Common use of Information Security and Data Protection Clause in Contracts

Information Security and Data Protection. Each Party shall perform its obligations under this Agreement utilising security technologies and techniques in accordance with Applicable Laws and Good Industry Practice, including those relating to the prevention and detection of inappropriate use or access of Infrastructure or information including Personal Information and Confidential Information. Without limiting the generality of the foregoing, each Party shall implement and/or use network management and maintenance applications and tools and appropriate intrusion prevention, intrusion detection, identity management, and encryption technologies where reasonable and appropriate to do so. Each Party acknowledges the sensitive nature of the Personal Information to be exchanged under this Agreement and that where applicable some of the Personal Information may constitute Special Personal Information). Each Party shall ensure that its Staff shall not — Process the Personal Information in any manner or for any purpose other than to the extent strictly necessary to perform its obligations under this Agreement; and/or cause another Party to breach or contravene any applicable Data Protection Legislation or other Applicable Law. Each Party must notify the other Party immediately in the event of non-compliance or breach of any applicable Data Protection Legislation, who will in turn notify any affected Parties affected, in accordance with internal procedures. The Parties specifically record that all the Personal Information disclosed by a Party shall constitute Confidential Information of such Party. Each Party warrants and undertakes in favour of each of the other Parties that it shall at all times strictly comply with all Data Protection Legislation which may be in force from time to time. Without derogating from or limiting its further obligations in this Agreement, each Party further warrants that it shall ensure that all Infrastructure which it uses to provide, exchange or access any Personal Information, including all Infrastructure on which the Personal Information is Processed shall at all times be of a minimum standard required by Applicable Laws and Good Industry Practice. Neither Party shall transfer or Process any Personal Information of the other Party across the border of South Africa without the prior written consent of the Party and Data Subject who disclosed such Personal Information. Each Party shall take all reasonable and appropriate precautions necessary (having regard to Good Industry Practice, the requirements of Applicable Laws and the Parties' obligations under this Agreement) to preserve the integrity of the Personal Information and to prevent any unauthorised access, use, corruption or loss of the Personal Information in its possession or under its control or that of its Staff. In order to give effect to the provisions of clause , each Party shall — establish and maintain appropriate safeguards and verify that such safeguards are effectively implemented and are operating effectively; conduct its own regular assessments to identify all reasonably foreseeable internal and external risks to the Personal Information in its possession or control ("Data Risk Assessments"); update and align its safeguards with the risks identified during and/or pursuant to Data Risk Assessments; verify that the updated and aligned safeguards are effectively implemented; and generally ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards and to remain current with Good Industry Practice. The obligations in this clause shall also apply to and extend to any Personal Information disclosed or received by a Party prior to the signature date of this Agreement. Each Party warrants that, where it discloses Personal Information to the other Party, that it has obtained the necessary consent of the relevant Data Subject whose Personal Information it is disclosing under this Agreement and/or is otherwise authorised to make such disclosure to the other Party in accordance with Data Protection Legislation. All SANBS specific data collected and processed by the Service Provider in the performance of its obligations under this Agreement shall remain the property of SANBS and shall be delivered to SANBS upon termination or expiry of this Agreement. SANBS hereby grants the Service Provider the right to use such SANBS specific data for purposes of complying with its obligations under this Agreement. Where the Service Provider is required to Process any Personal Information belonging to SANBS, its customers, employees, patients, agents and/or any other member of SANBS Committee (both acting as responsible parties as defined in POPI), the Service Provider agrees to – act only in accordance with SANBS’ instructions; and use appropriate technical and organisational measures to protect the Personal Information against unauthorised or unlawful Processing and against accidental loss, destruction, damage, theft, use or disclosure.

Information Security and Data Protection. Each Party shall perform its obligations under this Agreement utilising security technologies and techniques in accordance with Applicable Laws and Good Industry Practice, including those relating to the prevention and detection of inappropriate use or access of Infrastructure or information including Personal Information and Confidential Information. Without limiting the generality of the foregoing, each Party shall implement and/or use network management and maintenance applications and tools and appropriate intrusion prevention, intrusion detection, identity management, and encryption technologies where reasonable and appropriate to do so. Each Party acknowledges the sensitive nature of the Personal Information to be exchanged under this Agreement and that where applicable some of the Personal Information may constitute Special Personal Information). Each Party shall ensure that its Staff shall not — Process the Personal Information in any manner or for any purpose other than to the extent strictly necessary to perform its obligations under this Agreement; and/or cause another Party to breach or contravene any applicable Data Protection Legislation or other Applicable Law. Each Party must notify the other Party immediately in the event of non-compliance or breach of any applicable Data Protection Legislation, who will in turn notify any affected Parties affected, in accordance with internal procedures. The Parties specifically record that all the Personal Information disclosed by a Party shall constitute Confidential Information of such Party. Each Party warrants and undertakes in favour of each of the other Parties that it shall at all times strictly comply with all Data Protection Legislation which may be in force from time to time. Without derogating from or limiting its further obligations in this Agreement, each Party further warrants that it shall ensure that all Infrastructure which it uses to provide, exchange or access any Personal Information, including all Infrastructure on which the Personal Information is Processed shall at all times be of a minimum standard required by Applicable Laws and Good Industry Practice. Neither Party shall transfer or Process any Personal Information of the other Party across the border of South Africa without the prior written consent of the Party and Data Subject who disclosed such Personal Information. Each Party shall take all reasonable and appropriate precautions necessary (having regard to Good Industry Practice, the requirements of Applicable Laws and the Parties' obligations under this Agreement) to preserve the integrity of the Personal Information and to prevent any unauthorised access, use, corruption or loss of the Personal Information in its possession or under its control or that of its Staff. In order to give effect to the provisions of clause 3, each Party shall — establish and maintain appropriate safeguards and verify that such safeguards are effectively implemented and are operating effectively; conduct its own regular assessments to identify all reasonably foreseeable internal and external risks to the Personal Information in its possession or control ("Data Risk Assessments"); update and align its safeguards with the risks identified during and/or pursuant to Data Risk Assessments; verify that the updated and aligned safeguards are effectively implemented; and generally ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards and to remain current with Good Industry Practice. The obligations in this clause 3 shall also apply to and extend to any Personal Information disclosed or received by a Party prior to the signature date of this Agreement. Each Party warrants that, where it discloses Personal Information to the other Party, that it has obtained the necessary consent of the relevant Data Subject whose Personal Information it is disclosing under this Agreement and/or is otherwise authorised to make such disclosure to the other Party in accordance with Data Protection Legislation. All SANBS specific data collected and processed by the Service Provider in the performance of its obligations under this Agreement shall remain the property of SANBS and shall be delivered to SANBS upon termination or expiry of this Agreement. SANBS hereby grants the Service Provider the right to use such SANBS specific data for purposes of complying with its obligations under this Agreement. Where the Service Provider is required to Process any Personal Information belonging to SANBS, its customers, employees, patients, agents and/or any other member of SANBS Committee (both acting as responsible parties as defined in POPI), the Service Provider agrees to – act only in accordance with SANBS’ instructions; and use appropriate technical and organisational measures to protect the Personal Information against unauthorised or unlawful Processing and against accidental loss, destruction, damage, theft, use or disclosure.

Information Security and Data Protection. Each Party shall perform its obligations under this Agreement utilising security technologies and techniques in accordance with Applicable Laws and Good Industry Practice, including those relating to the prevention and detection of inappropriate use or access of Infrastructure or information including Personal Information and Confidential Information. Without limiting the generality of the foregoing, each Party shall implement and/or use network management and maintenance applications and tools and appropriate intrusion prevention, intrusion detection, identity management, and encryption technologies where reasonable and appropriate to do so. Each Party acknowledges the sensitive nature of the Personal Information to be exchanged under this Agreement and that where applicable some of the Personal Information may constitute Special Personal Information). Each Party shall ensure that its Staff shall not — Process the Personal Information in any manner or for any purpose other than to the extent strictly necessary to perform its obligations under this Agreement; and/or cause another Party to breach or contravene any applicable Data Protection Legislation or other Applicable Law. Each Party must notify the other Party immediately in the event of non-compliance or breach of any applicable Data Protection Legislation, who will in turn notify any affected Parties affected, in accordance with internal procedures. The Parties specifically record that all the Personal Information disclosed by a Party shall constitute Confidential Information of such Party. Each Party warrants and undertakes in favour of each of the other Parties that it shall at all times strictly comply with all Data Protection Legislation which may be in force from time to time. Without derogating from or limiting its further obligations in this Agreement, each Party further warrants that it shall ensure that all Infrastructure which it uses to provide, exchange or access any Personal Information, including all Infrastructure on which the Personal Information is Processed shall at all times be of a minimum standard required by Applicable Laws and Good Industry Practice. Neither Party shall transfer or Process any Personal Information of the other Party across the border of South Africa without the prior written consent of the Party and Data Subject who disclosed such Personal Information. Each Party shall take all reasonable and appropriate precautions necessary (having regard to Good Industry Practice, the requirements of Applicable Laws and the Parties' obligations under this Agreement) to preserve the integrity of the Personal Information and to prevent any unauthorised access, use, corruption or loss of the Personal Information in its possession or under its control or that of its Staff. In order to give effect to the provisions of clause , each Party shall — establish and maintain appropriate safeguards and verify that such safeguards are effectively implemented and are operating effectively; conduct its own regular assessments to identify all reasonably foreseeable internal and external risks to the Personal Information in its possession or control ("Data Risk Assessments"); update and align its safeguards with the risks identified during and/or pursuant to Data Risk Assessments; verify that the updated and aligned safeguards are effectively implemented; and generally ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards and to remain current with Good Industry Practice. The obligations in this clause shall also apply to and extend to any Personal Information disclosed or received by a Party prior to the signature date of this Agreement. Each Party warrants that, where it discloses Personal Information to the other Party, that it has obtained the necessary consent of the relevant Data Subject whose Personal Information it is disclosing under this Agreement and/or is otherwise authorised to make such disclosure to the other Party in accordance with Data Protection Legislation. All SANBS specific data collected and processed Processed by the Service Provider Counterparty in the performance of its obligations under this Agreement shall remain the property of SANBS and shall be delivered to SANBS upon termination or expiry of this Agreement. SANBS hereby grants the Service Provider Counterparty the right to use such SANBS specific data for purposes of complying with its obligations under this Agreement. Where the Service Provider Counterparty is required to Process any Personal Information belonging to SANBS, its customers, employees, patients, agents and/or any other member of SANBS Committee (both acting as responsible parties as defined in POPI), the Service Provider Counterparty agrees to – act only in accordance with SANBS’ instructions; and use appropriate technical and organisational measures to protect the Personal Information against unauthorised or unlawful Processing and against accidental loss, destruction, damage, theft, use or disclosure. Notwithstanding any other provision in this Agreement, this clause shall survive any termination, cancellation or expiration of this Agreement.