Common use of Contact with Third Parties Clause in Contracts

Contact with Third Parties. In the event that (a) Supplier receives a request from a third party (including an individual) to access any Personal Data in Supplier’s possession, and (b) Supplier acts as a Data Processor, Supplier will promptly forward a copy of such request to DXC and will cooperate with DXC in responding to any such request. Upon DXC’s request, Supplier will make Personal Data in its possession available to DXC or any third party designated in writing by DXC and will update Personal Data in Supplier’s possession in accordance with DXC's written instructions. If any government or competent authority requests Supplier to disclose or allow access to Personal Data, Supplier shall, unless legally prohibited, immediately notify DXC of such request and shall not disclose or allow access to such Personal Data without first giving DXC an opportunity to consult with such government or authority to seek to prevent such disclosure or accessing. The Parties shall discuss and agree to any lawful actions or steps which may be taken to avoid or prevent such disclosure or accessing. Supplier shall promptly notify DXC if any complaints are received from third parties about its Processing of Personal Data, and Supplier shall not make any admissions or take any action that may be prejudicial to the defense or settlement of any such complaint. Supplier shall provide DXC with such reasonable assistance as it may require in connection with resolving any such complaint. Access to Personal Data by Subcontractors. Supplier will require any subcontractors or agents to which it discloses Personal Data under this Agreement or under any SOW to provide reasonable assurance, evidenced by written contract, that it will comply with the same or substantially identical confidentiality, privacy and security obligations with respect to such Personal Data as apply to Supplier under this Section (hereinafter “Personal Data Related Obligations”). Supplier shall confirm in writing to DXC that such contract is in place as a condition to DXC’s approval of use of a subcontractor in connection with any SOW. Upon request of DXC, Supplier will provide to DXC a copy of the subcontract or an extract of the relevant clauses. Supplier shall ensure that any failure on the part of any subcontractor or agent to comply with the Personal Data Related Obligations shall be grounds to promptly terminate such subcontractor or agent. If during the term of this Agreement or any SOW DXC determines, in its exclusive discretion, that any Supplier subcontractor or agent cannot comply with the Personal Data Related Obligations, then DXC may terminate this Agreement in whole or in part (with respect to any SOW for which such subcontractor or agent is providing services), if not cured by Supplier within the time prescribed in the notice of such deficiency. HIPAA. To the extent (if any) that DXC discloses PHI to Supplier or Supplier accesses, maintains, uses, or discloses PHI in connection with the performance of Services or functions under this Agreement, Supplier will: (a) not use or further disclose PHI other than as permitted or required by this Agreement or as required by law; (b) use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement, including implementing requirements of the HIPAA Security Rule with regard to electronic PHI; (c) report to DXC any use or disclosure of PHI not provided for under this Agreement of which Supplier becomes aware, including breaches of unsecured protected health information as required by 45 CFR §164.410, (d) in accordance with 45 CFR §164.502(e)(1)(ii), ensure that any subcontractors or agents of Supplier that create, receive, maintain, or transmit PHI created, received, maintained or transmitted by Supplier on DXC’s behalf, agree to the same restrictions and conditions that apply to Supplier with respect of such PHI; (e) make available PHI in a Designated Record Set (if any is maintained by Supplier) in accordance with 45 CFR section 164.524; (f) make available PHI for amendment and incorporate any amendments to PHI in a Designated Record Set in accordance 45 CFR section 164.526; (g) make available PHI required to provide an accounting of disclosures in accordance with 45 CFR section 164.528, (h) make Supplier’s internal practices, applicable documentation and records to the extent that such relate to the use and disclosure of PHI received from DXC, or created or received by Supplier on DXC’s behalf, available to the Secretary of the HHS for the purpose of determining DXC’s compliance with the HIPAA Privacy and Security Rules, (i) in the event Supplier is to carry out any obligations by or on behalf of DXC that DXC performs on behalf of a covered entity arising under the Privacy Rule, comply with the requirements of the Privacy Rule that apply to the performance of such obligations, and (j) at termination of this Agreement, return or destroy all PHI received from, or created or received by Supplier on behalf of DXC that Supplier still maintains in any form and retain no copies of such information or, if such return or destruction is not feasible, extend the protections of the Agreement to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible.

Contact with Third Parties. In the event that (a) Supplier receives a request from a third party (including an individual) to access any Personal Data in Supplier’s possession, and (b) Supplier acts as a Data Processor, Supplier will promptly forward a copy of such request to DXC and will cooperate with DXC in responding to any such request. Upon DXC’s request, Supplier will make Personal Data in its possession available to DXC or any third party designated in writing by DXC and will update Personal Data in Supplier’s possession in accordance with DXC's written instructions. If any government or competent authority requests Supplier to disclose or allow access to Personal Data, Supplier shall, unless legally prohibited, immediately notify DXC of such request and shall not disclose or allow access to such Personal Data without first giving DXC an opportunity to consult with such government or authority to seek to prevent such disclosure or accessing. The Parties shall discuss and agree to any lawful actions or steps which may be taken to avoid or prevent such disclosure or accessing. Supplier shall promptly notify DXC if any complaints are received from third parties about its Processing of Personal Data, and Supplier shall not make any admissions or take any action that may be prejudicial to the defense or settlement of any such complaint. Supplier shall provide DXC with such reasonable assistance as it may require in connection with resolving any such complaint. Access to Personal Data by Subcontractors. Supplier will require any subcontractors or agents to which it discloses Personal Data under this Agreement or under any SOW to provide reasonable assurance, evidenced by written contract, that it will comply with the same or substantially identical confidentiality, privacy and security obligations with respect to such Personal Data as apply to Supplier under this Section (hereinafter “Personal Data Related Obligations”). Supplier shall confirm in writing to DXC that such contract is in place as a condition to DXC’s approval of use of a subcontractor in connection with any SOW. Upon request of DXC, Supplier will provide to DXC a copy of the subcontract or an extract of the relevant clauses. Supplier shall ensure that any failure on the part of any subcontractor or agent to comply with the Personal Data Related Obligations shall be grounds to promptly terminate such subcontractor or agent. If during the term of this Agreement or any SOW DXC determines, in its exclusive discretion, that any Supplier subcontractor or agent cannot comply with the Personal Data Related Obligations, then DXC may terminate this Agreement in whole or in part (with respect to any SOW for which such subcontractor or agent is providing services), if not cured by Supplier within the time prescribed in the notice of such deficiency. HIPAA. To the extent (if any) that DXC discloses PHI to Supplier or Supplier accesses, maintains, uses, or discloses PHI in connection with the performance of Services or functions under this Agreement, Supplier will: (a) not use or further disclose PHI other than as permitted or required by this Agreement or as required by law; (b) use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement, including implementing requirements of the HIPAA Security Rule with regard to electronic PHI; (c) report to DXC any use or disclosure of PHI not provided for under this Agreement of which Supplier becomes aware, including breaches of unsecured protected health information as required by 45 CFR §164.410, (d) in accordance with 45 CFR §164.502(e)(1)(ii), ensure that any subcontractors or agents of Supplier that create, receive, maintain, or transmit PHI created, received, maintained or transmitted by Supplier on DXC’s behalf, agree to the same restrictions and conditions that apply to Supplier with respect of such PHI; (e) make available PHI in a Designated Record Set (if any is maintained by Supplier) in accordance with 45 CFR section 164.524; (f) make available PHI for amendment and incorporate any amendments to PHI in a Designated Record Set in accordance 45 CFR section 164.526; (g) make available PHI required to provide an accounting of disclosures in accordance with 45 CFR section 164.528, (h) make Supplier’s internal practices, applicable documentation and records to the extent that such relate to the use and disclosure of PHI received from DXC, or created or received by Supplier on DXC’s behalf, available to the Secretary of the HHS for the purpose of determining DXC’s compliance with the HIPAA Privacy and Security Rules, (i) in the event Supplier is to carry out any obligations by or on behalf of DXC that DXC performs on behalf of a covered entity arising under the Privacy Rule, comply with the requirements of the Privacy Rule that apply to the performance of such obligations, and (j) at termination of this Agreement, return or destroy all PHI received from, or created or received by Supplier on behalf of DXC that Supplier still maintains in any form and retain no copies of such information or, if such return or destruction is not feasible, extend the protections of the Agreement to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible.;

Contact with Third Parties. In the event that (a) Supplier receives a request from a third party (including an individual) to access any Personal Data Information in Supplier’s possession, and (b) Supplier acts as a Data Processor, Supplier will promptly forward a copy of such request to DXC and will cooperate with DXC in responding to any such request. Upon DXC’s request, Supplier will make Personal Data Information in its possession available to DXC or any third party Third Party designated in writing by DXC and will update Personal Data Information in Supplier’s possession in accordance with DXC's written instructions. If any government or competent authority requests Supplier to disclose or allow access to Personal DataInformation, Supplier shall, unless legally prohibited, immediately notify DXC of such request and shall not disclose or allow access to such Personal Data Information without first giving DXC an opportunity to consult with such the requesting government or authority to seek to prevent such disclosure or accessingaccess. The Parties shall discuss and agree Supplier will respond to any lawful actions such government or steps which may be taken to avoid or prevent such disclosure or accessingenforcement authority request only after consultation with DXC and at DXC’s discretion, unless otherwise required by law. Supplier shall promptly notify DXC if any complaints are received from third parties Third Parties about its Processing of Personal DataInformation, and Supplier shall not make any admissions or take any action that may be prejudicial to the defense or settlement of any such complaint. Supplier shall provide DXC with such reasonable assistance as it may require in connection with resolving any such complaint. Access to Personal Data Information by Subcontractors. Supplier will agrees to require any subcontractors or agents to which it discloses Personal Data Information under this Agreement or under any SOW to provide reasonable assurance, evidenced by written contract, that it they will comply with the same or substantially identical similar confidentiality, privacy and security obligations with respect to such Personal Data Information as apply to Supplier under this Section (hereinafter “Personal Data Related Obligations”)Agreement or any SOW. Supplier shall confirm in writing to DXC that such contract is in place as a condition to DXC’s approval of use of a subcontractor in connection with any SOW. Upon request of DXC, Supplier will provide to DXC a copy of the subcontract or an extract of the relevant clauses. Supplier shall ensure that any failure on the part of any subcontractor or agent to comply with the Personal Data Related Obligations Supplier obligations under this Agreement or any SOW shall be grounds to promptly terminate such subcontractor or agent. If during the term of this Agreement or any SOW SOW, DXC determines, in its exclusive discretion, that any Supplier subcontractor or agent cannot comply with the Personal Data Related ObligationsSupplier obligations under this Agreement or with any SOW, then DXC may terminate this Agreement in whole or in part (with respect to any SOW for which such subcontractor or agent is providing services), if not cured by Supplier within the time prescribed in the notice of such deficiency. HIPAAData Privacy Obligations. To In the extent (if any) event that DXC discloses PHI country-specific privacy obligations applies to Supplier or Supplier accesses, maintains, uses, or discloses PHI in connection with the performance of Services or functions under this AgreementSupplier, Supplier will: (a) not use or further disclose PHI other than as permitted or required by this Agreement or as required by law; (b) use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement, including implementing requirements of the HIPAA Security Rule with regard to electronic PHI; (c) report to DXC any use or disclosure of PHI not provided for under this Agreement of which Supplier becomes aware, including breaches of unsecured protected health information as required by 45 CFR §164.410, (d) in accordance with 45 CFR §164.502(e)(1)(ii), ensure that any subcontractors or agents of Supplier that create, receive, maintain, or transmit PHI created, received, maintained or transmitted by Supplier on DXC’s behalf, agree to the same restrictions and conditions that apply to Supplier with respect of such PHI; (e) make available PHI in a Designated Record Set (if any is maintained by Supplier) in accordance with 45 CFR section 164.524; (f) make available PHI for amendment and incorporate any amendments to PHI in a Designated Record Set in accordance 45 CFR section 164.526; (g) make available PHI required to provide an accounting of disclosures in accordance with 45 CFR section 164.528, (h) make Supplier’s internal practices, applicable documentation and records to the extent that such relate to the use and disclosure of PHI received from DXC, or created or received by Supplier on DXC’s behalf, available to the Secretary of the HHS for the purpose of determining DXC’s compliance with the HIPAA Privacy and Security Rules, (i) in the event Supplier is to carry out any obligations by or on behalf of DXC that DXC performs on behalf of a covered entity arising under the Privacy Rule, shall comply with the requirements stipulated in the Data Privacy Supplement and the relevant country-specific supplements as set forth therein on the DXC Portal at (DXC-Data Privacy Supplement). The Data Privacy Supplement sets out the terms and conditions for the Processing of the Privacy Rule that apply to the performance of such obligations, and (j) at termination of this Agreement, return or destroy all PHI received from, or created or received Personal Information by Supplier on behalf of DXC that Supplier still maintains in any form under the Agreement and retain no copies of such information or, if such return or destruction is not feasible, extend the protections forms an integral part of the Agreement to Agreement. In the information and limit further uses and disclosures to those purposes that make event of any conflict between the return or destruction terms of the information infeasible.Data Privacy Supplement, the Agreement, or Data Protection Laws, the following order of precedence shall apply:

Contact with Third Parties. In the event that (a) Supplier receives a request from a third party (including an individual) to access any Personal Data Information in Supplier’s possession, and (b) Supplier acts as a Data Processor, Supplier will promptly forward a copy of such request to DXC and will cooperate with DXC in responding to any such request. Upon DXC’s request, Supplier will make Personal Data Information in its possession available to DXC or any third party Third Party designated in writing by DXC and will update Personal Data Information in Supplier’s possession in accordance with DXC's written instructions. If any government or competent authority requests Supplier to disclose or allow access to Personal DataInformation, Supplier shall, unless legally prohibited, immediately notify DXC of such request and shall not disclose or allow access to such Personal Data Information without first giving DXC an opportunity to consult with such the requesting government or authority to seek to prevent such disclosure or accessingaccess. The Parties shall discuss and agree Supplier will respond to any lawful actions such government or steps which may be taken to avoid or prevent such disclosure or accessingenforcement authority request only after consultation with DXC and at DXC’s discretion, unless otherwise required by law. Supplier shall promptly notify DXC if any complaints are received from third parties Third Parties about its Processing of Personal DataInformation, and Supplier shall not make any admissions or take any action that may be prejudicial to the defense or settlement of any such complaint. Supplier shall provide DXC with such reasonable assistance as it may require in connection with resolving any such complaint. Access to Personal Data Information by Subcontractors. Supplier will agrees to require any subcontractors or agents to which it discloses Personal Data Information under this Agreement or under any SOW to provide reasonable assurance, evidenced by written contract, that it they will comply with the same or substantially identical similar confidentiality, privacy and security obligations with respect to such Personal Data Information as apply to Supplier under this Section (hereinafter “Personal Data Related Obligations”)Agreement or any SOW. Supplier shall confirm in writing to DXC that such contract is in place as a condition to DXC’s approval of use of a subcontractor in connection with any SOW. Upon request of DXC, Supplier will provide to DXC a copy of the subcontract or an extract of the relevant clauses. Supplier shall ensure that any failure on the part of any subcontractor or agent to comply with the Personal Data Related Obligations Supplier obligations under this Agreement or any SOW shall be grounds to promptly terminate such subcontractor or agent. If during the term of this Agreement or any SOW SOW, DXC determines, in its exclusive discretion, that any Supplier subcontractor or agent cannot comply with the Personal Data Related ObligationsSupplier obligations under this Agreement or with any SOW, then DXC may terminate this Agreement in whole or in part (with respect to any SOW for which such subcontractor or agent is providing services), if not cured by Supplier within the time prescribed in the notice of such deficiency. HIPAAEuropean Economic Area (“EEA”) Applicability. To In the extent event that the General Data Protection Regulation (if anyEU Regulation 2016/679) that DXC discloses PHI as amended from time to Supplier or Supplier accesses, maintains, uses, or discloses PHI in connection with the performance of Services or functions under this Agreementtime applies to Supplier, Supplier will: (a) not use or further disclose PHI other than as permitted or required by this Agreement or as required by law; (b) use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement, including implementing requirements of the HIPAA Security Rule with regard to electronic PHI; (c) report to DXC any use or disclosure of PHI not provided for under this Agreement of which Supplier becomes aware, including breaches of unsecured protected health information as required by 45 CFR §164.410, (d) in accordance with 45 CFR §164.502(e)(1)(ii), ensure that any subcontractors or agents of Supplier that create, receive, maintain, or transmit PHI created, received, maintained or transmitted by Supplier on DXC’s behalf, agree to the same restrictions and conditions that apply to Supplier with respect of such PHI; (e) make available PHI in a Designated Record Set (if any is maintained by Supplier) in accordance with 45 CFR section 164.524; (f) make available PHI for amendment and incorporate any amendments to PHI in a Designated Record Set in accordance 45 CFR section 164.526; (g) make available PHI required to provide an accounting of disclosures in accordance with 45 CFR section 164.528, (h) make Supplier’s internal practices, applicable documentation and records to the extent that such relate to the use and disclosure of PHI received from DXC, or created or received by Supplier on DXC’s behalf, available to the Secretary of the HHS for the purpose of determining DXC’s compliance with the HIPAA Privacy and Security Rules, (i) in the event Supplier is to carry out any obligations by or on behalf of DXC that DXC performs on behalf of a covered entity arising under the Privacy Rule, shall comply with the requirements GDPR Supplement as set forth herein on the DXC Supplier Portal at xxxx://xxxxxx0.xxx.xxxxxxxxxx/contact_us/downloads/General-Data-Protection- Regulation-GDPR.pdf). This GDPR Supplement sets out the terms and conditions for the Processing of the Privacy Rule that apply to the performance of such obligations, and (j) at termination of this Agreement, return or destroy all PHI received from, or created or received Personal Information by Supplier on behalf of DXC that Supplier still maintains in any form and retain no copies of such information or, if such return or destruction is not feasible, extend under the protections Agreement. This GDPR Supplement forms an integral part of the Agreement to Agreement. In the information and limit further uses and disclosures to those purposes that make event of any conflict between the return terms of this GDPR Supplement, the Agreement, Data Protection Laws or destruction Standard Contractual Clauses, the following order of the information infeasible.precedence shall apply:

Contact with Third Parties. In the event that (a) Supplier receives a request from a third party (including an individual) to access any Personal Data Information in Supplier’s possession, and (b) Supplier acts as a Data Processor, Supplier will promptly forward a copy of such request to DXC and will cooperate with DXC in responding to any such request. Upon DXC’s request, Supplier will make Personal Data Information in its possession available to DXC or any third party Third Party designated in writing by DXC and will update Personal Data Information in Supplier’s possession in accordance with DXC's written instructions. If any government or competent authority requests Supplier to disclose or allow access to Personal DataInformation, Supplier shall, unless legally prohibited, immediately notify DXC of such request and shall not disclose or allow access to such Personal Data Information without first giving DXC an opportunity to consult with such the requesting h government or authority to seek to prevent such disclosure or accessingaccess. The Parties shall discuss and agree Supplier will respond to any lawful actions such government or steps which may be taken to avoid or prevent such disclosure or accessing. enforcement authority request only after consultation with DXC and at DXC’s discretion, unless otherwise required by law.. Supplier shall promptly notify DXC if any complaints are received from third parties Third Parties about its Processing of Personal DataInformation, and Supplier shall not make any admissions or take any action that may be prejudicial to the defense or settlement of any such complaint. Supplier shall provide DXC with such reasonable assistance as it may require in connection with resolving any such complaint. Access to Personal Data Information by Subcontractors. Supplier will agrees to require any subcontractors or agents to which it discloses Personal Data Information under this Agreement or under any SOW to provide reasonable assurance, evidenced by written contract, that it they will comply with the same or substantially identical similar confidentiality, privacy and security obligations with respect to such Personal Data Information as apply to Supplier under this Section (hereinafter “Personal Data Related Obligations”)Agreement or any SOW. Supplier shall confirm in writing to DXC that such contract is in place as a condition to DXC’s approval of use of a subcontractor in connection with any SOW. Upon request of DXC, Supplier will provide to DXC a copy of the subcontract or an extract of the relevant clauses. Supplier shall ensure that any failure on the part of any subcontractor or agent to comply with the Personal Data Related Obligations Supplier obligations under this Agreement or any SOW shall be grounds to promptly terminate such subcontractor or agent. If during the term of this Agreement or any SOW SOW, DXC determines, in its exclusive discretion, that any Supplier subcontractor or agent cannot comply with the Personal Data Related ObligationsSupplier obligations under this Agreement or with any SOW, then DXC may terminate this Agreement in whole or in part (with respect to any SOW for which such subcontractor or agent is providing services), if not cured by Supplier within the time prescribed in the notice of such deficiency. HIPAAEuropean Economic Area (“EEA”) Applicability. To In the extent event that the General Data Protection Regulation (if anyEU Regulation 2016/679) that DXC discloses PHI as amended from time to time applies to Supplier or Supplier accesses, maintains, uses, or discloses PHI in connection with the performance of Services or functions under this Agreement, Supplier will: (a) not use or further disclose PHI other than as permitted or required by this Agreement or as required by law; (b) use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement, including implementing requirements of the HIPAA Security Rule with regard to electronic PHI; (c) report to DXC any use or disclosure of PHI not provided for under this Agreement of which Supplier becomes aware, including breaches of unsecured protected health information as required by 45 CFR §164.410, (d) in accordance with 45 CFR §164.502(e)(1)(ii), ensure that any subcontractors or agents of Supplier that create, receive, maintain, or transmit PHI created, received, maintained or transmitted by Supplier on DXC’s behalf, agree to the same restrictions and conditions that apply to Supplier with respect of such PHI; (e) make available PHI in a Designated Record Set (if any is maintained by Supplier) in accordance with 45 CFR section 164.524; (f) make available PHI for amendment and incorporate any amendments to PHI in a Designated Record Set in accordance 45 CFR section 164.526; (g) make available PHI required to provide an accounting of disclosures in accordance with 45 CFR section 164.528, (h) make Supplier’s internal practices, applicable documentation and records to the extent that such relate to the use and disclosure of PHI received from DXC, or created or received by Supplier on DXC’s behalf, available to the Secretary of the HHS for the purpose of determining DXC’s compliance with the HIPAA Privacy and Security Rules, (i) in the event Supplier is to carry out any obligations by or on behalf of DXC that DXC performs on behalf of a covered entity arising under the Privacy Rule, shall comply with the requirements GDPR Supplement as set forth herein on the DXC Supplier Portal at (xxxx://xxxxxx0.xxx.xxxxxxxxxx/contact_us/downloads/General-Data-Protection- Regulation-GDPR.pdf). This GDPR Supplement sets out the terms and conditions for the Processing of the Privacy Rule that apply to the performance of such obligations, and (j) at termination of this Agreement, return or destroy all PHI received from, or created or received Personal Information by Supplier on behalf of DXC that Supplier still maintains in any form and retain no copies of such information or, if such return or destruction is not feasible, extend under the protections Agreement. This GDPR Supplement forms an integral part of the Agreement to Agreement. In the information and limit further uses and disclosures to those purposes that make event of any conflict between the return terms of this GDPR Supplement, the Agreement, Data Protection Laws or destruction Standard Contractual Clauses, the following order of the information infeasible.precedence shall apply:

Contact with Third Parties. In the event that (a) Supplier receives a request from a third party (including an individual) to access any Personal Data in Supplier’s possession, and (b) Supplier acts as a Data Processor, Supplier will promptly forward a copy of such request to DXC and will cooperate with DXC in responding to any such request. Upon DXC’s request, Supplier will make Personal Data in its possession available to DXC or any third party designated in writing by DXC and will update Personal Data in Supplier’s possession in accordance with DXC's written instructions. If any government or competent authority requests Supplier to disclose or allow access to Personal Data, Supplier shall, unless legally prohibited, immediately notify DXC of such request and shall not disclose or allow access to such Personal Data without first giving DXC an opportunity to consult with such government or authority to seek to prevent such disclosure or accessing. The Parties shall discuss and agree to any lawful actions or steps which may be taken to avoid or prevent such disclosure or accessing. Supplier shall promptly notify DXC if any complaints are received from third parties about its Processing of Personal Data, and Supplier shall not make any admissions or take any action that may be prejudicial to the defense or settlement of any such complaint. Supplier shall provide DXC with such reasonable assistance as it may require in connection with resolving any such complaint. Access to Personal Data by Subcontractors. Supplier will require any subcontractors or agents to which it discloses Personal Data under this Agreement or under any SOW to provide reasonable assurance, evidenced by written contract, that it will comply with the same or substantially identical confidentiality, privacy and security obligations with respect to such Personal Data as apply to Supplier under this Section (hereinafter “Personal Data Related Obligations”). Supplier shall confirm in writing to DXC that such contract is in place as a condition to DXC’s approval of use of a subcontractor in connection with any SOW. Upon request of DXC, Supplier will provide to DXC a copy of the subcontract or an extract of the relevant clauses. Supplier shall ensure that any failure on the part of any subcontractor or agent to comply with the Personal Data Related Obligations shall be grounds to promptly terminate such subcontractor or agent. If during the term of this Agreement or any SOW DXC determines, in its exclusive discretion, that any Supplier subcontractor or agent cannot comply with the Personal Data Related Obligations, then DXC may terminate this Agreement in whole or in part (with respect to any SOW for which such subcontractor or agent is providing services), if not cured by Supplier within the time prescribed in the notice of such deficiency. HIPAA. To the extent (if any) that DXC discloses PHI to Supplier or Supplier accesses, maintains, uses, or discloses PHI in connection with the performance of Services or functions under this Agreement, Supplier will: (a) not use or further disclose PHI other than as permitted or required by this Agreement or as required by law; (b) use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement, including implementing requirements of the HIPAA Security Rule with regard to electronic PHI; (c) report to DXC any use or disclosure of PHI not provided for under this Agreement of which Supplier becomes aware, including breaches of unsecured protected health information as required by 45 CFR §164.410, (d) in accordance with 45 CFR §164.502(e)(1)(ii), ensure that any subcontractors or agents of Supplier that create, receive, maintain, or transmit PHI created, received, maintained or transmitted by Supplier on DXC’s behalf, agree to the same restrictions and conditions that apply to Supplier with respect of such PHI; (e) make available PHI in a Designated Record Set (if any is maintained by Supplier) in accordance with 45 CFR section 164.524; (f) make available PHI for amendment and incorporate any amendments to PHI in a Designated Record Set in accordance 45 CFR section 164.526; (g) make available PHI required to provide an accounting of disclosures in accordance with 45 CFR section 164.528, (h) make Supplier’s internal practices, applicable documentation and records to the extent that such relate to the use and disclosure of PHI received from DXC, or created or received by Supplier on DXC’s behalf, available to the Secretary of the HHS for the purpose of determining DXC’s compliance with the HIPAA Privacy and Security Rules, (i) in the event Supplier is to carry out any obligations by or on behalf of DXC that DXC performs on behalf of a covered entity arising under the Privacy Rule, comply with the requirements of the Privacy Rule that apply to the performance of such obligations, and (j) at termination of this Agreement, return or destroy all PHI received from, or created or received by Supplier on behalf of DXC that Supplier still maintains in any form and retain no copies of such information or, if such return or destruction is not feasible, extend the protections of the Agreement to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasibleinfeasible 17 DATA AND NETWORK SECURITY SCHEDULE (“DNSS”) Purpose of the DNSS. To establish minimum data security standards applicable to the Services or Products provided by Supplier and minimum security standards to be met by Supplier in relation to the Processing of Data and access to DXC Information Systems as set forth on the DXC Supplier Portal at (xxxx://xxxxxx0.xxx.xxxxxxxxxx/contact_us/downloads/Data_Network_and_Security_ Schedule-DNSS.pdf). Additionally, these terms may be updated from time to time, and any such update may be reflected on the DXC Supplier Portal. Any terms not defined within this Agreement will rely on the definition in the DNSS. These Data & Network Security requirements (“DNSS”) form part of the Agreement. Capitalized terms not specifically defined herein shall have the meaning set forth in the Agreement. In the event any term or condition in this DNSS conflicts with a term or condition of any Agreement with Supplier, the term or condition of this DNSS shall take precedence.

Contact with Third Parties. In the event that (a) Supplier receives a request from a third party (including an individual) to access any Personal Data in Supplier’s possession, and (b) Supplier acts as a Data Processor, Supplier will promptly forward a copy of such request to DXC and will cooperate with DXC in responding to any such request. Upon DXC’s request, Supplier will make Personal Data in its possession available to DXC or any third party designated in writing by DXC and will update Personal Data in Supplier’s possession in accordance with DXC's written instructions. If any government or competent authority requests Supplier to disclose or allow access to Personal Data, Supplier shall, unless legally prohibited, immediately notify DXC of such request and shall not disclose or allow access to such Personal Data without first giving DXC an opportunity to consult with such government or authority to seek to prevent such disclosure or accessing. The Parties shall discuss and agree to any lawful actions or steps which may be taken to avoid or prevent such disclosure or accessing. Supplier shall promptly notify DXC if any complaints are received from third parties about its Processing of Personal Data, and Supplier shall not make any admissions or take any action that may be prejudicial to the defense or settlement of any such complaint. Supplier shall provide DXC with such reasonable assistance as it may require in connection with resolving any such complaint. Access to Personal Data by Subcontractors. Supplier will require any subcontractors or agents to which it discloses Personal Data under this Agreement or under any SOW to provide reasonable assurance, evidenced by written contract, that it will comply with the same or substantially identical confidentiality, privacy and security obligations with respect to such Personal Data as apply to Supplier under this Section (hereinafter “Personal Data Related Obligations”). Supplier shall confirm in writing to DXC that such contract is in place as a condition to DXC’s approval of use of a subcontractor in connection with any SOW. Upon request of DXC, Supplier will provide to DXC a copy of the subcontract or an extract of the relevant clauses. Supplier shall ensure that any failure on the part of any subcontractor or agent to comply with the Personal Data Related Obligations shall be grounds to promptly terminate such subcontractor or agent. If during the term of this Agreement or any SOW DXC determines, in its exclusive discretion, that any Supplier subcontractor or agent cannot comply with the Personal Data Related Obligations, then DXC may terminate this Agreement in whole or in part (with respect to any SOW for which such subcontractor or agent is providing services), if not cured by Supplier within the time prescribed in the notice of such deficiency. HIPAA. To the extent (if any) that DXC discloses PHI to Supplier or Supplier accesses, maintains, uses, or discloses PHI in connection with the performance of Services or functions under this Agreement, Supplier will: (a) not use or further disclose PHI other than as permitted or required by this Agreement or as required by law; (b) use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement, including implementing requirements of the HIPAA Security Rule with regard to electronic PHI; (c) report to DXC any use or disclosure of PHI not provided for under this Agreement of which Supplier becomes aware, including breaches of unsecured protected health information as required by 45 CFR §164.410, (d) in accordance with 45 CFR §164.502(e)(1)(ii), ensure that any subcontractors or agents of Supplier that create, receive, maintain, or transmit PHI created, received, maintained or transmitted by Supplier on DXC’s behalf, agree to the same restrictions and conditions that apply to Supplier with respect of such PHI; (e) make available PHI in a Designated Record Set (if any is maintained by Supplier) in accordance with 45 CFR section 164.524; (f) make available PHI for amendment and incorporate any amendments to PHI in a Designated Record Set in accordance 45 CFR section 164.526; (g) make available PHI required to provide an accounting of disclosures in accordance with 45 CFR section 164.528, (h) make Supplier’s internal practices, applicable documentation and records to the extent that such relate to the use and disclosure of PHI received from DXC, or created or received by Supplier on DXC’s behalf, available to the Secretary of the HHS for the purpose of determining DXC’s compliance with the HIPAA Privacy and Security Rules, (i) in the event Supplier is to carry out any obligations by or on behalf of DXC that DXC performs on behalf of a covered entity arising under the Privacy Rule, comply with the requirements of the Privacy Rule that apply to the performance of such obligations, and (j) at termination of this Agreement, return or destroy all PHI received from, or created or received by Supplier on behalf of DXC that Supplier still maintains in any form and retain no copies of such information or, if such return or destruction is not feasible, extend the protections of the Agreement to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible.

Contact with Third Parties. In the event that (a) Supplier receives a request from a third party (including an individual) to access any Personal Data in Supplier’s possession, and (b) Supplier acts as a Data Processor, Supplier will promptly forward a copy of such request to DXC and will cooperate with DXC in responding to any such request. Upon DXC’s request, Supplier will make Personal Data in its possession available to DXC or any third party designated in writing by DXC and will update Personal Data in Supplier’s possession in accordance with DXC's written instructions. If any government or competent authority requests Supplier to disclose or allow access to Personal Data, Supplier shall, unless legally prohibited, immediately notify DXC of such request and shall not disclose or allow access to such Personal Data without first giving DXC an opportunity to consult with such government or authority to seek to prevent such disclosure or accessing. The Parties shall discuss and agree to any lawful actions or steps which may be taken to avoid or prevent such disclosure or accessing. Supplier shall promptly notify DXC if any complaints are received from third parties about its Processing of Personal Data, and Supplier shall not make any admissions or take any action that may be prejudicial to the defense or settlement of any such complaint. Supplier shall provide DXC with such reasonable assistance as it may require in connection with resolving any such complaint. Access to Personal Data by Subcontractors. Supplier will require any subcontractors or agents to which it discloses Personal Data under this Agreement or under any SOW to provide reasonable assurance, evidenced by written contract, that it will comply with the same or substantially identical confidentiality, privacy and security obligations with respect to such Personal Data as apply to Supplier under this Section (hereinafter “Personal Data Related Obligations”). Supplier shall confirm in writing to DXC that such contract is in place as a condition to DXC’s approval of use of a subcontractor in connection with any SOW. Upon request of DXC, Supplier will provide to DXC a copy of the subcontract or an extract of the relevant clauses. Supplier shall ensure that any failure on the part of any subcontractor or agent to comply with the Personal Data Related Obligations shall be grounds to promptly terminate such subcontractor or agent. If during the term of this Agreement or any SOW DXC determines, in its exclusive discretion, that any Supplier subcontractor or agent cannot comply with the Personal Data Related Obligations, then DXC may terminate this Agreement in whole or in part (with respect to any SOW for which such subcontractor or agent is providing services), if not cured by Supplier within the time prescribed in the notice of such deficiency. HIPAA. To the extent (if any) that DXC discloses PHI to Supplier or Supplier accesses, maintains, uses, or discloses PHI in connection with the performance of Services or functions under this Agreement, Supplier will: (a) not use or further disclose PHI other than as permitted or required by this Agreement or as required by law; (b) use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement, including implementing requirements of the HIPAA Security Rule with regard to electronic PHI; (c) report to DXC any use or disclosure of PHI not provided for under this Agreement of which Supplier becomes aware, including breaches of unsecured protected health information as required by 45 CFR §164.410, (d) in accordance with 45 CFR §164.502(e)(1)(ii), ensure that any subcontractors or agents of Supplier that create, receive, maintain, or transmit PHI created, received, maintained or transmitted by Supplier on DXC’s behalf, agree to the same restrictions and conditions that apply to Supplier with respect of such PHI; (e) make available PHI in a Designated Record Set (if any is maintained by Supplier) in accordance with 45 CFR section 164.524; (f) make available PHI for amendment and incorporate any amendments to PHI in a Designated Record Set in accordance 45 CFR section 164.526; (g) make available PHI required to provide an accounting of disclosures in accordance with 45 CFR section 164.528, (h) make Supplier’s internal practices, applicable documentation and records to the extent that such relate to the use and disclosure of PHI received from DXC, or created or received by Supplier on DXC’s behalf, available to the Secretary of the HHS for the purpose of determining DXC’s compliance with the HIPAA Privacy and Security Rules, (i) in the event Supplier is to carry out any obligations by or on behalf of DXC that DXC performs on behalf of a covered entity arising under the Privacy Rule, comply with the requirements of the Privacy Rule that apply to the performance of such obligations, and (j) at termination of this Agreement, return or destroy all PHI received from, or created or received by Supplier on behalf of DXC that Supplier still maintains in any form and retain no copies of such information or, if such return or destruction is not feasible, extend the protections of the Agreement to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible.,