Common use of PERSONAL DATA PROTECTION Clause in Contracts

PERSONAL DATA PROTECTION. Consultant is responsible for ensuring its compliance with any applicable data protection laws related to its services, including but not limited to, General Data Protection Regulation (GDPR), UK-GDPR, Protection of Personal Information (POPI) Act, Nigeria Data Protection Regulation (NDPR), Brazilian General Data Protection Law (LGPD) and the Kenya Data Protection Act. To the extent Consultant processes any personal data on behalf of FHI 360 and in relation to which FHI 360 is the Controller, as defined by applicable data protection laws, Consultant shall: (a) act only on instructions from FHI 360 when processing personal data and keep records of all processing activities; (b) take all appropriate technical and organizational measures to protect against unauthorized or unlawful processing of, or accidental loss, destruction, or damage to, personal data; (c) process personal data in accordance with the applicable data protection laws; (d) not do or permit anything to be done which might cause FHI 360 or any of its affiliates to be in violation of applicable data protection laws; (e) immediately inform FHI 360 if it believes performance of the services or compliance with any FHI 360 instruction violates or might reasonably be considered to violate any applicable data protection laws; (f) immediately notify FHI 360 of receipt of any complaint, data subject access request, notice, or communication which relates directly or indirectly to the processing of personal data under this Agreement, and provide full co-operation and assistance to FHI 360 in responding to such complaint, request, notice, or communication; (g) notify FHI 360 promptly and without undue delay upon becoming aware of any unauthorized loss, corruption, damage, destruction, alteration, disclosure, or access to, or unauthorized or unlawful processing of, any personal data ("Personal Data Breach"), or any circumstances that are likely to give rise to a Personal Data Breach, timely providing FHI 360 with sufficient information for it to meet its obligation, if any, to report a Personal Data Breach under applicable data protection laws; (h) cooperate with FHI 360 and take commercially reasonable steps as may be directed by FHI 360 to assist in the investigation, mitigation, and remediation of any Personal Data Breach; (i) cooperate as requested by FHI 360 to enable it to comply with any exercise by a data subject of rights under applicable data protection laws with respect to personal data processed by Consultant under this Agreement, or to comply with any assessment, inquiry, notice, or investigation under applicable data protection laws; (j) only permit a third party sub-processor to process personal data subject to FHI 360's prior written consent and provided that the sub-processor's contract includes terms that are substantially the same as those set out in this section; and (k) not transfer, permit a third-party processor to transfer, or allow access to personal data outside the country with restrictions on transferring data to another country without FHI 360's prior written consent, subject to any conditions FHI 360 may impose, at its sole discretion. Consultant agrees that FHI 360 may from time to time have reasonable access to Consultant's premises, systems, and records in order to audit Consultant's security measures and procedures in connection with the processing of personal data and to ensure Consultant's compliance with this section. Consultant shall indemnify, defend, and hold FHI 360 and its affiliates harmless from and against all costs, claims, damages, or expenses incurred by them due to any failure by Consultant to comply with any of its obligations under this section Compliance Provisions

PERSONAL DATA PROTECTION. Consultant Vendor is responsible for ensuring its compliance with any applicable data protection laws related to its services, including but not limited to, General Data Protection Regulation (GDPR), UK-GDPR, Protection of Personal Information (POPI) Act, Nigeria Data Protection Regulation (NDPR), Brazilian General Data Protection Law (LGPD) and the Kenya Data Protection Act. To the extent Consultant Vendor processes any personal data on behalf of FHI 360 and in relation to which FHI 360 is the Controller, as defined by applicable data protection laws, Consultant Vendor shall: (a) act only on instructions from FHI 360 when processing personal data and keep records of all processing activities; (b) take all appropriate technical and organizational measures to protect against unauthorized or unlawful processing of, or accidental loss, destruction, or damage to, personal data; (c) process personal data in accordance with the applicable data protection laws; (d) not do or permit anything to be done which might cause FHI 360 or any of its affiliates to be in violation of applicable data protection laws; (e) immediately inform FHI 360 if it believes performance of the services or compliance with any FHI 360 instruction violates or might reasonably be considered to violate any applicable data protection laws; (f) immediately notify FHI 360 of receipt of any complaint, data subject access request, notice, or communication which relates directly or indirectly to the processing of personal data under this Agreement, and provide full co-operation and assistance to FHI 360 in responding to such complaint, request, notice, or communication; (g) notify FHI 360 promptly and without undue delay upon becoming aware of any unauthorized loss, corruption, damage, destruction, alteration, disclosure, or access to, or unauthorized or unlawful processing of, any personal data ("“Personal Data Breach"”), or any circumstances that are likely to give rise to a Personal Data Breach, timely providing FHI 360 with sufficient information for it to meet its obligation, if any, to report a Personal Data Breach under applicable data protection laws; (h) cooperate with FHI 360 and take commercially reasonable steps as may be directed by FHI 360 to assist in the investigation, mitigation, and remediation of any Personal Data Breach; (i) cooperate as requested by FHI 360 to enable it to comply with any exercise by a data subject of rights under applicable data protection laws with respect to personal data processed by Consultant Vendor under this Agreement, or to comply with any assessment, inquiry, notice, or investigation under applicable data protection laws; (j) only permit a third party sub-processor to process personal data subject to FHI 360's prior written consent and provided that the sub-processor's contract includes terms that are substantially the same as those set out in this section; and (k) not transfer, permit a third-party processor to transfer, or allow access to personal data outside the country with restrictions on transferring data to another country without FHI 360's prior written consent, subject to any conditions FHI 360 may impose, at its sole discretion. Consultant agrees that FHI 360 may from time to time have reasonable access to Consultant's premises, systems, and records in order to audit Consultant's security measures and procedures in connection with the processing of personal data and to ensure Consultant's compliance with this section. Consultant shall indemnify, defend, and hold FHI 360 and its affiliates harmless from and against all costs, claims, damages, or expenses incurred by them due to any failure by Consultant to comply with any of its obligations under this section Compliance Provisions;

PERSONAL DATA PROTECTION. Consultant is responsible for ensuring its compliance with any applicable data protection laws related to its services, including but not limited to, General Data Protection Regulation (GDPR), UK-GDPR, Protection of Personal Information (POPI) Act, Nigeria Data Protection Regulation (NDPR), Brazilian General Data Protection Law (LGPD) and the Kenya Data Protection Act. To the extent Consultant processes any personal data on behalf of FHI 360 and in relation to which FHI 360 is the Controller, as defined by applicable data protection laws, Consultant shall: (a) act only on instructions from FHI 360 when processing personal data and keep records of all processing activities; (b) take all appropriate technical and organizational measures to protect against unauthorized or unlawful processing of, or accidental loss, destruction, or damage to, personal data; (c) process personal data in accordance with the applicable data protection laws; (d) not do or permit anything to be done which might cause FHI 360 or any of its affiliates to be in violation of applicable data protection laws; (e) immediately inform FHI 360 if it believes performance of the services or compliance with any FHI 360 instruction violates or might reasonably be considered to violate any applicable data protection laws; (f) immediately notify FHI 360 of receipt of any complaint, data subject access request, notice, or communication which relates directly or indirectly to the processing of personal data under this Agreement, and provide full co-operation and assistance to FHI 360 in responding to such complaint, request, notice, or communication; (g) notify FHI 360 promptly and without undue delay upon becoming aware of any unauthorized loss, corruption, damage, destruction, alteration, disclosure, or access to, or unauthorized or unlawful processing of, any personal data ("“Personal Data Breach"”), or any circumstances that are likely to give rise to a Personal Data Breach, timely providing FHI 360 with sufficient information for it to meet its obligation, if any, to report a Personal Data Breach under applicable data protection laws; (h) cooperate with FHI 360 and take commercially reasonable steps as may be directed by FHI 360 to assist in the investigation, mitigation, and remediation of any Personal Data Breach; (i) cooperate as requested by FHI 360 to enable it to comply with any exercise by a data subject of rights under applicable data protection laws with respect to personal data processed by Consultant under this Agreement, or to comply with any assessment, inquiry, notice, or investigation under applicable data protection laws; (j) only permit a third party sub-processor to process personal data subject to FHI 360's ’s prior written consent and provided that the sub-processor's ’s contract includes terms that are substantially the same as those set out in this section; and (k) not transfer, permit a third-party processor to transfer, or allow access to personal data outside the country with restrictions on transferring data to another country without FHI 360's prior written consent, subject to any conditions FHI 360 may impose, at its sole discretion. Consultant agrees that FHI 360 may from time to time have reasonable access to Consultant's premises, systems, and records in order to audit Consultant's security measures and procedures in connection with the processing of personal data and to ensure Consultant's compliance with this section. Consultant shall indemnify, defend, and hold FHI 360 and its affiliates harmless from and against all costs, claims, damages, or expenses incurred by them due to any failure by Consultant to comply with any of its obligations under this section Compliance Provisionsthe

PERSONAL DATA PROTECTION. Consultant is responsible for ensuring its compliance with any applicable data protection laws related to its servicesAs used in this section, including but not limited to"GDPR" means Regulation (EU) 2016/679, the General Data Protection Regulation (Regulation, and any implementing legislation, rules, or regulations issued by applicable supervisory authorities. The terms "Controller", "Personal Data", "Data Subject", "Processor", and "Processing" shall have the meanings set forth in Article 4 of the GDPR), UK-GDPR, Protection of Personal Information (POPI) Act, Nigeria Data Protection Regulation (NDPR), Brazilian General Data Protection Law (LGPD) and the Kenya Data Protection Act. To the extent Consultant Vendor processes any personal data GDPR-governed Personal Data on behalf of FHI 360 and in relation to which FHI 360 is the Controller, as defined by applicable data protection laws, Consultant Vendor shall: . (a) act only on instructions from FHI 360 when processing personal data Personal Data and keep records of all processing Processing activities; (b) take all appropriate technical and organizational measures to protect against unauthorized or unlawful processing Processing of, or accidental loss, destruction, or damage to, personal dataPersonal Data; (c) process personal data Personal Data in accordance with the applicable data protection lawsGDPR; (d) not do or permit anything to be done which might cause FHI 360 or any of its affiliates to be in violation of applicable data protection lawsGDPR; (e) immediately inform FHI 360 if it believes performance of the services Services or compliance with any FHI 360 instruction violates or might reasonably be considered to violate any applicable data protection lawsGDPR; (f) immediately notify FHI 360 of receipt of any complaint, data subject Data Subject access request, notice, or communication which relates directly or indirectly to the processing of personal data Personal Data under this Agreement, and provide full co-operation and assistance to FHI 360 in responding to such complaint, request, notice, or communication; (g) notify FHI 360 promptly and without undue delay upon becoming aware of any unauthorized loss, corruption, damage, destruction, alteration, disclosure, or access to, or unauthorized or unlawful processing of, any personal data Personal Data ("Personal Data Breach"), or any circumstances that are likely to give rise to a Personal Data Breach, timely providing FHI 360 with sufficient information for it to meet its obligation, if any, to report a Personal Data Breach under applicable data protection lawsGDPR; (h) cooperate with FHI 360 and take commercially reasonable steps as may be directed by FHI 360 to assist in the investigation, mitigation, and remediation of any Personal Data Breach; (i) cooperate as requested by FHI 360 to enable it to comply with any exercise by a data subject Data Subject of rights under applicable data protection laws GDPR with respect to personal data Personal Data processed by Consultant Vendor under this Agreement, or to comply with any assessment, inquiry, notice, or investigation under applicable data protection lawsGDPR; (j) only permit a third party sub-processor to process personal data Personal Data subject to FHI 360's prior written consent and provided that the sub-processor's contract includes terms that are substantially the same as those set out in this section; and (k) not transfer, permit a third-party processor to transfer, or allow access to personal data Personal Data outside the country with restrictions on transferring data to another country European Economic Area without FHI 360's prior written consent, subject to any conditions FHI 360 may impose, at its sole discretion. Consultant Vendor agrees that FHI 360 may from time to time have reasonable access to ConsultantVendor's premises, systems, and records in order to audit ConsultantVendor's security measures and procedures in connection with the processing of personal data Personal Data and to ensure ConsultantVendor's compliance with this section. Consultant Vendor shall indemnify, defend, and hold FHI 360 and its affiliates harmless from and against all costs, claims, damages, or expenses incurred by them due to any failure by Consultant Vendor to comply with any of its obligations under this section Compliance Provisionssection.

PERSONAL DATA PROTECTION. Consultant Vendor is responsible for ensuring its compliance with any applicable data protection laws related to its services, including but not limited to, General Data Protection Regulation (GDPR), UK-GDPR, Protection of Personal Information (POPI) Act, Nigeria Data Protection Regulation (NDPR), Brazilian General Data Protection Law (LGPD) and the Kenya Data Protection Act. To the extent Consultant Vendor processes any personal data on behalf of FHI 360 and in relation to which FHI 360 is the Controller, as defined by applicable data protection laws, Consultant Vendor shall: (a) act only on instructions from FHI 360 when processing personal data and keep records of all processing activities; (b) take all appropriate technical and organizational measures to protect against unauthorized or unlawful processing of, or accidental loss, destruction, or damage to, personal data; (c) process personal data in accordance with the applicable data protection laws; (d) not do or permit anything to be done which might cause FHI 360 or any of its affiliates to be in violation of applicable data protection laws; (e) immediately inform FHI 360 if it believes performance of the services or compliance with any FHI 360 instruction violates or might reasonably be considered to violate any applicable data protection laws; (f) immediately notify FHI 360 of receipt of any complaint, data subject access request, notice, or communication which relates directly or indirectly to the processing of personal data under this Agreement, and provide full co-operation and assistance to FHI 360 in responding to such complaint, request, notice, or communication; (g) notify FHI 360 promptly and without undue delay upon becoming aware of any unauthorized loss, corruption, damage, destruction, alteration, disclosure, or access to, or unauthorized or unlawful processing of, any personal data ("“Personal Data Breach"”), or any circumstances that are likely to give rise to a Personal Data Breach, timely providing FHI 360 with sufficient information for it to meet its obligation, if any, to report a Personal Data Breach under applicable data protection laws; (h) cooperate with FHI 360 and take commercially reasonable steps as may be directed by FHI 360 to assist in the investigation, mitigation, and remediation of any Personal Data Breach; (i) cooperate as requested by FHI 360 to enable it to comply with any exercise by a data subject of rights under applicable data protection laws with respect to personal data processed by Consultant Vendor under this Agreement, or to comply with any assessment, inquiry, notice, or investigation under applicable data protection laws; (j) only permit a third party sub-processor to process personal data subject to FHI 360's ’s prior written consent and provided that the sub-processor's ’s contract includes terms that are substantially the same as those set out in this section; and (k) not transfer, permit a third-party processor to transfer, or allow access to personal data outside the country with restrictions on transferring data to another country without FHI 360's ’s prior written consent, subject to any conditions FHI 360 may impose, at its sole discretion. Consultant Vendor agrees that FHI 360 may from time to time have reasonable access to Consultant's Vendor’s premises, systems, and records in order to audit Consultant's Vendor’s security measures and procedures in connection with the processing of personal data and to ensure Consultant's Vendor’s compliance with this section. Consultant Vendor shall indemnify, defend, and hold FHI 360 and its affiliates harmless from and against all costs, claims, damages, or expenses incurred by them due to any failure by Consultant Vendor to comply with any of its obligations under this section Compliance Provisionssection.

PERSONAL DATA PROTECTION. Consultant is responsible for ensuring its compliance with any applicable data protection laws related to its services, including but not limited to, General Data Protection Regulation (GDPR), UK-GDPR, Protection of Personal Information (POPI) Act, Nigeria Data Protection Regulation (NDPR), Brazilian General Data Protection Law (LGPD) and the Kenya Data Protection Act. To the extent Consultant processes any personal data on behalf of FHI 360 and in relation to which FHI 360 is the Controller, as defined by applicable data protection laws, Consultant shall: (a) act only on instructions from FHI 360 when processing personal data and keep records of all processing activities; (b) take all appropriate technical and organizational measures to protect against unauthorized or unlawful processing of, or accidental loss, destruction, or damage to, personal data; (c) process personal data in accordance with the applicable data protection laws; (d) not do or permit anything to be done which might cause FHI 360 or any of its affiliates to be in violation of applicable data protection laws; (e) immediately inform FHI 360 if it believes performance of the services or compliance with any FHI 360 instruction violates or might reasonably be considered to violate any applicable data protection laws; (f) immediately notify FHI 360 of receipt of any complaint, data subject access request, notice, or communication which relates directly or indirectly to the processing of personal data under this Agreement, and provide full co-operation and assistance to FHI 360 in responding to such complaint, request, notice, or communication; (g) notify FHI 360 promptly and without undue delay upon becoming aware of any unauthorized loss, corruption, damage, destruction, alteration, disclosure, or access to, or unauthorized or unlawful processing of, any personal data ("“Personal Data Breach"”), or any circumstances that are likely to give rise to a Personal Data Breach, timely providing FHI 360 with sufficient information for it to meet its obligation, if any, to report a Personal Data Breach under applicable data protection laws; (h) cooperate with FHI 360 and take commercially reasonable steps as may be directed by FHI 360 to assist in the investigation, mitigation, and remediation of any Personal Data Breach; (i) cooperate as requested by FHI 360 to enable it to comply with any exercise by a data subject of rights under applicable data protection laws with respect to personal data processed by Consultant under this Agreement, or to comply with any assessment, inquiry, notice, or investigation under applicable data protection laws; (j) only permit a third party sub-processor to process personal data subject to FHI 360's ’s prior written consent and provided that the sub-processor's ’s contract includes terms that are substantially the same as those set out in this section; and (k) not transfer, permit a third-party processor to transfer, or allow access to personal data outside the country with restrictions on transferring data to another country without FHI 360's prior written consent14. Protection des données à caractère personnel : Il incombe au Consultant de respecter l’ensemble des xxxx de protection des données relativement à ses services, subject to any conditions notamment le Règlement général sur la protection des données (RGPD), le UK-GDPR, la loi POPI (Protection of Personal Information Act), le règlement NDPR du Nigéria (Nigeria Data Protection Regulation), la loi LGPD du Brésil (Brazilian General Data Protection Law) et la loi de protection des données du Kenya. Si le Consultant traite des données à caractère personnel au nom de FHI 360 may impose, at its sole discretion. Consultant agrees that et pour lesquelles FHI 360 may from time to time have reasonable access to Consultant's premisesest le Responsable du traitement, systemsau sens des xxxx de protection des données applicables, and records in order to audit Consultant's security measures and procedures in connection with the processing of personal data and to ensure Consultant's compliance with this section. le Consultant shall indemnify, defend, and hold xxxxx : (a) n’agir que sur instruction de FHI 360 and its affiliates harmless from and against all costss’agissant de traiter des données à caractère personnel et conserver des registres de toutes ses activités de traitement ; (b) prendre toutes les mesures techniques et organisationnelles appropriées pour se protéger contre le traitement non autorisé ou illicite et contre la perte accidentelle, claimsla destruction ou la détérioration des données à caractère personnel ; (c) traiter les données à caractère personnel conformément aux xxxx de protection des données applicables ; (d) ne rien faire et ne pas permettre que quiconque xxxxx xxxx que ce soit qui pourrait amener FHI 360 ou ses filiales à enfreindre les xxxx de protection des données applicables ; (e) informer immédiatement FHI 360 s’il xxxxxx que l’exécution des services ou le respect d’une instruction de FHI 360 enfreint les xxxx de protection des données applicables ou pourraient légitimement être considérés comme contrevenant aux xxxx de protection des données applicables ; (f) informer immédiatement FHI 360 de la réception de toute réclamation, damagesdemande d’accès, or expenses incurred by them due to any failure by Consultant to comply with any of its notification ou communication concernant directement ou indirectement le traitement des données à caractère personnel en vertu du présent Contrat, et apporter toute sa coopération et son assistance pour répondre auxdites réclamation, demande, notification ou communication ; (g) aviser FHI 360 sans délai et sans retard injustifié s’il a connaissance d’une perte, corruption, destruction, altération, divulgation ou d’un dommage ou accès non autorisés à des données à caractère personnel (une « atteinte à la protection des données à caractère personnel »), de toute circonstance susceptible de xxxxxx xxxx à une atteinte aux données à caractère personnel, ou de tout traitement non autorisé ou illicite de ces données, en fournissant rapidement à FHI 360 assez d’informations pour permettre à FHI 360 de respecter ses éventuelles obligations under this section Compliance Provisionsde signalement des atteintes à la protection des données à caractère personnel en vertu des xxxx de protection des données applicables ; (h) coopérer avec FHI 360 et prendre les mesures commercialement raisonnables que FHI 360 est susceptible d’ordonner pour contribuer à l’enquête, à l’atténuation et à la rectification de toute atteinte à la protection données à caractère personnel ; (i) coopérer à la demande de FHI 360 pour permettre à FHI 360 de

PERSONAL DATA PROTECTION. Consultant Vendor is responsible for ensuring its compliance with any applicable data protection laws related to its services, including but not limited to, General Data Protection Regulation (GDPR), UK-GDPR, Protection of Personal Information (POPI) Act, Nigeria Data Protection Regulation (NDPR), Brazilian General Data Protection Law (LGPD) and the Kenya Data Protection Act. To the extent Consultant Vendor processes any personal data on behalf of FHI 360 and in relation to which FHI 360 is the Controller, as defined by applicable data protection laws, Consultant Vendor shall: (a) act only on instructions from FHI 360 when processing personal data and keep records of all processing activities; (b) take all appropriate technical and organizational measures to protect against unauthorized or unlawful processing of, or accidental loss, destruction, or damage to, personal data; (c) process personal data in accordance with the applicable data protection laws; (d) not do or permit anything to be done which might cause FHI 360 or any of its affiliates to be in violation of applicable data protection laws; (e) immediately inform FHI 360 if it believes performance of the services or compliance with any FHI 360 instruction violates or might reasonably be considered to violate any applicable data protection laws; (f) immediately notify FHI 360 of receipt of any complaint, data subject access request, notice, or communication which relates directly or indirectly to the processing of personal data under this Agreement, and provide full co-operation and assistance to FHI 360 in responding to such complaint, request, notice, or communication; (g) notify FHI 360 promptly and without undue delay upon becoming aware of any unauthorized loss, corruption, damage, destruction, alteration, disclosure, or access to, or unauthorized or unlawful processing of, any personal data ("“Personal Data Breach"”), or any circumstances that are likely to give rise to a Personal Data Breach, timely providing FHI 360 with sufficient information for it to meet its obligation, if any, to report a Personal Data Breach under applicable data protection laws; (h) cooperate with FHI 360 and take commercially reasonable steps as may be directed by FHI 360 to assist in the investigation, mitigation, and remediation of any Personal Data Breach; (i) cooperate as requested by FHI 360 to enable it to comply with any exercise by a data subject of rights under applicable data protection laws with respect to personal data processed by Consultant Vendor under this Agreement, or to comply with any assessment, inquiry, notice, or investigation under applicable data protection laws; (j) only permit a third party sub-processor to process personal data subject to FHI 360's ’s prior written consent and provided that the sub-sub- processor's ’s contract includes terms that are substantially the same as those set out in this section39. Protección de los datos personales. El Proveedor es responsable de garantizar su cumplimiento con cualquier ley de protección de datos aplicable relacionada con sus servicios, incluidos, entre otros, el Reglamento General de Protección de Datos (RGPD), el RGPD del Reino Unido, xx Xxx de Protección de la Información Personal (POPI), el Reglamento de Protección de Datos de Nigeria (NDPR), xx Xxx General de Protección de Datos de Brasil (LGPD) y xx Xxx de Protección de Datos de Xxxxx. En la medida en que el Proveedor procese algún Dato personal en nombre de FHI 360 y en relación con el cual FHI 360 sea el Controlador, según se define en las leyes de protección de datos pertinente, el Proveedor: (a) actuará solo siguiendo las instrucciones de FHI 360 cuando procese los datos personales y mantenga registros de todas las actividades de procesamiento; and (kb) not transfertomará todas las medidas técnicas y organizativas apropiadas para brindar protección contra el procesamiento ilícito o no autorizado o la pérdida accidental, permit la destrucción o el daño a third-party processor to transferlos datos personales; (c) procesará los datos personales de conformidad con las leyes de protección de datos correspondientes; (d) no hará algo ni permitirá que xx xxxx algo que pudiera provocar que FHI 360 o cualquiera de sus filiales viole las leyes de protección de datos aplicable; (e) informará de inmediato a FHI 360 si considera que la prestación de los Servicios o el cumplimiento de cualquier instrucción de FHI 360 xxxxx o puede considerarse razonablemente que xxxxx alguna de las leyes de protección de datos pertinente; (f) notificará de inmediato a FHI 360 la recepción de cualquier xxxxx, or allow access to solicitud de acceso del sujeto de datos, notificación o comunicación que se relaciona, directa o indirectamente, con el procesamiento de los datos personales en virtud de este Contrato, y proporcionará plena cooperación y asistencia a FHI 360 como respuesta a xxx xxxxx, solicitud, notificación o comunicación; (g) notificará a FHI 360 de inmediato y sin dilaciones innecesarias después xx xxxxx conocimiento de cualquier pérdida, corrupción, xxxxx, destrucción, alteración, divulgación o acceso no autorizados, o procesamiento ilegal no autorizado de algún dato personal data outside the country with restrictions on transferring data to another country without (la “Violación de los datos personales”), o cualquier circunstancia que pudiera xxx xxxxx a una Violación de los datos personales, suministrando oportunamente a FHI 360 la información suficiente para cumplir con xx xxxxxxxxxx, si corresponde, de informar una Violación de los datos personales en virtud de las leyes de protección de los datos pertinentes; (h) cooperará con FHI 360 y tomará las medidas comerciales razonables que pueda ordenar FHI 360 para asistir en la investigación, mitigación y subsanación de cualquier Violación de los datos personales; (i) cooperará, según lo solicite FHI 360's prior written consent, subject to any conditions FHI 360 may impose, at its sole discretion. Consultant agrees that FHI 360 may from time to time have reasonable access to Consultant's premises, systems, and records in order to audit Consultant's security measures and procedures in connection with the processing of personal data and to ensure Consultant's compliance with this section. Consultant shall indemnify, defend, and hold FHI 360 and its affiliates harmless from and against all costs, claims, damages, or expenses incurred by them due to any failure by Consultant to comply with any of its obligations under this section Compliance Provisionsa los fines de

PERSONAL DATA PROTECTION. Consultant is responsible for ensuring its compliance with any applicable data protection laws related to its services, including but not limited to, General Data Protection Regulation (GDPR), UK-GDPR, Protection of Personal Information (POPI) Act, Nigeria Data Protection Regulation (NDPR), Brazilian General Data Protection Law (LGPD) and the Kenya Data Protection Act. To the extent Consultant processes any personal data on behalf of FHI 360 and in relation to which FHI 360 is the Controller, as defined by applicable data protection laws, Consultant shall: (a) act only on instructions from FHI 360 when processing personal data and keep records of all processing activities; (b) take all appropriate technical and organizational measures to protect against unauthorized or unlawful processing of, or accidental loss, destruction, or damage to, personal data; (c) process personal data in accordance with the applicable data protection laws; (d) not do or permit anything to be done which might cause FHI 360 or any of its affiliates to be in violation of applicable data protection laws; (e) immediately inform FHI 360 if it believes performance of the services or compliance with any FHI 360 instruction violates or might reasonably be considered to violate any applicable data protection laws; (f) immediately notify FHI 360 of receipt of any complaint, data subject access request, notice, or communication which relates directly or indirectly to the processing of personal data under this Agreement, and provide full co-operation and assistance to FHI 360 in responding to such complaint, request, notice, or communication; (g) notify FHI 360 promptly and without undue delay upon becoming aware of any unauthorized loss, corruption, damage, destruction, alteration, disclosure, or access to, or unauthorized or unlawful processing of, any personal data ("“Personal Data Breach"”), or any circumstances that are likely to give rise to a Personal Data Breach, timely providing FHI 360 with sufficient information for it to meet its obligation, if any, to report a Personal Data Breach under applicable data protection laws; (h) cooperate with FHI 360 and take commercially reasonable steps as may be directed by FHI 360 to assist in the investigation, mitigation, and remediation of any Personal Data Breach; (i) cooperate as requested by FHI 360 to enable it to comply with any exercise by a data subject of rights under applicable data protection laws with respect to personal data processed by Consultant under this Agreement, or to comply with any assessment, inquiry, notice, or investigation under applicable data protection laws; (j) only permit a third party sub-processor to process personal data subject to FHI 360's ’s prior written consent and provided that the sub-processor's ’s contract includes terms that are substantially the same as those set out in this section; and (k) not transfer, permit a third-party processor to transfer, or allow access to personal data outside the country with restrictions on transferring data to another country without FHI 360's prior written consent, subject to any conditions FHI 360 may impose, at its sole discretion. Consultant agrees that FHI 360 may from time to time have reasonable access to Consultant's premises, systems, and records in order to audit Consultant's security measures and procedures in connection with the processing of personal data and to ensure Consultant's compliance with this section. Consultant shall indemnify, defend, and hold FHI 360 and its affiliates harmless from and against all costs, claims, damages, or expenses incurred by them due to any failure by Consultant to comply with any of its obligations under this section Compliance Provisions14.

PERSONAL DATA PROTECTION. Consultant Vendor is responsible for ensuring its compliance with any applicable data protection laws related to its services, including but not limited to, General Data Protection Regulation (GDPR), UK-GDPR, Protection of Personal Information (POPI) Act, Nigeria Data Protection Regulation (NDPR), Brazilian General Data Protection Law (LGPD) and the Kenya Data Protection Act. To the extent Consultant Vendor processes any personal data on behalf of FHI 360 and in relation to which FHI 360 is the Controller, as defined by applicable data protection laws, Consultant Vendor shall: (a) act only on instructions from FHI 360 when processing personal data and keep records of all processing activities; (b) take all appropriate technical and organizational measures to protect against unauthorized or unlawful processing of, or accidental loss, destruction, or damage to, personal data; (c) process personal data in accordance with the applicable data protection laws; (d) not do or permit anything to be done which might cause FHI 360 or any of its affiliates to be in violation of applicable data protection laws; (e) immediately inform FHI 360 if it believes performance of the services or compliance with any FHI 360 instruction violates or might reasonably be considered to violate any applicable data protection laws; (f) immediately notify FHI 360 of receipt of any complaint, data subject access request, notice, or communication which relates directly or indirectly to the processing of personal data under this Agreement, and provide full co-operation and assistance to FHI 360 in responding to such complaint, request, notice, or communication; (g) notify FHI 360 promptly and without undue delay upon becoming aware of any unauthorized loss, corruption, damage, destruction, alteration, disclosure, or access to, or unauthorized or unlawful processing of, any personal data ("“Personal Data Breach"”), or any circumstances that are likely to give rise to a Personal Data Breach, timely providing FHI 360 with sufficient information for it to meet its obligation, if any, to report a Personal Data Breach under applicable data protection laws; (h) cooperate with FHI 360 and take commercially reasonable steps as may be directed by FHI 360 to assist in the investigation, mitigation, and remediation of any Personal Data Breach; (i) cooperate as requested by FHI 360 to enable it to comply with any exercise by a data subject of rights under applicable data protection laws with respect to personal data processed by Consultant Vendor under this Agreement, or to comply with any assessment, inquiry, notice, or investigation under applicable data protection laws; (j) only permit a third party sub-processor to process personal data subject to FHI 360's ’s prior written consent and provided that the sub-processor's ’s contract includes terms that are substantially the same as those set out in this section; and (k) not transfer, permit a third-party processor to transfer, or allow access to personal data outside the country with restrictions on transferring data to another country without FHI 360's ’s prior written consent, subject to any conditions FHI 360 may impose, at its sole discretion. Consultant Vendor agrees that FHI 360 may from time to time have reasonable access to Consultant's Vendor’s premises, systems, and records in order to audit Consultant's Vendor’s security measures and procedures in connection with the processing of personal data and to ensure Consultant's Vendor’s compliance with this section. Consultant Vendor shall indemnify, defend, and hold FHI 360 and its affiliates harmless from and against all costs, claims, damages, or expenses incurred by them due to any failure by Consultant Vendor to comply with any of its obligations under this section Compliance Provisionssection. 39. Protecção de dados pessoais. O Fornecedor é responsável por garantir a sua conformidade com quaisquer xxxx de protecção de dados aplicáveis relacionadas com os seus serviços, incluindo, mas não se limitando a, Regulamento Geral de Protecção de Dados (RGPD), o RGPD do Reino Unido, a Lei de Protecção de Informações Pessoais (POPI), o Regulamento de Protecção de Dados da Nigéria (NDPR), a Xxx Xxxxx sobre Protecção de Dados do Brasil (LGPD) x x Xxx sobre Protecção de Dados do Quénia. Se o Fornecedor tratar quaisquer dados pessoais em nome da FHI 360 e em relação à mesma, sendo esta o Responsável pelo Tratamento, conforme definido pelas xxxx de protecção de dados aplicáveis, deve: (a) apenas actuar mediante instruções da FHI 360 no respeitante ao tratamento dos Dados Pessoais e xxxxxx registos de todas as actividades de tratamento; (b) xxxxx todas as medidas técnicas e organizativas adequadas no sentido de proteger os referidos Dados Pessoais contra um tratamento não autorizado ou ilícito, ou a perda, destruição ou xxxxx acidentais; (c) tratar dados pessoais de acordo com as xxxx de protecção de dados aplicáveis; (d) abster-se de praticar ou autorizar qualquer acto que possa dar origem a uma violação das xxxx de protecção de dados aplicáveis por parte da FHI 360 ou de qualquer das suas filiais; (e) informar imediatamente a FHI 360 se considerar que a execução dos Serviços ou o cumprimento de qualquer instrução recebida constitui uma violação ou pode ser razoavelmente entendida como uma violação das xxxx de protecção de dados aplicáveis; (f) informar imediatamente a FHI 360 da recepção de qualquer reclamação, pedido de acesso de um Titular de Dados, aviso ou comunicação que se relacione, directa ou indirectamente, com o tratamento dos Dados Pessoais previstos no presente Acordo e prestar-lhe toda a colaboração e assistência na resposta à reclamação, ao pedido, ao aviso ou à comunicação acima referidos; (g) notificar a FHI 360 de imediato e sem demora injustificada, xx xxxxx conhecimento de qualquer perda, adulteração, dano, destruição, alteração, divulgação ou acesso a quaisquer Dados Pessoais, ou do seu tratamento não autorizado ou ilícito (“violação de Dados Pessoais”), ou de qualquer circunstância que possa dar origem a uma Violação de Dados Pessoais, facultando à FHI 360, em tempo útil, informações suficientes que lhe permitam cumprir a sua obrigação, se for o caso, de comunicar a Violação dos Dados Pessoais previstos nas xxxx de protecção de dados aplicáveis; (h) cooperar com a FHI 360 e xxxxx as medidas razoáveis em termos comerciais indicadas pela FHI 360, que permitam apoiar na investigação, mitigação e resolução de qualquer Violação de Dados Pessoais; (i) cooperar com a FHI 360, tal como solicitado, de forma a permitir-lhe dar cumprimento ao pedido de exercício dos direitos do Titular dos Dados previstos nas xxxx de protecção de dados aplicáveis, no respeitante aos Dados Pessoais tratados pelo Fornecedor no âmbito do presente Contrato, ou dar cumprimento a qualquer avaliação, inquérito, aviso ou investigação prevista nas xxxx de protecção de dados aplicáveis; (j) apenas permitir o tratamento dos Dados Pessoais por um terceiro subcontratante ulterior, mediante o consentimento prévio, por escrito, da FHI 360 e desde que o contrato com o subcontratante ulterior contemple termos substancialmente idênticos aos estabelecidos na presente secção; e (k) não transferir, autorizar a transferência por um terceiro subcontratante ulterior, ou o acesso a Dados Pessoais fora de um país com restrições à transferência de dados para outro país sem o consentimento prévio por escrito da FHI 360, sob reserva de quaisquer condições que a FHI 360 venha a impor, a seu critério exclusivo. O Fornecedor aceita que a FHI 360 poderá, ocasionalmente, ter um acesso razoável às suas instalações, sistemas e registos, no sentido de fiscalizar as suas medidas e os procedimentos de segurança, relacionados com o tratamento de dados pessoais e garantir a sua conformidade com o disposto na presente secção. O Fornecedor deve indemnizar, defender e xxxxxx indemne a FHI 360 e as suas filiais em relação a qualquer responsabilidade relativamente a todos os custos, reclamações, despesas ou xxxxx, incorridos em virtude do seu incumprimento de qualquer das suas obrigações previstas na presente secção.

PERSONAL DATA PROTECTION. Consultant is responsible for ensuring its compliance with any applicable data protection laws related to its services, including but not limited to, General Data Protection Regulation (GDPR), UK-GDPR, Protection of Personal Information (POPI) Act, Nigeria Data Protection Regulation (NDPR), Brazilian General Data Protection Law (LGPD) and the Kenya Data Protection Act. To the extent Consultant processes any personal data on behalf of FHI 360 and in relation to which FHI 360 is the Controller, as defined by applicable data protection laws, Consultant shall: (a) act only on instructions from FHI 360 when processing personal data and keep records of all processing activities; (b) take all appropriate technical and organizational measures to protect against unauthorized or unlawful processing of, or accidental loss, destruction, or damage to, personal data; (c) process personal data in accordance with the applicable data protection laws; (d) not do or permit anything to be done which might cause FHI 360 or any of its affiliates to be in violation of applicable data protection laws; (e) immediately inform FHI 360 if it believes performance of the services or compliance with any FHI 360 instruction violates or might reasonably be considered to violate any applicable data protection laws; (f) immediately notify FHI 360 of receipt of any complaint, data subject access request, notice, or communication which relates directly or indirectly to the processing of personal data under this Agreement, and provide full co-operation and assistance to FHI 360 in responding to such complaint, request, notice, or communication; (g) notify FHI 360 promptly and without undue delay upon becoming aware of any unauthorized loss, corruption, damage, destruction, alteration, disclosure, or access to, or unauthorized or unlawful processing of, any personal data ("“Personal Data Breach"”), or any circumstances that are likely to give rise to a Personal Data Breach, timely providing FHI 360 with sufficient information for it to meet its obligation, if any, to report a Personal Data Breach under applicable data protection laws; (h) cooperate with FHI 360 and take commercially reasonable steps as may be directed by FHI 360 to assist in the investigation, mitigation, and remediation of any Personal Data Breach; (i) cooperate as requested by FHI 360 to enable it to comply with any exercise by a data subject of rights under applicable data protection laws with respect to personal data processed by Consultant under this Agreement, or to comply with any assessment, inquiry, notice, or investigation under applicable data protection laws; (j) only permit a third party sub-processor to process personal data subject to FHI 360's ’s prior written consent and provided that the sub-processor's ’s contract includes terms that are substantially the same as those set out in this section; and (k) not transfer, permit a third-party processor to transfer, or allow access to personal data outside the country with restrictions on transferring data to another country without 14. Protecção de dados pessoais: o Consultor é responsável por garantir a sua conformidade com quaisquer xxxx de protecção de dados aplicáveis relacionadas com os seus serviços, incluindo, mas não se limitando a, Regulamento Geral de Protecção de Dados (RGPD), o RGPD do Reino Unido, a Lei de Protecção de Informações Pessoais (POPI), o Regulamento de Protecção de Dados da Nigéria (NDPR), a Xxx Xxxxx sobre Protecção de Dados do Brasil (LGPD) x x Xxx sobre Protecção de Dados do Quénia. Se o Consultor tratar quaisquer dados pessoais em e em relação à nome da FHI 360's prior written consent, subject to any conditions sendo esta o Responsável pelo Tratamento, conforme definido pelas xxxx de protecção de dados aplicáveis, deve: (a) apenas actuar mediante instruções da FHI 360 may imposeno respeitante ao tratamento dos Dados Pessoais e xxxxxx registos de todas as actividades de tratamento; (b) xxxxx todas as medidas técnicas e organizativas adequadas no sentido de proteger os referidos Dados Pessoais contra um tratamento não autorizado ou ilícito, at its sole discretion. Consultant agrees that ou a perda, destruição ou xxxxx acidentais; (c) tratar dados pessoais de acordo com as xxxx de protecção de dados aplicáveis; (d) abster-se de praticar ou autorizar qualquer acto que possa dar origem a uma violação das xxxx de protecção de dados aplicáveis por parte da FHI 360 may from time to time have reasonable access to Consultant's premises, systems, and records in order to audit Consultant's security measures and procedures in connection with the processing of personal data and to ensure Consultant's compliance with this section. Consultant shall indemnify, defend, and hold ou de qualquer das suas filiais; (e) informar imediatamente a FHI 360 and its affiliates harmless from and against all costsse considerar que a execução dos Serviços ou o cumprimento de qualquer instrução recebida constitui uma violação ou pode ser razoavelmente entendida como uma violação das xxxx de protecção de dados aplicáveis; (f) informar imediatamente a FHI 360 da recepção de qualquer reclamação, claimspedido de acesso de um Titular de Dados, damagesaviso ou comunicação que se relacione, or expenses incurred by them due to any failure by Consultant to comply with any of its obligations under this section Compliance Provisionsdirecta ou indirectamente, com o tratamento dos Dados Pessoais previstos no presente Acordo e prestar-lhe toda a colaboração e assistência na resposta à reclamação, ao pedido, ao aviso ou à comunicação acima referidos; (g) notificar a FHI 360 de imediato e sem demora injustificada, xx xxxxx conhecimento de qualquer perda, adulteração, dano, destruição, alteração, divulgação ou acesso a quaisquer Dados Pessoais, ou do seu tratamento não autorizado ou ilícito (“violação de Dados Pessoais”), ou de qualquer circunstância que possa dar origem a uma Violação de Dados Pessoais, facultando à FHI 360, em tempo útil, informações suficientes que lhe permitam cumprir a sua obrigação, se for o caso, de comunicar a Violação dos Dados Pessoais previstos nas xxxx de protecção de dados aplicáveis; (h) cooperar com a FHI 360 e xxxxx as medidas razoáveis em termos comerciais indicadas pela FHI 360, que permitam apoiar na investigação, mitigação e resolução de qualquer Violação de Dados Pessoais; (i) cooperar com a FHI 360, tal como solicitado, de forma a permitir-lhe dar cumprimento ao pedido de exercício dos direitos do Titular dos Dados previstos nas xxxx de protecção de dados aplicáveis, no respeitante aos Dados Pessoais tratados pelo Consultor

PERSONAL DATA PROTECTION. Consultant is responsible for ensuring its compliance with any applicable data protection laws related to its servicesAs used in this section, including but not limited to"GDPR" means Regulation (EU) 2016/679, the General Data Protection Regulation (Regulation, and any implementing legislation, rules, or regulations issued by applicable supervisory authorities. The terms "Controller", "Personal Data", "Data Subject", "Processor", and "Processing" shall have the meanings set forth in Article 4 of the GDPR), UK-GDPR, Protection of Personal Information (POPI) Act, Nigeria Data Protection Regulation (NDPR), Brazilian General Data Protection Law (LGPD) and the Kenya Data Protection Act. To the extent Consultant Vendor processes any personal data GDPR-governed Personal Data on behalf of FHI 360 and in relation to which FHI 360 is the Controller, as defined by applicable data protection laws, Consultant Vendor shall: . (a) act only on instructions from FHI 360 when processing personal data Personal Data and keep records of all processing Processing activities; (b) take all appropriate technical and organizational measures to protect against unauthorized or unlawful processing Processing of, or accidental loss, destruction, or damage to, personal dataPersonal Data; (c) process personal data Personal Data in accordance with the applicable data protection lawsGDPR; (d) not do or permit anything to be done which might cause FHI 360 or any of its affiliates to be in violation of applicable data protection lawsGDPR; (e) immediately inform FHI 360 if it believes performance of the services Services or compliance with any FHI 360 instruction violates or might reasonably be considered to violate any applicable data protection lawsGDPR; (f) immediately notify FHI 360 of receipt of any complaint, data subject Data Subject access request, notice, or communication which relates directly or indirectly to the processing of personal data Personal Data under this Agreement, and provide full co-operation and assistance to FHI 360 in responding to such complaint, request, notice, or communication; (g) notify FHI 360 promptly and without undue delay upon becoming aware of any unauthorized loss, corruption, damage, destruction, alteration, disclosure, or access to, or unauthorized or unlawful processing of, any personal data Personal Data ("Personal Data Breach"), or any circumstances that are likely to give rise to a Personal Data Breach, timely providing FHI 360 with sufficient information for it to meet its obligation, if any, to report a Personal Data Breach under applicable data protection lawsGDPR; (h) cooperate with FHI 360 and take commercially reasonable steps as may be directed by FHI 360 to assist in the investigation, mitigation, and remediation of any Personal Data Breach; (i) cooperate as requested by FHI 360 to enable it to comply with any exercise by a data subject Data Subject of rights under applicable data protection laws GDPR with respect to personal data Personal Data processed by Consultant Vendor under this Agreement, or to comply with any assessment, inquiry, notice, or investigation under applicable data protection lawsGDPR; (j) only permit a third party sub-processor to process personal data Personal Data subject to FHI 360's prior written consent and provided that the sub-processor's contract includes terms that are substantially the same as those set out in this section; and (k) not transfer, permit a third-party processor to transfer, or allow access to personal data Personal Data outside the country with restrictions on transferring data to another country European Economic Area without FHI 360's prior written consent, subject to any conditions FHI 360 may impose, at its sole discretion. Consultant Vendor agrees that FHI 360 may from time to time have reasonable access to ConsultantVendor's premises, systems, and records in order to audit ConsultantVendor's security measures and procedures in connection with the processing of personal data Personal Data and to ensure ConsultantVendor's compliance with this section. Consultant Vendor shall indemnify, defend, and hold FHI 360 and its affiliates harmless from and against all costs, claims, damages, or expenses incurred by them due to any failure by Consultant Vendor to comply with any of its obligations under this section Compliance Provisionssection.‌

PERSONAL DATA PROTECTION. Consultant Vendor is responsible for ensuring its compliance with any applicable data protection laws related to its services, including but not limited to, General Data Protection Regulation (GDPR), UK-GDPR, Protection of Personal Information (POPI) Act, Nigeria Data Protection Regulation (NDPR), Brazilian General Data Protection Law (LGPD) and the Kenya Data Protection Act. To the extent Consultant Vendor processes any personal data on behalf of FHI 360 and in relation to which FHI 360 is the Controller, as defined by applicable data protection laws, Consultant Vendor shall: (a) act only on instructions from FHI 360 when processing personal data and keep records of all processing activities; (b) take all appropriate technical and organizational measures to protect against unauthorized or unlawful processing of, or accidental loss, destruction, or damage to, personal data; (c) process personal data in accordance with the applicable data protection laws; (d) not do or permit anything to be done which might cause FHI 360 or any of its affiliates to be in violation of applicable data protection laws; (e) immediately inform FHI 360 if it believes performance of the services or compliance with any FHI 360 instruction violates or might reasonably be considered to violate any applicable data protection laws; (f) immediately notify FHI 360 of receipt of any complaint, data subject access request, notice, or communication which relates directly or indirectly to the processing of personal data under this Agreement, and provide full co-operation and assistance to FHI 360 in responding to such complaint, request, notice, or communication; (g) notify FHI 360 promptly and without undue delay upon becoming aware of any unauthorized loss, corruption, damage, destruction, alteration, disclosure, or access to, or unauthorized or unlawful processing of, any personal data ("Personal Data Breach"), or any circumstances that are likely to give rise to a Personal Data Breach, timely providing FHI 360 with sufficient information for it to meet its obligation, if any, to report a Personal Data Breach under applicable data protection laws; (h) cooperate with FHI 360 and take commercially reasonable steps as may be directed by FHI 360 to assist in the investigation, mitigation, and remediation of any Personal Data Breach; (i) cooperate as requested by FHI 360 to enable it to comply with any exercise by a data subject of rights under applicable data protection laws with respect to personal data processed by Consultant Vendor under this Agreement, or to comply with any assessment, inquiry, notice, or investigation under applicable data protection laws; (j) only permit a third party sub-processor to process personal data subject to FHI 360's prior written consent and provided that the sub-processor's contract includes terms that are substantially the same as those set out in this section; and (k) not transfer, permit a third-party processor to transfer, or allow access to personal data outside the country with restrictions on transferring data to another country without FHI 360's prior written consent, subject to any conditions FHI 360 may impose, at its sole discretion. Consultant agrees that FHI 360 may from time to time have reasonable access to Consultant's premises, systems, and records in order to audit Consultant's security measures and procedures in connection with the processing of personal data and to ensure Consultant's compliance with this section. Consultant shall indemnify, defend, and hold FHI 360 and its affiliates harmless from and against all costs, claims, damages, or expenses incurred by them due to any failure by Consultant to comply with any of its obligations under this section Compliance Provisions;

PERSONAL DATA PROTECTION. Consultant Vendor is responsible for ensuring its compliance with any applicable data protection laws related to its services, including but not limited to, General Data Protection Regulation (GDPR), UK-GDPR, Protection of Personal Information (POPI) Act, Nigeria Data Protection Regulation (NDPR), Brazilian General Data Protection Law (LGPD) and the Kenya Data Protection Act. To the extent Consultant Vendor processes any personal data on behalf of FHI 360 and in relation to which FHI 360 is the Controller, as defined by applicable data protection laws, Consultant Vendor shall: (a) act only on instructions from FHI 360 when processing personal data and keep records of all processing activities; (b) take all appropriate technical and organizational measures to protect against unauthorized or unlawful processing of, or accidental loss, destruction, or damage to, personal data; (c) process personal data in accordance with the applicable data protection laws; (d) not do or permit anything to be done which might cause FHI 360 or any of its affiliates to be in violation of applicable data protection laws; (e) immediately inform FHI 360 if it believes performance of the services or compliance with any FHI 360 instruction violates or might reasonably be considered to violate any applicable data protection laws; (f) immediately notify FHI 360 of receipt of any complaint, data subject access request, notice, or communication which relates directly or indirectly to the processing of personal data under this Agreement, and provide full co-operation and assistance to FHI 360 in responding to such complaint, request, notice, or communication; (g) notify FHI 360 promptly and without undue delay upon becoming aware of any unauthorized loss, corruption, damage, destruction, alteration, disclosure, or access to, or unauthorized or unlawful processing of, any personal data ("Personal Data Breach"), or any circumstances that are likely to give rise to a Personal Data Breach, timely providing FHI 360 with sufficient information for it to meet its obligation, if any, to report a Personal Data Breach under applicable data protection laws; (h) cooperate with FHI 360 and take commercially reasonable steps as may be directed by FHI 360 to assist in the investigation, mitigation, and remediation of any Personal Data Breach; (i) cooperate as requested by FHI 360 to enable it to comply with any exercise by a data subject of rights under applicable data protection laws with respect to personal data processed by Consultant Vendor under this Agreement, or to comply with any assessment, inquiry, notice, or investigation under applicable data protection laws; (j) only permit a third party sub-processor to process personal data subject to FHI 360's prior written consent and provided that the sub-processor's contract includes terms that are substantially the same as those set out in this section; and (k) not transfer, permit a third-party processor to transfer, or allow access to personal data outside the country with restrictions on transferring data to another country without FHI 360's prior written consent, subject to any conditions FHI 360 may impose, at its sole discretion. Consultant Vendor agrees that FHI 360 may from time to time have reasonable access to ConsultantVendor's premises, systems, and records in order to audit ConsultantVendor's security measures and procedures in connection with the processing of personal data and to ensure ConsultantVendor's compliance with this section. Consultant Vendor shall indemnify, defend, and hold FHI 360 and its affiliates harmless from and against all costs, claims, damages, or expenses incurred by them due to any failure by Consultant Vendor to comply with any of its obligations under this section Compliance Provisionssection.