liabilities, which may be brought against or incurred by the Company as a result of the breach of any of the Applicant’s warranties, representations, obligations or undertakings contained in this Agreement.
19. The Company shall be entitled to assign the benefit of this agreement either in whole or in part to any of its subsidiary or associated companies or successors in title and/or any third party.
20. The Applicant agrees that in the event of any breach of this agreement by the Company the Applicant shall not be entitled to enjoin and/or injunction the distribution and/or exploitation of the Programmes and any legal remedy the Applicant may have shall lie in an action at law for damages.
21.
The provisions of the Contracts ("EEA"Rights of Third Parties) unless Act 1999 shall apply to this Agreement to the extent that it has taken such measures as are necessary to ensure the transfer confers benefits on Bah Media Film Production Limited and or ▇▇▇▇▇▇▇ ▇▇▇ but not otherwise, and it is in compliance with the Privacy Laws. Such measures may include transferring the Data to a country expressly agreed that the European Commission has decided provides adequate protection for personal data; to a Recipient that has achieved binding corporate rules authorization in accordance with Privacy Laws; or to a Recipient that has executed standard contractual clauses adopted or approved by the European Commission. Recipient will not make any effort to identify individuals who are or may be the donors breach of the Original Material terms of this Agreement shall entitle Bah Media Film Production Limited and may not combine Data or results ▇▇▇▇▇▇▇ ▇▇▇, as interested parties (and no other third party) in their own right, jointly and severally to enforce the terms of this Agreement in part or in full. 22. The Courts of England shall have exclusive jurisdiction in relation to the terms and conditions of the Project with other data Agreement, which may result in identification shall be interpreted according to the laws of a donorEngland.

Appears in 1 contract

Sources: Applicant Release Form and Confidentiality Agreement

Data Protection. 10.1 The parties Parties shall at all times comply with the Data Legislation. 10.2 The Council and the Recipient acknowledge that personal data may be transferred under this agreement (“each Party is individually a Data Controller in respect of any Personal Data”) Data Processed by it and each party will fully agree to comply with its respective obligations under Data Protections Legislation accordingly. 10.3 The Recipient agrees that it is the data controller of any personal data processed by it pursuant to the Project/Funded Activities, as those terms are defined in the Data Protection Legislation in force at the relevant time. It will comply fully with the Data Protection Legislation to the extent that they are applicable to it and with the ICO’s public guidance for data controllers. 10.4 The Recipient shall (and shall procure that any of its staff, employees, agents, consultants, third party or any Sub-Recipient involved in connection with the activities under the Agreement shall) comply with their obligations under the General Data Protection Regulation (EU)2016/679 Legislation and applicable complementing national laws (jointly “Privacy Laws”). The parties are independent controllers of their processing operations performed shall enter into appropriate arrangements with such Personal Data. Taking into account third parties. 10.5 On request from the state of the artCouncil, the costs of implementation Recipient will provide the Council with all such relevant documents and information relating to the nature, scope, context Recipient’s data protection policies and purposes of processing as well procedures as the risk of varying likelihood and severity for the rights and freedoms of data subjects, Recipient will maintain appropriate technical and organizational measures in such a manner that processing of Personal Data will meet the requirements of the Privacy Laws. 
Recipient agrees to notify Provider within a period of 48 hours where Recipient becomes aware of or Council may reasonably suspects that Personal Data has been or may have been lost, damaged or subject to unauthorized internal or external access or any other unlawful processing (a “Security Incident”) and to take reasonable steps to mitigate the impact of any such Security Incidentrequire. In the event that Recipient receives (i) any request from a data subject the Parties agree it is necessary to exercise any of its rights under Privacy Laws in relation to share, exchange or jointly hold Personal Data for the purpose of fulfilling the Parties obligations under this Agreement (including its rights of access, correction, objection and erasure); and (ii) any other correspondence, inquiry or complaint received from a data subject, regulator or other third party in connection with the except where one Party shall be processing of Personal Data on the other’s behalf) then the Parties shall: (collectivelya) where possible in order to facilitate the exchange of information, "Correspondence"), anonymise or aggregate such information to the degree that it shall promptly inform Provider and the parties shall cooperate in good faith as necessary to respond to does not identify any individual; and (b) agree such Correspondence and fulfill their respective obligations under Privacy Laws. Upon Provider’s request, Recipient shall restrict the processing of Personal Data identified by Provider. Recipient shall not transfer any Personal Data to a territory outside of the European Economic Area ("EEA") unless it has taken such measures additional or varied terms as are necessary to ensure the transfer is in full compliance with the Privacy Laws. Such measures may include transferring Data Protection Legislation. 
10.6 In the event that the Parties agree it is necessary to share, exchange or jointly hold Personal Data for the purpose of fulfilling the Parties obligations under this Agreement (except where one Party shall be processing Personal Data on the other’s behalf) then the Parties shall: (a) where possible in order to facilitate the exchange of information, anonymise or aggregate such information to the degree that it does not identify any individual; and (b) agree such additional or varied terms as are necessary to ensure full compliance with the Data to a country Protection Legislation. 10.7 In the event that the European Commission has decided provides adequate protection for personal data; Council determines that the Recipient is processing Personal Data on the Council’s behalf then the Recipient shall immediately enter into a Data Processing Agreement with the Council on reasonable terms to be determined by the Council to ensure full compliance with the Data Protection Legislation. Failure by the Recipient to enter into such an agreement shall constitute a Recipient that has achieved binding corporate rules authorization serious breach of this Agreement and the Council may exercise its rights under this Agreement to withhold/suspend/reduce payment or require payment in full or part of the Grant in accordance with Privacy Laws; clause 11 and/or terminate this Agreement in accordance with clause 18. 10.8 The Recipient shall indemnify and keep the Council indemnified in full for any and all costs, claims, losses, damages, expenses, liabilities, fines, penalties, interest or to otherwise for which the Council may become liable as a Recipient that has executed standard contractual clauses adopted or approved by the European Commission. 
Recipient will not make any effort to identify individuals who are or may be the donors result of the Original Material and may Recipient’s failure (or the Recipient’s employee’s agents or any sub-recipient’s failure) to comply with their obligations under Data Protection Legislation or this clause 10. 10.9 Any clause in this Agreement limiting the Recipient’s liability in respect of any obligations, costs, claims, losses, damages, expenses, liabilities, fines, penalties, interest or otherwise under the Data Protection Legislation and/or this clause 10 shall not combine Data or results of the Project with other data which may result in identification of a donorapply.

Appears in 1 contract

Sources: Support Agreement

Data Protection. The parties Parties acknowledge that personal data for the purposes of the Data Protection Legislation, the Council is the Controller and the Contractor is the Processor. The only processing that the Contractor is authorised to do is listed in Schedule 3 by the Council and may not be transferred under this agreement determined by the Contractor. The Contractor shall (“Personal Data”and shall procure that any of the Contractor Staff involved in the provision of the Agreement) and each party will fully comply with its respective any notification requirements under the DPA and both parties will duly observe all their obligations under the General DPA which arise in connection with the Agreement. The Contractor shall comply with any notification requirements under the Data Protection Regulation (EU)2016/679 Legislation and applicable complementing national laws (jointly “Privacy Laws”)shall observe all of its obligations under the Data Protection Legislation which arise during the Term of the Agreement. The parties Contractor acknowledges that they shall not hold or process any personal data unless such data applies for the performance of the Agreement a process shall be agreed between the Contractor and the Council as to how the personal data shall be managed. If a breach does occur by the Contractor of its obligations under the Data Protection Legislation then the Council may terminate the Agreement. 
If the Contract is terminated by the Council the Contractor shall comply with the Council’s requirements which may include: the delivery of the originals of such information, records and papers to the Council’s offices or such other address as specified by the Council, and/or; immediately destroy all original and copies of such information, records and papers; The Contractor shall, in relation to any Personal Data processed in connection with its obligations under this Agreement: process that Personal Data only in accordance with Schedule 3, unless the Contractor is required to do otherwise by Law. If it is so required the Contractor shall promptly notify the Council before processing the Personal Data unless prohibited by Law; ensure that it has in place Protective Measures, which have been reviewed and approved by the Council as appropriate to protect against a Data Loss Event having taken account of the: nature of the data to be protected; harm that might result from a Data Loss Event; state of technological development; and cost of implementing any measures; ensure that : the Staff do not process Personal Data except in accordance with this Agreement (and in particular Schedule 3); it takes all reasonable steps to ensure the reliability and integrity of any Staff who have access to the Personal Data and ensure that they: are independent controllers aware of their and comply with the Contractor’s duties under this clause; are subject to appropriate confidentiality undertakings with the Contractor or any Sub-processor; are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Council or as otherwise permitted by this Agreement; and have undergone adequate training in the use, care, protection and handling of Personal Data; and not transfer Personal Data outside of the EU unless the prior written consent of the Council has been obtained 
and the following conditions are fulfilled: the Council or the Contractor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Council; the Data Subject has enforceable rights and effective legal remedies; the Contractor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Council in meeting its obligations); and the Contractor complies with any reasonable instructions notified to it in advance by the Council with respect to the processing operations performed of the Personal Data; at the written direction of the Council, delete or return Personal Data (and any copies of it) to the Council on termination of the Agreement unless the Contractor is required by Law to retain the Personal Data. Subject to clause 12.9, the Contractor shall notify the Council immediately if it: receives a Data Subject Access Request (or purported Data Subject Access Request); receives a request to rectify, block or erase any Personal Data; receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement; receives a request from any third Party for disclosure of Personal Data where compliance with such Personal Datarequest is required or purported to be required by Law; or becomes aware of a Data Loss Event. The Contractor’s obligation to notify under clause 12.8 shall include the provision of further information to the Council in phases, as details become available. 
Taking into account the state nature of the artprocessing, the costs Contractor shall provide the Council with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause 12.8 (and insofar as possible within the timescales reasonably required by the Council) including by promptly providing: the Council with full details and copies of implementation the complaint, communication or request; such assistance as is reasonably requested by the Council to enable the Council to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; the Council, at its request, with any Personal Data it holds in relation to a Data Subject; assistance as requested by the Council following any Data Loss Event; assistance as requested by the Council with respect to any request from the Information Commissioner’s Office, or any consultation by the Council with the Information Commissioner's Office. The Contractor shall maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Contractor employs fewer than two hundred and fifty (250) staff, unless: the Council determines that the processing is not occasional; the Council determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; and the nature, scope, context and purposes of Council determines that the processing as well as the is likely to result in a risk of varying likelihood and severity for to the rights and freedoms of data subjects, Recipient will maintain appropriate technical and organizational measures in such a manner that processing Data Subjects. 
The Contractor shall allow for audits of Personal its Data will meet Processing activity by the requirements of Council or the Privacy LawsCouncil’s designated auditor. Recipient agrees to notify Provider within a period of 48 hours where Recipient becomes aware of or reasonably suspects that Personal Data has been or may have been lost, damaged or subject to unauthorized internal or external access or any other unlawful processing (a “Security Incident”) and to take reasonable steps to mitigate the impact of any such Security Incident. In the event that Recipient receives (i) any request from The Contractor shall designate a data subject protection officer if required by the Data Protection Legislation. Before allowing any Sub-processor to exercise any of its rights under Privacy Laws in relation to Personal Data (including its rights of access, correction, objection and erasure); and (ii) any other correspondence, inquiry or complaint received from a data subject, regulator or other third party in connection with the processing of Personal Data (collectively, "Correspondence"), it shall promptly inform Provider and the parties shall cooperate in good faith as necessary to respond to such Correspondence and fulfill their respective obligations under Privacy Laws. Upon Provider’s request, Recipient shall restrict the processing of Personal Data identified by Provider. Recipient shall not transfer process any Personal Data related to a territory outside this Agreement, the Contractor must: notify the Council in writing of the European Economic Area intended Sub-processor and processing; obtain the written consent of the Council; enter into a written agreement with the Sub-processor which give effect to the terms set out in this clause 12 such that they apply to the Sub-processor; and provide the Council with such information regarding the Sub-processor as the Council may reasonably require. 
The Contractor shall remain fully liable for all acts or omissions of any Sub-processor. The Council may, at any time on not less than twenty ("EEA"20) unless Working Days’ notice, revise this clause by replacing it has taken such measures as are necessary with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Agreement). The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Council may on not less than twenty (20) Working Days’ notice to the Contractor amend this agreement to ensure the transfer is in compliance that it complies with the Privacy Laws. Such measures may include transferring the Data to a country that the European Commission has decided provides adequate protection for personal data; to a Recipient that has achieved binding corporate rules authorization in accordance with Privacy Laws; or to a Recipient that has executed standard contractual clauses adopted or approved any guidance issued by the European CommissionInformation Commissioner’s Office. Recipient will not make any effort to identify individuals who are or may be The provisions of this clause shall apply during the donors continuance of the Original Material Agreement and may not combine Data indefinitely after its expiry or results of the Project with other data which may result in identification of a donortermination.

Appears in 1 contract

Sources: Goods, Service & Works Agreement

Data Protection. The parties acknowledge 11.1 For the purposes of this Schedule "Personal Data", "Data Processor", "Data Subject", "Data Controller" and "Process" shall have the meanings ascribed to them in the Data Protection Act 1998 (the "DPA") as amended or re-enacted from time to time. 11.2 LRQA warrants and represents that personal data may be transferred it has obtained all necessary registrations, notifications and consents required by the DPA to process Personal Data for the purposes of performing its obligations under this agreement Agreement. 11.3 LRQA undertakes that to the extent that LRQA and/or any of its employees receives, has access to and/or is required to process Personal Data on behalf of the Agency ("the Agency’s Personal Data") and each party for the purpose of providing the Services, it will fully at all times comply with its respective obligations under the General provisions of the DPA for the time being in force, including without limitation the Data Protection Regulation (EU)2016/679 and applicable complementing national laws (jointly “Privacy Laws”). The parties are independent controllers of their processing operations performed with such Personal Data. Taking into account the state Principles set out in Schedule 1 of the artDPA. 
In particular, LRQA agrees to comply with the costs of implementation requirements and obligations imposed on the nature, scope, context Data Controller in the Seventh Data Protection Principle set out in the DPA namely: 10.3.1 LRQA shall at all material times have in place and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects, Recipient will maintain appropriate technical and organizational organisational security measures in such a manner that processing designed to safeguard against accidental or unlawful destruction, accidental loss, alteration, unauthorised or unlawful disclosure of or access to the Agency’s Personal Data and any person it authorises to have access to any the Agency’s Personal Data will meet respect and maintain the confidentiality and security of the Agency’s Personal Data. This includes the obligation to comply with any records management, operational and/or information security policies operated by the Agency, when providing the Services on the Agency’s premises and/or accessing their manual and/or automated information systems. These measures shall be appropriate to the harm which might result from any unauthorised Processing, accidental loss, destruction or damage to the Personal Data which is to be protected; 10.3.2 LRQA shall only process Personal Data for and on behalf of the Agency for the purpose of performing the Services in accordance with this Agreement, or as is required by Law or any Regulatory Body, and where necessary only on written Instructions from the Agency to ensure compliance with the DPA; 10.3.3 LRQA shall allow the Agency to audit LRQA's compliance with the requirements of this Clause 11 on reasonable notice and/or, at the Privacy Laws. Recipient agrees Agency’s request, provide the Agency with evidence of LRQA's compliance with the obligations within this Clause 11. 
11.4 LRQA undertakes not to notify Provider within a period disclose or transfer any of 48 hours where Recipient becomes aware of or reasonably suspects that the Agency’s Personal Data has been to any third party without the prior written consent of the Agency save that without prejudice to Clause 11.3 LRQA shall be entitled to disclose the Agency’s Personal Data to employees and third parties to whom such disclosure is reasonably necessary in order for LRQA to carry out the Services, or may have been lost, damaged or subject to unauthorized internal or external access or any other unlawful processing (the extent required under a “Security Incident”) and to court order. 11.5 LRQA shall: 11.5.1 take reasonable steps to mitigate ensure the impact reliability of any such Security Incident. In Consultant Personnel who have access to the event Personal Data; 11.5.2 ensure that Recipient receives (i) any request from a data subject all Consultant Personnel required to exercise access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 11; 11.5.3 ensure that none of Consultant Personnel publish, disclose or divulge any of its rights under Privacy Laws in relation to Personal Data (including its rights of access, correction, objection and erasure); and (ii) any other correspondence, inquiry or complaint received from a data subject, regulator or other third party in connection with the processing of Personal Data (collectively, "Correspondence"), it shall promptly inform Provider and the parties shall cooperate in good faith as necessary to respond to such Correspondence and fulfill their respective obligations under Privacy Laws. Upon Provider’s request, Recipient shall restrict the processing of Personal Data identified by Provider. 
Recipient shall not transfer any Personal Data to a territory outside of the European Economic Area ("EEA") any third party unless it has taken such measures as are necessary directed in writing to ensure the transfer is in compliance with the Privacy Laws. Such measures may include transferring the Data to a country that the European Commission has decided provides adequate protection for personal data; to a Recipient that has achieved binding corporate rules authorization in accordance with Privacy Laws; or to a Recipient that has executed standard contractual clauses adopted or approved do so by the European Commission. Recipient will not make any effort to identify individuals who are or may be the donors of the Original Material and may not combine Data or results of the Project with other data which may result in identification of a donor.Agency;

Appears in 1 contract

Sources: Services Agreement

Data Protection. 8.1 The parties acknowledge Parties agree that personal data may be transferred to the extent that Confidential Information provided to the Receiving Party comprises any Personal Data (as defined under this agreement the Irish Data Protection Acts 1988 and 2003 (“Personal Data”) as amended, modified or consolidated or, on and each party will fully comply with effect from its respective obligations under effective date, the General Data Protection Regulation (EU)2016/679 EU) 2016/679 of the European Parliament and applicable complementing national laws the Council of 27 April 2016 (jointly the Privacy GDPR”) as may be amended, re-enacted or re-instated from time to time and any implementing legislation (together, the “Data Protection Laws”). The parties are independent controllers of their processing operations performed with ) any such Personal DataData which the Disclosing Party, supplies or discloses to the Receiving Party pursuant to this Agreement and / or otherwise as part of the Proposed Transaction, shall be treated as set out in this Clause 7. 8.2 The Parties acknowledge that the Receiving Party may transfer Personal Data to its Affiliates. Taking In such a case, the Receiving Party shall be directly liable and fully responsible for the observance and proper performance (and any omissions in that regard) by those of its Affiliates who have received Personal Data of the terms and conditions of this Agreement and in particular this Clause 7. 8.3 The Receiving Party confirms that it has appropriate technical and organisational measures required to protect against unauthorised access to, or accidental or unauthorised destruction, loss, alteration or disclosure of any Personal Data contained in the Confidential Information. 8.4 The Personal Data shall remain at all times the property of and in the ownership of the Disclosing Party (as applicable) and the Receiving Party shall have no rights whatsoever in respect thereof. 
8.5 The Receiving Party warrants and undertakes that it shall: (a) comply with the Data Protection Laws and all other applicable data protection laws and guidance including (without limitation) applicable laws relating to accessing, use and onward disclosure, distribution, exporting, archiving, maintenance and storage of Personal Data and with the terms of this Agreement and process the Personal Data only to the extent strictly necessary in connection with the Proposed Transaction and in accordance with the Disclosing Party’s instructions from time to time; (b) subject to this Clause 7, not otherwise modify, amend or alter the contents of the Personal Data or disclose or permit the disclosure of any of the Personal Data to any third party unless specifically authorised to do so in writing by the Disclosing Party; (c) take into account the state factors described in Article 32 of the artGDPR which is hereby incorporated by reference, the costs of implementation implement and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects, Recipient will maintain appropriate technical and organizational organisational security measures in such a manner that processing order to protect against unauthorised access to, or accidental or unauthorised destruction, loss, alteration or disclosure of Personal Data will meet the requirements of the Privacy Laws. Recipient agrees and to notify Provider within a period of 48 hours where Recipient becomes aware of or reasonably suspects that detect and prevent any Personal Data has been or may have been lost, damaged or subject to unauthorized internal or external access or any other unlawful processing (a “Security Incident”) and to take reasonable steps to mitigate the impact breach in respect of any such Security Incident. 
In the event that Recipient receives (i) any request from a data subject to exercise any of its rights under Privacy Laws in relation to Personal Data (including its rights of access, correction, objection and erasure); and (ii) any other correspondence, inquiry or complaint received from a data subject, regulator or other third party in connection with the processing Data;other than transfers of Personal Data (collectivelyto the Disclosing Party or to other third parties specified by the Disclosing Party, "Correspondence"), it shall promptly inform Provider and not under any circumstances transfer the parties shall cooperate in good faith as necessary to respond to such Correspondence and fulfill their respective obligations under Privacy Laws. Upon Provider’s request, Recipient shall restrict the processing of Personal Data identified by Provider. Recipient shall not transfer any Personal Data to a territory outside of the European Economic Area unless authorised in writing to do so by the Disclosing Party; ("EEA"d) unless take appropriate steps to ensure that its, employees, officers, authorised agents and any sub-processors, including but not limited to its Related Parties, comply with and acknowledge and respect the confidentiality of Personal Data, including after the end of their employment, contract or at the end of their assignment; and (e) enter into such other written agreement in respect of the processing or transfer of Personal Data as a Disclosing Party may require. 
8.6 Upon expiry or termination of this Agreement, or upon the earlier written request of a Disclosing Party, the Receiving Party shall promptly, or at the latest within 14 days of the request, either return or destroy all Personal Data disclosed to it by the Disclosing Party including any copies, notes or other materials containing such Personal Data and the Receiving Party shall if so requested in writing by the Disclosing Party, certify to the Disclosing Party that it has taken complied with this Clause 7.
8.7 The Receiving Party shall notify the Disclosing Party as soon as reasonably practicable and in any event within twenty-four (24) hours of: (a) any legally binding request for disclosure of Personal Data by a law enforcement regulatory body or other competent authority unless prohibited by law from doing so; (b) receiving any correspondence, notice or other communication whether orally or in writing from the relevant data protection regulator or any other regulator or person, relating to the Personal Data.
8.8 Where the Receiving Party receives a legally binding request for access to personal data by a law enforcement agency regulatory body on other competent authority, the Receiving Party will inform the Disclosing Party except where such measures disclosure is itself legally prohibited. The Receiving Party will reject any such request which is non-legally binding.
8.9 Without prejudice to the other provisions of this Clause 7, if the Receiving Party or any of the Receiving Party’s employees or contractors becomes aware of any Data Protection Incident, or has commenced an investigation to assess whether there has been Data Protection Incident (an “Investigation”), then the Receiving Party shall promptly (but in any event within twenty-four (24) hours of, the earlier of (i): discovery of a Data Protection Incident; or (ii) commencement of an Investigation) notify the Disclosing Party by both telephone and by email.
The Receiving Party shall, at no additional cost to the Disclosing Party, provide the Disclosing Party with all resources, assistance and cooperation as are required by the Disclosing Party in order for it to comply with its own contractual or legal obligations in respect of the data subjects (as defined in the Data Protection Laws).
8.10 The Receiving Party shall execute all such additional documents, give such assistance and do such acts and things as may in the opinion of any Disclosing Party be necessary or desirable in order comply with the Data Protection Laws.
8.11 Without prejudice to Clause 7.5(b), the Receiving Party shall not permit a third party to process Personal Data on its behalf unless the Receiving Party and the third party first enter into a written agreement which imposes the same obligations on the third party as are imposed on the Receiving Party under this Agreement and which also imposes the obligations that are required under Data Protection Laws.
8.12 The Receiving Party acknowledges and agrees that insofar as it processes Personal Data, comprised in the Confidential Information provided to the Receiving Party, it does so as a data controller in its own right and not as a data processor for the Disclosing Party.
However, without prejudice to the foregoing to the extent that the Receiving Party acts as a data processor on behalf of the Disclosing Party, the Receiving Party shall in addition to the obligations set out in this Clause 7 and Clause 4.1.1: (a) inform the Disclosing Party if it is required to process the Personal Data by EU or member state law to which it is subject, prior to such processing, other than where that law prohibits the Disclosing Party from being informed on important grounds of public interest; (b) not appoint any sub-processors except pursuant to Clause 7.5(b); (c) taking into account the nature of the processing by the Receiving Party and the nature of the information available to it, assist the Disclosing Party in respect of data subject rights requests under Chapter III of the GDPR and assist the Disclosing Party in complying with its mandatory obligations under Articles 32 to 36 of the GDPR; (d) make available to the Disclosing Party all information necessary to ensure the transfer is in demonstrate its compliance with the Privacy Laws. Such measures may include transferring the Data its obligations under this Clause 7 and Clause 4.1.1, and shall allow for and contribute to a country that the European Commission has decided provides adequate protection for personal data; to a Recipient that has achieved binding corporate rules authorization in accordance with Privacy Laws; or to a Recipient that has executed standard contractual clauses adopted or approved audits, including inspections, conducted by the European Commission. Recipient will not make any effort Disclosing Party and/or its auditors, having regard to identify individuals who are or may be the donors Receiving Party’s obligations of confidentiality to third parties other than the Original Material and may not combine Data or results of the Project with other data which may result in identification of a donorDisclosing Party.

Appears in 1 contract

Sources: Non Disclosure Agreement

Data Protection. The parties acknowledge that personal data may be transferred under this agreement (“Personal Data”) and each party will fully 7.1 Each Party shall comply with its respective obligations under the General Data Protection Regulation (EU)2016/679 and applicable complementing national laws (jointly “Privacy Laws”). The parties are independent controllers of their processing operations performed with such Personal Data. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects, Recipient will maintain appropriate technical and organizational measures in such a manner that processing of Personal Data will meet the requirements of the Privacy Laws. Recipient agrees to notify Provider within a period of 48 hours where Recipient becomes aware of or reasonably suspects that Personal Data has been or may have been lost, damaged or subject to unauthorized internal or external access or any other unlawful processing (a “Security Incident”) and to take reasonable steps to mitigate the impact of any such Security Incident. In the event that Recipient receives (i) any request from a data subject to exercise any of its rights under Privacy Laws in relation to Personal this Agreement and the provision of the Services. to the Consultant is [available on the Client’s intranet] [available to the ]. 
o the extent that, in providing the Services, the Consultant processes pe he Client is the controller for the purposes of the Data (including Protection Laws: the Client shall provide to the Consultant the terms upon which the Co process such personal data; the Consultant shall comply with such terms, the reasonable instruction and the Data Protection Laws in relation to such processing; the Consultant shall keep such personal data confidential and take nec organisational, technical and other measures to ensure its rights security and the Consultant shall notify the Client as soon as practicable if there is a suspected breach of accesssecurity, correction, objection and erasure)privacy or of the Data Protection Laws rel personal data; and (ii) any other correspondence, inquiry or complaint received from a data subject, regulator or other third party in connection the Consultant shall assist the Client with the processing of Personal Data (collectivelyClient’s compliance with t Protection Laws, "Correspondence"), it shall promptly inform Provider and including responding to any data subject access reque the parties shall cooperate in good faith as necessary to respond to such Correspondence and fulfill their respective obligations under Privacy Laws. Upon Provider’s request, Recipient shall restrict the processing of Personal Data identified by Provider. 
Recipient Consultant shall not transfer any Personal Data such personal data outside the UK the Consultant shall return to a territory outside the Client or delete all or any such perso (including any copies of such personal data) at the request of the European Economic Area ("EEA") unless it has taken such measures as are Clien the termination of the Appointment; and the Consultant shall provide to the Client all information necessary to ensure the transfer is in d compliance with the Privacy Data Protection Laws and shall allow and contribut including inspections, conducted by the Client or another auditor mand Client for such purpose. onsultant may not, without the prior written consent of the Client, appoi or of personal data of which the Client is the controller for the purposes on Laws. Such measures may include transferring .] OR [If the Data Consultant appoints a Substitute in accordance wit he extent that it is necessary for the Substitute to receive personal data the controller: the Client authorises the Consultant to engage the Substitute as a country proc personal data provided that the European Commission Consultant has decided provides adequate informed the Client of s engagement in advance to allow the Client to object to such engageme the Consultant shall enter into a written contract with the Substitute rel personal data on equivalent terms to Clauses 7.3 and 7.4; and 7.2 The Client’s data protection for policy which applies to the use and processing of personal data; to a Recipient that has achieved binding corporate rules authorization in accordance with Privacy Laws; or to a Recipient that has executed standard contractual clauses adopted or approved by the European Commission. 
Recipient will not make any effort to identify individuals who are or may be the donors data relating Consultant on request 7.3 If and t rsonal data of which t (a) nsultant shall (b) s of the Original Material and may not combine Data or results of the Project with other data which may result in identification of a donor.Client (c) ▇▇▇▇▇▇ confidentiality;

Appears in 1 contract

Sources: Consultancy Agreement

Data Protection. 1. The parties acknowledge that Parties shall comply with all applicable requirements of the Data Protection Laws applicable in respect of any personal data may be transferred processed under this agreement TOBA; and provide such assistance, co-operation and information as is reasonably requested by the other to comply with the Data Protection Laws. 2. The Parties acknowledge that, for the purposes of the Data Protection Laws, they shall each be controllers (as defined in the Data Protection Laws) in common in respect of the personal data obtained (whether directly or indirectly) from data subjects in relation to this TOBA. 3. Parties shall ensure that they process and share personal data (“Shared Personal Data”) fairly and each party will fully comply lawfully in accordance with its respective obligations under the General Data Protection Regulation Laws on the basis that the data subject has unambiguously given his or her consent, or on the basis of some other valid ground provided for in the Data Protection Laws. 4. Where a Party (EU)2016/679 and applicable complementing national laws ”Disclosing Party”) discloses personal data to the other(s) (jointly Privacy LawsRecipient(s)). The parties are independent controllers ) in connection with the operation of their processing operations performed with such Personal Data. Taking into account the state of the artthis TOBA, the costs of implementation and Disclosing Party will ensure that it obtains all necessary consents from the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects, Recipient will maintain appropriate technical and organizational measures in such a manner that processing of Personal Data will meet the requirements of the Privacy Laws. 
Recipient agrees to notify Provider within a period of 48 hours where Recipient becomes aware of or reasonably suspects that Personal Data has been or may have been lost, damaged or subject to unauthorized internal or external access or any other unlawful processing (a “Security Incident”) and to take reasonable steps to mitigate the impact of any such Security Incident. In the event that Recipient receives (i) any request from a data subject to exercise any of its rights under Privacy Laws in relation to Personal Data (including its rights of access, correction, objection and erasure); and (ii) any other correspondence, inquiry or complaint received from a data subject, regulator or alternatively discloses the personal data on the basis of some other third party valid ground provided for in connection the Data Protection Laws, so that the personal data it provides to the Recipient(s) can be lawfully used or disclosed by the Recipient(s) in the manner and for the purposes anticipated by this ▇▇▇▇. 5. You shall, in respect of Shared Personal Data, ensure that fair processing notices are provided to data subjects in accordance with the Data Protection Laws, including that they are clear and provide sufficient information to the data subjects for them to understand what personal data you are sharing with us, the circumstances in which it will be shared, the purposes for the data sharing, either the identity of us or a description of the type of organisation(s) that will receive the personal data (such type of organisation to include us) and such other information as we may reasonably require. 
The information provided by you to the Data Subject shall be detailed enough that the obligations to provide fair processing information pursuant to Data Protection Laws is complied with and that we need not provide any further information to the Data Subject in order to comply with Data Protection Laws in respect of the processing of Personal Data (collectivelyin the manner and for the purposes anticipated by this TOBA. 6. You shall indemnify Onsi on demand against any and all losses, "Correspondence")liabilities, it claims, proceedings, settlement, damages, costs, regulatory fines and expenses arising out of or in connection with any breach by us of our obligation set out in this Appendix 2. 7. The Disclosing Party shall promptly inform Provider provide such information and documentation as the parties shall cooperate in good faith as necessary Recipient(s) may reasonably request from time to respond time to such Correspondence and fulfill their respective obligations under Privacy Laws. Upon Provider’s request, Recipient shall restrict the processing of Personal Data identified by Provider. Recipient shall not transfer any Personal Data to a territory outside of the European Economic Area ("EEA") unless it has taken such measures as are necessary to ensure the transfer is in evidence its compliance with the Privacy Laws. Such measures may include transferring the Data to a country that the European Commission has decided provides adequate protection for personal data; to a Recipient that has achieved binding corporate rules authorization in accordance with Privacy Laws; or to a Recipient that has executed standard contractual clauses adopted or approved by the European Commission. Recipient will not make any effort to identify individuals who are or may be the donors of the Original Material and may not combine Data or results of the Project with other data which may result in identification of a donorthis Appendix 2.

Appears in 1 contract

Sources: Terms of Business Agreement

Data Protection. 18.1 The parties acknowledge Servicer and the Mortgages Trustee each represents that personal data may be transferred as at the date hereof it has and hereafter it will maintain all appropriate registrations, licences, consents and authorities (if any) required under this agreement the Data Protection Act 1998 together, with its ancillary legislation (“Personal Data”the ▇▇▇▇ ▇▇OTECTION ACT) and each party will fully comply with to enable it to perform its respective obligations under this Agreement. In addition to the General foregoing and notwithstanding any of the other provisions of this Agreement, each of the Servicer and the Mortgages Trustee hereby agree and covenant as follows: (a) that only data that is not "personal data" (as described in the Data Protection Regulation Act) may be transferred by the Servicer to the Mortgages Trustee or any other entity located in Jersey (EU)2016/679 and applicable complementing national laws unless: (jointly “Privacy Laws”). The parties are independent controllers i) Jersey is determined, on the basis of their processing operations performed with such Personal Data. Taking into account Article 25(b) of Directive 95/46/EC, a third country which ensures an adequate level of protection of "personal data" by the state of European Commission or (ii) the art, the costs of implementation Servicer and the nature, scope, context and purposes of processing Mortgages Trustee have entered into a data transfer agreement in a form approved by the EC Commission as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects, Recipient will maintain appropriate technical and organizational measures in such a manner that processing of Personal Data will meet meeting the requirements of Article 26(2) of Directive 95/46/EC for the Privacy Laws. 
Recipient agrees transfer of personal data to notify Provider within a period third countries which do not ensure an adequate level of 48 hours where Recipient becomes aware of or reasonably suspects protection (the STANDARD CONTRACTUAL CLAUSES) in which case, subject to Clause 18(e), the Servicer may transfer such personal data to the Mortgages Trustee in Jersey); (b) that Personal Data if, at the date at which circumstances enable the Mortgages Trustee to exercise its right to demand that the Servicer transfer inter alia personal data to the Mortgages Trustee, (i) Jersey has been determined, on the basis of Article 25(b) of Directive 95/46/EC a third country which ensures an adequate level of protection of personal data by the European Commission or may (ii) the Servicer and the Mortgages Trustee have been lostentered into the Standard Contractual Clauses then, damaged or subject to unauthorized internal the CLAUSE 18(E), the Servicer shall transfer the relevant personal data to the Mortgages Trustee or external access or any other unlawful processing to its order; (a “Security Incident”c) and that the Servicer will, if the Mortgages Trustee requires the Servicer to do so, take all reasonable steps to mitigate notify each Borrower that the impact Mortgages Trustee is a "data controller" (as defined in the Data Protection Act) and provide each such Borrower with such details as the Mortgage Trustee shall reasonably request including but not limited to the Mortgages Trustee's contact details for the purposes of the Data Protection Act; (d) that the Servicer and the Mortgages Trustee will only use any such Security Incident. 
In the event that Recipient receives (i) any request from a data subject to exercise any of its rights under Privacy Laws in relation to Personal Data (including its rights the Loans and the related Borrowers for the purposes of accessadministering and/or managing the Portfolio, correction, objection and erasure); and (ii) will not sell such data to any other correspondence, inquiry or complaint received from a data subject, regulator or other third party in connection with the processing of Personal Data (collectively, "Correspondence"), it shall promptly inform Provider and the parties shall cooperate in good faith as necessary or allow any third party to respond to use such Correspondence and fulfill their respective obligations under Privacy Laws. Upon Provider’s request, Recipient shall restrict the processing of Personal Data identified by Provider. Recipient shall not transfer any Personal Data to a territory outside of the European Economic Area ("EEA") unless it has taken such measures as are necessary to ensure the transfer is data other than in compliance with the Privacy Laws. 
Such measures may include transferring Data Protection Act, the conditions stated in this CLAUSE 18 and for the sole purpose of administering and/or managing the Portfolio; (e) that the Mortgages Trustee will comply with the provisions of the Data to a country Protection (Jersey) Law 1987 (as amended) or any law which supersedes or replaces the Data Protection (Jersey) Law 1987 and (so long as the provisions of the Data Protection Act do not conflict with the provisions of the Data Protection (Jersey) Law 1987 (as amended) or any law which supersedes or replaces the Data Protection (Jersey) Law 1987) with the provisions of the Data Protection Act; (f) that the European Commission has decided provides adequate protection Mortgages Trustee shall maintain a written record of its reasons for personal data; applying the Data Protection Order 2000/185 (as set forth under the Conditions under paragraph 3 of Part II of Schedule I of the Data Protection Act). 18.2 The Servicer will use all reasonable endeavours to ensure that, in the event of the appointment of a Recipient that has achieved binding corporate rules authorization sub-contractor in accordance with Privacy Laws; or CLAUSE 3.2 such sub-contractor shall obtain and maintain all appropriate registrations, licences, consents and authorities required (including, without limitation, those required under the Data Protection Act), and comply with obligations equivalent to a Recipient that has executed standard contractual clauses adopted or approved by those imposed on the European Commission. Recipient will not make any effort Servicer in this CLAUSE 18, to identify individuals who are or may be the donors of the Original Material and may not combine Data or results of the Project with other data which may result in identification of a donorenable it to perform its obligations.

Appears in 1 contract

Sources: Servicing Agreement (Permanent Mortgages Trustee LTD)

Data Protection. The parties acknowledge In this clause, "Data Protection Laws" means all privacy laws applicable to any Personal Data processed under or in connection with the Agreement, including, without limitation, the General Data Protection Regulation 2016/679 (the "GDPR"), the Privacy and Electronic Communications Directive 2002/58/EC (as the same may be superseded by the Regulation on Privacy and Electronic Communications ("ePrivacy Regulation"), and all national legislation implementing or supplementing the foregoing, all as amended, re-enacted and/or replaced and in force from time to time; To the extent that a party acts a data processor ("Processor") acts on behalf the other party acting as a data controller ("Controller") in respect of any personal data may be transferred under this agreement comprised in the Customer Data (“Personal Data”) and each party will fully comply with its respective obligations under are defined in the General Data Protection Regulation (EU)2016/679 and applicable complementing national laws (jointly “Privacy Laws”). The parties are independent controllers of their processing operations performed with such Personal Data. Taking into account the state of the artLaws , the costs of implementation Processor shall ensure that: (i) unless required to do otherwise by applicable Data Protection Laws, it shall (and shall take steps to ensure each person acting under its authority shall) process the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects, Recipient will maintain appropriate technical and organizational measures in such a manner that processing of Personal Data will meet only on and in accordance with the requirements of Controller’s documented instructions as set out in Schedule 1 (Data Processing Details), as updated from time to time by agreement between the Privacy Laws.
Recipient agrees parties; (ii) persons authorised by the Processor to notify Provider within a period of 48 hours where Recipient becomes aware of or reasonably suspects that process the Personal Data has been have committed themselves to confidentiality or may have been lostare under an appropriate statutory obligation of confidentiality; (iii) if Data Protection Laws require it, damaged or subject to unauthorized internal or external access or any process Personal Data other unlawful processing (a “Security Incident”) and to take reasonable steps to mitigate than in accordance with Schedule 1, it shall notify the impact Controller of any such Security Incident. In requirement before processing the event that Recipient receives (i) any request from a data subject to exercise any of its rights under Privacy Laws in relation to Personal Data (including its rights unless applicable law prohibits such information on important grounds of accesspublic interest); (iv) it informs the Controller of any addition, correction, objection and erasure); and (ii) any other correspondence, inquiry or complaint received from a data subject, regulator replacement or other third party in connection changes of Sub-processors and provide the Controller with the processing opportunity to reasonably object to such changes on legitimate grounds. The Controller acknowledges that these Sub-processors are essential to provide the Services and that objecting to the use of Personal Data (collectivelya Sub-processor may prevent the Processor from offering the Services to the Controller. The Processor will enter into a written agreement with the Sub-processor imposing on the Sub-processor obligations comparable to those imposed on the Processor under this Agreement, "Correspondence")including appropriate data security measures.
In case the Sub-processor fails to fulfil its data protection obligations under such written agreement with the Processor, it shall promptly inform Provider and that Processor will remain liable towards Controller for the parties shall cooperate in good faith performance of the Sub-processor’s obligations under such agreement. By way of this Agreement, the Controller provides general written authorization to the Processor to engage Sub-processors as necessary to respond to such Correspondence and fulfill their respective obligations under Privacy Lawsperform the Services; including those listed in Vendor's privacy policy. Upon Provider’s request, Recipient shall restrict “Sub-processor” means another data processor engaged by the Processor for carrying out processing activities in respect of the Personal Data identified by Provider. Recipient shall not transfer any Personal Data to a territory outside on behalf of the European Economic Area ("EEA") unless it has taken such measures as are necessary to ensure the transfer is in compliance with the Privacy Laws. Such measures may include transferring the Data to a country that the European Commission has decided provides adequate protection for personal data; to a Recipient that has achieved binding corporate rules authorization in accordance with Privacy Laws; or to a Recipient that has executed standard contractual clauses adopted or approved by the European Commission. Recipient will not make any effort to identify individuals who are or may be the donors of the Original Material and may not combine Data or results of the Project with other data which may result in identification of a donor.Controller;

Appears in 1 contract

Sources: Master Services Agreement

Data Protection. The Each of the parties acknowledge that personal data may be transferred shall in the course of performing its obligations under this agreement Agreement comply with the provisions of the Applicable Data Protection Legislation. For the purposes of this Clause 14, the parties agree and acknowledge that: whilst the factual arrangement between the parties dictates the classification of each party as a ‘Controller’ or ‘Processor’ under the Applicable Data Protection Legislation, the parties anticipate that the Customer shall be the Controller and SPS Global shall be the Processor where SPS Global is processing Personal Data in connection with its provision of the Services; the description provided in Schedule [11] (Data Protection Particulars) is an accurate description of the Data Protection Particulars; SPS Global may have access to Personal Data (including ‘sensitive’ or ‘special categories’ of Personal Data) and each party will fully comply with in its respective obligations under the General Data Protection Regulation (EU)2016/679 and applicable complementing national laws (jointly “Privacy Laws”). The parties are independent controllers of their processing operations performed with such Personal Data. Taking into account the state provision of the artServices. Where SPS Global processes Personal Data as a Processor on behalf of the Customer, SPS Global shall: process the costs Personal Data only in accordance with the terms of implementation this Agreement and the nature, scope, context and purposes documented instructions of processing as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects, Recipient will maintain Customer; implement appropriate technical and organizational organisational measures in such a manner that processing of to protect the Personal Data will meet against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. 
These measures shall be appropriate to the harm and risk which might result from any unauthorised or unlawful processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; ensure that all individuals who it permits to process Personal Data are bound by enforceable obligations of confidentiality; save where such countries have been deemed by the European Commission to be providing an adequate level of protection pursuant to the relevant provisions of the Applicable Data Protection Legislation, not transfer Personal Data outside the European Economic Area without the written instructions of the Customer. Notwithstanding the foregoing, SPS Global is expressly permitted and instructed by the Customer that it may transfer Personal Data to any other SPS Global Group Member and any other third parties, subject to first ensuring that adequate protections are in place to protect the Personal Data consistent with the requirements of the Privacy Laws. Recipient agrees to Applicable Data Protection Legislation; notify Provider within a period of 48 hours where Recipient the Customer without undue delay if it becomes aware of or reasonably suspects that a Personal Data has been or may have been lost, damaged or subject to unauthorized internal or external access or any other unlawful processing (a “Security Incident”) and to take reasonable steps to mitigate the impact of any such Security Incident. 
In the event that Recipient receives (i) any request from a data subject to exercise any of its rights under Privacy Laws Breach in relation to Personal Data (including its rights processed pursuant to this Agreement; taking into account the nature of access, correction, objection and erasure); and (ii) any other correspondence, inquiry or complaint received from a data subject, regulator or other third party in connection with the processing of Personal Data (collectively, "Correspondence"), it shall promptly inform Provider and the parties shall cooperate information available to SPS Global and the price paid by the Customer, assist the Customer in good faith as necessary to respond to such Correspondence and fulfill their respective obligations under Privacy Laws. Upon Provider’s request, Recipient shall restrict ensuring the processing of Personal Data identified by Provider. Recipient shall not transfer any Personal Data to a territory outside of the European Economic Area ("EEA") unless it has taken such measures as are necessary to ensure the transfer is in Customer's compliance with the Privacy Laws. Such measures may include transferring Customer's obligations under the Applicable Data Protection Legislation in relation to a country that the European Commission has decided provides adequate protection for personal data; Personal Data processed pursuant to a Recipient that has achieved binding corporate rules authorization in accordance with Privacy Laws; or to a Recipient that has executed standard contractual clauses adopted or approved by the European Commission. Recipient will not make any effort to identify individuals who are or may be the donors of the Original Material and may not combine Data or results of the Project with other data which may result in identification of a donor.this Agreement:

Appears in 1 contract

Sources: Service Agreement

Data Protection. 1.1 The Examiner acknowledges that in performing the Services, he or she may process Personal Data on behalf of the Institute (“Institute Data”). In such circumstances, the Examiner acknowledges that the Institute is the controller and the Examiner is a processor of such Institute Data, as each term is defined in Data Protection Law. The Examiner agrees that: (a) the Examiner shall process the Institute Data referred to in Recital C above, and such other Personal Data as the parties may agree in writing from time to time, on behalf of the Institute in the context of, and for so long as he or she is, performing the Services to the Institute. The obligations and rights of the Institute shall be as set out in this Data Processing Agreement; (b) the Examiner shall process such Institute Data in accordance with the documented instructions of the Institute; (c) the Examiner shall use all reasonable endeavours to maintain the confidentiality of the Institute Data; (d) the Examiner shall maintain reasonable security measures to ensure compliance with the data security obligations under Data Protection Law, and in line with the Guidelines for External Examiner on GDPR as provided to all Examiners. From time to time, and without prejudice to the Examiner’s obligation under this Clause 1.1(d), the Institute may circulate guidance on additional security measures which should be taken; (e) the Examiner shall not engage any sub-processors to undertake the processing of Institute Data on its behalf (in respect of which the Institute is the controller); (f) the Examiner shall, at the request and cost of the Institute (which costs shall be agreed in advance), assist the Institute in ensuring compliance with applicable obligations in respect of security of Institute Data, data protection impact assessments and prior consultation requirements under Data Protection Law; (g) the Examiner shall: (i) make available to the Institute all information necessary to demonstrate compliance with the obligations laid down in this Data Processing Agreement; and (ii) allow for and assist with audits, including inspections, conducted by the Institute or another party mandated by the Institute, in order to ensure compliance with the obligations laid down in this Data Processing Agreement, including his or her data security obligations under Data Protection Law; (h) the Examiner shall inform the Institute immediately if, in his or her opinion, he or she receives an instruction from the Institute which infringes Data Protection Law; (i) the Examiner shall notify the Institute without undue delay, and in any event within twenty-four (72) hours, after becoming aware of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Institute Data transmitted, stored or otherwise processed, in particular in relation to any loss of or damage to an examination script, and shall provide the Institute with such co-operation and assistance as may reasonably be required to mitigate against the effects of, and comply with any reporting obligations which may apply in respect of, any such breach; and (j) no Institute Data shall be transferred outside of the European Economic Area by the Examiner without the prior written consent of the Institute. 1.2 For the purposes of this Data Processing Agreement:

Appears in 1 contract

Sources: Data Processing Agreement

Data Protection. For purposes of this Agreement, “Data Controller”, “Personal Data”, “Processing” and “Data Subject” shall have the meanings ascribed to them as from May 25, 2018, in the EU General Data Protection Regulation (GDPR) (2016/679) and, before such date, in the data protection laws and requirements that apply to the parties in the different EU member states in relation to this Agreement as well as the Swiss Federal Act on Data Protection as of 19 June 1992 (FADP) (“Applicable Data Protection Laws”). Each Party acts as the Data Controller in respect of the Personal Data that they process in the context of this Agreement. Both Parties shall comply with their respective obligations under Applicable Data Protection Laws. For information on how ▇▇▇▇▇▇ Biomet may Process Grant Recipient’s Personal Data, the types of Personal Data ▇▇▇▇▇▇ Biomet may collect, how ▇▇▇▇▇▇ Biomet uses, shares and protects these Personal Data, Grant Recipient’s data protection rights, and how to contact ▇▇▇▇▇▇ Biomet about its privacy practices, the Grant Recipient shall review the Data Protection Notice (EMEA) provided by ▇▇▇▇▇▇ Biomet along with this Agreement. Grant Recipient shall provide all Grant Recipient personnel as well as health care professionals attending the Event(s) subject of this Agreement, whose personal data will be processed by ▇▇▇▇▇▇ Biomet with a copy of the Grant Recipient Data Protection Notice (EMEA) within 14 days from the occurrence of the Event(s) so that such Grant Recipient personnel or health care professionals attending the Event(s) can understand how their Personal Data will be processed by ▇▇▇▇▇▇ Biomet.
▇▇▇▇▇ Recipient acknowledges and agrees that certain Personal Data on Grant Recipient’s personnel or health care professionals attending the Event(s) may be disclosed, transferred to, or stored by ▇▇▇▇▇▇ Biomet, its group companies or third parties if such disclosure, transfer or storage is reasonably necessary or desirable for purposes of entering into or performing obligations under this Agreement. ▇▇▇▇▇ Recipient acknowledges and expressly agrees to the transfer of Grant Recipient’s and on behalf of its personnel, Grant Recipient’s personnel Personal Data outside of the European Economic Area and/or Switzerland to countries where the laws may not offer the same level of data protection as the country in which the Personal Data were initially collected. In that case, ▇▇▇▇▇▇ Biomet implements required mechanisms to ensure that the transferred Personal Data receive adequate levels of protection in accordance with applicable law.

Appears in 1 contract

Sources: Educational Grant Agreement

Data Protection. In as far as on the basis of this Agreement data are transferred by one Contracting Party (the "transferring Contracting Party") to the other Contracting Party (the "receiving Contracting Party") which are to be considered personal data according to the laws of the Contracting Parties, the following provisions shall apply in addition to national rules: (a) The receiving Contracting Party shall use the data only for the indicated purposes and under the conditions stipulated by the transferring Contracting Party and in no circumstances for any purpose outside the purposes for which the Agreement was concluded. (b) The receiving Contracting Party shall inform the transferring Contracting Party upon request of the use of the transferred data and the results obtained thereby. (c) Personal data transferred pursuant to this Agreement shall only be transferred to Competent Authorities. (d) If the law of the receiving Contracting Party allows exemptions from the provisions of paragraphs (a) - (c) of this Article, the operation of such exemptions shall require the prior permission of the transferring Contracting Party, which shall give its general consent in writing. (e) The transferring Contracting Party shall verify the correctness of the data to be transferred, as well as the necessity and the proportionality of the transfer prior to their transfer. Transfers prohibited under national law of either of the Contracting Parties shall remain prohibited. If incorrect data, or data whose transfer are forbidden, are transferred, the receiving Contracting Party shall be notified forthwith, whereupon the receiving Contracting Party shall correct or destroy the data as necessary. (f) Upon request, the subject of the personal data shall be informed about which data have been transferred and for which purposes. Requests for information by the subject of the personal data shall be treated in accordance with the national law of the Contracting Party in which the information is requested. (g) If the national law of the transferring Contracting Party contains time limits for the retention of personal data, the receiving Contracting Party shall be informed accordingly by the transferring Contracting Party. Regardless of such time limits, transferred personal data shall be destroyed when they are no longer capable of serving the purpose for which they had been transferred or when that purpose has been fulfilled. (h) The transferring and receiving authorities shall be obliged to record the transfer and receipt of personal data in written form. (i) The transferring and receiving Contracting Parties shall be obliged to protect transferred personal data against unauthorised access, unauthorised change and unauthorised publication.

Appears in 1 contract

Sources: Agreement on the Readmission of Persons

Data Protection. 8.1 Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause 8 is in addition to, and does not relieve, remove or replace, a party’s obligations under the Data Protection Legislation. 8.2 Without prejudice to the generality of clause 8.1, each party will ensure that it has all necessary appropriate consents and notices in place to enable lawful processing of the Personal Data for the duration and purposes of this Agreement. 8.3 Without prejudice to the generality of clause 8.1, each party (“Processor Party”) shall, in relation to any Personal Data processed in connection with the performance by the Processor Party of its respective obligations under this agreement: 8.3.1 process Personal Data in respect of which the other party (“Controller Party”) is Data Controller only on the written instructions of the Controller Party unless the Processor Party is required by the laws of any member of the European Union or by the laws of the European Union applicable to the Processor Party to process Personal Data (“Applicable Laws”). Where the Processor Party is relying on laws of a member of the European Union or European Union law as the basis for processing Personal Data, the Processor Party shall promptly notify the Controller Party of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Processor Party from so notifying the Controller Party; 8.3.2 ensure that it has in place appropriate technical and organisational measures, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it); 8.3.3 ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; and 8.3.4 not transfer any Personal Data to a territory outside of the United Kingdom or the European Economic Area unless the prior written consent of the Controller Party has been obtained and the following conditions are fulfilled: (a) the Controller Party or the Processor Party has provided appropriate safeguards in relation to the transfer; (b) the data subject has enforceable rights and effective legal remedies; (c) the Processor Party complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and (d) the Processor Party complies with reasonable instructions notified to it in advance by the Controller Party with respect to the processing of the Personal Data; 8.3.5 assist the Controller Party, at the Controller Party’s cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; 8.3.6 notify the Controller Party without undue delay on becoming aware of a Personal Data breach; 8.3.7 at the written direction of the Controller Party, delete or return Personal Data and copies thereof to the Controller Party on termination of the agreement unless it is a Legal Requirement to store the Personal Data; and 8.3.8 maintain complete and accurate records and information to demonstrate its compliance with this clause 8.
8.4 For processing of Personal Data in connection with this Agreement: the duration of the processing is the term or such longer period as is required by law; the subject matter, nature and purpose is the storage of Personal Data and the sharing of Personal Data between the parties and their respective Group Companies to allow performance of the parties' obligations pursuant to this agreement; types of Personal Data subject to processing pursuant to this agreement are names, addresses, email addresses, IP addresses; and the categories of data subject are Company and Consultant Company contact details, employees of the Company and the Individual or any Substitute. 8.5 [The Company agrees that any Substitute appointed under clause 3.3 is a third-party processor of personal data under this Agreement. The Consultant Company confirms that it will enter into a written agreement, which incorporates terms which are substantially similar to those set out in this clause 8 with the Substitute. The Consultant Company will remain fully liable for all acts or omissions of any third-party processor appointed by it under this clause 8.5.] 8.6 The Consultant Company will have liability for and will indemnify the Company and any Group Company for any loss, liability, costs (including legal costs), damages, or expenses resulting from any breach by the Consultant Company, the Individual or a Substitute of the Data Protection Legislation and will maintain in force full comprehensive Insurance Policies.

Appears in 1 contract

Sources: Consultancy Agreement

Data Protection. a. As part of providing the NoRamp Services, this Personal Data may be transferred to other regions, including to the United States. Such transfers will be completed in compliance with relevant Data Protection Legislation. b. When NoRamp Processes Personal Data in the course of providing the NoRamp Services, NoRamp will: i. Process the Personal Data as a Data Processor and/or Service Provider, only for the purpose of providing the NoRamp Services in accordance with documented instructions from you (provided that such instructions are commensurate with the functionalities of the NoRamp Services), and as may subsequently be agreed to by you. If NoRamp is required by law to Process the Personal Data for any other purpose, NoRamp will provide you with prior notice of this requirement, unless NoRamp is prohibited by law from providing such notice; ii. notify you if, in ▇▇▇▇▇▇’s opinion, your instruction for the Processing of Personal Data infringes applicable Data Protection Legislation; iii. notify you promptly, to the extent permitted by law, upon receiving an inquiry or complaint from a Supervisory Authority relating to NoRamp’s Processing of the Personal Data; iv. implement reasonable technical and organizational measures enabling you to execute Data Subject Requests that you are obligated to fulfill; v. implement and maintain appropriate technical and organizational measures to protect the Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorized or unlawful processing, accidental loss, destruction, damage or theft of Personal Data and appropriate to the nature of the Personal Data which is to be protected; vi. upon request, provide reasonable information to help the Customer complete the Customer’s data protection impact assessments. vii. provide you, upon request, with up-to-date attestations, reports or extracts thereof where available from a source charged with auditing NoRamp’s data protection practices (e.g. external auditors, internal audit, data protection auditors), or suitable certifications, to enable you to assess compliance with the terms of this Addendum; viii. notify you without undue delay upon becoming aware of and confirming any accidental, unauthorized, or unlawful processing of, disclosure of, or access to the Personal Data; ix. ensure that its personnel who access the Personal Data are subject to confidentiality obligations that restrict their ability to disclose the Customer Personal Data; and x. upon termination of the Agreement, NoRamp will promptly initiate its purge process to delete or anonymize the Personal Data. If you request a copy of such Personal Data within 60 days of termination, NoRamp will provide you with a copy of such Personal Data. c. In the course of providing the NoRamp Services, you acknowledge and agree that NoRamp may use Subprocessors to Process the Personal Data. NoRamp’s use of any specific Subprocessor to process the Personal Data must be in compliance with Data Protection Legislation and must be governed by a contract between NoRamp and Subprocessor that requires comparable protections to this Data Processing Addendum. If you object to the appointment of a Subprocessor you may terminate this agreement in accordance with our Terms and Conditions, if applicable.

Appears in 1 contract

Sources: Data Processing Addendum

Data Protection. 7.1 Where applicable, expressions defined in the Data Protection Legislation and used in this clause 7 shall have the meanings given to them in the Data Protection Legislation. 7.2 Both Parties shall jointly determine the purposes and means of processing Personal Data in relation to learners to whom the Centre is providing Qualifications to pursuant to this Agreement (“Learners”), including special categories of data (as referred to in Article 9(1) GDPR), and shall be joint controllers of that Personal Data (as referred to in Article 26 GDPR “Joint controllers”). 7.3 Pursuant to Article 26 GDPR, the Parties set out their respective responsibilities for compliance with the Data Protection Legislation herein: 7.3.1 The parties acknowledge Centre shall solely determine whether consent is required in order to process the Personal Data of learners save that personal data may Laser Learning Awards shall have the right to review any such determination and to require a different determination if it reasonably considers the Centre’s determination to be transferred contrary to the GDPR; 7.3.2 Where consent as envisaged in clause 7.3.1 above is determined to be required from learners, the Centre shall gain all necessary consents from Learners required by and in accordance with the Data Protection Legislation as is necessary for the provision of Qualifications under this agreement (“Agreement; 7.3.3 The Centre shall have the sole responsibility to provide the information required to be provided to Learners as set out in Articles 13 and 14 GDPR save that Laser Learning Awards shall have the right to review any information provided or proposed to be provided and to require different information to be provided if it reasonably considers the Centre’s information to be contrary to the GDPR; 7.3.4 The Centre shall be responsible for satisfying the rights of Learners as Data Subjects as set out in the GDPR. 
Laser Learning Awards shall assist the Centre in discharging this responsibility save that Laser Learning Awards shall have the right to require a different manner in which the Centre discharges or proposes to discharge its responsibility if it reasonably considers the Centre’s discharging to be contrary to the GDPR; 7.3.5 The Centre shall gather Personal Data as is necessary for the operation of this Agreement in accordance with the GDPR; 7.3.6 Laser Learning Awards shall process Personal Data as is necessary for the provision of services under this Agreement; and 7.3.7 The Centre shall make the essence of this arrangement in relation to the respective roles and relationships of the Parties as Joint controllers available to the relevant Data Subjects. 7.4 Each Party, as a Data Controller in relation to learners’ Personal Data shall comply with its respective obligations under the Data Protection Legislation in relation to that Personal Data and shall aid the other Party in its compliance.

Appears in 1 contract

Sources: Appointment Agreement

Data Protection. 15.1 ▇▇▇▇’s Privacy Policy explains how and for what purposes we collect, use, retain, disclose, and safeguard the Personal Data that the Client provides to Nium. The Client agree to the terms of ▇▇▇▇’s Privacy Policy, which Nium may update from time to time. 15.2 The Client represents and warrants to Nium that it has the legal right to disclose all Personal Data disclosed to Nium under or in connection with this Agreement. 15.3 Nium and the Client each acknowledges and agrees that they each act as independent data controller, or the equivalent under Data Protection Legislation in relation to the Personal Data they each Processes under or in connection with this Agreement. Each Party shall comply with its respective obligations under the Data Protection Legislation. 15.4 Nium and the Client shall each ensure that access to Personal Data is limited to Nium’s or the Client’s Personnel who have a reasonable need to access Personal Data to enable the Nium or the Client to perform its respective obligations under this Agreement.
15.5 If Nium or the Client receives or becomes aware of any of the following, it shall promptly notify the other Party of: (a) any breach of security or unauthorised access to Personal Data within forty eight (48) hours of becoming aware of such incident; and (b) any complaint, inquiry or request from a Data Subject or Data Protection Authority regarding Personal Data unless such notice is prohibited by Data Protection Legislation. 15.6 Each Party shall refrain from notifying or responding to any Data Subject or Data Protection Authority on behalf of the other Party unless (i) specifically requested to do so by the other Party in writing or (ii) by Data Protection Legislation. 15.7 The Client acknowledges and agrees that ▇▇▇▇, at its sole discretion, may disclose any Personal Data or transaction-related information to third parties in order to perform Nium’s obligations under this Agreement as required under Law, including but not limited to anti-money laundering, sanctions, or as may otherwise be required by Law.
Furthermore, such disclosure may be made to any Regulatory Authority, where such disclosure is made to satisfy routine governmental audit or examination requirements or as part of informational submissions required to be made to such Regulatory Authority in the ordinary course of business. 15.8 Nium may transfer Personal Data on a global basis as necessary to provide the Services. In particular, Nium may transfer any Personal Data to its Affiliates and sub-processors in other jurisdictions. Where Nium transfers Personal Data under this Agreement to a country or recipient not recognised as having an adequate level of protection for Personal Data according to Data Protection Legislation, Nium will comply with its obligations under Data Protection Legislation.

Appears in 1 contract

Sources: Nium Services Agreement

Data Protection. 9.1 The Consultant shall not either during or after the termination of this Agreement without limit in point of time divulge or communicate to any person or persons except to those staff of UCLan whose province it is to know the same any personal data, as defined in the Data Protection Act 1998 (and including, but without limitation, any sensitive personal data) relating to any living identifiable person or persons in whole or part or in any form which the Consultant may receive in connection with or for the purposes of any arrangements made by or pursuant to this Agreement (in this clause 9 “Personal Data”) and shall not (save for such purposes) process, use reproduce or disclose any Personal Data unless authorised by legislation or by the express written consent of UCLan and on such terms as UCLan may specify. The Consultant shall procure that its employees and agents (and for the avoidance of doubt, the Personnel) shall observe the provisions of this clause. 9.2 The Consultant shall take appropriate security measures in respect of all Personal Data in its possession or control. 9.3 Where the Consultant processes Personal Data on behalf of UCLan, the Consultant shall: 9.3.1 immediately at the request of UCLan stop processing all or any Personal Data, confirm any disclosures made in accordance with the terms of this Agreement (and provide copies, if required) and assist UCLan in responding to any enquiry by the Information Commissioner; 9.3.2 unless otherwise agreed in writing, only process Personal Data to the extent and in such a manner as is necessary for the provision of the Services or as is required by law; 9.3.3 implement appropriate technical and organisational measures to protect Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure; 9.3.4 promptly notify UCLan if the Consultant receives a request from a Data Subject (being an individual who is the subject of Personal Data) to have access to Personal Data, or any other request or complaint relating to UCLan’s obligations under the Data Protection Act, and provide full co-operation and assistance to UCLan in relation to any such request or complaint; and 9.3.5 permit UCLan or its duly authorised representative to inspect and audit the Consultant’s data processing activities under this Agreement, and comply with all reasonable requests or directions by UCLan to enable UCLan to verify and/or procure that the Consultant is in compliance with its obligations under this Agreement. 9.4 The Consultant shall comply with all and any data protection legislation and mandatory regulations as required from time to time by law.
9.5 The Consultant shall indemnify UCLan against all liability loss damage and expense of whatsoever nature incurred or suffered by UCLan or any third party as a result of any breach of any data protection legislation, regulations, codes of practice, guidance and requirements of government or governmental agency by the Consultant (including the Personnel and employees and agents of the Consultant). 9.6 The provisions of this clause 9 shall continue in effect notwithstanding termination of this Agreement for any reason.

Appears in 1 contract

Sources: Consultancy Agreement

Data Protection. 8.1 The Merchant acknowledges and agrees that details of the Merchant's name, address and payment record may be submitted to a credit reference agency and personal data will be processed by and on behalf of Handepay and its suppliers in connection with the Services. 8.2 Each party shall comply with its respective obligations under the Data Protection Legislation and as specified in this clause 8. Neither party shall do any act that puts the other party in breach of its obligations set out in this clause 8 and nothing in this Agreement shall be deemed to prevent any party from taking the steps it reasonably deems necessary to comply with the Data Protection Legislation. 8.3 The parties acknowledge and agree that Handepay processes personal data on the Merchant’s behalf when performing its obligations under this Agreement, and the parties record their intention that the Merchant shall be the data controller and Handepay shall be a data processor and in any such case: 8.3.1 the Merchant shall ensure that it is entitled to transfer the relevant personal data to Handepay so that Handepay may lawfully use, process and transfer the personal data in accordance with this Agreement on the Merchant's behalf; 8.3.2 the Merchant shall ensure that the relevant third parties have been informed of, and have given their consent to, such use, processing, and transfer as required by all applicable data protection legislation; 8.3.3 the Merchant agrees that Handepay can appoint a sub-contractor to process the personal data (and at this date that sub-contractor is Cardstream Partners Limited and if the sub-contractor changes Handepay will notify the Merchant), but shall ensure that any contract with the sub-contractor reflects the terms of this clause 8.
8.3.4 Handepay agrees that it will i. only process the personal data in accordance with instructions from the Merchant, which may be specific instructions or standing instructions of general application in relation to the Services, whether set out in this Contract or otherwise notified to Cardstream; ii. unless otherwise agreed in writing, only process the personal data to the extent and in such manner as is necessary for the provision of the Services or as is required by law or any regulatory body or otherwise as appropriate including where necessary involving credit reference, fraud prevention and law enforcement agencies and other organisations in relation to preventing fraud and money laundering; iii. maintain sufficient technical and organisational measures to prevent unauthorised or unlawful processing of personal data and to prevent any loss, destruction or unauthorised disclosure of personal data having regard to the nature of the personal data to be protected and inform the Merchant promptly and in any event within 48 hours of any breach of security affecting or compromising the Merchant's personal data; iv.
promptly notify the Merchant if it receives a request from a data subject (as defined in the Data Protection Legislation) to have access to personal data or any other complaint or request relating to the Merchant’s obligations under the Data Protection Legislation and provide full co-operation and assistance to the Merchant in relation to any such complaint or request (including, without limitation, by allowing data subjects to have access to their personal data); v. not transfer the personal data outside of the EEA without the consent of the Merchant; and vi. otherwise provide reasonable assistance to the Merchant as necessary to allow the Merchant to comply with the Data Protection Legislation. 8.4 The Merchant warrants and undertakes that any instructions given by it to Handepay (whether specific or non-specific) in respect of personal data shall at all times be in accordance with the requirements of the Data Protection Legislation and that compliance with such instructions by Handepay in its provision of the Services shall not put the Merchant or Handepay in breach of the Data Protection Legislation.
8.5 The Merchant recognises that a breach of the Data Protection Legislation would severely impact the reputation and shareholder value of Handepay and therefore agrees that it will on demand fully and effectively indemnify Handepay and keep Handepay fully indemnified against any loss, liability and costs incurred as a result of any breach of the Data Protection Legislation by the Merchant. 8.6 Any obligation on Handepay or the Merchant under this clause 8 to do, or refrain from doing, any act or thing shall include an obligation on Handepay or the Merchant respectively to procure that its employees, agents and sub-contractors (if any) also do, or refrain from doing, such act or thing. 8.7 As a data processor, Handepay will process personal data in accordance with its Privacy Policy. A copy of the Policy is available on the Handepay website and an electronic copy can be requested at any time.

Appears in 1 contract

Sources: Gateway Services Agreement

Data Protection. 2.1 Both parties will comply with all applicable requirements of the Data Protection Legislation. 2.2 The parties acknowledge that for the purposes of the Data Protection Legislation, the 3DCrowd is the Controller and the Volunteer Admin/Coordinator is the Processor. 2.3 The scope, nature and purpose of processing by the Volunteer Admin/Coordinator, the duration of the processing and the types of Personal Data and categories of Data Subject are set out in the attached Schedule. 2.4 3DCrowd will ensure that it has all necessary consents and notices in place to enable lawful transfer of the Personal Data to the Volunteer Admin/Coordinator for the duration and purposes of this Agreement. 2.5 The Volunteer Admin/Coordinator shall, in relation to any Personal Data processed under the Terms of Service and this Agreement: (a) only process the Data as strictly necessary to provide the Service, or as otherwise instructed in writing by 3DCrowd; (b) ensure that it has in place appropriate technical and organisational measures, reviewed and approved by 3DCrowd, to protect against unauthorised or unlawful processing of Personal Data and/or a Personal Data Breach, appropriate to the harm that might result; (c) if the Volunteer Admin/Coordinator is a company or organisation, ensure that all personnel who process Personal Data are obliged to keep the Personal Data confidential; (d) not transfer any Personal Data outside of the United Kingdom or European Economic Area without the prior written consent of 3DCrowd; (e) pass any requests relating to Data Subjects' rights to 3DCrowd as soon as practicable without responding directly unless 3DCrowd provides written permission, and assist 3DCrowd, at 3DCrowd's cost, in responding to any such requests; (f) assist 3DCrowd, at 3DCrowd's cost, in ensuring compliance with its obligations under Data Protection Legislation with respect to security, data protection impact assessments and consultations with supervisory authorities; (g) notify 3DCrowd without undue delay on becoming aware of a Personal Data Breach; (h) at the written direction of 3DCrowd, delete or return Personal Data and copies thereof to 3DCrowd on termination of the Agreement; and (i) provide to 3DCrowd on request all information necessary to demonstrate its compliance with this Agreement. (j) 3DCrowd does not consent to the Volunteer Admin/Coordinator appointing any third party processor of Personal Data under this Agreement, with the exception of the use of mainstream consumer-facing products that are considered market standard in the UK e.g.

Appears in 1 contract

Sources: Data Processing Agreement

Data Protection. a. Data Ownership- The Department will own all rights, title, and interest in its data that is related to this Agreement. The Provider shall not access public jurisdiction user accounts or public jurisdiction data, except (1) in the course of data center operations, (2) in response to service or technical issues, (3) as required by the express terms of this contract, or (4) at the Department’s written request. b. Loss of Data- In the event of loss of any Department data or records where such loss is due to the intentional act, omission, or negligence of the Provider or any of its subcontractors or agents, the Provider shall be responsible for recreating such lost data in the manner and on the schedule set by the Department.
The Provider shall ensure that all data is backed up and is recoverable by the Licensee. In accordance with prevailing federal or Department law or regulations, the Provider shall report the loss of non-public data as directed in this agreement. c. Protection of data and personal privacy (as further described and defined in this agreement) shall be an integral part of the business activities of the Provider to ensure there is no inappropriate or unauthorized use of Department information at any time. To this end, the Provider shall safeguard the confidentiality, integrity, and availability of Department information as further indicated in this section. d. The Provider shall implement and maintain appropriate administrative, technical, and organizational security measures to safeguard against unauthorized access, disclosure, or theft of Confidential Information and non-public data. Such security measures shall be in accordance with recognized industry practice and not less stringent than the measures the Provider applies to its own Confidential Information and non-public data of similar kind. e. All Confidential Information shall be encrypted at rest and in transit with controlled access, including back-ups. Unless otherwise stipulated, the Provider is responsible for the encryption of the Confidential Information. All data collected or created in the performance of this contract shall become and remain property of the Department. f. Unless otherwise stipulated, the Provider shall encrypt all non-public data at rest and in transit. The Department shall identify to the Provider the data it deems non-public. The level of protection and encryption for all non-public data shall be identified and made a part of this Agreement. g.
At no time shall any data or processes – that either belong to or are intended for the use of the Department or its officers, agents or employees – be copied, disclosed, or retained by the Provider or any party related to the Provider for subsequent use in any transaction that does not include the Department. h. The Provider shall not use any information collected in connection with the service issued under this Agreement for any purpose other than fulfilling the service.

Appears in 1 contract

Sources: Medical Marijuana Application Programming Interface User Agreement

Data Protection. 16.1 Each party shall comply with all applicable requirements of the Data Protection Legislation. This clause is in addition to, and does not relieve, remove or replace, a party’s obligations under the Data Protection Legislation. 16.2 The Organiser and Sponsor acknowledge that for the purposes of the Data Protection Legislation, either party may be the Data Controller depending upon what is specified in the Order Form. 16.3 Without prejudice to the generality of clause 16.1, the Data Controller shall ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of Personal Data to the Data Processor for the duration and purposes of this Agreement. 16.4 Without prejudice to the generality of clause 16.1, the Data Processor shall, in relation to any Personal Data processed in connection with the performance by it of its obligations under this agreement: (a) process that Personal Data only on the written instructions of the Data Controller unless the Data Processor is required by the laws of any member of the European Union or by the laws of the European Union applicable to the Data Processor to process Personal Data (Applicable Laws).
Where the Data Processor is relying on laws of a member of the European Union or European Union law as the basis for processing Personal Data, the Data Processor shall promptly notify the Data Controller of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Data Processor from so notifying the Data Controller; (b) ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the Data Controller, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it);
(c) ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; and (d) not transfer any Personal Data outside of the European Economic Area unless the prior written consent of the Data Controller has been obtained and the following conditions are fulfilled: (i) the Data Controller or the Data Processor has provided appropriate safeguards in relation to the transfer; (ii) the data subject has enforceable rights and effective legal remedies; (iii) the Data Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and (iv) the Data Processor complies with reasonable instructions notified to it in advance by the Data Controller with respect to the processing of the Personal Data;

Appears in 1 contract

Sources: Event Sponsorship Agreement

Data Protection. 15.1 ▇▇▇▇’s Privacy Policy explains how and for what purposes we collect, use, retain, disclose, and safeguard the Personal Data that the Client provides to Nium. The Client agrees to the terms of ▇▇▇▇’s Privacy Policy, which Nium may update from time to time. 15.2 The Client represents and warrants to Nium that it has the legal right to disclose all Personal Data disclosed to Nium under or in connection with this Agreement. 15.3 Nium and the Client each acknowledges and agrees that they each act as independent data controller, or the equivalent under Data Protection Legislation in relation to the Personal Data they each Processes under or in connection with this Agreement. Each Party shall comply with its respective obligations under the Data Protection Legislation. 15.4 Nium and the Client shall each ensure that access to Personal Data is limited to Nium’s or the Client’s Personnel who have a reasonable need to access Personal Data to enable the Nium or the Client to perform its respective obligations under this Agreement.
15.5 If Nium or the Client receives or becomes aware of any of the following, it shall promptly notify the other Party of: (a) any breach of security or unauthorised access to Personal Data within forty eight (48) hours of becoming aware of such incident; and (b) any complaint, inquiry or request from a Data Subject or Data Protection Authority regarding Personal Data unless such notice is prohibited by Data Protection Legislation. 15.6 Each Party shall refrain from notifying or responding to any Data Subject or Data Protection Authority on behalf of the other Party unless (i) specifically requested to do so by the other Party in writing or (ii) by Data Protection Legislation. 15.7 The Client acknowledges and agrees that ▇▇▇▇, at its sole discretion, may disclose any Personal Data or transaction-related information to the Program Bank or third parties in order to perform Nium’s obligations under this Agreement as required under Law, including but not limited to anti-money laundering, sanctions, or as may otherwise be required by Law.
Furthermore, such disclosure may be made to any Regulatory Authority, where such disclosure is made to satisfy routine governmental audit or examination requirements or as part of informational submissions required to be made to such Regulatory Authority in the ordinary course of business. 15.8 Nium may transfer Personal Data on a global basis as necessary to provide the Services. In particular, Nium may transfer Personal Data to its Affiliates and sub-processors in other jurisdictions. Where Nium transfers Personal Data under this Agreement to a country or recipient not recognised as having an adequate level of protection for Personal Data according to Data Protection Legislation, Nium will comply with its obligations under Data Protection Legislation.

Appears in 1 contract

Sources: Nium Services Agreement

Data Protection. 7.1 You will ordinarily be the Controller and We will be the Processor in respect of all Personal Data provided under this Agreement. 7.2 The parties shall at all times comply with any and all Data Protection Legislation. 7.3 To the extent that We are the Processor, We shall: 7.3.1 process the Personal Data in compliance with Your documented instructions from time to time unless We are required to do otherwise by law in which case We shall inform You about that legal requirement before processing, unless We are prohibited by law to do so on grounds of public interest; 7.3.2 process the Personal Data only to the extent necessary for the proper performance of this Agreement and We shall not process the Personal Data for any other purpose whatsoever;
7.3.3 taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, We will implement the appropriate technical and organisational measures (including, where relevant, those prescribed elsewhere in this Agreement) to ensure a level of security appropriate to the risk and to protect the Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, and against all other unlawful forms of Processing; 7.3.4 take reasonable steps to ensure the reliability of any of Our personnel who have access to the Personal Data; that only those personnel who need to have access to the Personal Data are granted access to it; that such access is granted only for the purposes of the proper performance of this Agreement; and that such personnel are informed by Us of (and have committed themselves to) the confidential nature of the Personal Data and comply with the obligations set out in this clause 7;
7.3.5 notify You without undue delay from the time it comes to Our attention, that any Personal Data has been the subject of accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, or any other unlawful form of Processing; 7.3.6 taking into account the nature of the Processing, assist You by appropriate technical and organisational measures, in so far as this is possible, for the fulfilment of Your obligations to respond to requests for exercising the data subject’s rights laid down in Chapter III of the GDPR provided that any costs incurred in relation to such assistance shall be borne exclusively by You;
7.3.7 assist You in ensuring compliance with the obligations pursuant to Articles 32 (Security of processing) to Article 36 (Prior consultation) of the GDPR taking into account the nature of processing and the information available to Us and provided that any costs incurred in relation to such assistance shall be borne exclusively by You; and 7.3.8 not retain the Personal Data for longer than is necessary to properly perform the Services and/or make the Services available and/or meet Our obligations under this Agreement and, upon expiry or termination of this Agreement for any reason whatsoever, or at any other time at Your request, securely destroy or immediately return to You any and all Personal Data provided that such secure destruction or return does not prevent Us from fulfilling Our obligations under this Agreement. 7.4 We may, in some limited circumstances, act as a Controller and collect, Process and use Personal Data. To the extent that We are a Controller, We shall: 7.4.1 only process that Personal Data solely for the purpose of providing the Services and/or making the Services available, and for no other use, unless expressly authorised in writing by You; and 7.4.2 implement the appropriate technical and organisational measures (including, where relevant, those prescribed elsewhere in this Agreement) to protect the Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, and against all other unlawful forms of Processing.
7.5 You hereby agree and acknowledge that We may decide to store Personal Data on servers outside of the European Economic Area for business or operational reasons. In the event that We do this, We will use reasonable endeavours to ensure that such Personal Data is secure and ensure that any transfer of Personal Data outside the European Economic Area is compliant with Data Protection Legislation. 7.6 In the event of any change in the Data Protection Legislation subsequent to the date of signature of this Agreement (including, but not limited to, the coming into force of the European General Data Protection Regulation), We shall take such steps (including agreeing to additional obligations, executing additional documents and/or doing all such acts and things) at Our sole cost and expense as may be necessary to ensure that the Processing of Personal Data under this Agreement continues to comply with the Data Protection Legislation. 7.7 The parties agree that the subject matter, duration, nature and purpose of processing, the type of Personal Data and the categories of data subject are set out in Schedule 5. 7.8 We shall keep at Our normal place of business records relating to the processing of the Personal Data insofar as it is necessary to demonstrate compliance with Our obligations under this clause 7 ("Records").
We shall permit You, on reasonable notice, to gain access to and take copies of, the Records at Our premises and inspect those Records provided that: 7.8.1 Such records shall only be made available to the extent the same is necessary for us to discharge our obligations pursuant to the GDPR (and, in particular, Article 28(3)(h) of the GDPR); 7.8.2 You shall use the Records for no other purpose except the purpose of auditing Our compliance with Our obligations under this clause 7 only; 7.8.3 You shall carry out such inspection as soon as possible after the Records have been made available to you and then return copies of the same to Us as soon as possible after completion of such inspection; and 7.8.4 You shall exercise Your rights under this clause 7.8 with as little disturbance to Our business operations as possible. 7.9 This clause 7.9 only applies to the extent we are acting as Your Processor. You give to Us general authorisation to engage Our existing sub-processors as at the Commencement Date to process the Personal Data on Our behalf. We shall not engage any additional processor (or change our existing sub-processors) without Your prior authorisation and without acting in accordance with the provisions of this clause 7.9. We will notify You of the identity of any proposed new sub-processor following which You shall either approve or reject the appointment of such sub-processor (and any such approval shall not be unreasonably withheld).
7.10 If You reject such appointment, or We do not receive a response from you within 5 Business Days of Our notice, We shall not sub-contract any of Our obligations under this clause 7 to such proposed sub-processor and We reserve the right to terminate this Agreement on written notice. 7.11 If You approve the appointment of such sub-processor under that clause, then before such appointment takes effect, We shall enter into and maintain for the duration of such appointment a written agreement with such sub-processor which includes terms that are similar to those set out in this clause 7.

Appears in 1 contract

Sources: Services Agreements

Data Protection. The Contractor acknowledges that Personal Data described in the scope of the Schedule Part 4 (Data Protection) may be Processed in connection with the Project. For the purposes of any such Processing, the Parties agree that the Contractor acts as the Data Processor and the Client acts as the Data Controller.
Both Parties agree to negotiate in good faith any such amendments to this Agreement that may be required to ensure that both Parties meet all their obligations under Data Protection Laws. The provisions of this Clause 11 are without prejudice to any obligations and duties imposed directly on the Contractor under the Data Protection Laws and the Contractor hereby agrees to comply with those obligations and duties. The Contractor will, in conjunction with the Client and in its own right and in respect of the Project, make all necessary preparations to ensure it will be compliant with the Data Protection Laws. The Contractor will provide the Client with the contact details of its data protection officer or other designated individual with responsibility for data protection and privacy to act as the point of contact for the purpose of observing its obligations under the Data Protection Laws. The Contractor must: Process Personal Data only as necessary in accordance with obligations under the Contract and any written instructions given by the Client (which may be specific or of a general nature), including with regard to transfers of Personal Data outside the European Economic Area unless required to do so by European Union or Member state law or Regulatory Body to which the Contractor is subject; in which case the Contractor must inform the Client of that legal requirement before Processing unless prohibited by that law the Personal Data only to the extent, and in such manner as is necessary for the performance of the Contractor’s obligations under this Agreement or as is required by the law;
Subject to clause 11.5.1 only Process or otherwise transfer any Personal Data in or to any country outside of the European Economic Area with the Client’s prior written consent; Take all reasonable steps to ensure the reliability and integrity of any Supplier personnel who have access to the Personal Data and ensure that the Contractor personnel: are aware of and comply with the Contractor’s duties under this clause; are subject to appropriate confidentiality undertakings with the Contractor or the relevant sub-contractor; are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Client or as otherwise permitted by this Agreement; and have undergone adequate training in the use, care, protection and handling of Personal Data. implement appropriate technical and organisational measures including those in accordance with Article 32 of the GDPR to protect Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure, such measures being appropriate to the harm which might result from any unauthorised or unlawful Processing accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected. The Contractor shall not engage a sub-contractor to carry out Processing in connection with the Project without prior specific or general written authorisation from the Client.
In the case of general written authorisation, the Contractor must inform the Client of any intended changes concerning the addition or replacement of any other sub-contractor and give the Client an opportunity to object to such changes. If the Contractor engages a sub-contractor for carrying out Processing activities on behalf of the Client, the Contractor must ensure that same data protection obligations as set out in this Agreement are imposed on the sub-contractor by way of a written and legally binding contract, in particular providing sufficient guarantees to implement appropriate technical and organisational measures. The Contractor shall remain fully liable to the Client for the performance of the sub-contractor’s performance of the obligations. The Contractor must provide to the Client reasonable assistance including by such technical and organisational measures as may be appropriate in complying with Articles 12-23 of the GDPR. The Contractor must notify the Client if it: receives a Data Subject Access Request (or purported Data Subject Access Request); receives a request to rectify, block or erase any Personal Data; receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Laws; receives any communication from the Supervisory Authority or any other regulatory authority in connection with Personal Data Processed under this Contract; or receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by law or regulatory order; and such notification must take place as soon as is possible but in any event within 3 business days of receipt of the request or any other period as agreed in writing with the Client from time to time.

Appears in 1 contract

Sources: Conditions of Contract for Social Research

Data Protection. 16.1 The parties agree that: 16.1.1 the provisions of this clause 16 shall apply to any personal data which is included in the Data (“Relevant Data”); and 16.1.2 the Licensee is the data controller and the Licensor is the data processor in respect of any Relevant Data the Licensor processes in connection with the Agreement. 16.2 Where required by data protection laws, the parties shall include in the Agreement a description of the relevant processing activities to be carried out by the Licensor in relation to the Relevant Data (including the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data being processed, the categories of data subjects and the obligations and rights of the Licensee as data controller) via a written amendment agreed and signed by both parties.
16.3 Each party undertakes to comply in all material respects with all of its obligations under applicable data protection laws which arise in connection with the processing of Relevant Data in accordance with the Agreement, and to not knowingly act in a way that causes the other party to be in breach of its own obligations under applicable data protection laws with respect to the Relevant Data. 16.4 The Licensee hereby consents to the processing of the Relevant Data outside of the European Economic Area. Relevant Data may be transferred in order for the Licensor to manage certain security processes such as access control and for disaster recovery purposes. The Licensor considers that such transfers will be necessary for the efficient and effective performance of the Licensor’s obligations under the Agreement.
16.5 If the Licensor becomes aware of any accidental, unauthorised or unlawful destruction, loss, alteration, disclosure of or access to any Relevant Data that it processes in connection with the Agreement (a Security Incident) it shall promptly, but in all cases within three days, notify the Licensee and provide the Licensee with all reasonable assistance and co-operation that it requires in connection with the Security Incident. 16.6 Where a third party processing Relevant Data on behalf of the Licensor, including any the Licensor group company or subcontractor fails to fulfil its obligations under any sub-processing agreement or any applicable data protection laws, the Licensor shall remain fully liable to the Licensor for the fulfilment of the Licensor’s obligations under the Agreement.

Appears in 1 contract

Sources: Software License Agreement

Data Protection. 16.1 Notwithstanding the remainder of this clause 16, each Party shall comply with all applicable obligations imposed by, and all requirements under, the Data Protection Laws. 16.2 Without prejudice to the generality of clause 1, where either Party (the "Disclosing Party") or its employee or representative discloses Personal Data to the other (the "Recipient") in connection with the operation of this Contract, the Disclosing Party will ensure that it obtains all necessary consents from the Data Subject, or alternatively that it only discloses the Personal Data on the basis of some other valid ground provided for in the Data Protection Laws, such that the Personal Data it provides to the Recipient can be lawfully used or disclosed by the Recipient in the manner and for the purposes anticipated by this Contract. 16.3 Although the Parties acknowledge that the Data Protection Laws ultimately determine status, the Parties are of the view that they shall each be controllers (as defined in the Data Protection Laws) in respect of Shared Personal Data that they receive pursuant to this Contract. 16.4 Without prejudice to the Disclosing Party's obligations under clauses 16.2 and 16.5, the Parties shall ensure that they process and share the Shared Personal Data fairly and lawfully in accordance with the Data Protection Laws. Each Party shall only use Shared Personal Data for the purposes of performing its obligations, and exercising its rights, under the Contract.
16.5 The Disclosing Party shall ensure that fair processing notices are provided to the Data Subjects in accordance with the Data Protection Laws, including that they are clear and provide sufficient information to the Data Subjects for them to understand what Personal Data the Disclosing Party is sharing with the Recipient, the circumstances in which it will be shared, the purposes for the data sharing and either the identity of the Recipient or a description of the types of organisation (that includes the Recipient) that will receive the Personal Data. The information provided by the Disclosing Party to Data Subjects shall be detailed enough that the Data Protection Laws are complied with and so that the Recipient need not provide any information to the Data Subject in order to comply with the Data Protection Laws (including Article 14 of GDPR). 16.6 Each Party is responsible for maintaining a record of individual requests for Personal Data, or other requests from Data Subjects to exercise their rights under the Data Protection Laws, the decisions made and any information that was exchanged. Records must include copies of the request, details of the data accessed and shared and, where relevant, notes of any meeting, correspondence or phone calls relating to the request.
16.7 The Parties agree to provide reasonable assistance to each other to enable them to comply with the Data Protection Laws including, but not limited to, subject access requests or any other exercise by a Data Subject of its rights under the Data Protection Laws and to respond to any other queries or complaints from Data Subjects or regulators. 16.8 Having regard to the state of technological development and the cost of implementing such measures, each Party shall have in place appropriate technical and organisational security measures in order to: (a) prevent: (i) unauthorised or unlawful processing of the Shared Personal Data; and (ii) the accidental loss or destruction of, or damage to, the Shared Personal Data; and (b) ensure a level of security appropriate to: (i) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage; and (ii) the nature of the Shared Personal Data to be protected. 16.9 Each Party shall promptly notify the other Party of any personal data breach (as defined in GDPR) which affects, or may affect, Shared Personal Data obtained from that other Party and shall provide such additional information and assistance as the other Party may request in order to comply with Data Protection Laws.
16.10 The Supplier shall indemnify Exterion Media on demand against any and all losses, liabilities, claims, proceedings, settlement, damages, costs, regulatory fines and expenses arising out of or in connection with any breach by the Supplier of its obligations under this clause 15 or under the Data Protection Laws.

Appears in 1 contract

Sources: Terms and Conditions

Data Protection. 5.1 Each party shall comply with its obligations under the Data Protection Legislation in connection with its activities under this Agreement. 5.2 If Rittman ▇▇▇▇ Processes any Personal Data on the Client’s behalf when performing its obligations under this Agreement, the Client shall be the Data Controller and Rittman ▇▇▇▇ shall be a Data Processor and in any such case: (a) Client shall ensure that the Client is entitled to transfer the Personal Data to ▇▇▇▇▇▇▇ ▇▇▇▇; (b) ▇▇▇▇▇▇▇ ▇▇▇▇ shall only the Personal Data in accordance with the terms of this Agreement and any instructions given by the Client from time to time; (c) Rittman ▇▇▇▇ shall take appropriate technical and organisational measures against unauthorised or unlawful Processing of the Personal Data or its accidental loss, destruction or damage; (d) Rittman ▇▇▇▇ shall ensure that only those of its personnel and Permitted Sub-processors who may be required to assist in it meeting its obligations under this Agreement shall have access to the Personal Data; (e) Rittman ▇▇▇▇ shall promptly carry out any request from Client requiring Rittman ▇▇▇▇ to amend, transfer or delete the Personal Data or any part of the Personal Data; (f) ▇▇▇▇▇▇▇ ▇▇▇▇ shall notify Client immediately upon receiving any notice or communication from any Data Subject, supervisory or government body which relates directly or indirectly to the Processing of the Personal Data; (g) Rittman ▇▇▇▇ shall assist Client promptly with all subject access requests which may be received from Data Subjects and shall not respond to any such request without the consent of Client; (h) Rittman ▇▇▇▇ shall provide to Client a copy of the Personal Data if requested in writing by Client.
5.3 Rittman ▇▇▇▇ may transfer any Personal Data outside the EEA or the UK provided that ▇▇▇▇▇▇▇ ▇▇▇▇ ensures that such transfer is covered by an Adequacy Decision and/or Rittman ▇▇▇▇ has ensured appropriate safeguards are in place to govern such transfer in accordance with the Data Protection Legislation such as Standard Contractual Clauses or binding corporate rules. Rittman ▇▇▇▇ will provide Client with details of any such transfers on written request.

Appears in 1 contract

Sources: Service Agreement

Data Protection. This agreement sets out the framework for the sharing of personal data between the parties as data controllers. Each party acknowledges that one party (the Data Discloser) will regularly disclose to the other party (the Data Recipient) Shared Personal Data collected by the Data Discloser for the Agreed Purposes. The First Company and the Second Company acknowledge that for the purpose of the Data Protection Legislation, each party is both a controller and a processor. Each party shall comply with all the obligations imposed on a controller and a processor (as applicable) under the Data Protection Legislation, and any material breach of the Data Protection Legislation by one party shall, if not remedied within 30 days of written notice from the other party, give grounds to the other party to terminate this agreement with immediate effect. Annex A describes the subject matter, duration, nature and purpose of processing and the Personal Data categories and Data Subject types in respect of which the parties may process to fulfil the Agreed Purposes. Each party shall: Ensure that it has all necessary notices and consents in place to ensure the lawful transfer of the Shared Personal Data to the Permitted Recipients for the Agreed Purposes; Give full information to any Data Subject whose Personal Data may be processed under this Agreement about the nature of such processing. This includes giving notice that, on the termination of this agreement, Personal Data relating to them may be retained by or, as the case may be, transferred to one or more of the Permitted Recipients, their successors and assignees; Process the Shared Personal Data only for the Agreed Purposes; Not disclose or allow access to the Shared Personal Data to anyone other than the Permitted Recipients; Ensure that all Permitted Recipients are subject to written contractual obligations concerning the Shared Personal Data (including obligations of confidentiality) which are no less onerous than those imposed by this agreement; Ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the other party on request, to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. In each case of the sharing of Shared Personal Data by the Data Discloser to the Data Recipient: The Data Recipient will only process the Shared Personal Data to the extent, and in such a manner, as is necessary for the Agreed Purposes and otherwise in accordance with the Data Discloser’s written instructions.
The Data Recipient will not process the Personal Data for any other purpose or in a way that does not comply with this Agreement or the Data Protection Legislation. Each party must promptly notify the other party if, in its reasonable opinion, the other party’s instruction would not comply with the Data Protection Legislation. The Data Recipient must promptly comply with any request or instruction from the Data Discloser requiring the Data Recipient to amend, transfer, delete or otherwise process the Shared Personal Data, or to stop, mitigate or remedy any unauthorised processing. The Data Recipient will maintain the confidentiality of all Shared Personal Data and will not disclose Shared Personal Data to third parties unless the Data Discloser or this Agreement specifically authorises the disclosure, or as required by law. If a law, court, regulator or supervisory authority requires the Data Recipient to process or disclose Shared Personal Data, the Data Recipient must first inform the Data Discloser of the legal or regulatory requirement and give the Data Discloser an opportunity to object or challenge the requirement, unless the law prohibits such notice. The Data Recipient will reasonably assist the Data Discloser with meeting the Data Discloser’s compliance obligations under the Data Protection Legislation, taking into account the nature of the Data Recipient’s processing and the information available to the Data Discloser, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with supervisory authorities under the Data Protection Legislation.
The Data Recipient will use compatible technology for the processing of Shared Personal Data to ensure that there is no lack of accuracy relating to personal data transfers. The parties will ensure that all of their employees: are informed of the confidential nature of the Shared Personal Data and are bound by confidentiality obligations and use restrictions in respect of the Shared Personal Data; have undertaken training on the Data Protection Legislation relating to handling Shared Personal Data and how it applies to their particular duties; and are aware both of the parties’ duties and their personal duties and obligations under the Data Protection Legislation and this Agreement.

Appears in 1 contract

Sources: Personal Data Sharing and Processing Agreement

Data Protection. Where SurveyMonkey is processing Personal Data for Customer, SurveyMonkey will: (a) only do so on documented Customer instructions and in accordance with applicable law, including with regard to transfers of Personal Data to other jurisdictions or an international organization, and the parties agree that these Terms of Use constitute such documented instructions of the Customer to SurveyMonkey to process Customer Data; (b) to the extent applicable, for data transfers SurveyMonkey Europe UC relies upon the Standard Contractual Clauses and/or consent for personal data transfers to countries that do not have adequate levels of data protection as determined by the European Commission, United Kingdom or other jurisdictions which approve and require Standard Contractual Clauses; (c) with respect to any transfers of Personal Data out of the European Economic Area ("EEA"), the United Kingdom or other country requiring Standard Contractual Clauses, that may be required in relation to or in connection with the Terms of Use and the provision of the Services hereunder, the parties shall comply with and be subject to all obligations imposed on a ‘data importer’ or 'data exporter' (as appropriate) as set out under the Standard Contractual Clauses; (d) ensure that all SurveyMonkey personnel involved in the processing of Personal Data are subject to confidentiality obligations in respect of the Personal Data; (e) make available information necessary for Customer to demonstrate compliance with its Article 28 obligations (if applicable to the Customer) where such information is held by SurveyMonkey and is not otherwise available to Customer through its account and user areas or on SurveyMonkey websites, provided that Customer provides SurveyMonkey with at least 14 days' written notice of such an information request; (f) cooperate as reasonably
requested by Customer to enable Customer to comply with any exercise of rights by a Data Subject afforded to Data Subjects by Data Protection Legislation in respect of Personal Data processed by SurveyMonkey in providing the Services; (g) provide assistance, where necessary with all requests received directly from a Data Subject in respect of a Data Subject's Personal Data submitted through the Services; (h) upon deletion, by you, not retain Customer Personal Data from within your account other than in order to comply with applicable laws and regulations and as may otherwise be kept in routine backup copies made for disaster recovery and business continuity purposes subject to our retention policies; (i) cooperate with any supervisory authority or any replacement or successor body from time to time (or, to the extent required by the Customer, any other data protection or privacy regulator under Data Protection Legislation) in the performance of such supervisory authority's tasks where required; (j) not store Personal Data (in a format that permits identification of relevant Data Subjects) for longer than is necessary for the purposes for which the data is processed save to the extent such retention is required for legitimate business purposes (with respect to, for example, security and billing), in order to comply with applicable laws and regulations and as may otherwise be kept in routine backup copies made for disaster recovery and business continuity purposes; (k) where required by Data Protection Legislation, inform Customer if it comes to SurveyMonkey’s attention that any instructions received from Customer infringe the provisions of Data Protection Legislation, provided that notwithstanding the foregoing, SurveyMonkey shall have no obligation to review the lawfulness of any instruction received from the Customer. 
If this provision is invoked, SurveyMonkey will not be liable to Customer under the Terms of Use for any failure to perform the applicable Services until such time as Customer issues new lawful Instructions with regard to the Processing; and (l) assist Customer as reasonably required where Customer (i) conducts a data protection impact assessment involving the Services (which may include by provision of documentation to allow customer to conduct their own assessment); or (ii) is required to notify a Security Incident (as defined below) to a supervisory authority or a relevant data subject.

Appears in 1 contract

Sources: End User Terms of Use

Data Protection. 11.1 The parties acknowledge Supplier shall (and shall procure that personal data may be transferred under this agreement (“Personal Data”its third party subcontractor(s) and each party will fully shall) comply with its respective obligations all Data Protection Legislation and such compliance shall include, but not be limited to, maintaining a valid and up to date registration or notification (where applicable) under the General Data Protection Regulation Legislation. 11.2 The Supplier shall (EU)2016/679 and applicable complementing national laws (jointly “Privacy Laws”). The parties are independent controllers of their processing operations performed with such Personal Data. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects, Recipient will maintain appropriate technical and organizational measures in such a manner shall procure that its third party subcontractor(s) shall) only undertake processing of Personal Data will meet the requirements of the Privacy Laws. Recipient agrees to notify Provider within a period of 48 hours where Recipient becomes aware of or reasonably suspects that Personal Data has been or may have been lost, damaged or subject to unauthorized internal or external access or any other unlawful processing Data: (a “Security Incident”a) and to take reasonable steps to mitigate the impact of any such Security Incident. 
In the event that Recipient receives (i) any request from a data subject to exercise any of its rights under Privacy Laws in relation to Personal Data (including its rights of access, correction, objection and erasure); and (ii) any other correspondence, inquiry or complaint received from a data subject, regulator or other third party Reasonably required in connection with the performance of its obligations under this Agreement; and (b) In accordance with the Client written instructions And shall (and shall procure that its third party subcontractor(s) shall) comply with all reasonable procedures and processes notified by the Client to the Supplier from time to time. The Client hereby instructs the Supplier to take such steps in the processing of Personal Data on behalf of the Client as are reasonably necessary for the performance of the Supplier’s obligations under this Agreement. 11.3 The Supplier shall not (collectivelyand shall procure that its third party subcontractor(s) shall not) process or transfer any Personal Data outside the European Economic Area without the prior written consent of the Client. 11.4 Notwithstanding clause 11.2, "Correspondence")the Supplier shall (and shall procure that its third party subcontractor(s) shall) at all times have appropriate technical and organisational measures in place acceptable to the Client: (a) To prevent unauthorised or unlawful processing of any Personal Data; (b) To protect any Personal Data against accidental loss, it shall promptly inform Provider destruction or damage; (c) To include taking reasonable steps to ensure the reliability of the Supplier Personnel having access to the Personal Data; and (d) Having regard to the state of technological development and the parties cost of implementing those measures so as to ensure a level of security appropriate to: (i) The harm that may result from breach of those measures; and (ii) The nature of the Personal Data to be protected. 
11.5 On the Client’s reasonable request the Supplier will (and shall cooperate procure that its third party subcontractor(s) will): (a) Provide a detailed, written description of the measures referred to in good faith as necessary clause 11.4 and the Supplier’s compliance with those measures; and (b) Allow the Client (or its third party subcontractor(s)) access to respond the Supplier’s premises to such Correspondence and fulfill their respective obligations under Privacy Laws. Upon Provider’s request, Recipient shall restrict inspect its procedures for the processing of Personal Data. 11.6 If the Supplier (or its third party subcontractor(s)) receives a request from a Data identified by Provider. Recipient Subject for access to Personal Data or any other request relating to the Client’s obligations under the Data Protection Legislation the Supplier shall not transfer (and shall procure that its third party subcontractor(s) shall): (a) Immediately notify the Client; and (b) Provide full co-operation and assistance to the Client in relation to any such complaint or request: (i) Providing the Client with full details of any such request; (ii) Providing the Client with any Personal Data it holds in relation to a territory outside Data Subject in a form specified by the Client and within 10 days of receipt of the European Economic Area request from a Data Subject or as otherwise stipulated by the Client; and ("EEA"iii) unless it has taken such measures as are necessary to ensure the transfer is in compliance Comply with the Privacy Laws. Such measures may include transferring data access request within the relevant timescales set out in the Data to a country that the European Commission has decided provides adequate protection for personal data; to a Recipient that has achieved binding corporate rules authorization Protection Legislation and in accordance with Privacy Lawsexplicit authorisation to do so from the Client. 
11.7 The Supplier shall (and shall procure that its third party subcontractor(s) shall): (a) Immediately provide the Client with full details of any complaint or allegation that it or the Client is not complying with the Data Protection Legislation or if it becomes aware of any fact or matter that would mean that it or the Client was not complying with the Data Protection Legislation; (b) Immediately provide the Client with full details of any systemic issue relating to the Supplier’s IT systems or processes that would mean that the Supplier was not able to comply with the Seventh Principle; and (c) Assist the Client in taking any action that the Client deems appropriate to deal with such complaint or allegation or non-compliance including without limitation immediately providing the Client with any Personal Data it holds in relation to a Data Subject. 11.8 The Supplier shall not subcontract to any third party any of its obligations to process Personal Data on behalf of the Client unless all of the following provisions of this clause have first been complied with: (a) The Supplier has provided the Client with such information as the Client may require to ascertain that such subcontractor has the ability to comply with the provisions of the Data Protection Legislation; (b) The Supplier has obtained the prior written consent of the Client; and (c) The proposed subcontractor has entered into a contract with the Client substantially upon the terms of this clause 11.
11.9 Upon expiry or termination of this Agreement for any reason the Supplier shall (and shall procure that its third party subcontractor(s) shall) immediately return, or at the Client’s option, destroy any Personal Data held by it or its third party subcontractor(s).

Appears in 1 contract

Sources: Framework Supply Agreement

Data Protection. 2.1 Arrangement between the parties 2.1.1 The parties shall each Process the Personal Data. The parties acknowledge that the factual arrangements between them dictate the classification of each party in respect of the Data Protection Laws. Notwithstanding the foregoing, the parties anticipate that, in respect of the Personal Data, as between the Training Provider and ISL for the purposes of this Contract, the Training Provider shall act as a Controller and ISL shall, depending on the circumstances of the processing, act as a Controller or a Processor, as follows: a The Training Provider shall be a Controller where it is Processing Personal Data in relation to Delegates; b ISL shall be a Controller in relation to passing enquiries from potential Delegates to the Training Provider, and related obligations; and c ISL shall be a Processor where it is Processing Personal Data in relation to the Permitted Purpose in connection with the performance of its obligations under this Contract. 2.1.2 Each party acknowledges and agrees that Appendix A to this Contract is an accurate description of the Data Processing Particulars. 2.1.3 ISL undertakes to the Training Provider that it will take all necessary steps to ensure that it operates at all times in accordance with the requirements of the Data Protection Laws and ISL will, at its own expense, assist the Training Provider in discharging its obligations under the Data Protection Laws as more particularly detailed in this paragraph 2. ISL shall not, whether by act or omission, cause the Training Provider to breach any of its obligations under the Data Protection Laws. 2.1.4 Each party shall comply with all the obligations imposed on a Controller under the Data Protection Laws.
2.2 Data Processor obligations 2.2.1 To the extent that ISL Processes any Personal Data as a Processor for and on behalf of the Training Provider (as the Controller) it shall: a only Process the Personal Data for and on behalf of the Training Provider for the purposes of performing its obligations b keep a record of any Processing of the Personal Data it carries out on behalf of the Training Provider; c take, implement and maintain appropriate technical and organisational security measures which are sufficient to comply with at least the obligations imposed d within thirty (30) calendar days of a request from the Training Provider, allow its data processing facilities, procedures and documentation to be submitted for scrutiny, inspection or audit by the Training Provider (and/or its representatives, including its appointed auditors) in order to ascertain compliance with the terms of this Paragraph 1.2, and provide reasonable e not disclose Personal Data to a third party (including a sub-contractor) in any circumstances without the Training f promptly comply with any request from the Training Provider to amend, transfer or delete any Personal Data; g notify the Training Provider promptly (and in any event within forty-eight (48) hours) following its receipt of any Data Subject Request or ICO Correspondence and shall: i not disclose any Personal Data in response to any Data Subject Request or ICO Correspondence without first consulting with and obtaining the
Training Provider’s prior written consent; and ii provide the Training Provider with all reasonable co-operation and assistance required by the Training Provider in relation to any such Data Subject Request or ICO Correspondence; h notify the Training Provider promptly (and in any event within twenty-four (24) hours) upon becoming aware of any actual or suspected, threatened or “near miss” Personal Data Breach in relation to the Personal Data (and follow-up in writing) and shall: i conduct or support the Training Provider in conducting such investigations and analysis that the Training Provider reasonably requires in respect of such Personal Data Breach; ii implement any actions or remedial measures necessary to restore the security of compromised Personal Data; and iii assist the Training Provider to make any notifications to the ICO and affected Data Subjects; i comply with the obligations imposed upon a Processor under the Data Protection Laws; j use all reasonable endeavours to assist the Training Provider to comply with the obligations imposed on the Training Provider by the Data Protection Laws, including: i compliance with the Security Requirements; ii obligations relating to notifications required by the Data Protection Laws to the ICO and/or any other relevant Data Subjects; iii undertaking any Data Protection Impact Assessments (and, where required by the Data Protection Laws, consulting with the ICO and/or any equivalent regulatory body in respect of any such
Data Protection Impact Assessments); and iv without undue delay and where feasible not later than 72 hours after having become aware of it notify Personal k upon the earlier of: i the receipt of a written direction of the Training Provider; ii termination or expiry of this Contract (as applicable); and iii the date on which Personal Data is no longer relevant to, or necessary for, the Permitted Purpose, ISL shall l not make (nor instruct or permit a third party to make) a transfer of Personal Data to a Restricted Country except with the prior written consent of the Training Provider and in accordance with any terms the Training Provider may impose on such transfer as the Training Provider deems necessary to satisfy the requirements m maintain complete and accurate records and information to demonstrate its compliance with this paragraph 1.2.
2.3 ISL Personnel 2.3.1 ISL shall only disclose Personal Data to its Personnel that are required by ISL to assist it in meeting its obligations under this Contract and shall ensure that such Personnel shall have entered into appropriate contractually-binding confidentiality undertakings. 2.4 Appointing sub-contractors 2.4.1 ISL shall not be permitted to appoint a 2.4.2 Notwithstanding any consent given by the Training Provider under paragraph 2.4.1, ISL shall remain primarily liable to the Training Provider for the acts, errors and omissions of any sub-contractor to whom it discloses Personal Data, and shall be responsible to the Training Provider for the acts, errors and omissions of such sub-contractor as if they were ISL’s own acts, errors and omissions to the extent that ISL would be liable to the

Appears in 1 contract

Sources: Training License Agreement

Data Protection. 26.1 For the purposes of this Clause the terms “Data Controller”, “Data Processor”, “Data Subject”, “Personal Data”, “Process” and “Processing” shall have the meaning prescribed under the Data Protection ▇▇▇ ▇▇▇▇ (DPA) 26.2 The Recipient shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Agreement in such a way as to cause either the Recipient or the Trust to breach any applicable obligations under the Data Protection Legislation. 26.3 To the extent that the Recipient is required to hold or process Personal Data, whether the data is Trust data or Recipient data, the following provisions of this Clause shall have effect. 26.4 The Recipient shall process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Services or as is required by Law or any Regulatory Body. 26.5 The Recipient shall not delete or remove any proprietary notices contained within or relating to any Personal data. 26.6 The Recipient shall not store, copy, disclose, process or use Personal Data except as necessary for the performance by the Recipient of its obligations under this Agreement or as otherwise expressly authorised in writing by the Trust. 26.7 The Recipient shall ensure that any system on which it holds any Personal Data, including back-up data, is a secure system.
26.8 The Recipient shall implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected. 26.9 If the Personal Data is corrupted, lost or sufficiently degraded as a result of the Recipient’s default so as to be unusable, the Trust may require the Recipient (at its expense) to restore or procure the restoration of Personal Data, and the Recipient shall do so as soon as practicable. 26.10 If at any time the Recipient suspects or has reason to believe that Personal Data has or may become corrupted, lost or sufficiently degraded in any way for any reason, then the Recipient shall notify the Trust immediately and inform the Trust of the remedial action the it proposes to take. 26.11 The Recipient shall obtain prior written consent from the Trust in order to transfer the Personal Data to any sub-contractors or Affiliates for the provision of the Services; 26.12 The Recipient shall ensure that all Recipient Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the
obligations set out in this Clause 26.13 The Recipient shall provide the Trust with full co-operation and assistance in relation to any complaint or request made in respect of Personal Data, including by; a) providing the Trust with full details of the complaint or request; b) complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Trust’s instructions; c) providing the Trust with any Personal Data it holds in relation to Data Subject (within the timescales required by the Trust); and d) providing the Trust with any information requested by the Trust in respect of any Complaint; 26.14 The Recipient shall permit the Trust or the Trust Representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit the Recipient’s data processing activities (and/or those of its agents, subsidiaries and sub-contractors) and comply with all reasonable requests or directions by the Trust to enable the Trust to verify and/or procure that the Recipient is in full compliance with its obligations under this Agreement 26.15 The Recipient shall provide a written description of the technical and organisational methods employed by the Recipient for processing of Personal Data within 3 months of a request being made by the
Trust 26.16 The Recipient shall not Process Personal Data generated or supplied for the purposes of this Agreement outside of the European Economic Area without the prior written consent of the Trust and, where the Trust consents to a transfer, to comply with the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred any reasonable instructions notified to it by the Trust.

Appears in 1 contract

Sources: Grant Agreement

Data Protection. 18.1 For the purposes of this Agreement, the terms with a first capitalized letter shall have the meaning given to them in the Data Protection Legislation or any Applicable Laws. This Section is applicable only in relation to any Personal Data processed by either Party in connection with, and pursuant to this Agreement. 18.2 To the extent the conclusion and execution of the present Agreement entails processing of Personal Data within the meaning of the Data Protection Legislation, Polestar and VCFSUK to comply with applicable Data Protection Legislation. 18.3 For the avoidance of doubt, the present Agreement will not entail processing of Personal Data by any Party as processor to the other Party within the meaning of the Data Protection Legislation.
18.4 Polestar and VCFSUK acknowledge that both Parties may process Personal Data in their respective capacity as independent Controllers for the purpose of, or in connection with (i) the purpose of this Agreement, the execution of the Customer Agreements (in this Section 18 referred to as the “Purposes”), (ii) Applicable Law (such as anti-money laundering or anticorruption, tax audit or financial sector related law and regulations); (iii) requests and communications from competent authorities (such as courts, regulators, tax authorities or other public authorities) in strict observance of the lawful basis given by Data Protection Legislation for the performed processing. 18.5 The Parties agree that the cooperation contemplated hereunder can only be effectively operated if processes are IT-based. The Parties further acknowledge that they shall make use of their respective current IT systems and have decided that each Party makes the minor necessary adjustment to their IT systems in order to exchange data and communicate with each other. Each Party therefore undertakes to adapt at its own costs (but only to the extent such costs are reasonable), where necessary, its IT Systems in order to enable the electronic communication and data transfer and exchange on the Commencement Date of wholesale financing for the purpose of Wholesale Finance and on the commencement date of retail finance for the purposes of Retail Finance at the latest. If the IT-implementation deadline falls behind the relevant commencement date, the Parties will put in place an interim solution, where the invoicing and payment routines shall be handled by normal paper invoices instead of electronic data transfer within such interim period. The exact service levels during such interim period shall be defined in detail between the Parties.
18.6 To the extent permitted by Data Protection Legislation, Polestar and VCFSUK further acknowledge that Personal Data collected for the Purposes, may be disclosed to, Parties’ Affiliates and their relevant service provider, each Party’s service providers and competent authorities for one or more of the Purposes. Personal Data may also be disclosed to, and processed by, other third party subprocessors to the extent reasonably necessary in connection with the Purposes and permitted hereunder. Each Party remains responsible at all times for the performance of the Affiliates’ and third party subprocessors’ obligations in compliance with the terms of this Article and applicable Data Protection Legislation. 18.7 In the event where the processing and disclosure of Personal Data referenced in this paragraph may involve the transfer of Personal Data to countries outside of the European Economic Area such transfer should only take place on the basis of a European Commission adequacy decision, standard data protection clauses, approved code of conduct or other transfer mechanism provided by the Data Protection Legislation.
18.8 The Parties hereby acknowledge that any Data Subject — within the meaning of the Data Protection Legislation—whose Personal Data are being processed under the Agreement has a right to be informed and to object to the processing of Personal Data (in which case the Parties may not be able to perform their obligations deriving from this Agreement), to access, free of charge, Personal Data, a right to request their rectification as well as all rights of individual Data Subjects provided in Data Protection Legislation. Such request may be addressed to one or the other of the Parties. Therefore, in case a request is addressed to one Party that should necessitate action of the other Party, the former shall promptly notify the other for VCFSUK at ▇▇▇@▇▇▇▇▇▇.▇▇▇ and for Polestar at ▇▇▇@▇▇▇▇▇▇▇▇.▇▇▇. The Parties agree to provide reasonable assistance as is necessary to each other to enable them to provide, in compliance with the Data Protection Legislation, the appropriate reply to Data Subject requests and to respond to any other queries or complaints from Data Subjects or any Data Protection Authority.
18.9 Each Party shall ensure and warrant that any Personal Data collected and provided to the other Party for the purpose and execution of the Agreement have been collected lawfully, fairly and in a transparent manner so as to enable such Personal Data to be processed by each Party and the other parties referenced in this present clause for all of the Purposes. The Parties will ensure that the Parties’ privacy notices are brought to the attention of the relevant Data Subjects and, where necessary, the Parties will provide or procure each other with all evidence as to the information of individual Data Subjects whose Personal Data will be processed for the Purposes, as may be reasonably requested by each of the Parties. The Parties shall not collect more Personal Data than is strictly necessary for the Purposes. The Parties shall not retain or process Personal Data for longer than is necessary to carry out the Agreement or the Customer Agreements. 18.10 Each Party shall inform the other as soon as possible of any significant change in Personal Data collected and to supplying one another upon request with any additional information such Party deems useful to the maintenance of a relationship between them and/or required by Applicable Laws or regulation. The refusal to communicate such data to any Party and the denial of any Party’s recourse to data processing techniques, notably in respect of information technology, when this is left to the other Party’s discretion, would be an impediment to the creation of a relationship or the maintenance of an existing relationship between the Parties. 18.11 Having considered the applicable Data Protection Legislation and guidance, the Parties have in place their own policies that must be followed in the event of a data security breach.
Parties are under a strict obligation to notify any actual destruction, loss, alteration, unauthorized disclosure of, or access to the Personal Data to their respective point of contact as detailed in Section 18 as soon as possible and, in any event, within forty-eight (48) hours of identification of destruction, loss, alteration, unauthorized disclosure of, or access to the Personal Data, in order to enable the Parties to consider what action is required in order to resolve the issue in accordance with the applicable Data Protection Legislation. The Parties agree to provide reasonable assistance as is necessary to each other to facilitate the handling of any data security breach in an expeditious and compliant manner. Such notification shall be considered as Confidential Information.

Appears in 1 contract

Sources: Finance Cooperation Agreement (Polestar Automotive Holding UK LTD)

Data Protection. 18.1 The Executive shall at all times during the Appointment act in accordance with the Data Protection Act 1988 (the “DPA”) and shall comply with any policy introduced by the Company from time to time to comply with the DPA. Breach of this undertaking will constitute a disciplinary offence. 18.2 The Executive hereby consents to the Company holding and processing both electronically and manually the Personal Data it collects which relates to the Executive which is necessary or reasonably required for the proper performance of this agreement, for management, administrative and other employment related purposes (both during and after the Appointment) or for the conduct of Group’s business or to comply with applicable law, rules and regulations (the Authorised Purposes) and the Executive agrees to provide the Group with all Personal Data relating to her which is necessary or reasonably required for the Authorised Purposes. 18.3 The Executive explicitly consents to the
Company or any other Group Company processing her Personal Data, including her Sensitive Personal Data, where this is necessary or reasonably required to achieve one or more of the Authorised Purposes. 18.4 The Executive acknowledges that the Company may, from time to time collect or disclose her Personal Data (including her Sensitive Personal Data) from and to third parties (including without limitation the Executive’s referees, any management consultants or computer maintenance companies engaged by the Company, the Company’s professional advisers, other Group Companies, any suppliers of goods or services to the Group and any potential purchasers of the business, the Company and/or the Group). The Executive consents to such collection and disclosure even where this involves the transfer of
such data outside of the European Economic Area where this is necessary or reasonably required to achieve one or more of the Authorised Purposes or is in the interests of the Company and/or its shareholders. 18.5 Further, the Executive consents to the transfer of Personal Data to any employees of the Company who has requested any Personal Data in an equal pay or other questionnaire reserved pursuant to statute provided that the transfer of Personal Data is limited to Personal Data lawfully requested and subject to the Company first receiving a written undertaking from the requesting employee to keep any disclosed Personal Data strictly confidential and not to use the disclosed Personal Data for any purpose other than pursuing legal proceedings in an Employment Tribunal. 18.6 The Company agrees to process any Personal Data made available to it by the Executive in accordance with the provisions of the DPA. 18.7 In this clause “Data Controller” “Personal Data” “processing” and “Sensitive Personal Data” shall have the meaning set out in sections 1 and 2 of the DPA.

Appears in 1 contract

Sources: Service Agreement (Eros International PLC)

Data Protection. The SERVICE PROVIDER’s attention is hereby drawn to the Data Protection Requirements. The CUSTOMER and the SERVICE PROVIDER shall observe their obligations under the Data Protection Requirements. Where the SERVICE PROVIDER, pursuant to its obligations under this Contract, undertakes the Processing of Personal Data on behalf of the CUSTOMER, it shall: carry out the Processing of the Personal Data only in accordance with instructions from the CUSTOMER (which may be specific instructions or instructions of a general nature as set out in this Contract or as otherwise notified by the CUSTOMER to the SERVICE PROVIDER during the Term); carry out the Processing of Personal Data only to the extent, and in such manner, as is necessary for the provision of the Services or as is required by Law or any Regulatory Body; implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; take reasonable steps to ensure the reliability of any SERVICE PROVIDER personnel who have access to the Personal Data; obtain prior written consent from the CUSTOMER in order to transfer the Personal Data to any Sub-Contractors for the provision of the Ordered Services; ensure that any SERVICE PROVIDER personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 14; ensure that none of the SERVICE PROVIDER personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the CUSTOMER; notify the CUSTOMER (within five (5) Working Days) if it receives:

Appears in 1 contract

Sources: Contract for Specialist Solution Services

Data Protection. Where Momentive is processing Personal Data for Customer, Momentive will: (a) only do so on documented Customer instructions and in accordance with applicable law, including with regard to transfers of Personal Data to other jurisdictions or an international organization, and the parties agree that this Agreement constitutes such documented instructions of the Customer to Momentive to process Customer Data; (b) to the extent applicable, for data transfers Momentive Europe UC relies upon the Standard Contractual Clauses and/or consent for personal data transfers to countries that do not have adequate levels of data protection as determined by the European Commission, United Kingdom or other jurisdictions which approve and require Standard Contractual Clauses; (c) with respect to any transfers of Personal Data out of the European Economic Area ("EEA"), the United Kingdom or other country requiring Standard Contractual Clauses, that may be required in relation to or in connection with the Agreement and the provision of the Services hereunder, the parties shall comply with and be subject to all obligations imposed on a ‘data importer’ or 'data exporter' (as appropriate) as set out under the Standard Contractual Clauses; (d) ensure that all Momentive personnel involved in the processing of Personal Data are subject to confidentiality obligations in respect of the Personal Data; (e) make available information necessary for Customer to demonstrate compliance with its Article 28 obligations (if applicable to the Customer) where such information is held by Momentive and is not otherwise available to Customer through its account and user areas or on Momentive websites, provided that Customer provides Momentive with at least 14 days' written notice of such an information request; (f) cooperate as reasonably requested by Customer to enable Customer to comply with any exercise of rights by a Data Subject afforded to Data Subjects by Data Protection Legislation in respect of Personal Data processed by Momentive in providing the Services; (g) provide assistance, where necessary with all requests received directly from a Data Subject in respect of a Data Subject's Personal Data submitted through the Services; (h) upon deletion, by you, not retain Customer Personal Data from within your account other than in order to comply with applicable laws and regulations and as may otherwise be kept in routine backup copies made for disaster recovery and business continuity purposes subject to our retention policies; (i) cooperate with any supervisory authority or any replacement or successor body from time to time (or, to the extent required by the Customer, any other data protection or privacy regulator under Data Protection Legislation) in the performance of such supervisory authority's tasks where required; (j) not store Personal Data (in a format that permits identification of relevant Data Subjects) for longer than is necessary for the purposes for which the data is processed save to the extent such retention is required for legitimate business purposes (with respect to, for example, security and billing), in order to comply with applicable laws and regulations and as may otherwise be kept in routine backup copies made for disaster recovery and business continuity purposes; and (k) where required by Data Protection Legislation, inform Customer if it comes to Momentive’s attention that any instructions received from Customer infringe the provisions of Data Protection Legislation, provided that notwithstanding the foregoing, Momentive shall have no obligation to review the lawfulness of any instruction received from the Customer. If this provision is invoked, Momentive will not be liable to Customer under the Agreement for any failure to perform the applicable Services until such time as Customer issues new lawful Instructions with regard to the Processing; and (l) assist Customer as reasonably required where Customer (i) conducts a data protection impact assessment involving the Services (which may include by provision of documentation to allow customer to conduct their own assessment); or (ii) is required to notify a Security Incident (as defined below) to a supervisory authority or a relevant data subject.

Appears in 1 contract

Sources: Governing Services Agreement

Data Protection. The transfer of personal data shall only take place if such transfer is necessary for the implementation of this Agreement by the competent authorities of the Parties. When transferring, using or otherwise processing personal data, the competent authorities of the Parties in each particular case shall carry out in accordance with its state’s national laws and legislations and international obligations, the provisions of this Agreement and the following principles: personal data must be processed fairly and lawfully; personal data must be collected for the specified, explicit and legitimate purpose related to the implementation of this Agreement and may not be further processed by either collecting authorities or receiving authorities the Parties in a way incompatible with the above-mentioned purpose; personal data must only serve the purpose for which they are collected and/or further processed. The transferred personal data have to relate primarily to the following: the details of the returnee (e.g. name and surname, previous names, other names used/by which known or aliases, sex, civil status, date and place of birth, current and previous citizenship); identity documents, driving licence or travel documents (number, period of validity, date of issue, issuing authority, place of issue); stop-overs and itineraries; other necessary information to identify the returnee or to examine whether conditions for the readmission are met under this Agreement; personal data must be accurate and, where necessary, kept up to date; personal data must be kept in a form, which permits identification of the returnee and for no longer than is necessary for their collection and further processing; both the transferring and the receiving authorities of the Parties shall take every reasonable step to ensure the rectification, destruction or blocking of personal data when the processing does not comply with the provisions of this Article, particularly when the data are not compatible with the purpose of their collection and/or further processing. The competent authorities shall notify each other of any rectification, destruction or blocking of the data; the competent authority receiving the data shall, upon request, notify the transferring authority of the use of the transferred data and the results obtained therefrom; personal data may only be transferred to the competent authorities. Further transfer to other bodies requires prior consent of the transferring authority; the transferring and receiving authorities must make a written record of the transfer and the receipt of personal data. Upon request of the returnee, he shall be given information as to what personal data relating to him are available, and for what purpose they are used or intended to be used. The right of the returnee to receive such information is governed by the national legislation of the state of the Party from whose territory the request comes. The request to provide such information may be refused, if such a refusal is necessary for the purpose of implementing this Agreement and ensuring the state security, public order, preventing crimes and protecting personal and third-party rights and freedoms. When it becomes evident that erroneous personal data or data for which transferring is not permitted have been transmitted, the receiving authority shall be immediately notified and shall, without delay, rectify or destroy them. When transferring personal data, the Parties shall indicate the data retention deadlines as foreseen in their respective national legislation after which the data must be destroyed. Regardless of the retention deadlines, the personal data transferred shall be immediately destroyed as soon as it is determined that they are no longer necessary for the purpose for which they were supplied. The Party that transferred the personal data must be notified of their destruction as well as the reasons for the destruction. After expiration of the validity of this Agreement, the Parties shall immediately destroy all of the data received. The competent authorities shall ensure the confidentiality of the information obtained from each other, if the information is sensitive or the Party transferring the information is unwilling to make it public. This shall similarly apply to the technical means, equipment and materials.

Appears in 1 contract

Sources: Readmission Agreement

Data Protection. 8.1 Each Party shall comply with the Data Protection Legislation. In particular where a Party (“Processor”) is processing personal data on behalf of the other Party (“Controller”) it shall: 8.1.1 process it only for the purposes of complying with its obligations under this Agreement, in accordance with the Controller’s documented instructions from time to time and good industry practice; 8.1.2 ensure that appropriate technical and organisational measures shall be taken to ensure a level of security of Controller personal data appropriate to the risk (including measures taken against unauthorised or unlawful processing of Controller personal data and the accidental loss or destruction of, or damage to, such data) and promptly provide to the Controller details of those measures from time to time on receipt of Controller’s written notice; 8.1.3 not transfer, or otherwise directly or indirectly disclose, any Controller personal data to a third party or to a country or territory outside the European Economic Area without the prior written consent of the Controller which may be refused or granted subject to such conditions as Controller deems necessary; and 8.1.4 immediately and fully notify the Controller on receipt of any notices received by the Processor relating to the processing of Controller personal data including (but not limited to) data subject requests, complaints and/or correspondence or if any Controller personal data has been disclosed in breach of this clause or if it is lost, becomes corrupted, is damaged or is deleted in error and provide the Controller with such information and assistance as the Controller may require in relation to such notice or breach (at no cost to the Controller). The Processor shall provide and implement technical and organisational measures to help the Controller fulfil its obligations in relation to such notices from or on behalf of data subjects in connection with the rights conferred on them by Data Protection Legislation. For the avoidance of doubt, in no event shall the Processor respond directly to any notice relating to any Controller personal data. 8.2 The Processor shall comply with the provisions set out in Article 28 of the GDPR (together with any provisions referenced therein) which shall have effect as obligations on the Processor as if set out in full in this clause and the expressions “controller” and “processor” used in those provisions and incorporated in this Agreement pursuant to this clause shall be deemed references to the Controller and the Processor respectively. References to ”, “processing, “data subject” shall have the meanings set out in applicable Data Protection Legislation.

Appears in 1 contract

Sources: University Agreement

Data Protection. You shall comply with your obligations under the Data Protection Legislation. Without prejudice to the generality of the foregoing, you shall: (i) ensure data subjects are provided with all information required under Data Protection Legislation in respect of Personal Data you provide to us; and (ii) ensure that the processing of Personal Data in accordance with your instructions will not cause us to breach Data Protection Legislation or any other applicable law; and (iii) not provide or make available to us any special categories of Personal Data (as defined under Data Protection Legislation). As part of providing Dimensions and otherwise performing our obligations hereunder, you hereby generally authorise our appointment of our affiliates, hosting providers and any other sub-contractors (“Sub-Processors”) who may from time to time be engaged to process data (including Personal Data, Buyer Data and Buyer Personal Data) as part of the services, who in each case are subject to written terms that comply with the Data Protection Legislation. We shall make a current list of Sub-Processors available to you and shall remain liable for their acts or omissions as if they were its own. You may object to the appointment of any new Sub-Processor in writing within ten (10) days of being informed of the same and we shall act reasonably to consider such objection and seek to propose an alternative solution, together with any additional cost required for their implementation. As part of providing the services, you hereby consent to the transfer of the data which we process on your behalf (including Personal Data, Buyer Data and Buyer Personal Data) outside the United Kingdom/European Economic Area as required to perform the services, including to any countries in which our Sub-Processors operate. For the purposes of European Data Protection Legislation, Schedule 3 of the Digital Science DPA (▇▇▇▇▇://▇▇▇▇▇.▇▇▇▇▇.▇▇▇/public/DigitalScienceDPA) shall apply to any relevant transfers. To the extent we, in the capacity as a controller, provide Data as part of the Services to you that comprises Personal Data for you to use for your own purposes, you shall use (the most up-to-date version, where appropriate of) that Data in accordance with the Agreement and implement technical and organisational measures to ensure an appropriate level of security, and, for the purposes of European Data Protection Laws, the Cross-Border Transfer Provisions (as applicable) in Schedule 3 of the Digital Science DPA shall apply. We may process Personal Data in accordance with the privacy policy applicable to Dimensions (available on the Dimensions website). You shall ensure that any individuals whose Personal Data you provide has consented to its transfer and other processing as set out in the Agreement. If you consider the technical and organisational measures we have in place in respect of Dimensions not to be adequate, you shall provide us with detailed reasons and we shall act reasonably to consider the same and seek to propose an alternative solution, together with any additional cost required for their implementation.

Appears in 1 contract

Sources: Terms of Acceptable Use

Data Protection. 14.2.1 The Parties must comply with Data Protection Legislation, Data Guidance, the FOIA and the EIR, and must assist each other as necessary to enable each other to comply with these obligations. 14.2.2 Without prejudice to the generality of clause 14.2.1, the Recipient must ensure that all Personal Data processed by or on behalf of the Recipient in the course of delivering the Project is processed in accordance with the relevant Parties’ obligations under the Data Protection Legislation and Data Guidance. The Recipient shall: (a) process Personal Data only on the written instructions of the Council, unless the Recipient is required by Domestic Law to otherwise process the Personal Data. Where the Recipient is so required, it shall promptly notify the Council before processing the Personal Data, unless prohibited by Domestic Law; (b) ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the Council, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it); (c) not transfer any Personal Data outside of the UK unless the prior written consent of the Council has been obtained and the following conditions are fulfilled: (i) the Council or the Recipient has provided appropriate safeguards in relation to the transfer; (ii) the Data Subject has enforceable rights and effective remedies; (iii) the Recipient complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and (iv) the Recipient complies with the reasonable instructions notified to it in advance by the Council with respect to the processing of the Personal Data; (d) notify the Council as soon as reasonably practicable if it receives: (i) a request from a Data Subject to have access to that individual’s Personal Data; (ii) a Right of Access, Rectification or Erasure Request; (iii) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation (including any communication from the Information Commissioner); (e) at the Recipient’s expense, assist the Council in responding to any request from a Data Subject and in ensuring compliance with the Council’s obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; (f) at the written direction of the Council, delete or return Personal Data and copies thereof to the individual on termination or expiry of this Agreement unless required by the Applicable Laws to store the Personal Data; (g) maintain complete and accurate records and information to demonstrate its compliance with this clause 14.2 and allow for audits by the Council or the Council’s designated auditor. 14.2.3 Where the Council requires information for the purposes of quality management, the Recipient must consider whether the Council’s request can be met by providing anonymised or aggregated data which does not contain Personal Data. Where Personal Data must be shared in order to meet the requirements of the Council, the Recipient must: (a) provide such information in pseudonymised form where possible; and in any event (b) ensure that there is a legal basis for the sharing of Personal Data. 14.2.4 If the Recipient is to engage any sub-contractor or sub-consultant to deliver any part of the Project (other than as a Data Processor) and the sub-contractor or sub-consultant is to access personal or confidential information or interact with individuals, the Recipient must impose on it obligations that are no less onerous than the obligations imposed on the Recipient by this clause 14.2.
14.2.5 The Recipient shall indemnify the Council against any Losses incurred by the Council arising from, or in connection with, any breach of the Recipient’s obligations under this clause 14.2. 14.2.6 Notwithstanding any other data provision of this Agreement, where the Recipient commits a Personal Data Breach which under Data Protection Legislation must be notified to the Information Commissioner and/or to an individual the Council may result in identification of a donorterminate this Agreement with immediate effect.

Appears in 1 contract

Sources: Grant Funding Agreement

Data Protection. 7.1 The Parties agree that to the extent that Confidential Information provided to the Receiving Party comprises any Personal Data (as defined under the Irish Data Protection Acts 1988 and 2003 as amended, modified or consolidated or, on and with effect from its effective date, the General Data Protection Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 (the “GDPR”) as may be amended, re-enacted or re-instated from time to time and any implementing legislation (together, the “Data Protection Laws”)) any such Personal Data which the Disclosing Party, supplies or discloses to the Receiving Party pursuant to this Agreement and / or otherwise as part of the Proposed Transaction, shall be treated as set out in this Clause 7. 7.2 The Parties acknowledge that the Receiving Party may transfer Personal Data to its Affiliates. In such a case, the Receiving Party shall be directly liable for the observance and proper performance (and any omissions in that regard) by those of its Affiliates who have received Personal Data of the terms and conditions of this Agreement and in particular this Clause 7. 7.3 The Receiving Party confirms that it has appropriate technical and organisational measures required to protect against unauthorised access to, or accidental or unauthorised destruction, loss, alteration or disclosure of any Personal Data contained in the Confidential Information.
7.4 The Personal Data shall remain at all times the property of and in the ownership of the Disclosing Party (as applicable) and the Receiving Party shall have no rights whatsoever in respect thereof. 7.5 The Receiving Party warrants and undertakes that it shall: (a) comply with the Data Protection Laws and all other applicable data protection laws and guidance including (without limitation) applicable laws relating to accessing, use and onward disclosure, distribution, exporting, archiving, maintenance and storage of Personal Data and with the terms of this Agreement and process the Personal Data only to the extent strictly necessary in connection with the Proposed Transaction and in accordance with the Disclosing Party’s instructions from time to time; (b) subject to this Clause 7, not otherwise modify, amend or alter the contents of the Personal Data or disclose or permit the disclosure of any of the Personal Data to any third party unless specifically authorised to do so in writing by the Disclosing Party; (c) implement and maintain such technical and organisational security measures as may be required to comply with the applicable Disclosing Party’s data security obligations in the Data Protection Laws; (d) other than transfers of Personal Data to the Disclosing Party or to other third parties specified by the Disclosing Party, not under any circumstances transfer the Personal Data to a territory outside of the European Economic Area unless authorised in writing to do so by the Disclosing Party; and (e) enter into such other written agreement in respect of the processing or transfer of Personal Data as a Disclosing Party may require.
7.6 Upon expiry or termination of this Agreement, or upon the earlier written request of a Disclosing Party, the Receiving Party shall promptly either return or destroy all Personal Data disclosed to it by the Disclosing Party including any copies, notes or other materials containing such Personal Data and the Receiving Party shall if so requested in writing by the Disclosing Party, certify to the Disclosing Party that it has complied with this Clause 7. 7.7 The Receiving Party shall notify the Disclosing Party as soon as reasonably practicable and in any event within twenty-four (24) hours of: (a) any legally binding request for disclosure of Personal Data by a law enforcement regulatory body or other competent authority unless prohibited by law from doing so; (b) receiving any correspondence, notice or other communication whether orally or in writing from the relevant data protection regulator or any other regulator or person, relating to the Personal Data. 7.8 Where the Receiving Party receives a legally binding request for access to personal data by a law enforcement agency regulatory body or other competent authority, the Receiving Party will inform the Disclosing Party except where such disclosure is itself legally prohibited. The Receiving Party will reject any such request which is non-legally binding. 7.9 Without prejudice to the other provisions of this Clause 7, if the Receiving Party or any of the Receiving Party’s employees or contractors becomes aware of any Data Protection Incident, or has commenced an investigation to assess whether there has been a Data Protection Incident (an “Investigation”), then the Receiving Party shall promptly (but in any event within twenty-four (24) hours of, the earlier of (i): discovery of a Data Protection Incident; or (ii) commencement of an Investigation) notify the Disclosing Party by both telephone and by email.
The Receiving Party shall, at no additional cost to the Disclosing Party, provide the Disclosing Party with all resources, assistance and cooperation as are required by the Disclosing Party in order for it to comply with its own contractual or legal obligations in respect of the data subjects (as defined in the Data Protection Laws). 7.10 The Receiving Party shall execute all such additional documents, give such assistance and do such acts and things as may in the opinion of any Disclosing Party be necessary or desirable in order to comply with the Data Protection Laws. 7.11 Without prejudice to Clause 7.5(b), the Receiving Party shall not permit a third party to process Personal Data on its behalf unless the Receiving Party and the third party first enter into a written agreement which imposes the same obligations on the third party as are imposed on the Receiving Party under this Agreement and which also imposes the obligations that are required under Data Protection Laws. 7.12 The Receiving Party acknowledges and agrees that insofar as it processes Personal Data, comprised in the Confidential Information provided to the Receiving Party, it does so as a data controller in its own right and not as a data processor for the Disclosing Party.
However, without prejudice to the foregoing to the extent that the Receiving Party acts as a data processor on behalf of the Disclosing Party, the Receiving Party shall in addition to the obligations set out in this Clause 7 and Clause 4.1: (a) inform the Disclosing Party if it is required to process the Personal Data by EU or member state law to which it is subject, prior to such processing, other than where that law prohibits the Disclosing Party from being informed on important grounds of public interest; (b) not appoint any sub-processors except pursuant to Clause 7.5(b); (c) taking into account the nature of the processing by the Receiving Party and the nature of the information available to it, assist the Disclosing Party in respect of data subject rights requests under Chapter III of the GDPR and assist the Disclosing Party in complying with its mandatory obligations under Articles 32 to 36 of the GDPR; (d) make available to the Disclosing Party all information necessary to demonstrate its compliance with its obligations under this Clause 7 and Clause 4.1, and shall allow for and contribute to audits, including inspections, conducted by the Disclosing Party and/or its auditors, having regard to the Receiving Party’s obligations of confidentiality to third parties other than the Disclosing Party.

Appears in 1 contract

Sources: Non Disclosure Agreement

Data Protection. 5.1 This Clause 5 sets out the framework for the sharing of personal data (as defined in the Data Protection Legislation) between the parties as data controllers. Each party acknowledges that one party (the Data Discloser) will regularly disclose to the other party (the Data Recipient) shared personal data collected by the Data Discloser to provide the Services under this Agreement. 5.2 Each party shall comply with all the obligations imposed on a controller under the Data Protection Legislation. 5.3 Each party shall: (a) ensure that it has all necessary consents and notices in place to enable lawful transfer of the shared personal data to the Data Recipient; (b) take all reasonable steps to ensure that appropriate technical and organisational measures are put in place to protect the shared personal data and comply with the relevant Data Protection Legislation; (c) give full information to any data subject whose personal data may be processed under this Agreement of the nature of such processing.
This includes giving notice that, on the termination of this Agreement, personal data relating to them may be retained by or, as the case may be, transferred to one or more of the permitted recipients, their successors and assignees; (d) process the shared personal data only to provide the Services under this Agreement; (e) not disclose or allow access to the shared personal data to anyone other than the permitted recipients; (f) ensure that all permitted recipients are subject to written contractual obligations concerning the shared personal data (including obligations of confidentiality) which are no less demanding than those imposed by this Agreement; (g) ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data; and (h) not hold or transfer any personal data outside of the European Economic Area unless the holder or transferor: (i) complies with the provisions of Article 26 of the General Data Protection Regulation (in the event the third party is a joint controller); and
(ii) ensures that (i) the transfer is to a country approved by the European Commission as providing adequate protection pursuant to Article 45 of the General Data Protection Regulation; (ii) there are appropriate safeguards in place pursuant to Article 46 of the General Data Protection Regulation; or (iii) one of the derogations for specific situations in Article 49 of the General Data Protection Regulation applies to the transfer. 5.4 Each party shall assist the other in complying with all applicable requirements of the Data Protection Legislation. In particular, each party shall: (a) consult with the other party about any notices given to data subjects in relation to the shared personal data; (b) promptly inform the other party about the receipt of any data subject request; (c) provide the other party with reasonable assistance in complying with any data subject request; (d) not disclose or release any shared personal data in response to a data subject request without first consulting the other party wherever possible; (e) assist the other party, at the cost of the other party, in responding to any request from a data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; (f) notify the other party without undue delay on becoming aware of any breach of the Data Protection Legislation; (g) at the written direction of the data discloser, delete or return shared personal data and copies thereof to the data discloser on termination of this Agreement unless required by law to store the personal data; (h) use compatible technology for the processing of shared personal data to ensure that there is no lack of accuracy resulting from personal data transfers; (i) maintain complete and accurate records and information to demonstrate its compliance with this Clause 5; and (j) provide the other party with contact details of at least one employee as point of contact and responsible manager for all issues arising out of the Data Protection Legislation, including the procedures to be followed in the event of a data security breach, and the regular review of the parties' compliance with the Data Protection Legislation.

Appears in 1 contract

Sources: Recruitment Services Agreement

Data Protection. 3.2.1 The Parties’ attention is drawn to the Data Protection Act 1998, Directive 95/46/EC of the European Parliament and any legislation and/or regulations implementing them or made in pursuance of them (the “Data Protection Requirements”). The End-User acknowledges that Royal Mail is the data controller in respect of any personal data in the Data. Royal Mail and the Solutions Provider acknowledge that the End-User is the data controller in respect of any personal data in its own database whether it has been cleansed, modified or otherwise. The End-User agrees it will not do or omit to do any act which would place it, the Solutions Provider or Royal Mail in breach of the Data Protection Requirements and each Party warrants to the other that it will duly observe all its obligations under the Data Protection Requirements which arise in connection with the performance of this Licence Agreement.
The End-User agrees that it shall: 3.2.1.1 implement appropriate technical and organisational measures to protect personal data within the Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access; 3.2.1.2 promptly refer to Royal Mail (either directly or indirectly via the Solutions Provider) any queries relating to the personal data within the Data from data subjects, the Information Commissioner or any other law enforcement authority, for Royal Mail to resolve; 3.2.1.3 promptly upon request from Royal Mail provide such information to Royal Mail as Royal Mail may reasonably require to allow it to comply, in relation to the personal data within the Data, with the rights of data subjects, including subject access rights, or with information notices served by the Information Commissioner; and 3.2.1.4 ensure that if, during the term of this Licence Agreement, it intends to make any transfers of personal data within the Data which are not European Commission Approved Transfers, then it shall, prior to any such transfer, obtain Royal Mail’s consent and at the End-User’s own cost provide such further information and sign such further documents, agreements or deeds as Royal Mail may require to ensure adequate protection of the personal data. data” and “processing” shall have the meanings ascribed to them in the Data Protection Act 1998.

Appears in 1 contract

Sources: Data Download Licence