Common use of Protection of Personal Data Clause in Contracts

Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Call Off Contract, the Parties acknowledge that the Customer is the Data Controller and that the Supplier is the Data Processor.

The Supplier shall: Process the Personal Data only in accordance with instructions from the Customer to perform its obligations under this Call Off Contract; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data, including the measures as are set out in Clauses 34.1 (Security Requirements) and 34.3 (Protection of Customer Data); not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Customer (save where such disclosure or transfer is specifically authorised under this Call Off Contract) take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 34.7.2 and Clauses 34.1 (Security Requirements), 34.3 (Protection of Customer Data) and 34.4 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer or as otherwise permitted by this Call Off Contract; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Customer within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request) a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the Customer's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Customer with full cooperation and assistance (within the timescales reasonably required by the Customer) in relation to any complaint, communication or request made (as referred to at Clause 34.7.2(e)), including by promptly providing: the Customer with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Customer to enable the Customer to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the Customer, on request by the Customer, with any Personal Data it holds in relation to a Data Subject; and if requested by the Customer, provide a written description of the measures that has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 34.7.2 and provide to the Customer copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals.

The Supplier shall not Process or cause or permit any Personal Data to be transferred in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together Restricted Countries) without Approval.

If, after the Call Off Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to any outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a Variation to the Customer which, if it is agreed by the Customer, shall be dealt with in accordance with the Variation Procedure and Clauses 34.7.3(b) to 34.7.3(d); the Supplier shall set out in its proposal to the Customer for a Variation details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries, including the purpose for the transfer; (if applicable) the countries through which the Personal Data will be transited and the nature of the transit; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the Customer’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with then-current Customer, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Customer may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Call Off Contract or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Customer on such terms as may be required by the Customer; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Customer and the Sub-Contractor relating to the relevant Personal Data transfer, and in each case which the Supplier acknowledges may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Customer deems necessary for the purpose of protecting Personal Data.

The Supplier shall use its reasonable endeavours to assist the Customer to comply with any obligations under the DPA and shall not perform its obligations under this Call Off Contract in such a way as to cause the Customer to breach any of the Customer’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.

Appears in 2 contracts

Samples: Agreement, data.gov.uk


Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Call Off Contract, the Parties acknowledge that the Customer is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Customer to perform its obligations under this Call Off Contract; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data, including the measures as are set out in Clauses 34.1 37.1 (Security Requirements) and 34.3 37.2 (Protection of Customer Data); not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and Services andProducts and/or Servicesand, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Customer (save where such disclosure or transfer is specifically authorised under this Call Off Contract) take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 34.7.2 37.5.2 and Clauses 34.1 37.1 (Security Requirements), 34.3 37.2 (Protection of Customer Data) and 34.4 37.3 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer or as otherwise permitted by this Call Off Contract; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Customer within five (5) Working Days if it receives: from a 
Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request) a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the Customer's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Customer with full cooperation and assistance (within the timescales reasonably required by the Customer) in relation to any complaint, communication or request made (as referred to at Clause 34.7.2(e37.5.2(e)), including by promptly providing: the Customer with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Customer to enable the Customer to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the Customer, on request by the Customer, with any Personal Data it holds in relation to a Data Subject; and if requested by the Customer, provide a written description of the measures that has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 34.7.2 37.5.2 and provide to the Customer copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Supplier shall not Process or cause or permit otherwise transfer any Personal Data to be transferred in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together a Restricted Countries) without ApprovalCountry. 
If, after the Call Off Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to any outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a Variation to the Customer which, if it is agreed by the Customer, shall be dealt with in accordance with the Variation Procedure and Clauses 34.7.3(b37.5.3(b) to 34.7.3(d37.5.3(c); the Supplier shall set out in its proposal to the Customer for a Variation details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries, including the purpose for the transfer; (if applicable) the countries through which the Personal Data will be transited and the nature of the transit; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the Customer’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with then-current Customer, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Customer may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Call Off Contract or a separate data processing agreement between the Parties; and 
procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Customer on such terms as may be required by the Customer; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Customer and the Sub-Contractor relating to the relevant Personal Data transfer, and in each case which the Supplier acknowledges may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Customer deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Customer to comply with any obligations under the DPA and shall not perform its obligations under this Call Off Contract in such a way as to cause the Customer to breach any of the Customer’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.

Appears in 2 contracts

Samples: assets.webuat.crowncommercial.gov.uk, assets.crowncommercial.gov.uk

Protection of Personal Data. Where any Personal Data are Processed in connection with With respect to the exercise of the Parties’ parties' rights and obligations under this Call Off Contract, the Parties acknowledge parties agree that the Customer is the Data Controller and that the Supplier Service Provider is the Data Processor. The Supplier Service Provider shall: Process the Personal Data only in accordance with instructions from the Customer (which may be specific instructions or instructions of a general nature as set out in this Contract or as otherwise notified by the Customer to perform its obligations under this Call Off Contractthe Service Provider during the Contract Period); ensure that at all times it has Process the Personal Data only to the extent, and in place such manner, as is necessary for the provision of the Services or as is required by Law or any Regulatory Body; implement appropriate technical and organisational measures to guard protect the Personal Data against unauthorised or unlawful Processing of the Personal Data and/or and against accidental loss, destruction, damage, alteration or disclosure. 
These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data, including Data and having regard to the measures as are set out in Clauses 34.1 (Security Requirements) and 34.3 (Protection nature of Customer Data); not disclose or transfer the Personal Data which is to any third party or Supplier Personnel unless necessary for the provision of the Goods and Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Customer (save where such disclosure or transfer is specifically authorised under this Call Off Contract) be protected; take reasonable steps to ensure the reliability and integrity of any Supplier Personnel Staff who have access to the Personal Data; obtain prior written consent from the Customer in order to transfer the Personal Data and to any Sub-contractors or Affiliates for the provision of the Services; ensure that all Staff required to access the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 34.7.2 and Clauses 34.1 (Security Requirements), 34.3 (Protection of Customer Data) and 34.4 (Confidentiality); Personal Data are informed of the confidential nature of the Personal Data and do not comply with the obligations set out in this clause 6.4; ensure that none of Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer or as otherwise permitted by this Call Off Contract; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA)Customer; notify the Customer (within five (5) Working Days or such other period as specified in the Order Form (if any)) if it receives: a request from a Data Subject (to have access to that person's Personal Data; or third party on their behalf) a Data Subject Access Request (or 
purported Data Subject Access Request) a request to rectify, block or erase any Personal Data or any other request, complaint or communication request relating to the Customer's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by LawProtection Legislation; provide the Customer with full cooperation and assistance (within the timescales reasonably required by the Customer) in relation to any complaint, communication complaint or request made (as referred to at Clause 34.7.2(e))made, including by promptly providingby: providing the Customer with full details and copies of the complaint, communication complaint or request; where applicable, such assistance as is reasonably requested by the Customer to enable the Customer to comply complying with the Data Subject Access Request a data access request within the relevant timescales set out in the DPA; Data Protection Legislation and in accordance with the Customer, on request by 's instructions; providing the Customer, Customer with any Personal Data it holds in relation to a Data SubjectSubject (within the timescales required by the Customer); and if providing the Customer with any information requested by the Customer; permit the Customer or the Customer Representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, the Service Provider's data Processing activities (and/or those of its agents, subsidiaries and Sub-contractors) and comply with all reasonable requests or directions by the Customer to enable the Customer to verify and/or procure that the Service Provider is in full compliance with its obligations under this Contract; provide a written description of the measures that has taken and technical and organisational security measures 
in place, methods employed by the Service Provider for Processing Personal Data (within the purpose of compliance with its obligations pursuant to this Clause 34.7.2 timescales required by the Customer); and provide to the Customer copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Supplier shall not Process or cause or permit any Personal Data to be transferred in or to any country outside the European Economic Area or any country which is not determined without the prior written consent of the Customer and, where the Customer consents to be adequate by the European Commission pursuant a transfer, to Article 25(6) of Directive 95/46/EC (together Restricted Countries) without Approval. If, after the Call Off Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to any outside the European Economic Area, the following provisions shall applycomply with: the Supplier shall propose obligations of a Variation to Data Controller under the Customer which, if it is agreed by the Customer, shall be dealt with in accordance with the Variation Procedure and Clauses 34.7.3(b) to 34.7.3(d); the Supplier shall Eighth Data Protection Principle set out in its proposal to the Customer for a Variation details Schedule 1 of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries, including the purpose for the transfer; (if applicable) the countries through which the Personal Data will be transited and the nature of the transit; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure Protection Act 1998 by providing an adequate level of protection and adequate safeguards in respect of the to any Personal Data 
that will be Processed in and/or transferred to Restricted Countries so as to ensure the Customer’s compliance with the DPAis transferred; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with then-current Customer, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data reasonable instructions notified to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Customer may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Call Off Contract or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Customer on such terms as may be required it by the Customer; or a data processing agreement . The Service Provider shall comply at all times with the Supplier on terms which are equivalent to those agreed between the Customer and the Sub-Contractor relating to the relevant Personal Data transfer, and in each case which the Supplier acknowledges may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Customer deems necessary for the purpose of protecting Personal Data. 
The Supplier shall use its reasonable endeavours to assist the Customer to comply with any obligations under the DPA Protection Legislation and shall not perform its obligations under this Call Off Contract in such a way as to cause the Customer to breach any of the Customer’s its applicable obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligationsData Protection Legislation.

Appears in 2 contracts

Samples: data.gov.uk, data.gov.uk

Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Call Off ContractFramework Agreement, the Parties acknowledge that the Customer Authority is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Customer Authority to perform its obligations under this Call Off ContractFramework Agreement; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data, including the measures as are set out in Clauses 34.1 (Security Requirements) and 34.3 (Protection of Customer Data); not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Customer Authority (save where such disclosure or transfer is specifically authorised under this Call Off Contract) Framework Agreement); take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 34.7.2 27.4.2 and Clauses 34.1 (Security Requirements), 34.3 (Protection of Customer Data) and 34.4 Clause 27.2 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer Authority or as otherwise permitted by this Call Off ContractFramework Agreement; and have undergone adequate training in the use, care, protection and handling of personal data (as 
defined in the DPA); notify the Customer Authority within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request) ), a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the CustomerAuthority's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Customer Authority with full cooperation and assistance (within the timescales reasonably required by the CustomerAuthority) in relation to any complaint, communication or request made (as referred to at Clause 34.7.2(e)27.4.2(e), including by promptly providing: the Customer Authority with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Customer Authority to enable the Customer Authority to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the CustomerAuthority, on request by the CustomerAuthority, with any Personal Data it holds in relation to a Data Subject; and if requested by the CustomerAuthority, provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 34.7.2 27.4.2 and provide to the Customer Authority copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. 
The Supplier shall not Process or cause or permit otherwise transfer any Personal Data to be transferred in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together a Restricted Countries) without ApprovalCountry. If, after the Call Off Framework Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to any anywhere outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a Variation variation to the Customer Authority which, if it is agreed by the CustomerAuthority, shall be dealt with in accordance with the Clause 19.1 (Variation Procedure Procedure) and Clauses 34.7.3(b27.4.3(b) to 34.7.3(d27.4.3(d); the Supplier shall set out in its proposal to the Customer Authority for a Variation Variation, details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries, including the purpose for the transfer; (if applicable) the countries through which the Personal Data will be transited and the nature of the transit; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the CustomerAuthority’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with then-current Customerthe Authority, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, 
the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Customer Authority may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Call Off Contract Framework Agreement or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Customer Authority on such terms as may be required by the CustomerAuthority; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Customer Authority and the Sub-Contractor Supplier relating to the relevant Personal Data transfer, and in each case which the Supplier acknowledges that in each case, this may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Customer Authority deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Customer Authority to comply with any obligations under the DPA and shall not perform its obligations under this Call Off Contract Framework Agreement in such a way as to cause the Customer Authority to breach any of the CustomerAuthority’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations. 
PUBLICITY AND BRANDING Subject to Clause 29 (Marketing), the Supplier shall not: make any press announcements or publicise this Framework Agreement in any way; or use the Authority's name or brand in any promotion or marketing or announcement of Orders, without Approval (the decision of the Authority to Approve or not shall not be unreasonably withheld or delayed). Each Party acknowledges to the other that nothing in this Framework Agreement either expressly or by implication constitutes an approval and/or endorsement of any products or services of the other Party (including the Goods and/or Services) and each Party agrees not to conduct itself in such a way as to imply or express any such approval and/or endorsement. The Authority shall be entitled to publicise this Framework Agreement in accordance with any legal obligation upon the Authority, including any examination of this Framework Agreement by the National Audit Office pursuant to the National Audit Act 1983 or otherwise.

Appears in 2 contracts

Samples: assets.crowncommercial.gov.uk, assets.crowncommercial.gov.uk

Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Call Off ContractFramework Agreement, the Parties acknowledge that the Customer Fund is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Customer Fund to perform its obligations under this Call Off ContractFramework Agreement; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data, including the measures as are set out in Clauses 34.1 (Security Requirements) and 34.3 (Protection of Customer Data); not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Customer Fund (save where such disclosure or transfer is specifically authorised under this Call Off Contract) Framework Agreement); take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 34.7.2 22.5.2 and Clauses 34.1 (Security Requirements), 34.3 (Protection of Customer Data) and 34.4 Clause 22.2 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer Fund or as otherwise permitted by this Call Off ContractFramework Agreement; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); 
notify the Customer Fund within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request) ), a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the CustomerFund's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Customer Fund with full cooperation and assistance (within the timescales reasonably required by the CustomerFund) in relation to any complaint, communication or request made (as referred to at Clause 34.7.2(e)22.5.2(e), including by promptly providing: the Customer Fund with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Customer Fund to enable the Customer Fund to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the CustomerFund, on request by the CustomerFund, with any Personal Data it holds in relation to a Data Subject; and if requested by the CustomerFund, provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 34.7.2 22.5.2 and provide to the Customer Fund copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. 
The Supplier shall not Process or cause or permit otherwise transfer any Personal Data to be transferred in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together Restricted Countries) without Approval”). If, after the Call Off Framework Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to any anywhere outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a Variation variation to the Customer Fund which, if it is agreed by the CustomerFund, shall be dealt with in accordance with the Clause 17.1 (Variation Procedure Procedure) and Clauses 34.7.3(b22.5.3(b) to 34.7.3(d22.5.3(d); the Supplier shall set out in its proposal to the Customer Fund for a Variation Variation, details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries, including the purpose for the transfer; (if applicable) the countries through which the Personal Data will be transited and the nature of the transit; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the CustomerFund’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with then-current Customerthe Fund, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or 
transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Customer Fund may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Call Off Contract Framework Agreement or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Customer Fund on such terms as may be required by the CustomerFund; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Customer Fund and the Sub-Contractor Supplier relating to the relevant Personal Data transfer, and in each case which the Supplier acknowledges that in each case, this may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Customer Fund deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Customer Fund to comply with any obligations under the DPA and shall not perform its obligations under this Call Off Contract Framework Agreement in such a way as to cause the Customer Fund to breach any of the CustomerFund’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations. 
PUBLICITY AND BRANDING Subject to Clause 244 (Marketing), the Supplier shall not: make any press announcements or publicise this Framework Agreement in any way; or use the Fund's name or brand in any promotion or marketing or announcement of Orders, without Approval (the decision of the Fund to Approve or not shall not be unreasonably withheld or delayed). Each Party acknowledges to the other that nothing in this Framework Agreement either expressly or by implication constitutes an approval and/or endorsement of any products or services of the other Party (including the Goods and/or Services) and each Party agrees not to conduct itself in such a way as to imply or express any such approval and/or endorsement. The Fund shall be entitled to publicise this Framework Agreement in accordance with any legal obligation upon the Fund, including any examination of this Framework Agreement by the National Audit Office pursuant to the National Audit Act 0000 or otherwise.

Appears in 2 contracts

Samples: Framework Agreement, www.contractsfinder.service.gov.uk

Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Call Off Contract, the Parties acknowledge that the Customer is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Customer to perform its obligations under this Call Off Contract; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data, including the measures as are set out in Clauses 34.1 (Security Requirements) and 34.3 34.2 (Protection of Customer Data); not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Customer (save where such disclosure or transfer is specifically authorised under this Call Off Contract) take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 34.7.2 34.6.2 and Clauses 34.1 (Security Requirements), 34.3 34.2 (Protection of Customer Data) and 34.4 34.3 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer or as otherwise permitted by this Call Off Contract; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Customer within five (5) Working Days if it receives: from a Data Subject (or third party 
on their behalf) a Data Subject Access Request (or purported Data Subject Access Request) a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the Customer's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Customer with full cooperation and assistance (within the timescales reasonably required by the Customer) in relation to any complaint, communication or request made (as referred to at Clause 34.7.2(e34.6.2(e)), including by promptly providing: the Customer with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Customer to enable the Customer to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the Customer, on request by the Customer, with any Personal Data it holds in relation to a Data Subject; and if requested by the Customer, provide a written description of the measures that has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 34.7.2 34.6.2 and provide to the Customer copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Supplier shall not Process or cause or permit otherwise transfer any Personal Data to be transferred in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together Restricted Countries) without Approval”). 
If, after the Call Off Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to any outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a Variation to the Customer which, if it is agreed by the Customer, shall be dealt with in accordance with the Variation Procedure and Clauses 34.7.3(b34.6.3(b) to 34.7.3(d34.6.3(c); the Supplier shall set out in its proposal to the Customer for a Variation details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries, including the purpose for the transfer; (if applicable) the countries through which the Personal Data will be transited and the nature of the transit; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the Customer’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with then-current Customer, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Customer may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Call Off Contract or a separate data processing agreement between the Parties; and 
procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Customer on such terms as may be required by the Customer; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Customer and the Sub-Contractor relating to the relevant Personal Data transfer, and in each case which the Supplier acknowledges may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Customer deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Customer to comply with any obligations under the DPA and shall not perform its obligations under this Call Off Contract in such a way as to cause the Customer to breach any of the Customer’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.

Appears in 2 contracts

Samples: assets.crowncommercial.gov.uk, assets.crowncommercial.gov.uk

Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of With respect to the Parties’ rights and obligations under this Call Off ContractAgreement, the Parties acknowledge agree that the Customer is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Customer (which may be specific instructions or instructions of a general nature as set out in this Agreement or as otherwise notified by the Customer to perform its obligations under this Call Off Contractthe Supplier during the Term); ensure that at all times it has Process the Personal Data only to the extent, and in place such manner, as is necessary for the provision of the Supply or as is required by Applicable Law or any Regulatory Body; implement appropriate technical and organisational measures to guard protect the Personal Data against unauthorised or unlawful Processing of the Personal Data and/or and against accidental loss, destruction, damage, alteration or disclosure. 
These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data, including Data and having regard to the measures as are set out in Clauses 34.1 (Security Requirements) and 34.3 (Protection nature of Customer Data); not disclose or transfer the Personal Data which is to any third party or Supplier Personnel unless necessary for the provision of the Goods and Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Customer (save where such disclosure or transfer is specifically authorised under this Call Off Contract) be protected; take reasonable steps to ensure the reliability and integrity of any of the Supplier Personnel Staff who have access to the Personal Data; not transfer the Personal Data and to any sub-contractors or Affiliates without first obtaining prior written consent from the Customer; ensure that all Supplier Staff required to access the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 34.7.2 and Clauses 34.1 (Security Requirements), 34.3 (Protection of Customer Data) and 34.4 (Confidentiality); Personal Data are informed of the confidential nature of the Personal Data and do not comply with the obligations set out in this Clause 19; ensure that none of the Supplier Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer or as otherwise permitted by this Call Off Contract; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA)Customer; notify the Customer (within five (5) Working Days Days) if it receives: a request from a Data Subject to have access to that person’s Personal Data (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request) ”); or a 
request to rectify, block or erase any Personal Data or any other request, complaint or communication request relating to the Customer's ’s obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by LawProtection Requirements; provide the Customer with full cooperation and assistance (within the timescales reasonably required by the Customer) in relation to any complaint, communication complaint or request made (as referred to at Clause 34.7.2(e))made, including by promptly providingby: providing the Customer with full details and copies of the complaint, communication complaint or request; where applicable, such assistance as is reasonably requested by the Customer to enable the Customer to comply complying with the a Data Subject Access Request within the relevant timescales set out in the DPA; Data Protection Requirements and in accordance with the Customer, on request by ’s instructions; providing the Customer, Customer with any Personal Data it holds in relation to a Data SubjectSubject (within the timescales required by the Customer); and if providing the Customer with any information requested by the Customer; permit the Customer (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit the Supplier’s data Processing activities (and/or those of its agents, subsidiaries and sub-contractors) and comply with all reasonable requests or directions by the Customer to enable the Customer to verify and/or procure that the Supplier is in full compliance with its obligations under this Agreement; provide a written description of the measures that has taken and technical and organisational security measures in place, methods employed by the Supplier for processing Personal Data (within the purpose of 
compliance with its obligations pursuant to this Clause 34.7.2 timescales required by the Customer); and provide to the Customer copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Supplier shall not Process or cause or permit any Personal Data to be transferred in or to any country outside the European Economic Area or any country which is not determined without the prior written consent of the Customer and, where the Customer consents to be adequate by a transfer of the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together Restricted Countries) without Approval. If, after the Call Off Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to any outside the European Economic Areaaccordance with Clause 19.2.5, the following provisions shall applycomply with: the Supplier shall propose obligations of a Variation to Data Controller under the Customer which, if it is agreed by the Customer, shall be dealt with in accordance with the Variation Procedure and Clauses 34.7.3(b) to 34.7.3(d); the Supplier shall Eighth Data Protection Principle set out in its proposal to the Customer for a Variation details Schedule 1 of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries, including the purpose for the transfer; (if applicable) the countries through which the Personal Data will be transited and the nature of the transit; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure Protection Act 1998 by providing an adequate level of protection and adequate safeguards in respect of the to any Personal Data that will be Processed in and/or transferred to Restricted Countries so as 
to ensure the Customer’s compliance with the DPAis transferred; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with then-current Customer, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data reasonable instructions notified to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Customer may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Call Off Contract or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Customer on such terms as may be required it by the Customer; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Customer and the Sub-Contractor relating to the relevant Personal Data transfer, and in each case which the Supplier acknowledges may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Customer deems necessary for the purpose of protecting Personal Data. 
The Supplier shall use its reasonable endeavours to assist comply at all times with the Customer to comply with any obligations under the DPA Data Protection Requirements and shall not perform its obligations under this Call Off Contract Agreement in such a way as to cause the Customer to breach any of its applicable obligations under the Data Protection Requirements. CONFIDENTIALITY Except to the extent set out in this Clause 20 or where disclosure is expressly permitted elsewhere in this Agreement, each Party shall: treat the other Party’s Confidential Information as confidential and safeguard it accordingly; and not disclose the other Party’s Confidential Information to any other person without the owner’s prior written consent. Clause 20.1 shall not apply to the extent that: such disclosure is a requirement of an Applicable Law placed upon the Party making the disclosure, including any requirements for disclosure under the FOIA or the Environmental Information Regulations pursuant to Clause 21; such information was in the possession of the Party making the disclosure without obligation of confidentiality prior to its disclosure by the information owner; such information was obtained from a third party without obligation of confidentiality; such information was already in the public domain at the time of disclosure otherwise than by a breach of this Agreement; or such information is independently developed without access to the other Party’s Confidential Information. The Supplier may only disclose the Customer’s Confidential Information to the Supplier Staff who are directly involved in the provision of the Supply and who need to know the information, and shall ensure that such Supplier Staff are aware of and shall comply with the obligations set out in this Clause 20 in respect of such information. 
The Supplier shall not, and shall procure that the Supplier Staff do not, use any of the Customer’s Confidential Information received otherwise than for the purposes of this Agreement. Nothing in this Agreement shall prevent the Customer from disclosing the Supplier’s Confidential Information: to any Crown Body or any other Contracting Authority on the basis that the information is confidential and is not to be disclosed to a third party which is not part of any Crown Body or any Contracting Authority. All Crown Bodies or Contracting Authorities receiving such Confidential Information shall be entitled to further disclose the Confidential Information to other Crown Bodies or other Contracting Authorities on the basis that the information is confidential and is not to be disclosed to a third party which is not part of any Crown Body or any Contracting Authority; to any consultant, contractor or other person engaged by the Customer, or to any person conducting a government gateway or other review on the basis that the information is confidential and is not to be disclosed to a third party which is not part of any Crown Body or any Contracting Authority; for the purpose of the examination and certification of the Customer’s accounts; or for any examination pursuant to Section 6(1) of the National Audit Act 1983 of the economy, efficiency and effectiveness with which the Customer has used its resources. The Customer shall ensure that any government department, Contracting Authority, employee, third party or sub-contractor to whom the Supplier’s Confidential Information is disclosed pursuant to Clause 20.5 is notified in writing of the Customer’s obligations under of confidentiality set out in this Agreement. 
Nothing in this Clause 20 shall prevent either Party from using any techniques, ideas or know-how gained during the DPA performance of the Agreement in the course of its normal business to the extent that this use does not result in a disclosure of the other Party’s Confidential Information or an infringement of IPR. FREEDOM OF INFORMATION The Supplier acknowledges that the Customer is subject to the requirements of the FOIA and the Environmental Information Regulations and shall assist and cooperate with the Customer, to enable the Customer to comply with its Information disclosure obligations. The Supplier shall (and shall procure that its sub-contractors shall) provide all necessary assistance as reasonably requested by the Customer to enable the Customer to respond to a Request for Information within the time for compliance set out in Section 10 of the FOIA or regulation 5 of the Environmental Information Regulations, to include providing the Customer with a copy of all Information in its possession, or power in the form that the Customer requires within five (5) Working Days (or such other period as the Customer may specify) of the Customer’s request. The Customer shall be responsible for determining in its absolute discretion and notwithstanding any other provision in this Agreement or any other agreement whether Information deemed commercially sensitive and/or any other Information is exempt from disclosure in accordance with the provisions of the FOIA or the Environmental Information Regulations. In no event shall the Supplier is awarerespond directly to a Request for Information unless expressly authorised to do so by the Customer. 
The Supplier acknowledges that the Customer may, acting in accordance with the Department of Constitutional Affairs’ Code of Practice on the Discharge of the Functions of Public Authorities under Part 1 of the Freedom of Information Act 2000 (“the Code”), be obliged under the FOIA, or ought reasonably the Environmental Information Regulations to have been aware, disclose information concerning the Supplier or the services provided by the Supplier under this Agreement unless an exemption applies. The Customer may at its discretion consult the Supplier with regard to whether the FOIA applies to the Information or whether an exemption applies. The Supplier shall ensure that all Information produced in the course of this Agreement or relating to this Agreement is retained for disclosure in a manner agreed by the Parties and shall permit the Customer to inspect such records as requested from time to time. The Supplier acknowledges that any Information it deems commercially sensitive is of indicative value only and that the same would Customer may be a breach of such obligationsobliged to disclose it in accordance with Clause 21.5.

Appears in 1 contract

Samples: Framework Agreement

Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Call Off ContractFramework Agreement, the Parties acknowledge that the Customer Authority is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Customer Authority to perform its obligations under this Call Off ContractFramework Agreement; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data, including the measures as are set out in Clauses 34.1 (Security Requirements) and 34.3 (Protection of Customer Data); not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Customer Authority (save where such disclosure or transfer is specifically authorised under this Call Off Contract) Framework Agreement); take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 34.7.2 60.5.2 and Clauses 34.1 (Security Requirements), 34.3 (Protection of Customer Data) and 34.4 Clause 60.2 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer Authority or as otherwise permitted by this Call Off ContractFramework Agreement; and have undergone adequate training in the use, care, protection and handling of personal data (as 
defined in the DPA); notify the Customer Authority within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request) ), a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the CustomerAuthority's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Customer Authority with full cooperation and assistance (within the timescales reasonably required by the CustomerAuthority) in relation to any complaint, communication or request made (as referred to at Clause 34.7.2(e))60.5.10, including by promptly providing: the Customer Authority with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Customer Authority to enable the Customer Authority to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the CustomerAuthority, on request by the CustomerAuthority, with any Personal Data it holds in relation to a Data Subject; and if requested by the CustomerAuthority, provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 34.7.2 60.5.2 and provide to the Customer Authority copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. 
The Supplier shall not Process or cause or permit otherwise transfer any Personal Data to be transferred in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together Restricted Countries) without Approval”). If, after the Call Off Framework Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to any anywhere outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a Variation variation to the Customer Authority which, if it is agreed by the CustomerAuthority, shall be dealt with in accordance with the Clause 46.1 (Variation Procedure Procedure) and Clauses 34.7.3(b) 60.5.21 to 34.7.3(d)60.5.27; the Supplier shall set out in its proposal to the Customer Authority for a Variation Variation, details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries, including the purpose for the transfer; (if applicable) the countries through which the Personal Data will be transited and the nature of the transit; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the CustomerAuthority’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with then-current Customerthe Authority, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the 
Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Customer Authority may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Call Off Contract Framework Agreement or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Customer Authority on such terms as may be required by the CustomerAuthority; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Customer Authority and the Sub-Contractor Supplier relating to the relevant Personal Data transfer, and in each case which the Supplier acknowledges that in each case, this may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Customer Authority deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Customer Authority to comply with any obligations under the DPA and shall not perform its obligations under this Call Off Contract Framework Agreement in such a way as to cause the Customer Authority to breach any of the CustomerAuthority’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.

Appears in 1 contract

Samples: Vehicle Purchase

Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Call Off ContractLease Agreement, the Parties acknowledge that the Customer is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Customer to perform its obligations under this Call Off ContractLease Agreement; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data, including the measures as are set out in Clauses 34.1 43 (Security Requirements) and 34.3 43.2.3(c) (Protection of Customer Data); not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Customer (save where such disclosure or transfer is specifically authorised under this Call Off ContractLease Agreement) take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 34.7.2 43.2.30 and Clauses 34.1 43 (Security Requirements), 34.3 (Protection 43.2.3(c)(Protection of Customer Data) and 34.4 43.2.11(c) (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer or as otherwise permitted by this Call Off ContractLease Agreement; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify 
the Customer within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request) a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the Customer's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Customer with full cooperation and assistance (within the timescales reasonably required by the Customer) in relation to any complaint, communication or request made (as referred to at Clause 34.7.2(e43.2.30(e)), including by promptly providing: the Customer with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Customer to enable the Customer to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the Customer, on request by the Customer, with any Personal Data it holds in relation to a Data Subject; and if requested by the Customer, provide a written description of the measures that has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 34.7.2 43.2.30 and provide to the Customer copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Supplier shall not Process or cause or permit otherwise transfer any Personal Data to be transferred in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together Restricted Countries) without Approval”). 
If, after the Call Off Lease Agreement Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to any outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a Variation to the Customer which, if it is agreed by the Customer, shall be dealt with in accordance with the Variation Procedure and Clauses 34.7.3(b43.2.31(b) to 34.7.3(d43.2.31(c); the Supplier shall set out in its proposal to the Customer for a Variation details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries, including the purpose for the transfer; (if applicable) the countries through which the Personal Data will be transited and the nature of the transit; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the Customer’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with then-current Customer, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Customer may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Call Off Contract Lease Agreement or a separate data processing 
agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Customer on such terms as may be required by the Customer; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Customer and the Sub-Contractor relating to the relevant Personal Data transfer, and in each case which the Supplier acknowledges may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Customer deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Customer to comply with any obligations under the DPA and shall not perform its obligations under this Call Off Contract Lease Agreement in such a way as to cause the Customer to breach any of the Customer’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.

Appears in 1 contract

Samples: Lease Agreement

Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Call Off ContractFramework Agreement, the Parties acknowledge that the Customer Fund is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Customer Fund to perform its obligations under this Call Off ContractFramework Agreement; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data, including the measures as are set out in Clauses 34.1 (Security Requirements) and 34.3 (Protection of Customer Data); not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Customer Fund (save where such disclosure or transfer is specifically authorised under this Call Off Contract) Framework Agreement); take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 34.7.2 21.5.2 and Clauses 34.1 (Security Requirements), 34.3 (Protection of Customer Data) and 34.4 Clause 21.2 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer Fund or as otherwise permitted by this Call Off ContractFramework Agreement; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); 
notify the Customer Fund within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request) ), a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the CustomerFund's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority the Fund in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Customer Fund with full cooperation and assistance (within the timescales reasonably required by the CustomerFund) in relation to any complaint, communication or request made (as referred to at Clause 34.7.2(e)21.5.2(e), including by promptly providing: the Customer Fund with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Customer Fund to enable the Customer Fund to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the CustomerFund, on request by the CustomerFund, with any Personal Data it holds in relation to a Data Subject; and if requested by the CustomerFund, provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 34.7.2 21.5.2 and provide to the Customer Fund copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. 
The Supplier shall not Process or cause or permit otherwise transfer any Personal Data to be transferred in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together Restricted Countries) without Approval”). If, after the Call Off Framework Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to any anywhere outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a Variation variation to the Customer Fund which, if it is agreed by the CustomerFund, shall be dealt with in accordance with the Clause 16.1 (Variation Procedure Procedure) and Clauses 34.7.3(b21.5.3(b) to 34.7.3(d21.5.3(d); the Supplier shall set out in its proposal to the Customer Fund for a Variation Variation, details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries, including the purpose for the transfer; (if applicable) the countries through which the Personal Data will be transited and the nature of the transit; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the CustomerFund’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with then-current Customerthe Fund, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or 
transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Customer Fund may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Call Off Contract Framework Agreement or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Customer Fund on such terms as may be required by the CustomerFund; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Customer Fund and the Sub-Contractor Supplier relating to the relevant Personal Data transfer, and in each case which the Supplier acknowledges that in each case, this may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Customer Fund deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Customer Fund to comply with any obligations under the DPA and shall not perform its obligations under this Call Off Contract Framework Agreement in such a way as to cause the Customer Fund to breach any of the CustomerFund’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.

Appears in 1 contract

Samples: www.contractsfinder.service.gov.uk

Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Call Off Contract, the Parties acknowledge that the Customer is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Customer to perform its obligations under this Call Off Contract; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data, including the measures as are set out in Clauses 34.1 35.1 (Security Requirements) and 34.3 35.2 (Protection of Customer Data); not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Customer (save where such disclosure or transfer is specifically authorised under this Call Off Contract) take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 34.7.2 35.6.2 and Clauses 34.1 35.1 (Security Requirements), 34.3 35.2 (Protection of Customer Data) and 34.4 35.3 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer or as otherwise permitted by this Call Off Contract; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Customer within five (5) Working Days if it receives: from a Data Subject (or third 
party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request) a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the Customer's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Customer with full cooperation and assistance (within the timescales reasonably required by the Customer) in relation to any complaint, communication or request made (as referred to at Clause 34.7.2(e35.(e)), including by promptly providing: the Customer with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Customer to enable the Customer to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the Customer, on request by the Customer, with any Personal Data it holds in relation to a Data Subject; and if requested by the Customer, provide a written description of the measures that has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 34.7.2 35.6.2 and provide to the Customer copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Supplier shall not Process or cause or permit otherwise transfer any Personal Data to be transferred in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together Restricted Countries) without Approval”). 
If, after the Call Off Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to any outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a Variation to the Customer which, if it is agreed by the Customer, shall be dealt with in accordance with the Variation Procedure and Clauses 34.7.3(b35.(b) to 34.7.3(d35.(c); the Supplier shall set out in its proposal to the Customer for a Variation details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries, including the purpose for the transfer; (if applicable) the countries through which the Personal Data will be transited and the nature of the transit; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the Customer’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with then-current Customer, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Customer may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Call Off Contract or a separate data processing agreement between the Parties; and procuring 
that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Customer on such terms as may be required by the Customer; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Customer and the Sub-Contractor relating to the relevant Personal Data transfer, and in each case which the Supplier acknowledges may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Customer deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Customer to comply with any obligations under the DPA and shall not perform its obligations under this Call Off Contract in such a way as to cause the Customer to breach any of the Customer’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.

Appears in 1 contract

Samples: www.contractsfinder.service.gov.uk

Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Call Off Contract, the Parties acknowledge that the Customer is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Customer to perform its obligations under this Call Off Contract; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data, including the measures as are set out in Clauses 34.1 (Security Requirements) and 34.3 34.2 (Protection of Customer Data); not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Customer (save where such disclosure or transfer is specifically authorised under this Call Off Contract) take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 34.7.2 34.6.2 and Clauses 34.1 (Security Requirements), 34.3 34.2 (Protection of Customer Data) and 34.4 34.3 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer or as otherwise permitted by this Call Off Contract; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Customer within five (5) Working Days if it receives: from a Data Subject (or third party 
on their behalf) a Data Subject Access Request (or purported Data Subject Access Request) a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the Customer's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Customer with full cooperation and assistance (within the timescales reasonably required by the Customer) in relation to any complaint, communication or request made (as referred to at Clause 34.7.2(e34.6.2(e)), including by promptly providing: the Customer with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Customer to enable the Customer to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the Customer, on request by the Customer, with any Personal Data it holds in relation to a Data Subject; and if requested by the Customer, provide a written description of the measures that has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 34.7.2 34.6.2 and provide to the Customer copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Supplier shall not Process or cause or permit otherwise transfer any Personal Data to be transferred in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together Restricted Countries) without Approval”). 
If, after the Call Off Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to any outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a Variation to the Customer which, if it is agreed by the Customer, shall be dealt with in accordance with the Variation Procedure and Clauses 34.7.3(b34.6.3(b) to 34.7.3(d34.6.3(c); the Supplier shall set out in its proposal to the Customer for a Variation details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries, including the purpose for the transfer; (if applicable) the countries through which the Personal Data will be transited and the nature of the transit; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the Customer’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with then-current Customer, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Customer may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Call Off Contract or a separate data processing agreement between the Parties; and 
procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Customer on such terms as may be required by the Customer; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Customer and the Sub-Contractor relating to the relevant Personal Data transfer, and in each case which the Supplier acknowledges may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Customer deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Customer to comply with any obligations under the DPA and shall not perform its obligations under this Call Off Contract in such a way as to cause the Customer to breach any of the Customer’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.

Appears in 1 contract

Samples: assets.crowncommercial.gov.uk

Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Call Off Contract, the Parties acknowledge that the Customer is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Customer to perform its obligations under this Call Off Contract; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data, including the measures as are set out in Clauses 34.1 (Security Requirements) and 34.3 34.2 (Protection of Customer Data); not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Customer (save where such disclosure or transfer is specifically authorised under this Call Off Contract) take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 34.7.2 34.6.2 and Clauses 34.1 (Security Requirements), 34.3 34.2 (Protection of Customer Data) and 34.4 34.3 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer or as otherwise permitted by this Call Off Contract; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Customer within five (5) Working Days if it receives: from a Data Subject (or third party on 
their behalf) a Data Subject Access Request (or purported Data Subject Access Request) a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the Customer's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Customer with full cooperation and assistance (within the timescales reasonably required by the Customer) in relation to any complaint, communication or request made (as referred to at Clause 34.7.2(e34.6.2(e)), including by promptly providing: the Customer with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Customer to enable the Customer to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the Customer, on request by the Customer, with any Personal Data it holds in relation to a Data Subject; and if requested by the Customer, provide a written description of the measures that has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 34.7.2 34.6.2 and provide to the Customer copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Supplier shall not Process or cause or permit otherwise transfer any Personal Data to be transferred in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together Restricted Countries) without Approval”). 
If, after the Call Off Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to any outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a Variation to the Customer which, if it is agreed by the Customer, shall be dealt with in accordance with the Variation Procedure and Clauses 34.7.3(b34.6.3(b) to 34.7.3(d34.6.3(c); the Supplier shall set out in its proposal to the Customer for a Variation details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries, including the purpose for the transfer; (if applicable) the countries through which the Personal Data will be transited and the nature of the transit; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the Customer’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with then-current Customer, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Customer may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Call Off Contract or a separate data processing agreement between the Parties; and 
procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Customer on such terms as may be required by the Customer; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Customer and the Sub-Contractor relating to the relevant Personal Data transfer, and in each case which the Supplier acknowledges may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Customer deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Customer to comply with any obligations under the DPA and shall not perform its obligations under this Call Off Contract in such a way as to cause the Customer to breach any of the Customer’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.

Appears in 1 contract

Samples: assets.crowncommercial.gov.uk

Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Call Off Contract, the Parties acknowledge that the Customer is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Customer to perform its obligations under this Call Off Contract; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data, including the measures as are set out in Clauses 34.1 (Security Requirements) and 34.3 34.2 (Protection of Customer Data); not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Customer (save where such disclosure or transfer is specifically authorised under this Call Off Contract) take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s Suppliers duties under this Clause 34.7.2 34.5.2 and Clauses 34.1 (Security Requirements), 34.3 34.2 (Protection of Customer Data) and 34.4 34.3 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer or as otherwise permitted by this Call Off Contract; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Customer within five (5) Working Days if it receives: from a Data Subject (or third 
party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request) a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the Customer's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Customer with full cooperation and assistance (within the timescales reasonably required by the Customer) in relation to any complaint, communication or request made (as referred to at Clause 34.7.2(e34.5.2(e)), including by promptly providing: the Customer with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Customer to enable the Customer to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the Customer, on request by the Customer, with any Personal Data it holds in relation to a Data Subject; and if requested by the Customer, provide a written description of the measures that has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 34.7.2 34.5.2 and provide to the Customer copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Supplier shall not Process or cause or permit otherwise transfer any Personal Data to be transferred in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together Restricted Countries) without Approval”). 
If, after the Call Off Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to any outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a Variation to the Customer which, if it is agreed by the Customer, shall be dealt with in accordance with the Variation Procedure and Clauses 34.7.3(b34.5.3(b) to 34.7.3(d34.5.3(c); the Supplier shall set out in its proposal to the Customer for a Variation details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries, including the purpose for the transfer; (if applicable) the countries through which the Personal Data will be transited and the nature of the transit; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the Customer’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with then-current Customer, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Customer may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Call Off Contract or a separate data processing agreement between the Parties; and 
procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Customer on such terms as may be required by the Customer; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Customer and the Sub-Contractor relating to the relevant Personal Data transfer, and in each case which the Supplier acknowledges may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Customer deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Customer to comply with any obligations under the DPA and shall not perform its obligations under this Call Off Contract in such a way as to cause the Customer to breach any of the Customer’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.

Appears in 1 contract

Samples: assets.crowncommercial.gov.uk

Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of With respect to the Parties' rights and obligations under this Call Off Contract, the Parties acknowledge that the Customer is the a Data Controller and that the Supplier is the a Data Processor. The Supplier shall: prior to the processing of any Personal Data under this Call Off Contract and where requested by the Customer provide a Privacy Impact Assessment (“PIA”) to the Authority which will include (but not be limited to): a systematic description of the envisaged processing operations and the purpose of the processing; an assessment of the necessity and proportionality on the processing operations in relation to the Services; an assessment of the risks to the rights and freedoms of Data Subjects; and the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data; Process the Personal Data only in accordance with instructions from the Customer to perform its obligations under this Call Off Contract; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data, including the measures as are set out in Clauses 34.1 (Security Requirements) and 34.3 34.2 (Protection of Customer Data); not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for allow the provision of the Goods and Services and, for any disclosure or transfer processing of Personal Data to by any Sub-Contractor, Affiliate and third party, obtain party without the prior written consent of the Customer (save where such disclosure or transfer is specifically authorised under this Call Off Contract) Customer; take all reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have 
access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 34.7.2 34.5.2 and Clauses 34.1 (Security Requirements), and 34.3 (Protection of Customer Data) and 34.4 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer or as otherwise permitted by this Call Off Contract; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPAData Protection Laws); notify the Customer within five forty eight (548) Working Days hours if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request) a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the Customer's obligations under the DPAData Protection Laws; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or considers that any instructions from the Customer infringe the Data Protection Laws; receives any Regulator Correspondence or any other any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Call Off Contract; or is required by Xxx to commit an act or omission that would constitute a breach of this Clause 34.5; provide the Customer with full cooperation and assistance (within the timescales reasonably required by the Customer) in relation to either Party’s obligations under the Data Protection Laws or any complaint, communication or request made (as referred to at Clause 34.7.2(e(f)), including 
by promptly providing: the Customer with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Customer to enable the Customer to comply with the Data Subject Access Request within the relevant timescales set out in the DPAData Protection Laws; and the Customer, on request by the Customer, with any Personal Data it holds in relation to a Data Subject; and assistance following a Data Loss Event as required by the Customer including with respect to the conduct of a data protection impact assessment and the Customer's consultation with the Information Commissioner's Office; if requested by the Customer, provide a written description of the measures that has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 34.7.2 34.5.2 and provide to the Customer copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. keep a record of all categories of processing activities carried out on behalf of the Customer, containing; the categories of processing carried out on behalf of the Customer; where applicable, any transfers of Personal Data to Restricted Countries or an international organisation The Supplier shall not Process or cause or permit otherwise transfer any Personal Data to be transferred in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together a Restricted Countries) without ApprovalCountry. 
If, after the Call Off Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to any outside the European Economic Area, the following provisions shall apply: the Supplier shall propose submit a Variation Form to the Customer which, if it is agreed by the CustomerCustomer agrees to such Variation, shall be dealt with in accordance with the Variation Procedure and Clauses 34.7.3(b) to 34.7.3(d)Procedure; the Supplier shall set out in its proposal to the Customer for a Variation details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries, including the purpose for the transfer; (if applicable) the countries through which the Personal Data will be transited and the nature of the transit; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the Customer’s compliance with the DPAData Protection Laws; in providing and evaluating the Variation, and the Impact Assessment, the Parties shall ensure that they have regard to and comply with then-current Customer, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Customer may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPAData Protection 
Laws) into this Call Off Contract or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Customer on such terms as may be required by the Customer; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Customer and the Sub-Contractor relating to the relevant Personal Data transfer, and in each case which the Supplier acknowledges may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPAData Protection Laws ) and technical and organisation measures which the Customer deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Customer to comply with any obligations under the DPA Data Protection Laws and shall not perform its obligations under this Call Off Contract in such a way as to cause the Customer to breach any of the Customer’s obligations under the DPA Data Protection Laws to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations. The Supplier shall (and shall procure that all Supplier Personnel) comply with any notification requirements under Data Protection Laws and both Parties will duly observe all their obligations under Data Protection Laws which arise in connection with the Call Off Contract. 
The Supplier will, in conjunction with the Customer, in its own right and in respect of the Services, make all necessary preparations to ensure it will be compliant with the provisions of the GDPR upon its implementation The Supplier will provide the Customer with the contact details of its data protection officer or other designated individual with responsibility for data protection and privacy to act as the point of contact for the purpose of observing its obligations under Clause 34.5. The Supplier will notify the Customer immediately, and in any event no later than 12 hours, after becoming aware of a Data Loss Event, in particular the Supplier will; when notifying the Customer of a Data Loss Event, describe the nature of the event including the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned; cooperate fully with any Customer investigation into the Data Loss Event including but not limited to the causes and effects (actual or potential); provide immediate access to the Supplier’s premises and systems for the purposes of any Customer investigation under this Call Off Contract; take all necessary actions to remedy the causes of the Data Loss Event and to ensure the protection of Personal Data from any further loss; not make any public statement of any kind without the prior approval of the Customer; where appropriate, provide all assistance necessary to enable the Customer to fulfil its obligations to notify the Information Commissioner within 72 hours after becoming aware of the Data Loss Event. The Supplier shall indemnify the Customer on a continuing basis against any and all Losses incurred by the Customer arising from the Supplier’s Default under this Clause 34.5 and/or any failure by the Supplier or any Sub-Contractor to comply with their respective obligations under Data Protection Laws. 
Nothing in this Clause 34.5 shall be construed as requiring the Supplier or any relevant Sub-Contractor to be in breach of any Data Protection Laws.

Appears in 1 contract

Samples: www.whatdotheyknow.com

Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Call Call-Off Contract, the Parties acknowledge that the Customer is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Customer to perform its obligations under this Call Call-Off Contract; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data, including the measures as are set out in Clauses 34.1 31.1 (Security Requirements) and 34.3 31.2 (Protection of Customer Data); not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Customer (save where such disclosure or transfer is specifically authorised under this Call Call-Off Contract) take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 34.7.2 31.6.2 and Clauses 34.1 31.1 (Security Requirements), 34.3 Requirements),31.2 (Protection of Customer Data) and 34.4 31.3 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer or as otherwise permitted by this Call Call-Off Contract; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Customer within five (5) Working Days if it receives: 
from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request) a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the Customer's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Customer with full cooperation and assistance (within the timescales reasonably required by the Customer) in relation to any complaint, communication or request made (as referred to at Clause 34.7.2(e)), 31.6.2(e) including by promptly providing: the Customer with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Customer to enable the Customer to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the Customer, on request by the Customer, with any Personal Data it holds in relation to a Data Subject; and if requested by the Customer, provide a written description of the measures that has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 34.7.2 31.6.2 and provide to the Customer copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Supplier shall not Process or cause or permit otherwise transfer any Personal Data to be transferred in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together Restricted Countries) without Approval”). 
If, after the Call Call-Off Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to any outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a Variation to the Customer which, if it is agreed by the Customer, shall be dealt with in accordance with the Variation Procedure and Clauses 34.7.3(b31.6.3(b) to 34.7.3(d31.6.3(c); the Supplier shall set out in its proposal to the Customer for a Variation details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries, including the purpose for the transfer; (if applicable) the countries through which the Personal Data will be transited and the nature of the transit; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the Customer’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with then-current Customer, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Customer may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Call Call-Off Contract or a separate data processing agreement between the Parties; 
and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Customer on such terms as may be required by the Customer; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Customer and the Sub-Contractor relating to the relevant Personal Data transfer, and in each case which the Supplier acknowledges may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Customer deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Customer to comply with any obligations under the DPA and shall not perform its obligations under this Call Call-Off Contract in such a way as to cause the Customer to breach any of the Customer’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.

Appears in 1 contract

Samples: assets.crowncommercial.gov.uk

Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Call Off Contract, the Parties acknowledge that the Customer is the Data Controller and that the Supplier is the Data Processor. Notwithstanding clause 34.5.1 the Supplier shall comply with its obligations under the DPA. The Supplier shall: Process the Personal Data only in accordance with instructions from the Customer to perform its obligations under this Call Off Contract; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data, including the measures as are set out in Clauses 34.1 (Security Requirements) and 34.3 34.2 (Protection of Customer Data); not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Customer (save where such disclosure or transfer is specifically authorised under this Call Off Contract) take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 34.7.2 34.5.3 and Clauses 34.1 (Security Requirements), 34.3 34.2 (Protection of Customer Data) and 34.4 34.3 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer or as otherwise permitted by this Call Off Contract; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify 
the Customer within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request) a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the Customer's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Customer with full cooperation and assistance (within the timescales reasonably required by the Customer) in relation to any complaint, communication or request made (as referred to at Clause 34.7.2(e34.(e)), including by promptly providing: the Customer with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Customer to enable the Customer to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the Customer, on request by the Customer, with any Personal Data it holds in relation to a Data Subject; and if requested by the Customer, provide a written description of the measures that has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 34.7.2 34.5.3 and provide to the Customer copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. 
The Supplier shall not Process or cause or permit otherwise transfer any Personal Data to be transferred in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together a Restricted Countries) without ApprovalCountry. If, after the Call Off Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to any outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a Variation to the Customer which, if it is agreed by the Customer, shall be dealt with in accordance with the Variation Procedure and Clauses 34.7.3(b34.(b) to 34.7.3(d34.(c); the Supplier shall set out in its proposal to the Customer for a Variation details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries, including the purpose for the transfer; (if applicable) the countries through which the Personal Data will be transited and the nature of the transit; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the Customer’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with then-current Customer, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such 
other instructions and shall carry out such other actions as the Customer may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Call Off Contract or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Customer on such terms as may be required by the Customer; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Customer and the Sub-Contractor relating to the relevant Personal Data transfer, and in each case which the Supplier acknowledges may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Customer deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Customer to comply with any obligations under the DPA and DPA. The Supplier shall not perform its obligations under this Call Off Contract in such a way as to cause the Customer to breach any of the Customer’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.

Appears in 1 contract

Samples: www.whatdotheyknow.com

Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Call Off Contract, the Parties acknowledge that the Customer is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Customer to perform its obligations under this Call Off Contract; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data, including the measures as are set out in Clauses 34.1 43 (Security Requirements) and 34.3 43.2.3(c) (Protection of Customer Data); not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Customer (save where such disclosure or transfer is specifically authorised under this Call Off Contract) take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 34.7.2 43.2.30 and Clauses 34.1 43 (Security Requirements), 34.3 (Protection 43.2.3(c)(Protection of Customer Data) and 34.4 43.2.11(c) (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer or as otherwise permitted by this Call Off Contract; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Customer within five (5) Working Days if it receives: 
from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request) a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the Customer's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Customer with full cooperation and assistance (within the timescales reasonably required by the Customer) in relation to any complaint, communication or request made (as referred to at Clause 34.7.2(e43.2.30(e)), including by promptly providing: the Customer with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Customer to enable the Customer to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the Customer, on request by the Customer, with any Personal Data it holds in relation to a Data Subject; and if requested by the Customer, provide a written description of the measures that has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 34.7.2 43.2.30 and provide to the Customer copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Supplier shall not Process or cause or permit otherwise transfer any Personal Data to be transferred in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together Restricted Countries) without Approval”). 
If, after the Call Off Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to any outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a Variation to the Customer which, if it is agreed by the Customer, shall be dealt with in accordance with the Variation Procedure and Clauses 34.7.3(b43.2.31(b) to 34.7.3(d43.2.31(c); the Supplier shall set out in its proposal to the Customer for a Variation details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries, including the purpose for the transfer; (if applicable) the countries through which the Personal Data will be transited and the nature of the transit; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the Customer’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with then-current Customer, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Customer may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Call Off Contract or a separate data processing agreement between the Parties; and 
procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Customer on such terms as may be required by the Customer; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Customer and the Sub-Contractor relating to the relevant Personal Data transfer, and in each case which the Supplier acknowledges may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Customer deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Customer to comply with any obligations under the DPA and shall not perform its obligations under this Call Off Contract in such a way as to cause the Customer to breach any of the Customer’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.

Appears in 1 contract

Samples: assets.crowncommercial.gov.uk

Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Call Off Contract, the Parties acknowledge that the Customer is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Customer to perform its obligations under this Call Off Contract; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data, including the measures as are set out in Clauses 34.1 36.1 (Security Requirements) and 34.3 36.2 (Protection of Customer Data); not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Customer (save where such disclosure or transfer is specifically authorised under this Call Off Contract) take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 34.7.2 36.5.2 and Clauses 34.1 36.1 (Security Requirements), 34.3 36.2 (Protection of Customer Data) and 34.4 36.3 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer or as otherwise permitted by this Call Off Contract; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Customer within five (5) Working Days if it receives: from a Data Subject (or 
third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request) a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the Customer's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Customer with full cooperation and assistance (within the timescales reasonably required by the Customer) in relation to any complaint, communication or request made (as referred to at Clause 34.7.2(e36.5.2(e)), including by promptly providing: the Customer with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Customer to enable the Customer to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the Customer, on request by the Customer, with any Personal Data it holds in relation to a Data Subject; and if requested by the Customer, provide a written description of the measures that has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 34.7.2 36.5.2 and provide to the Customer copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Supplier shall not Process or cause or permit otherwise transfer any Personal Data to be transferred in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together a Restricted Countries) without ApprovalCountry. 
If, after the Call Off Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to any outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a Variation to the Customer which, if it is agreed by the Customer, shall be dealt with in accordance with the Variation Procedure and Clauses 34.7.3(b36.5.3(b) to 34.7.3(d36.5.3(c); the Supplier shall set out in its proposal to the Customer for a Variation details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries, including the purpose for the transfer; (if applicable) the countries through which the Personal Data will be transited and the nature of the transit; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the Customer’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with then-current Customer, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Customer may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Call Off Contract or a separate data processing agreement between the Parties; and 
procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Customer on such terms as may be required by the Customer; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Customer and the Sub-Contractor relating to the relevant Personal Data transfer, and in each case which the Supplier acknowledges may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Customer deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Customer to comply with any obligations under the DPA and shall not perform its obligations under this Call Off Contract in such a way as to cause the Customer to breach any of the Customer’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.

Appears in 1 contract

Samples: assets.crowncommercial.gov.uk

Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Call Off Contract, the Parties acknowledge that the Customer is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Customer to perform its obligations under this Call Off Contract; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data, including the measures as are set out in Clauses 34.1 (Security Requirements) and 34.3 (Protection of Customer Data); not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Customer (save where such disclosure or transfer is specifically authorised under this Call Off Contract) take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 34.7.2 39.1.31 and Clauses 34.1 (Security Requirements), 34.3 (Protection of Customer Data) and 34.4 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer or as otherwise permitted by this Call Off Contract; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Customer within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a 
Data Subject Access Request (or purported Data Subject Access Request) a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the Customer's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Customer with full cooperation and assistance (within the timescales reasonably required by the Customer) in relation to any complaint, communication or request made (as referred to at Clause 34.7.2(e39.(e)), including by promptly providing: the Customer with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Customer to enable the Customer to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the Customer, on request by the Customer, with any Personal Data it holds in relation to a Data Subject; and if requested by the Customer, provide a written description of the measures that has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 34.7.2 39.1.31 and provide to the Customer copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Supplier shall not Process or cause or permit otherwise transfer any Personal Data to be transferred in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together a Restricted Countries) without ApprovalCountry. 
If, after the Call Off Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to any outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a Variation to the Customer which, if it is agreed by the Customer, shall be dealt with in accordance with the Variation Procedure and Clauses 34.7.3(b39.(b) to 34.7.3(d39.(c); the Supplier shall set out in its proposal to the Customer for a Variation details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries, including the purpose for the transfer; (if applicable) the countries through which the Personal Data will be transited and the nature of the transit; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the Customer’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with then-current Customer, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Customer may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Call Off Contract or a separate data processing agreement between the Parties; and procuring 
that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Customer on such terms as may be required by the Customer; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Customer and the Sub-Contractor relating to the relevant Personal Data transfer, and in each case which the Supplier acknowledges may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Customer deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Customer to comply with any obligations under the DPA and shall not perform its obligations under this Call Off Contract in such a way as to cause the Customer to breach any of the Customer’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.

Appears in 1 contract

Samples: assets.crowncommercial.gov.uk

Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Call Off Contract, the Parties acknowledge that the Customer is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Customer to perform its obligations under this Call Off Contract; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data, including the measures as are set out in Clauses 34.1 46 (Security Requirements) and 34.3 46.1.5 (Protection of Customer Data); not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and Services the delivery of purchased Goods and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Customer (save where such disclosure or transfer is specifically authorised under this Call Off Contract) ); take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 34.7.2 46.1.32 and Clauses 34.1 46 (Security Requirements), 34.3 46.1.5 (Protection of Customer Data) and 34.4 46.1.13(c) (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer or as otherwise permitted by this Call Off Contract; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Customer within five (5) Working Days if it 
receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request) a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the Customer's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Customer with full cooperation and assistance (within the timescales reasonably required by the Customer) in relation to any complaint, communication or request made (as referred to at Clause 34.7.2(e46.1.32(h)), including by promptly providing: the Customer with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Customer to enable the Customer to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the Customer, on request by the Customer, with any Personal Data it holds in relation to a Data Subject; and if requested by the Customer, provide a written description of the measures that has have been taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 34.7.2 46.1.32 and provide to the Customer copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Supplier shall not Process or cause or permit otherwise transfer any Personal Data to be transferred in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together Restricted Countries) without Approval”). 
If, after the Call Off Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to any outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a Variation to the Customer which, if it is agreed by the Customer, shall be dealt with in accordance with the Variation Procedure and Clauses 34.7.3(b46.1.33(b) to 34.7.3(d46.1.33(g); the Supplier shall set out in its proposal to the Customer for a Variation details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries, including the purpose for the transfer; (if applicable) the countries through which the Personal Data will be transited and the nature of the transit; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the Customer’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with then-current Customer, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Customer may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Call Off Contract or a separate data processing agreement between the Parties; and 
procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Customer on such terms as may be required by the Customer; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Customer and the Sub-Contractor relating to the relevant Personal Data transfer, and in each case which the Supplier acknowledges may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Customer deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Customer to comply with any obligations under the DPA and shall not perform its obligations under this Call Off Contract in such a way as to cause the Customer to breach any of the Customer’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.

Appears in 1 contract

Samples: assets.crowncommercial.gov.uk

Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Call Off Contract, the Parties acknowledge that the Customer is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Customer to perform its obligations under this Call Off Contract; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data, including the measures as are set out in Clauses 34.1 45 (Security Requirements) and 34.3 45.1.5 (Protection of Customer Data); not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Customer (save where such disclosure or transfer is specifically authorised under this Call Off Contract) take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 34.7.2 45.1.32 and Clauses 34.1 45 (Security Requirements), 34.3 45.1.5 (Protection of Customer Data) and 34.4 45.1.13(c) (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer or as otherwise permitted by this Call Off Contract; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Customer within five (5) Working Days if it receives: from a Data Subject 
(or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request) a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the Customer's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Customer with full cooperation and assistance (within the timescales reasonably required by the Customer) in relation to any complaint, communication or request made (as referred to at Clause 34.7.2(e45.1.32(h)), including by promptly providing: the Customer with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Customer to enable the Customer to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the Customer, on request by the Customer, with any Personal Data it holds in relation to a Data Subject; and if requested by the Customer, provide a written description of the measures that has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 34.7.2 45.1.32 and provide to the Customer copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Supplier shall not Process or cause or permit otherwise transfer any Personal Data to be transferred in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together Restricted Countries) without Approval”). 
If, after the Call Off Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to any outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a Variation to the Customer which, if it is agreed by the Customer, shall be dealt with in accordance with the Variation Procedure and Clauses 34.7.3(b45.1.33(b) to 34.7.3(d45.1.33(g); the Supplier shall set out in its proposal to the Customer for a Variation details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries, including the purpose for the transfer; (if applicable) the countries through which the Personal Data will be transited and the nature of the transit; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the Customer’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with then-current Customer, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Customer may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Call Off Contract or a separate data processing agreement between the Parties; and 
procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Customer on such terms as may be required by the Customer; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Customer and the Sub-Contractor relating to the relevant Personal Data transfer, and in each case which the Supplier acknowledges may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Customer deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Customer to comply with any obligations under the DPA and shall not perform its obligations under this Call Off Contract in such a way as to cause the Customer to breach any of the Customer’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.

Appears in 1 contract

Samples: assets.crowncommercial.gov.uk

Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Call Off Contract, the Parties acknowledge that the Customer is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Customer to perform its obligations under this Call Off Contract; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data, including the measures as are set out in Clauses 34.1 46 (Security Requirements) and 34.3 46.1.5 (Protection of Customer Data); not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Customer (save where such disclosure or transfer is specifically authorised under this Call Off Contract) take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 34.7.2 47.1.11 and Clauses 34.1 46 (Security Requirements), 34.3 46.1.5 (Protection of Customer Data) and 34.4 46.1.13(c) (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer or as otherwise permitted by this Call Off Contract; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Customer within five (5) Working Days if it receives: from a Data Subject 
(or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request) a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the Customer's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Customer with full cooperation and assistance (within the timescales reasonably required by the Customer) in relation to any complaint, communication or request made (as referred to at Clause 34.7.2(e47.1.11(e)), including by promptly providing: the Customer with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Customer to enable the Customer to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the Customer, on request by the Customer, with any Personal Data it holds in relation to a Data Subject; and if requested by the Customer, provide a written description of the measures that has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 34.7.2 47.1.11 and provide to the Customer copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Supplier shall not Process or cause or permit otherwise transfer any Personal Data to be transferred in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together a Restricted Countries) without ApprovalCountry. 
If, after the Call Off Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to any outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a Variation to the Customer which, if it is agreed by the Customer, shall be dealt with in accordance with the Variation Procedure and Clauses 34.7.3(b47.1.12(b) to 34.7.3(d47.1.12(c); the Supplier shall set out in its proposal to the Customer for a Variation details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries, including the purpose for the transfer; (if applicable) the countries through which the Personal Data will be transited and the nature of the transit; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the Customer’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with then-current Customer, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Customer may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Call Off Contract or a separate data processing agreement between the Parties; and 
procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Customer on such terms as may be required by the Customer; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Customer and the Sub-Contractor relating to the relevant Personal Data transfer, and in each case which the Supplier acknowledges may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Customer deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Customer to comply with any obligations under the DPA and shall not perform its obligations under this Call Off Contract in such a way as to cause the Customer to breach any of the Customer’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.

Appears in 1 contract

Samples: assets.crowncommercial.gov.uk

Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Call Off Contract, the Parties acknowledge that the Customer is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Customer to perform its obligations under this Call Off Contract; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data, including the measures as are set out in Clauses 34.1 24.1 (Security Requirements) and 34.3 24.2 (Protection of Customer Data); not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Customer (save where such disclosure or transfer is specifically authorised under this Call Off Contract) take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 34.7.2 24.6.2 and Clauses 34.1 24.1 (Security Requirements), 34.3 24.2 (Protection of Customer Data) and 34.4 24.3 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer or as otherwise permitted by this Call Off Contract; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Customer within five (5) Working Days if it receives: from a Data Subject (or third 
party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request) a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the Customer's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Customer with full cooperation and assistance (within the timescales reasonably required by the Customer) in relation to any complaint, communication or request made (as referred to at Clause 34.7.2(e24.6.2(e)), including by promptly providing: the Customer with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Customer to enable the Customer to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the Customer, on request by the Customer, with any Personal Data it holds in relation to a Data Subject; and if requested by the Customer, provide a written description of the measures that has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 34.7.2 24.6.2 and provide to the Customer copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Supplier shall not Process or cause or permit otherwise transfer any Personal Data to be transferred in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together Restricted Countries) without Approval”). 
If, after the Call Off Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to any outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a Variation to the Customer which, if it is agreed by the Customer, shall be dealt with in accordance with the Variation Procedure and Clauses 34.7.3(b24.6.3(b) to 34.7.3(d24.6.3(c); the Supplier shall set out in its proposal to the Customer for a Variation details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries, including the purpose for the transfer; (if applicable) the countries through which the Personal Data will be transited and the nature of the transit; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; and how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the Customer’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with then-the current Customer, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Customer may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Call Off Contract or a separate data processing agreement between the Parties; 
and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Customer on such terms as may be required by the Customer; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Customer and the Sub-Contractor relating to the relevant Personal Data transfer, and in each case which the Supplier acknowledges may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Customer deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Customer to comply with any obligations under the DPA and shall not perform its obligations under this Call Off Contract in such a way as to cause the Customer to breach any of the Customer’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.

Appears in 1 contract

Samples: assets.crowncommercial.gov.uk

Protection of Personal Data. Where any Personal Data are is Processed in connection with the exercise of the Parties’ rights and obligations under this Call Off Contractthe Commercial Agreement, the Parties acknowledge that the Customer Authority is the Data Controller and that the Supplier is the Data Processor. The Supplier Supplier, including any Sub-Contractors shall: Process the Personal Data only in accordance with instructions from the Customer Authority to perform its obligations under this Call Off Contractthe Commercial Agreement; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data, including the measures as are set out in Clauses 34.1 (Security Requirements) and 34.3 (Protection of Customer Data); not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Customer Authority (save where such disclosure or transfer is specifically authorised under this Call Off Contract) the Commercial Agreement); take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 34.7.2 B14.2 and Clauses 34.1 (Security Requirements), 34.3 (Protection of Customer Data) and 34.4 (Confidentiality)Clause B11 above; are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer Authority or as otherwise permitted by this Call Off Contractthe Commercial Agreement; and have undergone adequate training in the 
use, care, protection and handling of personal data (as defined in the DPA); notify the Customer Authority within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request) ), a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the CustomerAuthority's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Customer Authority with full cooperation and assistance (within the timescales reasonably required by the CustomerAuthority) in relation to any complaint, communication or request made (as referred to at Clause 34.7.2(e))B14.2(e) above, including by promptly providing: the Customer Authority with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Customer Authority to enable the Customer Authority to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the CustomerAuthority, on request by the CustomerAuthority, with any Personal Data it holds in relation to a Data Subject; and if requested by the CustomerAuthority, provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 34.7.2 B14.2 and provide to the Customer Authority copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. 
The Supplier shall not not, without the consent of the Customer, Process or cause or permit otherwise transfer any Personal Data to be transferred in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together the “Restricted Countries) without Approval”). If, after the Call Off Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to any anywhere outside the European Economic AreaArea (a “Restricted Data Transfer”) then, the following provisions shall applyapply in respect of such Restricted Data Transfer: the Supplier shall propose a Variation to inform the Customer which, if that it is agreed wishes to Process or transfer Personal Data controlled by the Customer, shall be dealt with Customer in accordance with the Variation Procedure and Clauses 34.7.3(b) or to 34.7.3(d)a Restricted Country; the Supplier shall set out in its proposal provide to the Customer for Customer, the following details relating to the Restricted Data Transfer in writing (a Variation details of the following: “Data Transfer Notice”): the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries, including the purpose for the transfer; (if applicable) the countries through which the Personal Data will be transited and the nature of the transit; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors Contractor or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; and how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the Customer’s compliance with the DPA; in providing and evaluating the VariationData Transfer 
Notice, the Parties shall ensure that they have regard to and comply with then-current the Customer, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Customer may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Call Off Contract the Commercial Agreement or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Customer on such terms as may be required by the Customer; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Customer and the Sub-Contractor Supplier relating to the relevant Personal Data transfer, and in each case which the Supplier acknowledges that in each case, this may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Customer deems necessary for the purpose of protecting Personal Data. Upon receipt of a Data Transfer Notice, the Customer shall obtain approval from GSIRO in respect of the Restricted Data Transfer. If GSIRO and the Customer accept (i) the terms and information set out in the Data Transfer Notice; and (ii) the circumstances surrounding such proposed Restricted Data Transfer, then the Customer shall provide the Supplier with its written consent to such Restricted Data Transfer. 
However, if the requirement to seek GSIRO approval shall not apply if the Restricted Data Transfer relates to processing by an off shored third party service provider on an individual travel transactional basis (e.g., a Hotel outside the EEA). The Supplier will process the Customer’s Personal Identifiable Information (PII) and privacy related data in compliance with current UK legislation and in particular the Data Protection Act. Prior to completion of the Enabling Agreement the Supplier shall be required to support the Customer in obtaining the relevant Customer Data Controller’s approval. In support of this approval the Supplier shall be required to produce a Privacy Impact Assessment (PIA), to be agreed by the Customer before the Commencement Date of the Enabling Agreement. The Supplier shall use its reasonable endeavours to assist the Customer Authority to comply with any obligations under the DPA and shall not perform its obligations under this Call Off Contract the Commercial Agreement in such a way as to cause the Customer Authority to breach any of the CustomerAuthority’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations. Publicity and Branding The Supplier shall not: make any press announcements or publicise the Commercial Agreement in any way; or use the Authority's name or brand in any promotion or marketing or announcement, without Approval (the decision of the Authority to Approve or not shall not be unreasonably withheld or delayed). Each Party acknowledges to the other that nothing in the Commercial Agreement either expressly or by implication constitutes an approval and/or endorsement of any products or services of the other Party (including the Services) and each Party agrees not to conduct itself in such a way as to imply or express any such approval and/or endorsement. 
The Authority shall be entitled to publicise the Commercial Agreement in accordance with any legal obligation upon the Authority, including any examination of the Commercial Agreement by the National Audit Office pursuant to the National Audit Act 1983 or otherwise. All Publications The Supplier shall obtain the Authority's Approval prior to publishing any content in relation to the Commercial Agreement using any media, including on any electronic medium, if the content published requires updating the Supplier will ensure that such content is regularly maintained and updated. In the event that the Supplier fails to maintain or update the content, the Authority may give the Supplier notice to rectify the failure and if the failure is not rectified to the reasonable satisfaction of the Authority within one (1) Month of receipt of such notice, the Authority shall have the right to remove such content itself or require that the Supplier immediately arranges the removal of such content.

Appears in 1 contract

Samples: Commercial Agreement

Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Call Off Contract, the Parties acknowledge that the Customer is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Customer to perform its obligations under this Call Off Contract; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data, including the measures as are set out in Clauses 34.1 (Security Requirements) and 34.2 (Protection of Customer Data); not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Customer (save where such disclosure or transfer is specifically authorised under this Call Off Contract) take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 34.6.2 and Clauses 34.1 (Security Requirements), 34.2 (Protection of Customer Data) and 34.3 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer or as otherwise permitted by this Call Off Contract; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Customer within five (5) Working Days if it 
receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request) a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the Customer's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Customer with full cooperation and assistance (within the timescales reasonably required by the Customer) in relation to any complaint, communication or request made (as referred to at Clause 34.6.2(e)), including by promptly providing: the Customer with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Customer to enable the Customer to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the Customer, on request by the Customer, with any Personal Data it holds in relation to a Data Subject; and if requested by the Customer, provide a written description of the measures that has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 34.6.2 and provide to the Customer copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Supplier shall not Process or cause or permit otherwise transfer any Personal Data to be transferred in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together Restricted Countries) without Approval”). 
If, after the Call Off Contract Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to any outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a Variation to the Customer which, if it is agreed by the Customer, shall be dealt with in accordance with the Variation Procedure and Clauses 34.6.3(b) to 34.6.3(c); the Supplier shall set out in its proposal to the Customer for a Variation details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries, including the purpose for the transfer; (if applicable) the countries through which the Personal Data will be transited and the nature of the transit; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the Customer’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with then-current Customer, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Customer may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Call Off Contract or a separate data processing agreement between the Parties; 
and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Customer on such terms as may be required by the Customer; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Customer and the Sub-Contractor relating to the relevant Personal Data transfer, and in each case which the Supplier acknowledges may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Customer deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Customer to comply with any obligations under the DPA and shall not perform its obligations under this Call Off Contract in such a way as to cause the Customer to breach any of the Customer’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.

Appears in 1 contract

Samples: assets.crowncommercial.gov.uk

Protection of Personal Data. Where any Personal Data are Processed in connection with the exercise of the Parties’ rights and obligations under this Call Off Contract, the Parties acknowledge that the Customer is the Data Controller and that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the Customer to perform its obligations under this Call Off Contract; ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data, including the measures as are set out in Clauses 32.1 (Security Requirements) and 32.2 (Protection of Customer Data); not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Customer (save where such disclosure or transfer is specifically authorised under this Call Off Contract) take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 32.6.2 and Clauses 32.1 (Security Requirements), 32.2 (Protection of Customer Data) and 32.3 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer or as otherwise permitted by this Call Off Contract; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Customer within five (5) Working Days if it receives: from a Data Subject (or third 
party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request) a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the Customer's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide the Customer with full cooperation and assistance (within the timescales reasonably required by the Customer) in relation to any complaint, communication or request made (as referred to at Clause 32.6.2(e)), including by promptly providing: the Customer with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Customer to enable the Customer to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the Customer, on request by the Customer, with any Personal Data it holds in relation to a Data Subject; and if requested by the Customer, provide a written description of the measures that has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 32.6.2 and provide to the Customer copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Supplier shall not Process or cause or permit otherwise transfer any Personal Data to be transferred in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together Restricted Countries) without Approval”). 
If, after the Call Off Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to any outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a Variation to the Customer which, if it is agreed by the Customer, shall be dealt with in accordance with the Variation Procedure and Clauses 32.6.3(b) to 32.6.3(c); the Supplier shall set out in its proposal to the Customer for a Variation details of the following: the Personal Data which will be transferred to and/or Processed in or to any Restricted Countries, including the purpose for the transfer; (if applicable) the countries through which the Personal Data will be transited and the nature of the transit; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the Customer’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with then-current Customer, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Customer may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Call Off Contract or a separate data processing agreement between the Parties; and 
procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Customer on such terms as may be required by the Customer; or a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Customer and the Sub-Contractor relating to the relevant Personal Data transfer, and in each case which the Supplier acknowledges may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Customer deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to assist the Customer to comply with any obligations under the DPA and shall not perform its obligations under this Call Off Contract in such a way as to cause the Customer to breach any of the Customer’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.

Appears in 1 contract

Samples: assets.crowncommercial.gov.uk
