Common use of Data Usage Control / Data Storage Media Control Clause in Contracts

Data Usage Control / Data Storage Media Control. Memory Control Prevention of unauthorized reading, copying, changing or erasure of data storage media (data storage media control). Prevention of unauthorized entry of Personal Information and unauthorized access to it, changing and deleting saved Personal Information (memory control). Ensuring that the parties authorized to use an automated processing system only have access to the Personal Information appropriate for their access authorization (e.g. through authorization concepts, passwords, regulations for leaving the company and for moving employees to other departments) (data usage control). The following technical and organizational measures have been implemented by the Operator for the processing of Personal Information described in this Agreement / Addendum: Roles and authorizations based on a “need to know principle” Number of administrators reduced to only the “essentials” Logging of access to applications, in particular the entry, change and erasure of data Physical erasure of data storage media before reuse Use of shredders or service providers Administration of rights by defined system administrators Password guidelines, incl. password length and changing passwords Secure storage of data storage media Proper destruction of data storage media (DIN 66399) Logging of destruction Miscellaneous:

Data Usage Control / Data Storage Media Control. Memory Control Prevention of unauthorized reading, copying, changing or erasure of data storage media (data storage media control). Prevention of unauthorized entry of Personal Information and unauthorized access to it, changing and deleting saved Personal Information (memory control). Ensuring that the parties authorized to use an automated processing system only have access to the Personal Information appropriate for their access authorization (e.g. e.g., through authorization concepts, passwords, regulations for leaving the company and for moving employees to other departments) (data usage control). The following technical and organizational measures have been implemented by the Operator for the processing of Personal Information described in this Agreement / Addendum: Roles and authorizations based on a “need to know principle” Number of administrators reduced to only the “essentials” Logging of access to applications, in particular the entry, change and erasure of data Physical erasure of data storage media before reuse Use of shredders or service providers Administration of rights by defined system administrators Password guidelines, incl. password length and changing passwords Secure storage of data storage media Proper destruction of data storage media (DIN 66399) Logging of destruction Miscellaneous:

Data Usage Control / Data Storage Media Control. Memory Control Prevention of unauthorized reading, copying, changing or erasure of data storage media (data storage media control). Prevention of unauthorized entry of Personal Information and unauthorized access to it, changing and deleting saved Personal Information (memory control). Ensuring that the parties authorized to use an automated processing system only have access to the Personal Information appropriate for their access authorization (e.g. through authorization concepts, passwords, regulations for leaving the company and for moving employees to other departments) (data usage control). The following technical and organizational measures have been implemented by the Operator for the processing of Personal Information described in this Agreement / Addendum: Roles and authorizations based on a “need to know principle” Number of administrators reduced to only the “essentials” Logging of access to applications, in particular the entry, change and erasure of data Physical erasure of data storage media before reuse Use of shredders or service providers Administration of rights by defined system administrators Password guidelines, incl. password length and changing passwords Secure storage of data storage media Proper destruction of data storage media (DIN 66399) Logging of destruction Miscellaneous:destruction

Data Usage Control / Data Storage Media Control. Memory Control Prevention of unauthorized reading, copying, changing or erasure of data storage media (data storage media control). Prevention of unauthorized entry of Personal Information and unauthorized access to it, changing and deleting saved Personal Information (memory control). Ensuring that the parties authorized to use an automated processing system only have access to the Personal Information appropriate for their access authorization (e.g. through authorization concepts, passwords, regulations for leaving the company IRBA and for moving employees to other departments) (data usage control). The following technical and organizational measures have been implemented by the Operator for the processing of Personal Information described in this Agreement / Addendum: Roles and authorizations based on a “need to know principle” Number of administrators reduced to only the “essentials” Logging of access to applications, in particular the entry, change and erasure of data Physical erasure of data storage media before reuse Use of shredders or service providers Administration of rights by defined system administrators Password guidelines, incl. password length and changing passwords Secure storage of data storage media Proper destruction of data storage media (DIN 66399) Logging of destruction Miscellaneous:destruction

Data Usage Control / Data Storage Media Control. Memory Control Prevention of unauthorized reading, copying, changing or erasure of data storage media (data storage media control). Prevention of unauthorized entry of Personal Information and unauthorized access to it, changing and deleting saved Personal Information (memory control). Ensuring that the parties authorized to use an automated processing system only have access to the Personal Information appropriate for their access authorization (e.g. through authorization concepts, passwords, regulations for leaving the company Hatch and for moving employees to other departments) (data usage control). The following technical and organizational measures have been implemented by the Operator for the processing of Personal Information described in this Agreement / Addendum: Roles and authorizations based on a “need to know principle” Number of administrators reduced to only the “essentials” Logging of access to applications, in particular the entry, change and erasure of data Physical erasure of data storage media before reuse Use of shredders or service providers Administration of rights by defined system administrators Password guidelines, incl. password length and changing passwords Secure storage of data storage media Proper destruction of data storage media (DIN 66399) Logging of destruction Miscellaneous:destruction

Data Usage Control / Data Storage Media Control. Memory Control Prevention of unauthorized reading, copying, changing or erasure of data storage media (data storage media control). , Prevention of unauthorized entry of Personal Information and unauthorized access to it, changing and deleting saved Personal Information (memory control). Ensuring that the parties authorized to use an automated processing system only have access to the Personal Information appropriate for their access authorization (e.g. through authorization concepts, passwords, regulations for leaving the company and for moving employees to other departments.) (data usage control). The following technical and organizational measures have been implemented by the Operator for the processing of Personal Information described in this Agreement / Agreement/Addendum: Roles and authorizations based on a “need to know principle” Number of administrators reduced to only the “essentials” Logging of access to applications, in particular the entry, change and erasure of data Physical erasure of data storage media before reuse Use of shredders or service providers Administration of rights by defined system administrators Password guidelines, incl. password length and changing passwords Secure storage of data storage media Proper destruction of data storage media (DIN 66399) Logging of destruction Miscellaneous:

Data Usage Control / Data Storage Media Control. Memory Control Prevention of unauthorized reading, copying, changing or erasure of data storage media (data storage media control). , Prevention of unauthorized entry of Personal Information and unauthorized access to it, changing and deleting saved Personal Information (memory control). Ensuring that the parties authorized to use an automated processing system only have access to the Personal Information appropriate for their access authorization (e.g. through authorization concepts, passwords, regulations for leaving the company and for moving employees to other departments.) (data usage control). The following technical and organizational measures have been implemented by the Operator Recipient for the processing of Personal Information described in this Agreement / Addendum: Roles and authorizations based on a “need to know principle” Number of administrators reduced to only the “essentials” Logging of access to applications, in particular the entry, change and erasure of data Physical erasure of data storage media before reuse Use of shredders or service providers Administration of rights by defined system administrators Password guidelines, incl. password length and changing passwords Secure storage of data storage media Proper destruction of data storage media (DIN 66399) Logging of destruction Miscellaneous:

Data Usage Control / Data Storage Media Control. Memory Control Prevention of unauthorized reading, copying, changing or erasure of data storage media (data storage media control). , Prevention of unauthorized entry of Personal Information and unauthorized access to it, changing and deleting saved Personal Information (memory control). Ensuring that the parties authorized to use an automated processing system only have access to the Personal Information appropriate for their access authorization (e.g. through authorization concepts, passwords, regulations for leaving the company and for moving employees to other departments.) (data usage control). The following technical and organizational measures have been implemented by the sub- Operator for the processing of Personal Information described in this Agreement / AddendumSub-Operator Agreement: Roles and authorizations based on a “need to know principle” Number of administrators reduced to only the “essentials” Logging of access to applications, in particular the entry, change and erasure of data Physical erasure of data storage media before reuse Use of shredders or service providers Administration of rights by defined system administrators Password guidelines, incl. password length and changing passwords Secure storage of data storage media Proper destruction of data storage media (DIN 66399) Logging of destruction Miscellaneous:

Data Usage Control / Data Storage Media Control. Memory Control Prevention of unauthorized reading, copying, changing or erasure of data storage media (data storage media control). , Prevention of unauthorized entry of Personal Information and unauthorized access to it, changing and deleting saved Personal Information (memory control). Ensuring that the parties authorized to use an automated processing system only have access to the Personal Information appropriate for their access authorization (e.g. through authorization concepts, passwords, regulations for leaving the company and for moving employees to other departments.) (data usage control). The following technical and organizational measures have been implemented by the sub-Operator for the processing of Personal Information described in this Agreement / Addendumsub- Operator Agreement: Roles and authorizations based on a “need to know principle” Number of administrators reduced to only the “essentials” Logging of access to applications, in particular the entry, change and erasure of data Physical erasure of data storage media before reuse Use of shredders or service providers Administration of rights by defined system administrators Password guidelines, incl. password length and changing passwords Secure storage of data storage media Proper destruction of data storage media (DIN 66399) Logging of destruction Miscellaneous:

Data Usage Control / Data Storage Media Control. Memory Control Prevention of unauthorized reading, copying, changing or erasure of data storage media (data storage media control). , Prevention of unauthorized entry of Personal Information and unauthorized access to it, changing and deleting saved Personal Information (memory control). Ensuring that the parties authorized to use an automated processing system only have access to the Personal Information appropriate for their access authorization (e.g. through authorization concepts, passwords, regulations for leaving the company and for moving employees to other departments.) (data usage control). The following technical and organizational measures have been implemented by the Operator for the processing of Personal Information described in this Agreement / AddendumOperator Agreement: Roles and authorizations based on a “need to know principle” Number of administrators reduced to only the “essentials” Logging of access to applications, in particular the entry, change and erasure of data Physical erasure of data storage media before reuse Use of shredders or service providers Administration of rights by defined system administrators Password guidelines, incl. password length and changing passwords Secure storage of data storage media Proper destruction of data storage media (DIN 66399) Logging of destruction Miscellaneous:

Data Usage Control / Data Storage Media Control. Memory Control Prevention of unauthorized reading, copying, changing or erasure of data storage media (data storage media control). , Prevention of unauthorized entry of Personal Information and unauthorized access to it, changing and deleting saved Personal Information (memory control). Ensuring that the parties authorized to use an automated processing system only have access to the Personal Information appropriate for their access authorization (e.g. through authorization concepts, passwords, regulations for leaving the company C-BRTA and for moving employees to other departments.) (data usage control). The following technical and organizational measures have been implemented by the Operator Recipient for the processing of Personal Information described in this Agreement / Addendum: Roles and authorizations based on a “need to know principle” Number of administrators reduced to only the “essentials” Logging of access to applications, in particular the entry, change and erasure of data Physical erasure of data storage media before reuse Use of shredders or service providers Administration of rights by defined system administrators Password guidelines, incl. password length and changing passwords Secure storage of data storage media Proper destruction of data storage media (DIN 66399) Logging of destruction Miscellaneous:destruction

Data Usage Control / Data Storage Media Control. Memory Control Prevention of unauthorized reading, copying, changing or erasure of data storage media (data storage media control). , Prevention of unauthorized entry of Personal Information and unauthorized access to it, changing and deleting saved Personal Information (memory control). Ensuring that the parties authorized to use an automated processing system only have access to the Personal Information appropriate for their access authorization (e.g. through authorization concepts, passwords, regulations for leaving the company and for moving employees to other departments.) (data usage control). The following technical and organizational measures have been implemented by the Operator Recipient for the processing of Personal Information described in this Agreement / Addendum: Roles and authorizations based on a “need to know principle” Number of administrators reduced to only the “essentials” Logging of access to applications, in particular the entry, change and erasure of data Physical erasure of data storage media before reuse Use of shredders or service providers Administration of rights by defined system administrators Password guidelines, incl. password length and changing passwords Secure storage of data storage media Proper destruction of data storage media (DIN 66399) Logging of destruction Miscellaneous:destruction

Data Usage Control / Data Storage Media Control. Memory Control Prevention of unauthorized reading, copying, changing or erasure of data storage media (data storage media control). Prevention of unauthorized entry of Personal Information and unauthorized access to it, changing and deleting saved Personal Information (memory control). Ensuring that the parties authorized to use an automated processing system only have access to the Personal Information appropriate for their access authorization (e.g. through authorization concepts, passwords, regulations for leaving the company and for moving employees to other departments) (data usage control). The following technical and organizational measures have been implemented by the Operator for the processing of Personal Information described in this Agreement / Agreement/Addendum: Roles and authorizations based on a “need to know principle” Number of administrators reduced to only the “essentials” Logging of access to applications, in particular the entry, change and erasure of data Physical erasure of data storage media before reuse Use of shredders or service providers Administration of rights by defined system administrators Password guidelines, incl. password length and changing passwords Secure storage of data storage media Proper destruction of data storage media (DIN 66399) Logging of destruction Miscellaneous:

Data Usage Control / Data Storage Media Control. Memory Control Prevention of unauthorized reading, copying, changing or erasure of data storage media (data storage media control). Prevention of unauthorized entry of Personal Information and unauthorized access to it, changing and deleting saved Personal Information (memory control). Ensuring that the parties authorized to use an automated processing system only have access to the Personal Information appropriate for their access authorization (e.g. through authorization concepts, passwords, regulations for leaving the company C-BRTA and for moving employees to other departments) (data usage control). The following technical and organizational measures have been implemented by the Operator for the processing of Personal Information described in this Agreement / Addendum: Roles and authorizations based on a “need to know principle” Number of administrators reduced to only the “essentials” Logging of access to applications, in particular the entry, change and erasure of data Physical erasure of data storage media before reuse Use of shredders or service providers Administration of rights by defined system administrators Password guidelines, incl. password length and changing passwords Secure storage of data storage media Proper destruction of data storage media (DIN 66399) Logging of destruction Miscellaneous:destruction