OBLIGATIONS OF THE DATA PROCESSOR. 4.1. The Parties agree that the subject-matter of Processing performed by Data Processor under this DP Agreement, including the nature and purpose of Processing, the type of Personal Data, and categories of Data Subjects, shall be as described in Schedule 1 and Schedule 2 of this DP Agreement.
4.2. As part of Data Processor providing the Service to Data Controller under the Agreement, Data Processor agrees and declares as follows:
4.2.1. to process Personal Data in accordance with Data Controller's documented instructions as set out in the Agreement and this DP Agreement or as otherwise necessary to provide the Service, except where required otherwise by applicable laws (and provided such laws do not conflict with Data Protection Law); in such case, Data Processor shall inform Data Controller of that legal requirement upon becoming aware of the same (except where prohibited by applicable laws);
4.2.2. to ensure that all staff and management are fully aware of their responsibilities to protect Personal Data in accordance with this DP Agreement and have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
4.2.3. to implement and maintain appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access (a "Data Security Breach"), provided that such measures shall take into account the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, so as to ensure a level of security appropriate to the risks represented by the Processing and the nature of the Data to be protected;
4.2.4. to notify Data Controller, without undue delay, in the event of a confirmed Data Security Breach affecting Data Controller's Data and to cooperate with Data Controller as necessary to mitigate or remediate the Data Security Breach;
4.2.5. to comply with the requirements of Clause 5 (Use of Sub-processors) when engaging a Sub-processor;
4.2.6. taking into account the nature of the Processing, to assist Data Controller (including by appropriate technical and organisational measures), insofar as it is commercially reasonable, to fulfil Data Controller's obligation to respond to requests from Data Subjects to exercise their rights under Data Protection Law (a "Data Subject Request"). In the event Data Processor receives a Data Subject Request directly from a Data Subject, it shall (unless prohibited by law) direct the Data Subject to the Data Controller in the first instance. However, in the event Data Controller is unable to address the Data Subject Request, taking into account the nature of the Processing, the complexity and frequency of the request(s), and the information available to Data Processor, Data Processor, shall, on Data Controller's request and at Data Controller's reasonable expense, address the Data Subject Request, as required under the Data Protection Law;
4.2.7. upon request, to provide Data Controller with commercially reasonable information and assistance, taking into account the nature of the Processing and the information available to Data Processor, to help Data Controller to conduct any data protection impact assessment or Supervisor consultation it is required to conduct under Data Protection Law;
4.2.8. upon termination of Data Controller's access to and use of the Service, to comply with the requirements of Clause 9 of this DP Agreement (Return and Destruction of Personal Data);
4.2.9. to comply with the requirements of Clause 6 of this DP Agreement (Audit) in order to make available to Data Controller information that demonstrates Data Processor’s compliance with this DP Agreement; and
4.2.10. to appoint a security officer who will act as a point of contact for Data Controller, and coordinate and control compliance with this DP Agreement, including the Security Measures.
4.3. Data Processor shall immediately inform Data Controller if, in its opinion, Data Controller's Processing instructions infringe any law or regulation. In such event, Data Processor is entitled to refuse Processing of Personal Data that it believes to be in violation of any law or regulation.
Appears in 2 contracts
Sources: PPL Terms and Conditions, PPL Terms and Conditions for Customers
OBLIGATIONS OF THE DATA PROCESSOR. 4.16.1. The Parties agree that For the subject-matter purposes of Processing performed by Data Processor under this DP Agreement, including the nature and purpose of Processing, the type correct processing of Personal Data, and categories of Data Subjects, shall be as described in Schedule 1 and Schedule 2 of this DP Agreement.
4.2. As part of the Data Processor providing the Service to Data Controller under the Agreement, Data Processor agrees and declares as followsundertakes to:
4.2.1. a) carry out any Personal Data processing operation in compliance with the applicable regulations relating to process the protection of personal data, including the principles referred to in chapter II of the Regulation (articles 5-11);
b) carry out the processing of Personal Data in accordance with Data Controller's documented instructions as set out in the implementation of this Framework Agreement and this DP Agreement or for the purposes relative to the provision of the services therein referred to, for the time period strictly necessary for the performance of the above mentioned purposes as otherwise necessary well as the purposes strictly linked and instrumental to provide the Servicemanagement of technical issues linked thereto;
c) guarantee the full compliance with the obligations imposed by the Regulation directly onto the Data Processor, except including by way of example, the obligation to hold a register of the operations carried out on behalf of the Data Controller pursuant to article 30, paragraph 2 of the Regulation and, where required otherwise by applicable laws (and provided such laws do not conflict with required, the requirement to appoint a Data Protection Law); in such caseOfficer pursuant to article 37, Data Processor shall inform Data Controller of that legal requirement upon becoming aware paragraph 1 of the same (except where prohibited by applicable laws)Regulations;
4.2.2. to ensure that all staff and management are fully aware d) in compliance with article 32 of their responsibilities to protect Personal Data in accordance with this DP Agreement and have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
4.2.3. to the Regulation, implement and maintain appropriate technical and organisational measures to protect guarantee an adequate level of security for the processing operations carried out on behalf of the Data Controller, as well as cooperate with the latter by providing the same with the information and documentation required by the same in order to assess and check from time to time that the Data Processor has adopted technical and administrative measures;
e) in the performance of the data processing operations on behalf of the Data Controller, follow the provisions and instructions included in this Data Processing Agreement;
f) in relation to the collection of Personal Data against accidental from data subjects, where required, the Data Processor ensures this is done in compliance with the specific procedures agreed with the Data Controller in order to guarantee that the collection of Personal Data and their subsequent processing comply with the law (e.g. privacy policy and requests of consent for the processing of data provided by the Data Controller; tracing and archiving of consents given by the data subjects);
g) with the exclusion of cases strictly necessary for the provision of Services, not to disclose or unlawful destruction share Personal Data with third parties without the previous written consent of the Data Controller and to adopt the organisational and technical measures necessary to ensure the maximum confidentiality of the Personal Data acquired and used in the performance of the activities object of this designation;
h) not transfer the Personal Data outside of the European Union, directly or accidental lossindirectly (possibly through third party suppliers that have been authorised in writing by the Data Controller) without the previous written consent of the Data Controller and in compliance with the general principles and conditions applicable to the transfer required by chapter V of the Regulation, alteration, unauthorized disclosure or access (a "notifying the Data Security Breach"), provided that such Controller of the measures shall take into account adopted in order to ensure an adequate level of protection for the costs of implementation transferred data and the naturerights of the data subjects (for example, scopeadequacy decisions, context type of clauses, binding regulations on the company, code of conduct, certification, etc.);
i) guarantee that access to Personal Data by personnel takes place only on the basis of the principle of need and that the processing operations linked to the execution of the Framework Agreement are carried out only by authorised persons acting on the authority of the Data Processor on the basis of adequate instructions;
j) adequately train authorised persons, tasked with the execution of the Framework Agreement, providing the same with precise instructions and supervising their compliance to the same. The updated list of personnel authorised to process Personal Data will be made available to the Data Controller on request from the latter;
k) guarantee that all physical persons (employees and/or collaborators) authorised to process personal data for the above stated purposes are committed to confidentiality or have a legal obligation to confidentiality;
l) regularly adopt, update and assess all the technical and organisational measures necessary to guarantee an adequate level of Processingrisk, in compliance with the provisions of article 32 of the Regulation, as well as the risk further measures provided for by article 10 of varying likelihood and severity for this Data Processing Agreement;
m) designate, where applicable, the rights and freedoms of natural persons, so as Union Representative pursuant to ensure a level of security appropriate to the risks represented by the Processing and the nature article 27 of the Regulation; n) cooperate with the Data Controller on the implementation of any further measure that becomes necessary in order to be protectedguarantee compliance of the Personal Data processing with the applicable provisions;
4.2.4. to notify Data Controller, o) without undue delaydelay and in any case no later than 24 hours from the time it has become aware of it, in notify the event Data Controller of a confirmed Data Security Breach affecting Data Controller's Data any breach of personal data and to cooperate with Data Controller as necessary to mitigate or remediate the Data Security Breach;
4.2.5. to comply with the requirements of Clause 5 (Use of Sub-processors) when engaging a Sub-processor;
4.2.6. taking into account the nature of the Processing, to assist Data Controller (including by appropriate technical and organisational measures), insofar as it is commercially reasonable, to fulfil Data Controller's obligation to respond to requests from Data Subjects to exercise their rights under Data Protection Law (a "Data Subject Request"). In the event Data Processor receives a Data Subject Request directly from a Data Subject, it shall (unless prohibited by law) direct the Data Subject to the Data Controller in relation to the first instance. However, in analysis and assessments to carry out for the event Data Controller is unable to address the Data Subject Request, taking into account the nature purposes of the Processing, notification to the complexity and frequency supervisory authority pursuant to article 33 of the request(s), Regulation and of the information available communication to Data Processor, Data Processor, shall, on Data Controller's request and at Data Controller's reasonable expense, address data subjects pursuant to article 34 of the Data Subject RequestRegulation, as required under well as for the Data Protection Law;
4.2.7. upon request, to provide Data Controller with commercially reasonable information and assistance, taking into account the nature preparation of the Processing and the information available to Data Processor, to help Data Controller to conduct any data protection impact assessment or Supervisor consultation it is required to conduct under Data Protection Law;
4.2.8. upon termination of Data Controller's access to and use of the Service, to comply with the requirements of Clause 9 of this DP Agreement (Return and Destruction of Personal Data);
4.2.9. to comply with the requirements of Clause 6 of this DP Agreement (Audit) in order to make available to Data Controller information that demonstrates Data Processor’s compliance with this DP Agreement; and
4.2.10. to appoint a security officer who will act as a point of contact for Data Controller, and coordinate and control compliance with this DP Agreementrelative documentation, including the Security Measures.notification pursuant to article 35, paragraph 3;
4.3. p) keep the Data Controller informed in writing, on written request from the latter, of details relative to compliance with the applicable provisions and this Data Processing Agreement;
q) the Data Processor shall immediately inform notifies, without delay, the Data Controller if, in its opinion, Data Controller's Processing instructions infringe any law or regulation. In such event, Data Processor is entitled to refuse Processing of Personal Data that it believes to be in violation of any law or regulationissue relevant for the purposes of this Data Processing Agreement, such as, simply by way of example: - Requests from the Authority; - Outcomes of inspections; - Request of access to data by public authorities.
Appears in 2 contracts
Sources: Framework Agreement, Framework Agreement
OBLIGATIONS OF THE DATA PROCESSOR. 4.16.1. The Parties agree that For the subject-matter purposes of Processing performed by Data Processor under this DP Agreement, including the nature and purpose of Processing, the type correct processing of Personal Data, and categories of Data Subjects, shall be as described in Schedule 1 and Schedule 2 of this DP Agreement.
4.2. As part of the Data Processor providing the Service to Data Controller under the Agreement, Data Processor agrees and declares as followsundertakes to:
4.2.1. a) carry out any Personal Data processing operation in compliance with the applicable regulations relating to process the protection of personal data, including the principles referred to in chapter II of the Regulation (articles 5-11);
b) carry out the processing of Personal Data in accordance with Data Controller's documented instructions as set out in the implementation of this Framework Agreement and this DP Agreement or for the purposes relative to the provision of the services therein referred to, for the time period strictly necessary for the performance of the above mentioned purposes as otherwise necessary well as the purposes strictly linked and instrumental to provide the Servicemanagement of technical issues linked thereto;
c) guarantee the full compliance with the obligations imposed by the Regulation directly onto the Data Processor, except including by way of example, the obligation to hold a register of the operations carried out on behalf of the Data Controller pursuant to article 30, paragraph 2 of the Regulation and, where required otherwise by applicable laws (and provided such laws do not conflict with required, the obligation to appoint a Data Protection Law); in such caseOfficer pursuant to article 37, Data Processor shall inform Data Controller of that legal requirement upon becoming aware paragraph 1 of the same (except where prohibited by applicable laws)Regulation;
4.2.2. to ensure that all staff and management are fully aware d) in compliance with article 32 of their responsibilities to protect Personal Data in accordance with this DP Agreement and have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
4.2.3. to the Regulation, implement and maintain appropriate technical and organisational measures to protect guarantee an adequate level of security for the processing operations carried out on behalf of the Data Controller, as well as cooperate with the latter by providing the same with the information and documentation required by the same in order to assess and check from time to time that the Data Processor has adopted technical and administrative measures;
e) in the performance of the data processing operations on behalf of the Data Controller, follow the provisions and instructions included in this Data Processing Agreement;
f) in relation to the collection of Personal Data against accidental from data subjects, where required, the Data Processor ensures this is done in compliance with the specific procedures agreed with the Data Controller in order to guarantee that the collection of Personal Data and their subsequent processing comply with the law (e.g. privacy policy and requests of consent for the processing of data provided by the Data Controller; tracing and archiving of consents given by the data subjects);
g) with the exclusion of cases strictly necessary for the provision of Services, not to disclose or unlawful destruction share Personal Data with third parties without the previous written consent of the Data Controller and to adopt the organisational and technical measures necessary to ensure the maximum confidentiality of the Personal Data acquired and used in the performance of the activities object of this designation;
h) not transfer the Personal Data outside of the European Union, directly or accidental lossindirectly (possibly through third party suppliers that have been authorised in writing by the Data Controller) without the previous written consent of the Data Controller and in compliance with the general principles and conditions applicable to the transfer required by chapter V of the Regulation, alteration, unauthorized disclosure or access (a "notifying the Data Security Breach"), provided that such Controller of the measures shall take into account adopted in order to ensure an adequate level of protection for the costs of implementation transferred data and the naturerights of the data subjects (for example, scopeadequacy decisions, context type of clauses, binding regulations on the company, code of conduct, certification, etc.);
i) guarantee that access to Personal Data by personnel takes place only on the basis of the principle of need and that the processing operations linked to the execution of the Framework Agreement are carried out only by authorised persons acting on the authority of the Data Processor on the basis of adequate instructions;
j) adequately train authorised persons, tasked with the execution of the Framework Agreement, providing the same with precise instructions and supervising their compliance to the same. The updated list of personnel authorised to process Personal Data will be made available to the Data Controller on request from the latter;
k) guarantee that all physical persons (employees and/or collaborators) authorised to process personal data for the above stated purposes are committed to confidentiality or have a legal obligation to confidentiality;
l) regularly adopt, update and assess all the technical and organisational measures necessary to guarantee an adequate level of Processingrisk, in compliance with the provisions of article 32 of the Regulation, as well as the risk further measures provided for by article 10 of varying likelihood and severity for this Data Processing Agreement;
m) designate, where applicable, the rights and freedoms of natural persons, so as Union Representative pursuant to ensure a level of security appropriate to the risks represented by the Processing and the nature article 27 of the Regulation; n) cooperate with the Data Controller on the implementation of any further measure that becomes necessary in order to be protectedguarantee compliance of the Personal Data processing with the applicable provisions;
4.2.4. to notify Data Controller, o) without undue delaydelay and in any case no later than 24 hours from the time it has become aware of it, in notify the event Data Controller of a confirmed Data Security Breach affecting Data Controller's Data any breach of personal data and to cooperate with Data Controller as necessary to mitigate or remediate the Data Security Breach;
4.2.5. to comply with the requirements of Clause 5 (Use of Sub-processors) when engaging a Sub-processor;
4.2.6. taking into account the nature of the Processing, to assist Data Controller (including by appropriate technical and organisational measures), insofar as it is commercially reasonable, to fulfil Data Controller's obligation to respond to requests from Data Subjects to exercise their rights under Data Protection Law (a "Data Subject Request"). In the event Data Processor receives a Data Subject Request directly from a Data Subject, it shall (unless prohibited by law) direct the Data Subject to the Data Controller in relation to the first instance. However, in analysis and assessments to carry out for the event Data Controller is unable to address the Data Subject Request, taking into account the nature purposes of the Processing, notification to the complexity and frequency supervisory authority pursuant to article 33 of the request(s), Regulation and of the information available communication to Data Processor, Data Processor, shall, on Data Controller's request and at Data Controller's reasonable expense, address data subjects pursuant to article 34 of the Data Subject RequestRegulation, as required under well as for the Data Protection Law;
4.2.7. upon request, to provide Data Controller with commercially reasonable information and assistance, taking into account the nature preparation of the Processing and the information available to Data Processor, to help Data Controller to conduct any data protection impact assessment or Supervisor consultation it is required to conduct under Data Protection Law;
4.2.8. upon termination of Data Controller's access to and use of the Service, to comply with the requirements of Clause 9 of this DP Agreement (Return and Destruction of Personal Data);
4.2.9. to comply with the requirements of Clause 6 of this DP Agreement (Audit) in order to make available to Data Controller information that demonstrates Data Processor’s compliance with this DP Agreement; and
4.2.10. to appoint a security officer who will act as a point of contact for Data Controller, and coordinate and control compliance with this DP Agreementrelative documentation, including the Security Measures.notification pursuant to article 35, paragraph 3;
4.3. p) keep the Data Controller informed in writing, on written request from the latter, of details relative to compliance with the applicable provisions and this Data Processing Agreement;
q) the Data Processor shall immediately inform notifies, without delay, the Data Controller if, in its opinion, Data Controller's Processing instructions infringe any law or regulation. In such event, Data Processor is entitled to refuse Processing of Personal Data that it believes to be in violation of any law or regulationissue relevant for the purposes of this Data Processing Agreement, such as, simply by way of example: - Requests from the Authority; - Outcomes of inspections; - Request of access to data by public authorities.
Appears in 2 contracts
Sources: Framework Agreement, Framework Agreement
OBLIGATIONS OF THE DATA PROCESSOR. 4.1. 3.1 The Parties agree that the subject-matter of Processing performed by Data Processor under this DP Agreement, including shall process the nature and purpose of Processing, the type of Personal Data, and categories of Data Subjects, shall be as described in Schedule 1 and Schedule 2 of this DP Agreement.
4.2. As part of Data Processor providing the Service to Data Controller under the Agreement, Data Processor agrees and declares as follows:
4.2.1. to process Personal Data in accordance with the provisions of the Main Contract, this Agreement, and on the documented instructions of the Data Controller's documented instructions as set out . It is not entitled to disclose the Data to third parties without authorization. This shall not apply if this (i) is done in accordance with the Agreement and this DP Agreement the Main Agreement, (ii) is requested in writing by the Data Controller or as otherwise necessary (iii) is required by statutory or legal requirements. Data Processor shall, in cases under (iii), to provide the Service, except where required otherwise extent permitted by applicable laws (law, inform Data Controller in advance of the intended disclosure and provided such laws do not conflict coordinate with Data Protection Law); in such case, Controller.
3.2 The Data Processor shall inform Data Controller of that legal requirement upon becoming aware of the same (except where prohibited by applicable laws);
4.2.2. to ensure that all staff and management are fully aware of their responsibilities to protect Personal Data in accordance with this DP Agreement and have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
4.2.3. to implement and maintain appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access (a "Data Security Breach"), provided that such measures shall take into account the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, so as to ensure a level of security appropriate to the risks represented by the Processing and the nature of the Data to be protected;
4.2.4. to notify Data Controller, without undue delay, in the event of a confirmed Data Security Breach affecting Data Controller's Data and to cooperate with Data Controller as necessary to mitigate or remediate the Data Security Breach;
4.2.5. to comply with the requirements of Clause 5 (Use of Sub-processors) when engaging a Sub-processor;
4.2.6. taking into account the nature of the Processing, to assist Data Controller (including by appropriate technical and organisational measures), insofar as it is commercially reasonable, to fulfil Data Controller's obligation to respond to requests from Data Subjects to exercise their rights under Data Protection Law (a "Data Subject Request"). In the event Data Processor receives a Data Subject Request directly from a Data Subject, it shall (unless prohibited by law) direct the Data Subject to support the Data Controller in the first instanceevent of inspections by the supervisory authorities within the scope of what is reasonable and necessary, insofar as these inspections concern Data processing by the Data Processor. However, in It shall provide the event Data Controller is unable with the information that the latter requires to address prove that it has complied with the requirements of the applicable Data protection law with regard to this processing.
3.3 The Data Processor shall also support the Data Subject RequestController, taking into account the nature of the Processing, the complexity and frequency of the request(s), Data processing and the information available to Data Processorit, Data Processorupon request, shall, on in complying with the following Data Controller's request obligations:
3.3.1 ensuring the security of Personal Data processing,
3.3.2 notification of Personal Data breaches to supervisory authorities and at Data Subjects,
3.3.3 if necessary, carrying out a Data protection impact assessment, insofar as the Data processing by the Data Processor is affected by this,
3.3.4 if necessary, carrying out a required prior consultation with the Data protection authority, insofar as the Data processing by the Data Processor is affected by this.
3.4 The Data Processor shall inform the Data Controller without undue delay if it becomes aware of a Personal Data breach within the scope of its processing for the Data Controller's reasonable expense, address .
3.5 The Data Processor shall oblige the persons employed in the processing of the Data Subject Request, as required under to handle the Data Protection Law;confidentially.
4.2.7. upon request, 3.6 The Data Processor may demand reasonable remuneration according to provide Data Controller with commercially reasonable information and assistance, taking into account the nature of the Processing and the information available to Data Processor, to help Data Controller to conduct any data protection impact assessment or Supervisor consultation it is required to conduct under Data Protection Law;
4.2.8. upon termination of Data Controller's access to and use of the Service, to comply with the requirements of Clause 9 of this DP Agreement (Return and Destruction of Personal Data);
4.2.9. to comply with the requirements of Clause 6 of this DP Agreement (Audit) in order to make available to Data Controller information that demonstrates Data Processor’s compliance with usual rates at the time for the cooperation services pursuant to Sections 3.2 and 3.3. However, this DP Agreement; and
4.2.10. shall not apply to appoint a security officer who will act as a point of contact for the cooperation pursuant to Section 3.3.2 if the violation is due to the Data Controller, and coordinate and control compliance with this DP Agreement, including the Security MeasuresProcessor's fault.
4.3. Data Processor shall immediately inform Data Controller if, in its opinion, Data Controller's Processing instructions infringe any law or regulation. In such event, Data Processor is entitled to refuse Processing of Personal Data that it believes to be in violation of any law or regulation.
Appears in 1 contract
Sources: Data Processing Addendum
OBLIGATIONS OF THE DATA PROCESSOR. 4.16.1. The Parties agree that For the subject-matter purposes of Processing performed by Data Processor under this DP Agreement, including the nature and purpose of Processing, the type correct processing of Personal Data, and categories of Data Subjects, shall be as described in Schedule 1 and Schedule 2 of this DP Agreement.
4.2. As part of the Data Processor providing the Service to Data Controller under the Agreement, Data Processor agrees and declares as followsundertakes to:
4.2.1. a) carry out any Personal Data processing operation in compliance with the applicable regulations relating to process the protection of personal data, including the principles referred to in Chapter II of the Regulation (Articles 5-11);
b) carry out the processing of Personal Data in accordance with Data Controller's documented instructions as set out in the implementation of this Framework Agreement and this DP Agreement or for the purposes relative to the provision of the services therein referred to, for the time period strictly necessary for the performance of the above-mentioned purposes as otherwise necessary well as the purposes strictly related and instrumental to provide the Servicemanagement of technical issues associated therewith;
c) ensure full compliance with the obligations imposed by the Regulation directly on the Data Processor, except including, for example, the obligation to maintain a register of the operations carried out on behalf of the Data Controller pursuant to article 30, paragraph 2 of the Regulation and, where required otherwise by applicable laws (and provided such laws do not conflict with required, the requirement to appoint a Data Protection Law); in such caseOfficer pursuant to article 37, Data Processor shall inform Data Controller of that legal requirement upon becoming aware paragraph 1 of the same (except where prohibited by applicable laws)Regulation;
4.2.2. to ensure that all staff and management are fully aware d) in compliance with article 32 of their responsibilities to protect Personal Data in accordance with this DP Agreement and have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
4.2.3. to the Regulation, implement and maintain appropriate technical and organisational measures to protect guarantee an adequate level of security for the processing operations carried out on behalf of the Data Controller, as well as cooperate with the latter by providing the latter with the information and documentation required by the latter in order to assess and check from time to time that the Data Processor has adopted technical and administrative measures;
e) in the performance of the data processing operations on behalf of the Data Controller, follow the provisions and instructions included in this Data Processing Agreement;
f) in relation to the collection of Personal Data against accidental from data subjects, where required, the Data Processor ensures this is done in compliance with the specific procedures agreed with the Data Controller in order to guarantee that the collection of Personal Data and their subsequent processing comply with the law (e.g. privacy policy and requests of consent for the processing of data provided by the Data Controller; tracing and archiving of consent given by data subjects);
g) with the exclusion of cases strictly necessary for the provision of Services, not to disclose or unlawful destruction share Personal Data with third parties without the previous written consent of the Data Controller and to adopt the organisational and technical measures necessary to ensure the maximum confidentiality of the Personal Data acquired and used in the performance of the activities object of this designation;
h) not transfer the Personal Data outside of the European Union, directly or accidental loss indirectly (possibly through third party suppliers that have been authorised in writing by the Data Controller) without the previous written consent of the Data Controller and in compliance with the general principles and conditions applicable to the transfer required by Chapter V of the Regulation, alteration, unauthorized disclosure or access (a "notifying the Data Security Breach"), provided that such Controller of the measures shall take into account adopted in order to ensure an adequate level of protection for the costs of implementation transferred data and the nature rights of the data subjects (for example, scope adequacy decisions, context type of clauses, binding regulations on the Company, Code of Conduct, certification, etc.);
i) guarantee that access to Personal Data by personnel takes place only based on the principle of need and that the processing operations related to the execution of the Framework Agreement are carried out only by authorised persons acting on the authority of the Data Processor on the basis of adequate instructions;
j) adequately train authorised persons, tasked with the execution of the Framework Agreement, providing the latter with precise instructions and supervising their compliance with said Agreement. The updated list of personnel authorised to process Personal Data shall be made available to the Data Controller at the latter's request;
k) guarantee that all physical persons (employees and/or collaborators) authorised to process personal data for the above stated purposes are committed to confidentiality or have a legal obligation to confidentiality;
l) regularly adopt, update and assess all the technical and organisational measures necessary to guarantee an adequate level of Processing risk, in compliance with the provisions of article 32 of the Regulation, as well as the risk further measures provided for by article 10 of varying likelihood and severity for this Data Processing Agreement;
m) designate, where applicable, the rights and freedoms Union Representative pursuant to article 27 of natural persons, so as the Regulation;
n) cooperate with the Data Controller on the implementation of any further measure that becomes necessary in order to ensure a level of security appropriate to the risks represented by the Processing and the nature compliance of the Personal Data to be protected processing with the applicable provisions;
4.2.4. to notify Data Controller, o) without undue delay delay and in any case no later than 24 hours from the time it has become aware of it, in notify the event Data Controller of a confirmed Data Security Breach affecting Data Controller's Data any breach of personal data and to cooperate with Data Controller as necessary to mitigate or remediate the Data Security Breach;
4.2.5. to comply with the requirements of Clause 5 (Use of Sub-processors) when engaging a Sub-processor;
4.2.6. taking into account the nature of the Processing, to assist Data Controller (including by appropriate technical and organisational measures), insofar as it is commercially reasonable, to fulfil Data Controller's obligation to respond to requests from Data Subjects to exercise their rights under Data Protection Law (a "Data Subject Request"). In the event Data Processor receives a Data Subject Request directly from a Data Subject, it shall (unless prohibited by law) direct the Data Subject to the Data Controller in relation to the first instance. However, in analysis and assessments to carry out for the event Data Controller is unable to address the Data Subject Request, taking into account the nature purposes of the Processing, notification to the complexity and frequency supervisory authority pursuant to article 33 of the request(s), Regulation and of the information available communication to Data Processor, Data Processor, shall, on Data Controller's request and at Data Controller's reasonable expense, address data subjects pursuant to article 34 of the Data Subject Request Regulation, as required under well as for the Data Protection Law;
4.2.7. upon request, to provide Data Controller with commercially reasonable information and assistance, taking into account the nature preparation of the Processing and the information available to Data Processor, to help Data Controller to conduct any data protection impact assessment or Supervisor consultation it is required to conduct under Data Protection Law;
4.2.8. upon termination of Data Controller's access to and use of the Service, to comply with the requirements of Clause 9 of this DP Agreement (Return and Destruction of Personal Data);
4.2.9. to comply with the requirements of Clause 6 of this DP Agreement (Audit) in order to make available to Data Controller information that demonstrates Data Processor’s compliance with this DP Agreement; and
4.2.10. to appoint a security officer who will act as a point of contact for Data Controller, and coordinate and control compliance with this DP Agreement relative documentation, including the Security Measures. notification pursuant to article 35, paragraph 3;
4.3. p) keep the Data Controller informed in writing, on written request from the latter, of details relative to compliance with the applicable provisions and this Data Processing Agreement;
q) the Data Processor shall immediately inform notifies, without delay, the Data Controller if, in its opinion, Data Controller's Processing instructions infringe any law or regulation. In such event, Data Processor is entitled to refuse Processing of Personal Data that it believes to be in violation of any law or regulation issue relevant for the purposes of this Data Processing Agreement, such as, for example: - Requests from the Authority; - Outcomes of inspections; - Request of access to data by public authorities.
Appears in 1 contract
Sources: Framework Agreement
OBLIGATIONS OF THE DATA PROCESSOR. 4.16.1. The Parties agree that For the subject-matter purposes of Processing performed by Data Processor under this DP Agreement, including the nature and purpose of Processing, the type correct processing of Personal Data, and categories of Data Subjects, shall be as described in Schedule 1 and Schedule 2 of this DP Agreement.
4.2. As part of the Data Processor providing the Service to Data Controller under the Agreement, Data Processor agrees and declares as follows undertakes to:
4.2.1. a) carry out any Personal Data processing operation in compliance with the applicable regulations relating to process the protection of personal data, including the principles referred to in Chapter II of the Regulation (Articles 5-11);
b) carry out the processing of Personal Data in accordance with Data Controller's documented instructions as set out in the implementation of this Framework Agreement and this DP Agreement or for the purposes relating to the provision of the services therein referred to, for the time period strictly necessary for the performance of the above-mentioned purposes as otherwise necessary well as the purposes strictly related and instrumental to provide the Service management of technical issues associated therewith;
c) ensure full compliance with the obligations imposed by the Regulation directly on the Data Processor, except including, for example, the obligation to maintain a register of the processing operations carried out on behalf of the Data Controller pursuant to article 30, paragraph 2 of the Regulation and, where required otherwise by applicable laws (and provided such laws do not conflict with required, the requirement to appoint a Data Protection Law); in such case Officer pursuant to article 37, Data Processor shall inform Data Controller of that legal requirement upon becoming aware paragraph 1 of the same (except where prohibited by applicable laws) Regulation;
4.2.2. to ensure that all staff and management are fully aware d) in compliance with article 32 of their responsibilities to protect Personal Data in accordance with this DP Agreement and have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
4.2.3. to the Regulation, implement and maintain appropriate technical and organisational measures to protect guarantee an adequate level of security for the processing operations carried out on behalf of the Data Controller, as well as cooperate with the Data Controller by providing the latter with the information and documentation required by the latter in order to assess and check from time to time that the Data Processor has adopted technical and administrative measures;
e) in the performance of the data processing operations on behalf of the Data Controller, follow the provisions and instructions included in this Data Processing Agreement;
f) in relation to the collection of Personal Data against accidental from data subjects, where required, the Data Processor ensures this is done in compliance with the specific procedures agreed with the Data Controller in order to guarantee that the collection of Personal Data and their subsequent processing comply with the law (e.g. privacy policy and requests of consent for the processing of data provided by the Data Controller; tracing and archiving of consent given by data subjects);
g) with the exclusion of cases strictly necessary for the provision of Services, not to disclose or unlawful destruction share Personal Data with third parties without the previous written consent of the Data Controller and to adopt the organisational and technical measures necessary to ensure the maximum confidentiality of the Personal Data acquired and used in the performance of the activities cover by this designation;
h) not transfer the Personal Data outside of the European Union, directly or accidental loss indirectly (possibly through third party suppliers that have been authorised in writing by the Data Controller) without the previous written consent of the Data Controller and in compliance with the general principles and conditions applicable to the transfer required by Chapter V of the Regulation, alteration, unauthorized disclosure or access (a "notifying the Data Security Breach"), provided that such Controller of the measures shall take into account adopted in order to ensure an adequate level of protection for the costs of implementation transferred data and the nature rights of the data subjects (for example, scope adequacy decisions, context type of clauses, binding regulations on the Company, Code of Conduct, certification, etc.);
i) guarantee that access to Personal Data by personnel takes place only based on the principle of need and that the processing operations related to the performance of the Framework Agreement are carried out only by authorised persons acting on the authority of the Data Processor on the basis of adequate instructions;
j) adequately train authorised persons, tasked with the performance of the Framework Agreement, providing the latter with precise instructions and supervising their compliance with said Agreement. The updated list of personnel authorised to process Personal Data shall be made available to the Data Controller at the latter’s request;
k) guarantee that all physical persons (employees and/or independent contractors) authorised to process personal data for the above stated purposes are committed to confidentiality or have a legal obligation to confidentiality;
l) regularly adopt, update and assess all the technical and organisational measures necessary to guarantee an adequate level of Processing risk, in compliance with the provisions of article 32 of the Regulation, as well as the risk further measures provided for by article 10 of varying likelihood and severity for this Data Processing Agreement;
m) designate, where applicable, the rights and freedoms of natural persons, so as Union Representative pursuant to ensure a level of security appropriate to the risks represented by the Processing and the nature article 27 of the Data to be protected;
4.2.4. to notify Data Controller, without undue delay, in the event of a confirmed Data Security Breach affecting Data Controller's Data and to Regulation; n) cooperate with Data Controller as necessary to mitigate or remediate the Data Security Breach;
4.2.5. to comply with the requirements of Clause 5 (Use of Sub-processors) when engaging a Sub-processor;
4.2.6. taking into account the nature of the Processing, to assist Data Controller (including by appropriate technical and organisational measures), insofar as it is commercially reasonable, to fulfil Data Controller's obligation to respond to requests from Data Subjects to exercise their rights under Data Protection Law (a "Data Subject Request"). In the event Data Processor receives a Data Subject Request directly from a Data Subject, it shall (unless prohibited by law) direct the Data Subject to the Data Controller in on the first instance. However, in the event Data Controller is unable to address the Data Subject Request, taking into account the nature implementation of the Processing, the complexity and frequency of the request(s), and the information available to Data Processor, Data Processor, shall, on Data Controller's request and at Data Controller's reasonable expense, address the Data Subject Request, as required under the Data Protection Law;
4.2.7. upon request, to provide Data Controller with commercially reasonable information and assistance, taking into account the nature of the Processing and the information available to Data Processor, to help Data Controller to conduct any data protection impact assessment or Supervisor consultation it is required to conduct under Data Protection Law;
4.2.8. upon termination of Data Controller's access to and use of the Service, to comply with the requirements of Clause 9 of this DP Agreement (Return and Destruction of Personal Data);
4.2.9. to comply with the requirements of Clause 6 of this DP Agreement (Audit) further measure that becomes necessary in order to make available to Data Controller information that demonstrates Data Processor’s ensure compliance with this DP Agreement; and
4.2.10. to appoint a security officer who will act as a point of contact for Data Controller, and coordinate and control compliance with this DP Agreement, including the Security Measures.
4.3. Data Processor shall immediately inform Data Controller if, in its opinion, Data Controller's Processing instructions infringe any law or regulation. In such event, Data Processor is entitled to refuse Processing of Personal Data that it believes to be in violation of any law or regulation. processing with the applicable provisions;
Appears in 1 contract
Sources: Affiliation Framework Agreement