Common use of Data Protection Clause in Contracts

Data Protection. a. The provisions of this Section 1 shall apply to the personal data the Service Provider processes in the course of providing Customer the Services. Service Provider is the data processor in relation to the personal data that it processes in the course of providing Services to Customer. Customer is the data controller in relation to the personal data that it processed by data processor on its behalf in the course of providing Services to Customer. b. The subject matter of the data processing is providing the Services and the processing will be carried out until Service Provider ceases to provide any Services to Customer. Annex 1 of this Addendum sets out the nature and purpose of the processing, the types of personal data Service Provider processes and the data subjects whose personal data is processed. c. When the Service Provider processes personal data in the course of providing Services to you, Service Provider will: i. process the personal data only in accordance with documented instructions from Customer (as set forth in this Addendum or the Agreement or as directed by Customer). If applicable law requires Service Provider to process the personal data for any other purpose, Service Provider will inform Customer of this requirement first, unless such law(s) prohibit this; ii. notify Customer promptly if, in Service Provider’s opinion, an instruction for the processing of personal data given by Customer infringes applicable Data Protection Legislation; iii. assist Customer, taking into account the nature of the processing: 1. by appropriate technical and organizational measures and where possible, in fulfilling Customer’s obligations to respond to requests from data subjects exercising their rights; 2. in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the General Data Protection Regulation, taking into account the information available to Service Provider; and 3. by making available to Customer all information reasonably requested by Customer for the purpose of demonstrating that Customer’s obligations relating to the appointment of processors as set out in Article 28 of the General Data Protection Regulation have been met. iv. implement and maintain appropriate technical and organizational measures to protect the personal data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorized or unlawful processing, accidental loss, destruction, damage or theft of personal data and appropriate to the nature of the personal data which is to be protected; v. in the event of third-party subprocessing that is subject to Data Protection Legislation, (A) inform ▇▇▇▇▇▇▇▇ and obtain its prior written consent (execution of this Addendum shall be deemed as Customer’s prior written consent to such third- party subprocessing); (B) provide a list of third-party subprocessors upon Customer’s request; and (C) inform Customer of any intended changes to third-party subprocessors, thereby giving Customer the opportunity to object to such changes. Service Provider will not give access to or transfer any personal data to any third party for such third party's independent use (e.g., not directly related to providing the Services) without Customer’s prior written consent. If Service Provider provides personal data to third party subprocessors involved in providing the Service, Service Provider will include in its agreement with any such third party subprocessor terms which are at least as favorable to Customer as those contained herein and as are required by applicable Data Protection Legislation; vi. ensure that Service Provider personnel required to access the personal data are subject to a binding duty of confidentiality with regard to such personal data; vii. except as set forth in Section 2.c.v. above or in accordance with documented instructions from Customer (as set forth in this Addendum or the Agreement or as directed by ▇▇▇▇▇▇▇▇), ensure that none of Service Provider personnel publish, disclose or divulge any personal data to any third party; viii. upon expiration or earlier termination of the Agreement, upon ▇▇▇▇▇▇▇▇’▇ written request, securely destroy or return to you such personal data, and destroy existing copies unless applicable laws require storage of such personal data; and ix. at Service Provider’s option, allow Customer and Customer’s authorized representatives to either (i) access and review up-to-date attestations, reports or extracts thereof from independent bodies (e.g. external auditors, , data protection auditors) or suitable certifications to ensure compliance with the terms of this Addendum; or (ii) conduct audits or inspections, upon the parties mutual agreement, during the term of the Agreement to ensure compliance with the terms of this Addendum in accordance with this Section c.ix.. Notwithstanding the foregoing, any audit must be conducted during Service Provider’s regular business hours, with reasonable advance notice to Service Provider and subject to reasonable confidentiality procedures. In addition, audits shall be limited to once per year.

Data Protection. a. The provisions of this Section 1 shall apply to the personal data the Service Provider processes in the course of providing Customer the Services. Service Provider is the data processor in relation to the personal data that it processes in the course of providing Services to Customer. Customer is the data controller in relation to the personal data that it processed by data processor on its behalf in the course of providing Services to Customer. b. The subject matter of the data processing is providing the Services and the processing will be carried out until Service Provider ceases to provide any Services to Customer. Annex 1 of this Addendum sets out the nature and purpose of the processing, the types of personal data Service Provider processes and the data subjects whose personal data is processed. c. When the Service Provider processes personal data in the course of providing Services to you, Service Provider will: i. process the personal data only in accordance with documented instructions from Customer (as set forth in this Addendum or the Agreement or as directed by Customer). If applicable law requires Service Provider us to process the personal data for any other purpose, Service Provider will inform Customer of this requirement first, unless such law(s) prohibit this; ii. notify Customer promptly if, in Service Provider’s opinion, an instruction for the processing of personal data given by Customer infringes applicable Data Protection Legislation; iii. assist Customer, taking into account the nature of the processing: 1. by appropriate technical and organizational measures and where possible, in fulfilling Customer’s obligations to respond to requests from data subjects exercising their rights; 2. in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the General Data Protection Regulation, taking into account the information available to Service Provider; and 3. by making available to Customer all information reasonably requested by Customer for the purpose of demonstrating that Customer’s obligations relating to the appointment of processors as set out in Article 28 of the General Data Protection Regulation have been met. iv. implement and maintain appropriate technical and organizational measures to protect the personal data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorized or unlawful processing, accidental loss, destruction, damage or theft of personal data and appropriate to the nature of the personal data which is to be protected; v. in the event of third-party subprocessing that is subject to Data Protection Legislation, (A) inform ▇▇▇▇▇▇▇▇ and obtain its prior written consent (execution of this Addendum shall be deemed as Customer’s prior written consent to such third- party subprocessing); (B) provide a list of third-party subprocessors upon Customer’s request; and (C) inform Customer of any intended changes to third-party subprocessors, thereby giving Customer the opportunity to object to such changes. Service Provider will not give access to or transfer any personal data to any third party for such third party's independent use (e.g., not directly related to providing the Services) without Customer’s prior written consent. If Service Provider provides personal data to third party subprocessors involved in providing the Service, Service Provider will include in its our agreement with any such third party subprocessor terms which are at least as favorable to Customer you as those contained herein and as are required by applicable Data Protection Legislation; vi. ensure that Service Provider personnel required to access the personal data are subject to a binding duty of confidentiality with regard to such personal data; vii. except as set forth in Section 2.c.v. C.5 above or in accordance with documented instructions from Customer (as set forth in this Addendum or the Agreement or as directed by ▇▇▇▇▇▇▇▇Customer), ensure that none of Service Provider personnel publish, disclose or divulge any personal data to any third party; viii. upon expiration or earlier termination of the Agreement, upon ▇▇▇▇▇▇▇▇’▇ written request, securely destroy or return to you such personal data, and destroy existing copies unless applicable laws require storage of such personal data; and ix. at Service Provider’s option, allow Customer and Customer’s authorized representatives to either (i) access and review up-to-date attestations, reports or extracts thereof from independent bodies (e.g. external auditors, internal audit, data protection auditors) or suitable certifications to ensure compliance with the terms of this Addendum; or (ii) conduct audits or inspections, upon the parties mutual agreement, during the term of the Agreement to ensure compliance with the terms of this Addendum in accordance with this Section c.ix.. Notwithstanding the foregoing, any audit must be conducted during Service Provider’s regular business hours, with reasonable advance notice to Service Provider and subject to reasonable confidentiality procedures. In addition, audits shall be limited to once per year.Section