Common use of OBLIGATIONS OF THE DATA PROCESSOR Clause in Contracts

OBLIGATIONS OF THE DATA PROCESSOR. 5.1 The Data Controller instructs the Data Processor to only Process Personal Data according to its lawful instructions, that have been described in Schedule 1 (instructions to the Data Processor). It is the Data Controller's responsibility to ensure that the instructions are not contrary to Personal Data Legislation. 5.2 In addition to what otherwise follows from the Agreement, the Data Processor undertakes: a) to assist the Data Controller in ensuring compliance with the obligations deriving from applicable Personal Data Legislation, taking into account the nature of Processing and the information available to the Data Processor; b) to immediately inform the Data Controller if, in the Data Processors opinion, an instruction infringes the applicable Personal Data Legislation and the Data Processor is then not obligated to carry out the relevant Processing until the parties have decided how to solve the matter or until a supervisory authority declares the instruction as lawful. c) to implement appropriate technical and organisational measures according to Schedule 1 in order to protect and safeguard the Personal Data that is Processed against Personal Data Breaches (Data Processor may amend the technical and organizational measures from time to time provided that the amended technical and organizational measures are not less protective of the Personal Data as those set out in Appendix 1); d) to maintain records of all categories of Processing performed on behalf of the Data Controller, including name and contact details and, where applicable, transfers of Personal Data to a Third Country or international organisation and, where possible, a general description of the technical and organisational security measures; e) to ensure that only authorised persons can Process Personal Data, and ensure that these persons have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; f) to without undue delay refer any third party requesting information relating to the Personal Data to the Data Controller, unless such reference is prohibited under criminal law (e.g. to preserve the confidentiality of a law enforcement investigation) and on request cooperate with relevant supervisory authority in the performance of its tasks and without undue delay inform the Data Controller of this; g) to assist the Data Controller through appropriate technical and organisational measures, to the extent possible, so that the Data Controller can fulfil its obligation to respond to a request following a data subject exercising its rights under applicable Personal Data Legislation; h) to, considering the type of Processing and the information available to the Data Processor, at the request of the Data Controller, assist the Data Controller in ensuring that the obligations regarding carrying out an impact assessment for data protection and preceding consultation with responsible supervisory authority, are met in accordance with applicable Personal Data Legislation; i) to transfer Personal Data belonging to the Data Controller, to a third country, provided that: (a) the third country according to a decision issued by the EU Commission provides an adequate level of protection for Personal Data which comprises the Processing of Personal Data; (b) Data Processor ensures that there are appropriate safeguards in place in accordance with Personal Data Legislation, e.g. standard data protection clauses adopted by the EU Commission under applicable Personal Data Legislation, that comprises the transfer and the Processing of Personal Data; or (c) if there are any other exemptions under applicable Personal Data Legislation that comprise the Processing of Personal Data; and j) to make available to the Data Controller, upon the Data Controller's request, information in order to demonstrate compliance with the obligations of Data Processor laid down in Art. 28 GDPR. The audit shall be carried out by the Data Controller or such independent third party that the Data Controller appoints (that is not a competitor to the Data Processor), provided that such person is bound by a duty of confidentiality (which the Data Processor in its reasonable opinion considers to be acceptable). Data Controller shall bear any costs arising out of or in connection with an audit.

OBLIGATIONS OF THE DATA PROCESSOR. 5.1 The Data Controller instructs the Processor warrants and undertakes that: 4.1 It will comply with all applicable law including Applicable Data Processor to only Process Personal Data according to Protection law in its lawful instructions, that have been described in Schedule 1 (instructions to the Data Processor). It is the Data Controller's responsibility to ensure that the instructions are not contrary to Personal Data Legislationperformance of this Agreement. 5.2 In addition to what otherwise follows from the Agreement, the Data Processor undertakes: a) to assist the Data Controller in ensuring compliance with the obligations deriving from applicable Personal Data Legislation, taking into account the nature of Processing and the information available to the Data Processor; b) to immediately inform the Data Controller if, in the Data Processors opinion, an instruction infringes the applicable Personal Data Legislation and the Data Processor is then not obligated to carry out the relevant Processing until the parties have decided how to solve the matter or until a supervisory authority declares the instruction as lawful. c) to implement appropriate technical and organisational measures according to Schedule 1 in order to protect and safeguard 4.2 It will only process the Personal Data that is Processed against Personal Data Breaches (Data Processor may amend on the technical and organizational measures from time to time provided that the amended technical and organizational measures are not less protective of the Personal Data as those set out in Appendix 1); d) to maintain records of all categories of Processing performed on behalf instructions of the Data Controller, including name and contact details and, where applicable, transfers of . 4.3 It will not transfer Personal Data to a Third Country or international organisation and, where possible, a general description without the prior written approval of the Data Controller and only then once the transfer to the Third Country has been legitimised and the Data Controller and the Data Processor are satisfied that an adequate Data Protection regime exists in the Third Country. 4.4 It will not appoint sub-processors to process the Personal Data on its behalf without the prior written approval of the Data Controller. Data Processor will impose on such Sub-Processors data protection terms that protect the Protected Data to the same standard provided for by this DPA. Upon Data Controllers request, the Data Processor will provide to Customer a list of the then-current Sub- Processors. For the avoidance of doubt, the Data Controller hereby authorises the engagement by Data Processor of the Sub-processors set out in Schedule 2. 4.5 Once approved by the Data Controllers, sub-processors will only process the Personal Data on the instructions of the Data Processor and the Data Processor will put in place a legal agreement in writing to govern the sub-processing. 4.6 It will have in place appropriate technical and organisational measures, and all measures pursuant to Article 32 of the GDPR, to protect the confidentiality of the Personal Data and to protect the Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, and which provide a level of security measures;appropriate to the risk represented by the processing and the nature of the data to be protected. e) to ensure that only authorised persons can Process 4.7 It will obtain guarantees from any sub-processors processing the Personal Data, that they will have in place appropriate technical and ensure organisational measures, and all measures pursuant to Article 32 of the GDPR, to protect the confidentiality of the Personal Data and to protect the Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected, including as a minimum implementing those measures specified in Schedule 3. 4.8 It will have in place procedures so that these persons any individual party it authorises to have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; f) to without undue delay refer any third party requesting information relating access to the Personal Data, including employees of the Data Processor, will respect and maintain the confidentiality and security of the Personal Data. Any person acting under the authority of the Data Processor shall be obligated to process the Personal Data only on instructions from the Data Processor. This provision does not apply to persons authorised or required by law or regulation to have access to the Personal Data. 4.9 It will not disclose any Personal Data to a third party in any circumstances other than at the specific written request of the Data Controller, unless such reference disclosure is prohibited under criminal law (e.g. necessary in order to preserve fulfil the confidentiality obligations of a law enforcement investigation) and on request cooperate with relevant supervisory authority in the performance of its tasks and without undue delay inform Services Agreement, or is required by applicable law. 4.10 It will notify the Data Controller of this; g) to assist any request for information by the Data Controller through DPC or other supervisiory authority where appropriate technical and organisational measures, to the extent possible, so that the Data Controller can fulfil its obligation to respond to a request following a data subject exercising its rights under applicable will not disclose any Personal Data Legislation; h) to, considering without the type of Processing and the information available to the Data Processor, at the request prior consent of the Data Controller, assist . 4.11 It will notify the Data Controller in ensuring that the obligations regarding carrying out an impact assessment for data protection and preceding consultation with responsible supervisory authorityof any complaint, are met in accordance with applicable Personal Data Legislation; i) to transfer Personal Data belonging notice or communication received which relates directly or indirectly to the Data Controller, to a third country, provided that: (a) processing of the third country according to a decision issued by the EU Commission provides an adequate level of protection for Personal Data which comprises the Processing of Personal Data; (b) , or other connected activities, or which relates directly or indirectly to the compliance of the Data Processor ensures that there are appropriate safeguards in place in accordance with Personal Data Legislation, e.g. standard data protection clauses adopted by the EU Commission under applicable Personal Data Legislation, that comprises the transfer and the Processing of Personal Data; or (c) if there are any other exemptions under applicable Personal Data Legislation that comprise the Processing of Personal Data; and j) to make available to the Data Controller, upon the Data Controller's request, information in order to demonstrate compliance with the obligations of Data Processor laid down in Art. 28 GDPR. The audit shall be carried out by and/or the Data Controller or such independent third party that the with relevant applicable law including Applicable Data Controller appoints (that is not a competitor to the Data Processor), provided that such person is bound by a duty of confidentiality (which the Data Processor in its reasonable opinion considers to be acceptable). Data Controller shall bear any costs arising out of or in connection with an auditProtection law.

OBLIGATIONS OF THE DATA PROCESSOR. 5.1 The 46.1 Foreseeti agrees that it will, unless otherwise required by applicable law: 1) process personal data solely in accordance with the instructions of the Data Controller instructs for the purpose set forth in the License Agreement, and according to the rules and the provisions contained in this DPA and in accordance with the applicable Data Privacy Law. Instructions in the License Agreement and in this DPA, together with any amended instructions are to be considered instructions as stipulated in applicable Privacy Law and are jointly referred to as “Instructions” herein. 2) will implement the security measures in accordance with applicable Data Privacy Law, including Art 32 in the EU General Data Protection Regulation and as further specified herein, 3) not acquire any rights in or to the personal data, 4) not use the personal data for any purpose other than for the performance of its obligations under this DPA and the License Agreement, and for fault localization in Foreseeti ’s system used for providing the agreed services, 5) refer to Data Controller in the event a data subject, supervisory or governmental authority or any third party is requesting Personal Data processed under this Agreement from Foreseeti, 6) notify Data Controller, without undue delay, in writing or email (unless prohibited by law) in the event that Foreseeti is legally obliged to disclose personal data to third parties or to a relevant supervisory authority to satisfy legal requirements, comply with law or respond to lawful requests or binding decisions by relevant authority. Foreseeti shall wait, unless prohibited by law, for further Instructions concerning the requested disclosure. 46.2 Where Foreseeti reasonably believes that any Instruction would result in a violation of the applicable Data Privacy Law, Foreseeti shall inform the Data Processor to only Process Personal Data according to Controller without undue delay of any such instruction and may suspend the execution of the Instruction until its lawful instructions, that have been described in Schedule 1 (instructions to the Data Processor). It lawfulness is confirmed by an authorized person of the Data Controller's responsibility to ensure that the instructions are not contrary to Personal , or it is changed in writing in a way which Foreseeti reasonably believes is compliant with applicable Data LegislationPrivacy Law. 5.2 In addition to what otherwise follows from the Agreement, 46.3 Foreseeti will assist the Data Processor undertakes:Controller for the fulfilment of the Data Controller’s obligations to respond to requests for exercising the data subject’s rights as stated in Chapter II of the GDPR. a) to 46.4 Foreseeti shall assist the Data Controller in ensuring compliance with any request made by the obligations deriving from applicable Personal Data Legislation, taking into account the nature of Processing and the information available to the Data Processor; b) to immediately inform the Data Controller if, in the Data Processors opinion, an instruction infringes the applicable Personal Data Legislation and the Data Processor is then not obligated to carry out the relevant Processing until the parties have decided how to solve the matter or until a supervisory authority declares the instruction as lawful. c) to implement appropriate technical and organisational measures according to Schedule 1 in order to protect and safeguard the Personal Data that is Processed against Personal Data Breaches (Data Processor may amend the technical and organizational measures from time to time provided that the amended technical and organizational measures are not less protective of the Personal Data as those set out in Appendix 1); d) to maintain records of all categories of Processing performed on behalf of the Data Controller, including name and contact details and, where applicable, transfers of Personal Data to a Third Country or international organisation and, where possible, a general description of the technical and organisational security measures; e) to ensure that only authorised persons can Process Personal Data, and ensure that these persons have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; f) to without undue delay refer any third party requesting information relating to the Personal Data to the Data Controller, unless such reference is prohibited under criminal law (e.g. to preserve the confidentiality of a law enforcement investigation) and on request cooperate with relevant supervisory authority in relation to Foreseeti’s processing of personal data. 46.5 In the performance of its tasks and without undue delay inform the Data Controller of this; g) to assist the Data Controller through appropriate technical and organisational measures, to the extent possible, so that the Data Controller can fulfil its obligation to respond to a request following a data subject exercising its rights under applicable Personal Data Legislation; h) to, considering the type of Processing and the information available to the Data Processor, at the request of event the Data Controller’s changes its instructions in a manner that goes beyond what the applicable Data Privacy Law requires, assist the Data Controller in ensuring that the obligations regarding carrying out an impact assessment for data protection and preceding consultation with responsible supervisory authority, are met in accordance with applicable Personal Data Legislation; i) to transfer Personal Data belonging or if such changes will require changes to the Data Controller, to a third country, service provided that: (a) the third country according to the License Agreement, and such changes will cause a decision issued by significant increase in cost for Foreseeti, the EU Commission provides an adequate level of protection for Personal Data which comprises parties shall, before Foreseeti starts implementing such changes, enter into a separate written agreement. In this agreement, the Processing of Personal Data; (b) Data Processor ensures that there are appropriate safeguards in place in accordance with Personal Data Legislation, e.g. standard data protection clauses adopted by the EU Commission under applicable Personal Data Legislation, that comprises the transfer and the Processing of Personal Data; or (c) if there are any other exemptions under applicable Personal Data Legislation that comprise the Processing of Personal Data; and j) to make available to the Data Controller, upon the Data Controller's request, information in order to demonstrate compliance with the obligations of Data Processor laid down in Art. 28 GDPR. The audit new actions shall be carried out by defined, as well as the Data Controller or such independent third party that compensation Foreseeti shall receive for implementing the Data Controller appoints (that is not a competitor to the Data Processor), provided that such person is bound by a duty of confidentiality (which the Data Processor in its reasonable opinion considers to be acceptable). Data Controller shall bear any costs arising out of or in connection with an auditnew instructions.

OBLIGATIONS OF THE DATA PROCESSOR. 5.1 The Data Controller instructs Processor acknowledges and agrees that it shall only process Personal Data upon the written instructions of the Data Processor to only Process Personal Data according to its lawful instructions, that have been described Controller as set out in Schedule Exhibit 1 (instructions to the Data Processor)of this Agreement. It is the Data Controller's responsibility to ensure that the instructions are not contrary to Personal Data Legislation. 5.2 In addition to what otherwise follows from the AgreementAccordingly, the Data Processor undertakes: a) undertakes not to assist use the Personal Data of the Data Controller in ensuring for purposes other than those indicated by the Data Controller, or for the Data Processor’s own activity or for that of a third party. If the Data Processor can’t comply with the instructions of the Data Controller for any reason, other than non-compliance with the legal obligations deriving from applicable Personal Data Legislationof these instructions, taking into account the nature of Processing and the information available to the Data Processor; b) to immediately inform the Data Controller ifshall be informed promptly. In such a case, in the Data Processors opinion, an instruction infringes Parties shall discuss the applicable Personal Data Legislation and modifications that the Data Processor is then not obligated to carry out the relevant Processing until the parties have decided how to solve the matter or until a supervisory authority declares the instruction as lawful. c) would agree to implement or that the Data Controller could apply to its instructions. The Data Processor ensures that its authorized personnel have receive an appropriate technical training and organisational measures according to Schedule 1 in order to protect and safeguard has been made aware of the applicable security procedures before processing Personal Data that is Processed against Personal entrusted by the Data Breaches (Controller. The Data Processor may amend shall furthermore ensure that its authorized personnel in charge of Data Processing is bound by an appropriate obligation of confidentiality. The Data Processor further agrees: - that the technical and organizational security measures described in Exhibit 2 are based on the instructions and information received from time to time provided the Data Controller as set out in Exhibit 1; and, - that the amended technical and organizational security measures are adequate considering the processing risks and the defined Data Processing purposes. In particular, the Data Processor undertakes not less protective to reduce the overall security of the Personal Data Processing during the term of this Agreement without the prior consent of the Data Controller; and, - to provide the Data Controller with reasonably accessible and relevant information concerning the Data Processing carried out, such as those set out in Appendix 1); d) the information necessary to maintain records conduct a data protection impact assessment on the Data Processing; and, - to keep a record of processing activities of all categories of Data Processing performed activity carried out on behalf of the Data Controller, including name Controller and contact details and, where applicable, transfers of Personal Data to a Third Country or international organisation and, where possible, a general description of the technical and organisational security measures; e) to ensure that only authorised persons can Process Personal Data, and ensure that these persons have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; f) to without undue delay refer any third party requesting information relating to the Personal Data to the Data Controller, unless make such reference is prohibited under criminal law (e.g. to preserve the confidentiality of a law enforcement investigation) and on request cooperate with relevant supervisory authority in the performance of its tasks and without undue delay inform the Data Controller of this; g) to assist the Data Controller through appropriate technical and organisational measures, to the extent possible, so that the Data Controller can fulfil its obligation to respond to a request following a data subject exercising its rights under applicable Personal Data Legislation; h) to, considering the type of Processing and the information record available to the Data ProcessorController upon request; and, at - to comply with the request principles of the Data Controllerdata protection by design and by default; and, assist - to provide the Data Controller with the reasonably cooperation and assistance to answer to requests from data subjects, in ensuring that particular the rights of access, rectification, erasure, restriction or portability; and, - to provide the Data Controller with all the documentation justifying the compliance with the Data Processor’s obligations regarding carrying out an impact assessment for data protection and preceding consultation as per this Agreement; and, - to deal with responsible supervisory authority, are met Incidents in accordance with applicable Personal Data Legislation; i) to transfer Personal Data belonging to the Data Controllerthis Agreement, to a third country, provided that: (a) the third country according to a decision issued by the EU Commission provides an adequate level of protection for Personal Data which comprises the Processing of Personal Data; (b) Data Processor ensures that there are appropriate safeguards and in place particular in accordance with Personal Data Legislation, e.g. standard data protection clauses adopted by the EU Commission under applicable Personal Data Legislation, that comprises the transfer and the Processing Section “Management of Personal Data; or (c) if there are any other exemptions under applicable Personal Data Legislation that comprise the Processing of Personal Data; and j) to make available to the Data Controller, upon the Data Controller's request, information in order to demonstrate compliance with the obligations of Data Processor laid down in Art. 28 GDPR. The audit shall be carried out by the Data Controller or such independent third party that the Data Controller appoints (that is not a competitor to the Data Processor), provided that such person is bound by a duty of confidentiality (which the Data Processor in its reasonable opinion considers to be acceptable). Data Controller shall bear any costs arising out of or in connection with an auditIncidents”.

OBLIGATIONS OF THE DATA PROCESSOR. 5.1 The Data Controller instructs the Data Processor to only Process process Personal Data according to its lawful instructions, that have been described in Schedule 1 (instructions to the Data Processor). It is the Data Controller's responsibility to ensure that the instructions are not contrary to Personal Data Legislation. 5.2 In addition to what otherwise follows from the Agreement, the Data Processor undertakes: a) to assist the Data Controller in ensuring compliance with the obligations deriving from applicable Personal Data Legislation, taking into account the nature of Processing and the information available to the Data Processor; b) to immediately inform the Data Controller if, in the Data Processors opinion, an instruction infringes the applicable Personal Data Legislation and the Data Processor is then not obligated to carry out the relevant Processing until the parties have decided how to solve the matter or until a supervisory authority declares the instruction as lawful. c) to implement appropriate technical and organisational measures according to Schedule 1 in order to protect and safeguard the Personal Data that is Processed against Personal Data Breaches (Data Processor may amend the technical and organizational measures from time to time provided that the amended technical and organizational measures are not less protective of the Personal Data as those set out in Appendix 1); d) to maintain records of all categories of Processing performed on behalf of the Data Controller, including name and contact details and, where applicable, transfers of Personal Data to a Third Country or international organisation and, where possible, a general description of the technical and organisational security measures; e) to ensure that only authorised persons can Process Personal Data, and ensure that these persons have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; f) to without undue delay refer any third party requesting information relating to the Personal Data to the Data Controller, unless such reference is prohibited under criminal law (e.g. to preserve the confidentiality of a law enforcement investigation) and on request cooperate with relevant supervisory authority in the performance of its tasks and without undue delay inform the Data Controller of this; g) to assist the Data Controller through appropriate technical and organisational measures, to the extent possible, so that the Data Controller can fulfil its obligation to respond to a request following a data subject exercising its rights under applicable Personal Data Legislation; h) to, considering the type of Processing and the information available to the Data Processor, at the request of the Data Controller, assist the Data Controller in ensuring that the obligations regarding carrying out an impact assessment for data protection and preceding consultation with responsible supervisory authority, are met in accordance with applicable Personal Data Legislation; i) to transfer Personal Data belonging to the Data Controller, to a third country, provided that: (a) the third country according to a decision issued by the EU Commission provides an adequate level of protection for Personal Data which comprises the Processing of Personal Data; (b) Data Processor ensures that there are appropriate safeguards in place in accordance with Personal Data Legislation, e.g. standard data protection clauses adopted by the EU Commission under applicable Personal Data Legislation, that comprises the transfer and the Processing of Personal Data; or (c) if there are any other exemptions under applicable Personal Data Legislation that comprise the Processing of Personal Data; and j) to make available to the Data Controller, upon the Data Controller's request, information in order to demonstrate compliance with the obligations of Data Processor laid down in Art. 28 GDPR. The audit shall be carried out by the Data Controller or such independent third party that the Data Controller appoints (that is not a competitor to the Data Processor), provided that such person is bound by a duty of confidentiality (which the Data Processor in its reasonable opinion considers to be acceptable). Data Controller shall bear any costs arising out of or in connection with an audit.