Common use of Obligations of Processor Clause in Contracts

Obligations of Processor. Processor must process personal data only in accordance with prior arrangements and the instructions of Controller, unless required to otherwise process the data by European Union or Member State law to which Processor is subject (such as investigations by law enforcement or national security agencies); in such a case, Processor must inform the Controller of these legal requirements prior to processing the data, unless the relevant law prohibits such information on important grounds of public interest (Article 28 (3) sentence 2 (a) GDPR). Processor may not use the personal data provided for processing for any other purpose, particularly for its own purposes. Copies or duplicates of the personal data must not be created without Controller’s knowledge. Processor guarantees performance of all the agreed measures for commissioned processing of personal data. Processor guarantees that the data processed for Controller will be strictly separated from other data. Processor must carry out, at a minimum, the following controls on all data processing performed on Controller’s behalf: Data availability control through, at a minimum, daily data backups Processor must cooperate to the extent necessary and adequately assist Controller as much as possible in fulfilling the rights of the data subjects per Art. 12 to 22 GDPR, preparing directories of processing activities and conducting the required data protection impact assessments (Article 28 (3) sentence 2 (e) and (f) GDPR). Processor must forward all information required for these purposes immediately to the following parties at the Controller: The authorized instruction giver named in section 4 Processor must notify Controller immediately if, in its opinion, an instruction given by Controller violates legal provisions (Article 28 (3) sentence 3 GDPR). Processor has the right to suspend the execution of the relevant instruction until it has been confirmed or changed by Controller after verification. Processor must correct, delete or limit the processing of personal data under the contractual relationship if Controller instructs Processor to do so and doing so does not go against the legitimate interests of Processor. Processor may only share information about personal data under the contractual relationship with third parties or the data subject after prior instruction or approval by Controller. Processor hereby agrees that Controller is entitled, generally by appointment, to check compliance with the provisions on data protection and data security as well as the contractual agreements, or to hire a third party to do so, to the appropriate and necessary extent, including but not limited to by obtaining information and access to the stored data and data processing programs as well as through on-site audits and inspections (Art. 28 (3) sentence 2 (h) GDPR). Processor assures that it will support such checks to the extent necessary. The processing of data in remote/home-office employees of Processor is permitted only with the consent of Controller. To the extent that data is processed in the described manner, this was previously regulated in a separate agreement between BHS Corrugated and the respective employees. The measures under Art. 32 GDPR are to be ensured in this case as well. The processor confirms that he is familiar with the relevant data protection regulations of the GDPR for the contract data processing. Processor agrees to maintain confidentiality in the commissioned processing of Controller’s personal data. This obligation continues after the end of the Agreement. Processor guarantees that it will familiarize employees involved in the execution of the work with the data protection rules relevant to their job before commencing the activity and require them to maintain confidentiality during as well as after termination of their employment (Art. 28 (3) sentence 2 (b) and Art. 29 GDPR). Processor will supervise compliance with the data protection regulations within its operation. The following person is the designated data protection officer for Processor: Last name, first name: Xx. Xxxxxx, Sebastian Organizational unit: IITR GmbH Contact information: Tel: +00 00 0000 0000, E-Mail: xxxxxxx@xxxx.xx Any changes in the identity of the data protection officer are to be communicated to Controller immediately.

Obligations of Processor. Processor must process personal data only in accordance with prior arrangements and the instructions of Controller, unless required to otherwise process the data by European Union or Member State law to which Processor is subject (such as investigations by law enforcement or national security agencies); in such a case, Processor must inform the Controller of these legal requirements prior to processing the data, unless the relevant law prohibits such information on important grounds of public interest (Article 28 (3) sentence 2 (a) GDPR). Processor may not use the personal data provided for processing for any other purpose, particularly for its own purposes. Copies or duplicates of the personal data must not be created without Controller’s knowledge. Processor guarantees performance of all the agreed measures for commissioned processing of personal data. Processor guarantees that the data processed for Controller will be strictly separated from other data. Processor must carry out, at a minimum, the following controls on all data processing performed on Controller’s behalf: Here the duties of the processor are entered. If the processor processes the data (on his systems), then the top and, if necessary, the middle selection should be ticked. If the processor processes the data on the client's system, then the middle selection should be ticked. Additional obligations can be defined in the lower selection, as long as the type of data processing requires it. However, this is usually not mandatory. Data availability control through, at a minimum, daily data backups Plausibility control of processing results The result of these controls must be documented. Processor must cooperate to the extent necessary and adequately assist Controller as much as possible in fulfilling fulfilling the rights of the data subjects per Art. 12 to 22 GDPR, preparing directories of processing activities and conducting the required data protection impact assessments (Article 28 (3) sentence 2 (e) and (f) GDPR). Processor must forward all information required for these purposes immediately to the following parties at the Controller: The authorized instruction giver named in section 4 4. Processor must notify Controller immediately if, in its opinion, an instruction given by Controller violates legal provisions (Article 28 (3) sentence 3 GDPR). Processor has the right to suspend the execution of the relevant instruction until it has been confirmed confirmed or changed by Controller after verificationverification. Processor must correct, delete or limit the processing of personal data under the contractual relationship if Controller instructs Processor to do so and doing so does not go against the legitimate interests of Processor. Processor may only share information about personal data under the contractual relationship with third parties or the data subject after prior instruction or approval by Controller. Processor hereby agrees that Controller is entitled, generally by appointment, to check compliance with the provisions on data protection and data security as well as the contractual agreements, or to hire a third party to do so, to the appropriate and necessary extent, including but not limited to by obtaining information and access to the stored data and data processing programs as well as through on-site audits and inspections (Art. 28 (3) sentence 2 (h) GDPR). Processor assures that it will support such checks to the extent necessary. The processing of data in private homes (remote/home-office office employees of Processor Processor) is permitted only with the consent of Controller. To the extent that data is processed in a private home, access to the described manner, this was previously regulated in a separate agreement between BHS Corrugated and employee’s home for control purposes by the respective employeesemployer must first be contractually secured. The measures under Art. 32 GDPR are to be ensured in this case as well. The processor confirms Processor confirms that he it is familiar with aware of the relevant data protection regulations rules of the GDPR for the contract relevant to commissioned data processing. Processor also agrees to observe the following secrecy protection rules relevant to this Agreement, which are the responsibility of Controller: Telecommunications secrecy according to the German Telecommunications Act (TKG) and the Telemedia Act (TMG) Processor agrees to maintain confidentiality confidentiality in the commissioned processing of Controller’s personal data. This obligation continues after the end of the Agreement. Processor guarantees that it will familiarize employees involved in the execution of the work with the data protection rules relevant to their job before commencing the activity and require them to maintain confidentiality confidentiality during as well as after termination of their employment (Art. 28 (3) sentence 2 (b) and Art. 29 GDPR). Processor will supervise compliance with the data protection regulations within its operation. The following person is the designated data protection officer officer for Processor: Last name, first name: Xx. XxxxxxXxxxxxxxx Xxxxxx IITR Datenschutz GmbH, Sebastian Organizational unit: IITR GmbH Contact information: Tel: Xxxxxxxxxxx 0, 00000 Xxxxxxx +00 00 0000 0000, E-Mail: xxxxxxx@xxxx.xx 0000 xxxxx@xxxx.xx Any changes in the identity of the data protection officer officer are to be communicated to Controller immediately.

Obligations of Processor. Processor must process personal data only in accordance with prior arrangements and the instructions of Controller, unless required to otherwise process the data by European Union or Member State law to which Processor is subject (such as investigations by law enforcement or national security agencies); in such a case, Processor must inform the Controller of these legal requirements prior to processing the data, unless the relevant law prohibits such information on important grounds of public interest (Article 28 (3) sentence 2 (a) GDPR). Processor may not use the personal data provided for processing for any other purpose, particularly for its own purposes. Copies or duplicates of the personal data must not be created without Controller’s knowledge. Processor guarantees performance of all the agreed measures for commissioned processing of personal data. Processor guarantees that the data processed for Controller will be strictly separated from other data. Processor must carry out, at a minimum, the following controls on all data processing performed on Controller’s behalf: Data availability control through, at a minimum, daily data backups Processor must cooperate to the extent necessary and adequately assist Controller as much as possible in fulfilling the rights of the data subjects per Art. 12 to 22 GDPR, preparing directories of processing activities and conducting the required data protection impact assessments (Article 28 (3) sentence 2 (e) and (f) GDPR). Processor must forward all information required for these purposes immediately to the following parties at the Controller: The authorized instruction giver named in section 4 Processor must notify Controller immediately if, in its opinion, an instruction given by Controller violates legal provisions (Article 28 (3) sentence 3 GDPR). Processor has the right to suspend the execution of the relevant instruction until it has been confirmed or changed by Controller after verification. Processor must correct, delete or limit the processing of personal data under the contractual relationship if Controller instructs Processor to do so and doing so does not go against the legitimate interests of Processor. Processor may only share information about personal data under the contractual relationship with third parties or the data subject after prior instruction or approval by Controller. Processor hereby agrees that Controller is entitled, generally by appointment, to check compliance with the provisions on data protection and data security as well as the contractual agreements, or to hire a third party to do so, to the appropriate and necessary extent, including but not limited to by obtaining information and access to the stored data and data processing programs as well as through on-site audits and inspections (Art. 28 (3) sentence 2 (h) GDPR). Processor assures that it will support such checks to the extent necessary. The processing of data in remote/home-office employees of Processor is permitted only with the consent of Controller. To the extent that data is processed in the described manner, this was previously regulated in a separate agreement between BHS Corrugated and the respective employees. The measures under Art. 32 GDPR are to be ensured in this case as well. The processor confirms that he is familiar with the relevant data protection regulations of the GDPR for the contract data processing. Processor agrees to maintain confidentiality in the commissioned processing of Controller’s personal data. This obligation continues after the end of the Agreement. Processor guarantees that it will familiarize employees involved in the execution of the work with the data protection rules relevant to their job before commencing the activity and require them to maintain confidentiality during as well as after termination of their employment (Art. 28 (3) sentence 2 (b) and Art. 29 GDPR). Processor will supervise compliance with the data protection regulations within its operation. The following person is the designated data protection officer for Processor: Last name, first name: Xx. Xxxxxx, Sebastian Xxxxxxxxx Organizational unit: IITR GmbH Contact information: Tel: +00 00 0000 0000, E-Mail: xxxxxxx@xxxx.xx Any changes in the identity of the data protection officer are to be communicated to Controller immediately.

Obligations of Processor. Processor must process personal data only in accordance with prior arrangements and the instructions of Controller, unless required to otherwise process the data by European Union or Member State law to which Processor is subject (such as investigations by law enforcement or national security agencies); in such a case, Processor must inform the Controller of these legal requirements prior to processing the data, unless the relevant law prohibits such information on important grounds of public interest (Article 28 (3) sentence 2 (a) GDPR). Processor may not use the personal data provided for processing for any other purpose, particularly for its own purposes. Copies or duplicates of the personal data must not be created without Controller’s knowledge. Processor guarantees performance of all the agreed measures for commissioned processing of personal data. Processor guarantees that the data processed for Controller will be strictly separated from other data. Processor must carry out, at a minimum, the following controls on all data processing performed on Controller’s behalf: Here the duties of the processor are entered. If the processor processes the data (on his systems), then the top and, if necessary, the middle selection should be ticked. If the processor processes the data on the client's system, then the middle selection should be ticked. Additional obligations can be defined in the lower selection, as long as the type of data processing requires it. However, this is usually not mandatory. Data availability control through, at a minimum, daily data backups Plausibility control of processing results The result of these controls must be documented. Processor must cooperate to the extent necessary and adequately assist Controller as much as possible in fulfilling the rights of the data subjects per Art. 12 to 22 GDPR, preparing directories of processing activities and conducting the required data protection impact assessments (Article 28 (3) sentence 2 (e) and (f) GDPR). Processor must forward all information required for these purposes immediately to the following parties at the Controller: The authorized instruction giver named in section 4 4. Processor must notify Controller immediately if, in its opinion, an instruction given by Controller violates legal provisions (Article 28 (3) sentence 3 GDPR). Processor has the right to suspend the execution of the relevant instruction until it has been confirmed or changed by Controller after verification. Processor must correct, delete or limit the processing of personal data under the contractual relationship if Controller instructs Processor to do so and doing so does not go against the legitimate interests of Processor. Processor may only share information about personal data under the contractual relationship with third parties or the data subject after prior instruction or approval by Controller. Processor hereby agrees that Controller is entitled, generally by appointment, to check compliance with the provisions on data protection and data security as well as the contractual agreements, or to hire a third party to do so, to the appropriate and necessary extent, including but not limited to by obtaining information and access to the stored data and data processing programs as well as through on-site audits and inspections (Art. 28 (3) sentence 2 (h) GDPR). Processor assures that it will support such checks to the extent necessary. The processing of data in private homes (remote/home-office employees of Processor Processor) is permitted only with the consent of Controller. To the extent that data is processed in a private home, access to the described manner, this was previously regulated in a separate agreement between BHS Corrugated and employee’s home for control purposes by the respective employeesemployer must first be contractually secured. The measures under Art. 32 GDPR are to be ensured in this case as well. The processor Processor confirms that he it is familiar with aware of the relevant data protection regulations rules of the GDPR for the contract relevant to commissioned data processing. Processor also agrees to observe the following secrecy protection rules relevant to this Agreement, which are the responsibility of Controller: Telecommunications secrecy according to the German Telecommunications Act (TKG) and the Telemedia Act (TMG) Processor agrees to maintain confidentiality in the commissioned processing of Controller’s personal data. This obligation continues after the end of the Agreement. Processor guarantees that it will familiarize employees involved in the execution of the work with the data protection rules relevant to their job before commencing the activity and require them to maintain confidentiality during as well as after termination of their employment (Art. 28 (3) sentence 2 (b) and Art. 29 GDPR). Processor will supervise compliance with the data protection regulations within its operation. The following person is the designated data protection officer for Processor: Last name, first name: Xx. XxxxxxXxxxxxxxx Xxxxxx IITR Datenschutz GmbH, Sebastian Organizational unit: IITR GmbH Contact information: Tel: Xxxxxxxxxxx 0, 00000 Xxxxxxx +00 00 0000 0000, E-Mail: xxxxxxx@xxxx.xx 0000 xxxxx@xxxx.xx Any changes in the identity of the data protection officer are to be communicated to Controller immediately.

Obligations of Processor. Processor must process personal data MentorcliQ shall treat Personal Data as Confidential Information and shall only Process Personal Data on behalf of and in accordance with prior arrangements and Controller’s documented instructions for the instructions of Controller, unless required to otherwise process the data by European Union or Member State law to which Processor is subject (such as investigations by law enforcement or national security agencies); in such a case, Processor must inform the Controller of these legal requirements prior to processing the data, unless the relevant law prohibits such information on important grounds of public interest (Article 28 (3) sentence 2 following purposes: (a) Processing in accordance with the Agreement and applicable Order Form(s) or Statement(s) of Work; (b) Processing initiated by Data Subjects in their use of the Services; and (c) Processing t o comply with other documented reasonable instructions provided by Controller (e.g., via email) where such instructions are consistent with the terms of the Agreement and otherwise lawful. Processor shall take the appropriate technical and organizational measures to adequately protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data, described under Schedule 2 to the Standard Contractual Clauses. Processor will facilitate Controller’s compliance with the Controller’s obligation to implement security measures with respect to Personal Data (including if applicable Controller’s obligations pursuant to Articles 32 to 34 (inclusive) of the GDPR), by implementing and maintaining the security measures described under Annex II, complying with the terms relation to Personal Data Breaches below; and providing the Controller with information in relation to the Processing in accordance with Section 5 (Audits). Processor may not use the personal data provided for processing for shall ensure that any other purpose, particularly for personnel whom Processor authorizes to process Personal Data on its own purposes. Copies or duplicates of the personal data must not be created without Controller’s knowledge. Processor guarantees performance of all the agreed measures for commissioned processing of personal data. Processor guarantees behalf has received appropriate training on their responsibilities and is subject to confidentiality obligations with respect to that the data processed for Controller will be strictly separated from other data. Processor must carry out, at a minimum, the following controls on all data processing performed on Controller’s behalf: Data availability control through, at a minimum, daily data backups Processor must cooperate to the extent necessary and adequately assist Controller as much as possible in fulfilling the rights of the data subjects per Art. 12 to 22 GDPR, preparing directories of processing activities and conducting the required data protection impact assessments (Article 28 (3) sentence 2 (e) and (f) GDPR). Processor must forward all information required for these purposes immediately to the following parties at the Controller: The authorized instruction giver named in section 4 Processor must notify Controller immediately if, in its opinion, an instruction given by Controller violates legal provisions (Article 28 (3) sentence 3 GDPR). Processor has the right to suspend the execution of the relevant instruction until it has been confirmed or changed by Controller after verification. Processor must correct, delete or limit the processing of personal data under the contractual relationship if Controller instructs Processor to do so and doing so does not go against the legitimate interests of Processor. Processor may only share information about personal data under the contractual relationship with third parties or the data subject after prior instruction or approval by Controller. Processor hereby agrees that Controller is entitled, generally by appointment, to check compliance with the provisions on data protection and data security as well as the contractual agreements, or to hire a third party to do so, to the appropriate and necessary extent, including but not limited to by obtaining information and access to the stored data and data processing programs as well as through on-site audits and inspections (Art. 28 (3) sentence 2 (h) GDPR). Processor assures that it will support such checks to the extent necessaryPersonal Data. The processing of data in remote/home-office employees of Processor is permitted only with the consent of Controller. To the extent that data is processed in the described manner, this was previously regulated in a separate agreement between BHS Corrugated and the respective employees. The measures under Art. 32 GDPR are undertaking to be ensured in this case as well. The processor confirms that he is familiar with the relevant data protection regulations of the GDPR for the contract data processing. Processor agrees to maintain confidentiality in the commissioned processing of Controller’s personal data. This obligation continues shall continue after the end termination of the Agreement. Processor guarantees shall ensure that it will familiarize employees involved its access to the Personal Data is limited to those personnel performing Services in the execution of the work accordance with the data protection rules relevant to their job before commencing the activity and require them to maintain confidentiality during as well as after termination of their employment (Art. 28 (3) sentence 2 (b) and Art. 29 GDPR)Agreement. Processor will supervise compliance notify the Controller within 48 hours after it becomes aware of any of any Personal Data Breach affecting any Personal Data. Processor will provide the Controller with all reasonable assistance necessary to enable the Controller to notify relevant Personal Data Breaches to competent authorities and/or affected Data Subjects, if Controller is required to do so under the Data Protection Law. Processor shall be entitled to engage Sub-Processors to fulfil Processor’s obligations defined in the Agreement only with Controller’s written consent. For these purposes, Controller consents to the engagement as sub-Processors of Processor’s affiliated companies and the third parties listed in Annex III. For the avoidance of doubt, the above authorization constitutes Controller’s prior written consent to the Sub- Processing by Processor for purposes of Clause 7.7 of the Standard Contractual Clauses. Where Processor engages Sub-Processors, Processor will enter into a contract with the Sub-Processor that imposes on the Sub-Processor the same obligations that apply to Processor under this DPA. Where the Sub-Processor fails to fulfil its data protection regulations within its operationobligations, Processor will remain liable to the Controller for the performance of such Sub-Processors obligations. Controller acknowledges and agrees that, in connection with the performance of the Services under the Agreement, Personal Data will be transferred to MentorcliQ in the United States, unless otherwise specified in applicable Order Form(s) or Statement(s) of Work. MentorcliQ. Is a part of the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks, in order to implement appropriate safeguards for such transfers pursuant to Article 46 of the GDPR. The following person Standard Contractual Clauses at Schedule 2 will apply with respect to Personal Data that is transferred outside the designated EEA, either directly or via onward transfer, to any country not recognized by the European Commission as providing an adequate level of protection for personal data protection officer for Processor: Last name, first name: Xx. Xxxxxx, Sebastian Organizational unit: IITR GmbH Contact information: Tel: +00 00 0000 0000, E-Mail: xxxxxxx@xxxx.xx Any changes (as described in the identity Data Protection Law). Other than to the extent required to comply with Data Protection Law, following termination or expiry of the Agreement, Processor will return data protection officer are to be communicated the Controller in a mutually agreeable format (e.g. .csv flat-file) and delete all Personal Data (including copies thereof) Processed pursuant to Controller immediatelythis DPA.