Common use of Processor’s Processing of Personal Data Clause in Contracts

Processor’s Processing of Personal Data. Processor shall only Process Personal Data to the extent necessary to perform the Services specified in the Agreement and only in accordance with Controller’s written instructions and shall treat Personal Data as Confidential Information. In Processing Personal Data, Processor shall at all times comply with the Privacy Requirements. Controller hereby instructs Processor to Process Personal Data for the following purposes: (i) Processing in accordance with the Agreement and applicable Order Form(s); (ii) Processing initiated by users in their use of the Services; and (iii) Processing to comply with other reasonable written instructions by Controller that are consistent with the terms of the Agreement. Processor acknowledges and agrees that it does not own or control the Personal Data. Further, Processor agrees that it shall, in its capacity as Processor:

2.3.1. Only carry out Processing of Personal Data on Controller’s instructions, as set forth in the Agreement;

2.3.2. Provide at least the same level of protection to Personal Data as is required by this Data Protection Addendum and the Data Protection Requirements;

2.3.3. Promptly notify Controller if it determines that it can no longer meet its obligation to provide the same level of protection as is required by the Data Protection Requirements and this Data Protection Addendum, and in such event, to work with Controller to take prompt, reasonable and appropriate steps to stop and remediate any Processing until such time as the Processing meets the level of protection as is required by the Data Protection Requirements and this Data Protection Addendum;

2.3.4. Implement and maintain throughout the term of this Data Protection Addendum appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful Processing and accidental destruction or loss (including ensuring the reliability of employees), so as to allow Controller to comply with the requirement to implement appropriate technical and organizational security measures, in accordance with the Security Specifications and other applicable provisions of the Data Protection Requirements;

2.3.5. At Controller’s sole election, to cease Processing Personal Data promptly if in Controller’s reasonable determination, Processor is not providing the same level of protection to Personal Data as is required by the Data Protection Requirements or this Data Protection Addendum.

2.3.6. Keep or cause to be kept full and accurate records relating to all Processing of Personal Data on behalf of Controller as part of the Services (“Records”);

2.3.7. Promptly refer to Controller any requests, notices or other communication from Data Subjects, any national data protection authority established in the jurisdiction of Controller, or any other law enforcement authority, for Controller to resolve;

2.3.8. Promptly inform the Controller about every inquiry, action, investigation, inspection by any data protection authorities or by judicial authorities;

2.3.9. Comply with the orders of any data protection authorities or the judicial authorities, unless Controller has promptly informed Processor of the intention of filing opposition to the orders;

2.3.10. Provide all assistance reasonably required by Controller to enable Controller to respond to, comply with or otherwise resolve any request, question or complaint made to it by a Data Subject in relation to the Processing of Personal Data associated with such Data Subject;

2.3.11. If required by the Data Protection Requirements, provide reasonable assistance to Controller with any data protection impact assessments and with any prior consultations to any supervisory authority of Controller, in each case solely in relation to processing of Personal Data, and taking into account the nature of the Processing and information available to Processor.

2.3.12. Provide all assistance reasonably required by Controller to enable Controller to respond to, comply with or otherwise resolve any request, question or complaint made to it that is received from any regulatory or data protection authority including, but not limited to, any applicable U.S., EU or Swiss regulator or data protection authorities.

2.3.13. Take all reasonable steps to ensure the reliability of any of its employees who have access to the Personal Data.

2.3.14. Appoint a Data Protection Officer, if this is legally required by the Data Protection Requirements. The Processor shall promptly notify the Controller of the appointment and the contact information of the Data Protection Officer. If not legally required, assign responsibility for compliance with this Data Protection Addendum to a designated person or group within the company. The authority and accountability of this person or group that demonstrates a privacy and/or security role must be made available to Controller on request.

2.3.15. To the extent Controller, in its use of the Processor’s services, does not have the ability to correct, amend, block, or delete Personal Data, as required by the Data Protection Requirements, Processor shall comply with any commercially reasonable request by Controller to facilitate such actions to the extent Processor is legally permitted to do so. To the extent legally permitted, Controller shall be responsible for any reasonable costs arising from Processor’s provision of such assistance.

2.3.16. Processor shall not direct any of its own marketing materials to any of Controller’s customers without first obtaining all necessary consents to do so from the Controller in accordance with the Data Protection Requirements.

2.3.17. Processor agrees it shall not, in its capacity as Processor:

2.3.17.1. Disclose Personal Data to any third party other than i) for the purposes of complying with Data Subject access requests and Data Subject Rights in accordance with the Data Protection Requirements, as may be required by local laws and regulations, and ii) in accordance with Sections 2.3.8 to 2.3.13, as applicable, unless required by applicable law to which Processor is subject; in such a case, Processor shall notify Controller of that legal requirement before disclosing the Personal Data, unless that law prohibits such notification on important grounds of public interest; this Clause 2.3.16.1 shall be without prejudice to clause 2.3.17.2;

2.3.17.2. Notwithstanding clause 2.3.17.1 or anything else to the contrary in this Data Protection Addendum or the Agreement, Process Personal Information that is subject to the GDPR in any other way than on documented instructions from Controller, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by European Union or EU Member State law to which Processor is subject; in such a case, Processor shall notify Controller of that legal requirement before Processing, unless that law prohibits such notification on important grounds of public interest;

2.3.17.3. Include Personal Data in any product or service offered by Processor to third parties;

2.3.17.4. With the exception of those pre-approved subcontractors listed in Appendix 3 hereto who are engaged in the performance of the Services, share or allow access to files containing Personal Data to any third party for further Processing by that third party or its agents (except for the purposes of mere routing of Personal Data through a third party telecommunications carrier). It is expressly agreed and understood that Processor’s obligations as set forth in Sections 2.3.4, and 2.3.6 through

Appears in 1 contract

Sources: Data Privacy & Security

Processor’s Processing of Personal Data. Processor shall only Process Personal Data to the extent necessary to perform the Services specified in the Agreement and this Data Protection Addendum and only in accordance with Controller’s written instructions and shall treat Personal Data as Confidential Information. In Processing Personal Data, Processor shall at all times comply with the Privacy Requirements. Controller hereby instructs Processor to Process Personal Data for the following purposes: (i) Processing in accordance with the Agreement, this Data Protection Addendum, and applicable Order Form(s); (ii) Processing initiated by users in their use of the Services; and (iii) Processing to comply with other reasonable written instructions by Controller that are consistent with the terms of the Agreement. Processor acknowledges and agrees that it does not own, have any proprietary or intellectual property interest in, or control the Personal Data, whether anonymized or not. Further, Processor agrees that it shall, in its capacity as Processor in Processing Personal Data:

2.3.1. Only carry out Processing of Personal Data on Controller’s instructions, as set forth in the Agreement, this Data Protection Addendum, and Data Protection Requirements;

2.3.2. Provide at least the same level of protection to Personal Data as is required by this Data Protection Addendum and the Data Protection Requirements;

2.3.3. Immediately notify Controller if it determines that it can no longer meet its obligation to provide the same level of protection as is required by the Data Protection Requirements and this Data Protection Addendum, and in such event, to work with Controller to take prompt, reasonable and appropriate steps to stop and remediate any Processing until such time as the Processing meets the level of protection as is required by the Data Protection Requirements and this Data Protection Addendum;

2.3.4. Implement and maintain throughout the term of this Data Protection Addendum appropriate technical and organizational measures to protect Personal Data against unauthorized or Unlawful Processing and accidental destruction or loss (including ensuring the reliability of employees), so as to allow Controller to comply with the requirement to implement appropriate technical and organizational security measures, in accordance with the Security Specifications and other applicable provisions of the Data Protection Requirements;

2.3.5. At Controller’s sole election, to cease Processing Personal Data promptly if in Controller’s reasonable determination, Processor is not providing the same level of protection to Personal Data as is required by the Data Protection Requirements or this Data Protection Addendum;

2.3.6. Keep or cause to be kept full and accurate records relating to all Processing of Personal Data on behalf of Controller as part of the Services (“Records”);

2.3.7. Promptly refer to Controller any requests, notices or other communication relating to Personal Data from Data Subjects, any national data protection authority established in the jurisdiction of Controller, or any other law enforcement authority, for Controller to resolve;

2.3.8. If permitted by the applicable Data Protection Requirements, promptly inform the Controller about (i) any legally binding request, which may include an inquiry, action, investigation, or inspection, by any data protection authorities or by judicial authorities relating to Personal Data, or (ii) on becoming aware of any direct access by public authorities to Personal Data, including at regular intervals in either case, as much relevant information as possible as soon as possible;

2.3.9. Comply with the orders of any data protection authorities or the judicial authorities, unless Controller has promptly informed Processor of the intention of filing opposition to the orders;

2.3.10. Provide all assistance reasonably required by Controller to enable Controller to respond to, comply with or otherwise resolve any request, question or complaint made to it by a Data Subject in relation to the Processing of Personal Data associated with such Data Subject;

2.3.11. If required by the Data Protection Requirements, provide reasonable assistance to Controller with any data protection impact assessments and with any prior consultations to any supervisory authority of Controller, in each case solely in relation to Processing of Personal Data, and taking into account the nature of the Processing and information available to Processor.

2.3.12. Provide all assistance reasonably required by Controller to enable Controller to respond to, comply with or otherwise resolve any request, question or complaint relating to Personal Data made to it that is received from any regulatory or data protection authority including, but not limited to, any applicable U.S., EU, UK, Canadian, Bermuda, Bahamas, Mexico, Peoples Republic of China, New Zealand, Japanese, South African, or Swiss regulator or data protection authorities or those of any political subdivision thereof.

2.3.13. Take all reasonable steps to ensure the reliability of any of its employees who have access to the Personal Data.

2.3.14. Appoint a Data Protection Officer if this is legally required by the Data Protection Requirements. The Processor shall promptly notify the Controller of the appointment and the contact information of the Data Protection Officer. If not legally required, assign responsibility for compliance with this Data Protection Addendum to a designated person or group within the company. The authority and accountability of this person or group that demonstrates a privacy and/or security role must be made available to Controller on request.

2.3.15. To the extent Controller, in its use of the Processor’s Services, does not have the ability to correct, amend, block, or delete Personal Data, as required by the Data Protection Requirements, Processor shall comply with any commercially reasonable request by Controller to facilitate such actions to the extent Processor is legally permitted to do so. To the extent legally permitted, Controller shall be responsible for any reasonable costs arising from Processor’s provision of such assistance.

2.3.16. Processor shall not direct any of its own marketing materials to any of Controller’s customers without first obtaining all necessary consents to do so from the Controller in accordance with the Data Protection Requirements.

2.3.17. Processor agrees it shall not, in its capacity as Processor:

2.3.17.1. Disclose Personal Data to any third party other than i) for the purposes of complying with Data Subject access requests and Data Subject Rights in accordance with the Data Protection Requirements, as may be required by local laws and regulations, and ii) in accordance with Sections 2.3.7 to 2.3.12, as applicable, unless required by applicable Law to which Processor is subject; in such a case, Processor shall notify Controller of that legal requirement before disclosing the Personal Data, unless that law prohibits such notification on important grounds of public interest; this Section 2.3.17.1 shall be without prejudice to Section 2.3.17.2;

2.3.17.2. Notwithstanding Section 2.3.17.1 or anything else to the contrary in this Data Protection Addendum or the Agreement, Process Personal Data that is subject to the GDPR in any other way than on documented instructions from Controller, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by European Union or EU Member State Law to which Processor is subject; in such a case, Processor shall notify Controller of that legal requirement before Processing, unless that Law prohibits such notification on important grounds of public interest;

2.3.17.3. Include Personal Data in any product or service offered by Processor to third parties nor sell, transfer, or otherwise disclose any Personal Data that has been anonymized to any third party, nor aggregate Controller’s Personal Data, or any part of it, into a larger data set with other personal data whether anonymized or not except only as necessary to provide the Services;

2.3.17.4. With the exception of those pre-approved subcontractors listed in Appendix 2 hereto who are engaged in the performance of the Services, share or allow access to files containing Personal Data to any third party for further Processing by that third party or its agents (except for the purposes of mere routing of Personal Data through a third party telecommunications carrier). It is expressly agreed and understood that Processor’s obligations as set forth in Sections 2.3.4, and 2.3.6 through.

Appears in 1 contract

Sources: Data Privacy & Security