IMPORTANT! PLEASE CAREFULLY READ THESE DATA PROCESSING TERMS (“DPT”) BEFORE USING THE PRODUCTS OR SERVICES OFFERED ON THIS WEB SITE, AS THEY AFFECT YOUR LEGAL RIGHTS AND OBLIGATIONS.

• The Data Protection Laws mandate that the Processing of Customer Personal Data that Jalubro carries out on your behalf is subject to a contract containing certain specific terms (these are set out in Article 28(3) of the GDPR). We have prepared this Data Processing Agreement to ensure that these mandated terms are in place.
• Furthermore, following the UK ceasing to be a member state of the European Union (“Brexit”), and the subsequent expiry of post-Brexit transitional arrangements agreed between the UK and the EU, the EU GDPR has been replaced in the UK by the UK GDPR. Accordingly, the Parties need to reflect the application of the UK GDPR as well as, potentially, the continued application of the EU GDPR (as and where applicable).

Jalubro (“Company”, “Vendor” or “we,” “our,” or “us”) owns or controls, and provides access to, products, services and Work Product (as defined herein) (if any) (the “Services”).

By agreeing to these terms, each user represents that such individual is duly authorised to execute this Agreement on behalf of the applicable party and, on behalf of such party, acknowledges and agrees that such party is bound by this Agreement. 

1. INTERPRETATION AND APPLICATION

1.1.In this Data Processing Addendum, including the ‘Important Notes’ (above), the following terms shall have the meanings set out in this Section 1.1, unless expressly stated otherwise:

(a)“Agreement” means the agreement entered into by and between the Parties pursuant to which Jalubro agrees to provide, and Customer agrees to procure, the Relevant Services (Including any Order Agreements, Statements of Work, amendments or similar documents used to define the nature and scope of such services).

(b)“Anonymised Data” means any Customer Personal Data, which has been anonymised such that the Data Subject to whom it relates cannot be identified, directly or indirectly, by Jalubro or another party reasonably likely to receive or access that anonymised Personal Data.

(c)“Cessation Date” has the meaning given in Section 10.1.

(d)“Customer Personal Data” means any Personal Data Processed by or on behalf of Jalubro on behalf of Customer under the Agreement.

(e)“Data Processing Addendum” means this Data Processing Addendum (as amended from time to time).

(f)“Data Protection Laws” means the GDPR, together with any applicable implementing or supplementary legislation in the UK or any applicable member state of the EEA (including the UK Data Protection Act 2018).

(g)“Data Subject Request” means the exercise by Data Subjects of their rights under, and in accordance with, Chapter III of the GDPR.

(h)“Data Subject” means the identified or identifiable natural person to whom Customer Personal Data relates, the relevant Processing of whose Personal Data falls within the territorial scope of the GDPR (as determined by Article 3 thereof).

(i)“Delete” means to remove or obliterate Personal Data such that it cannot be recovered or reconstructed, and “Deletion” shall be construed accordingly.

(j)“DPA Effective Date” has the meaning as determined pursuant to Section 2.1.

(k)“EEA” means the European Economic Area.

(l)“EU GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27April 2016.

(m)“GDPR” means the UK GDPR and/or EU GDPR (as applicable in the context). References to “Articles” and “Chapters” of, and to relevant defined terms in, the GDPR shall be construed accordingly.

(n)“Hosting Services Provider” means those third party(ies) listed in the then-current Sub processor List as providing certain hosting services to Jalubro in connection with the Relevant Services.

(o)“Personal Data Breach” an actual (and not simply a suspected) personal data breach (as defined in the Data Protection Laws) that: (i) is confirmed by Jalubro ’s Risk Committee following appropriate investigations, (ii) affects Customer Personal Data and (iii) which Jalubro is required to notify to Customer under Data Protection Laws.

(p)“Personnel” means a person’s employees, agents, consultants or contractors.

(q)“Relevant Services” means the relevant services agreed to be provided by Jalubro  under and in accordance with the Agreement.

(r)“Relevant Body”:

(i)in the context of the UK and the UK GDPR, means the UK Information Commissioner’sOffice and/or UK Government (as applicable in the context); and/or

(ii)in the context of the EEA and EU GDPR, means the European Commission.

(s)“Restricted Country”:

(i)in the context of the UK, means a country or territory outside the UK; and/or in the context of the EEA, means a ‘third country’ or territory outside the EEA (which 

shall, as and where applicable, be interpreted in line with Article FINPROV.10A(1) of 

the Trade and Cooperation Agreement between the EU and the UK), that the Relevant Body has not deemed to provide an ‘adequate’ level of protection 

for Personal Data pursuant to a decision made or approved under Article 45 of the 

GDPR.

(t)“Restricted Transfer” means (i) a transfer of Customer Personal Data from Customer to Jalubro in a Restricted Country; or (ii) an onward transfer of Customer Personal Data from Jalubro to a Sub processor in a Restricted Country, (in each case) where such transfer would be prohibited by Data Protection Laws without a legal basis therefor under Chapter V of the GDPR

(u)“Standard Contractual Clauses” means the standard contractual clauses issued or approved from time-to-time by the Relevant Body under Article 46 of the GDPR for the transfer of PersonalData from Controllers to Processors established in Restricted Countries

(v)“Sub processor” means any third party appointed by or on behalf of Jalubro to Process Customer Personal Data.

(w)“Sub processor List” means the list of sub processors (including those 

sub processors’ locations) that are engaged in certain specified Processing activities on behalf of Jalubro from time-to-time in connection with its provision of the Relevant Services.

(x)“Supervisory Authority”:

(i)in the context of the UK and the UK GDPR, means the UK Information Commissioner’s Office; and/or

(ii)in the context of the EEA and EU GDPR, shall have the meaning given to that term inArticle 4(21) of the EU GDPR.

(y)“UK GDPR” means the EU GDPR as it forms part of UK law by virtue of section 3 of the EuropeanUnion (Withdrawal) Act 2018, as amended (including by the various Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations).

1.2.In this Data Processing Addendum, including the ‘Important Notes’ (above):

(a)the terms, “Controller”, “Processor”, “Personal Data” and “Process” (and its inflections) shall have the meaning ascribed to the corresponding terms in the Data Protection Laws;

(b)unless otherwise defined in this Data Processing Addendum, all capitalised terms shall have the meaning given to them in the Agreement; and

(c)any words following the terms “including”, “include” or any similar expression shall be construed as illustrative and shall not limit the sense of the description, definition, phrase or terms that comes before the relevant term.

1.3.Customer warrants and represents that it is subject to the territorial scope of the Data Protection Laws as determined in accordance therewith (including pursuant to Article 3 of the GDPR). Customer further agrees that to the extent that it is not in fact subject to the territorial scope of the Data Protection Laws, this Data Processing Addendum shall be deemed automatically void with effect from the DPA EffectiveDate or the date when it was no longer subject to the territorial scope of the Data Protection Laws, if later, without requirement of notice.

2.EFFECT AND PRECEDENCE

2.1.This Data Processing Addendum shall come into force and effect from the “DPA Effective Date”, being either:

(a)where the terms of this Data Processing Addendum are incorporated into the Agreement by reference, the later of:

(i)1 January 2021; or

(ii)the Effective Date of the Agreement (as defined therein); or

(b)1 January 2021, where either:

(i)Jalubro ’s Processing of Customer Personal Data is otherwise subject to a prior version of this Data Processing Addendum agreed between parties (including through any deemed acceptance mechanism provided for in such prior version); or

(ii)subject to Section 2.2 below, none of the foregoing provisions in Section 2.1(a) or Section 2.1(b)(i) apply and Customer continues to access or use the Relevant Service(s) (or any portion thereof), without having first notified Jalubro (by email to    

dpo@Jalubro.com) of Customer’s rejection of this Data Processing Addendum within fourteen (14) days of this Data Processing Addendum being notified to Customer (notwithstanding any ‘No Variation’, ‘Entire Agreement’ or similar provisions in the Agreement).

2.2.The deemed acceptance through continued use provision of Section 2.1(b)(ii) shall not apply to any Customer with whom Jalubro has (prior to 1 January 2021) separately agreed data processing terms otherwise than on the basis of a version of this online Data Processing Addendum, which establish the contractual terms required by Article 28(3) of the GDPR and cover the use and provision of the Relevant Services.

2.3.With effect from the DPA Effective Date, this Data Processing Addendum:

(a)shall hereby be incorporated into, and shall form an effective part of, the Agreement; and

(b)will replace and disapply any previously applicable data processing agreement, addendum or similar and any other terms previously applicable to privacy, data processing, data security and/or otherwise relating to Jalubro ’s Processing of Customer Personal Data (including any previous version of this Data Processing Addendum).

2.4.In the event of any conflict or inconsistency between this Data Processing Addendum and the Agreement,this Data Processing Addendum shall prevail.

3.PROCESSING OF CUSTOMER PERSONAL DATA

3.1.In respect of Customer Personal Data, the Parties acknowledge that (as between the Parties):

(a)Jalubro acts as a Processor; and

(b)Customer acts as the Controller.

3.2.Jalubro shall not Process Customer Personal Data other than:

(a)on Customer’s instructions (subject always to Section 3.7); or

(b)as required by applicable European Union, UK or European Union Member State laws.

3.3.To the extent permitted by applicable laws, Jalubro shall inform Customer of:

(a)any Processing to be carried out under Section 3.2(b); and

(b)the relevant legal requirements that require it to carry out suchProcessing, before the relevantProcessing of that Customer Personal Data.

3.4.Customer instructs Jalubro to Process Customer Personal Data as necessary:

(a)to provide the Relevant Services to Customer; and

(b)to perform Jalubro ’s obligations and exercise Jalubro’s rights under the Agreement.

3.5.Annex 1 (Data Processing Details) sets out certain information regarding Jalubro’s Processing of CustomerPersonal Data as required by Article 28(3) of the GDPR.

3.6.Where Jalubro receives an instruction from Customer that, in its reasonable opinion, infringes the GDPR, Jalubro shall inform Customer.

3.7.Customer acknowledges and agrees that any instructions additional to those set out in this Data ProcessingAddendum or the Agreement issued by Customer with regards to the Processing of Customer PersonalData by or on behalf of Jalubro pursuant to or in connection with the Agreement:

(a)shall be strictly required for the sole purpose of ensuring compliance with Data Protection Laws; and

(b)shall not relate to the scope of, or otherwise materially change, the Relevant Services to be provided by Jalubro under the Agreement.

3.8.Notwithstanding anything to the contrary herein, Jalubro may without liability to Customer and with immediate effect terminate the Agreement in its entirety upon written notice to Customer if Jalubro considers (in its reasonable discretion) that:

(a)it is unable to adhere to, perform or implement any instructions issued by Customer due to the technical limitations of its systems, equipment and/or facilities; and/or

(b)to adhere to, perform or implement any such instructions would require disproportionate effort(whether in terms of time, cost, available technology, manpower or otherwise),

provided that, in each case (a) and (b), the relevant instructions issued by Customer relate to matters(including Processing operations) that fall outside the scope of that which is reasonably contemplated by the Agreement.

3.9.Customer represents and warrants on an ongoing basis that:

(a)there is, and will be throughout the term of the Agreement, a valid legal basis (whether under Articles 6, 9 and/or 10 of the GDPR or otherwise as required under Data Protection Laws) for the Processing by Jalubro of Customer Personal Data in accordance with this Data ProcessingAddendum and the Agreement (including, any and all instructions issued by Customer from time to time in respect of such Processing); and where applicable, Customer has been instructed by, and obtained the valid and effective authorisation of, any relevant third party Controller(s) (including, for these purposes, Customer Affiliates) to instruct Jalubro(and its Sub processors that are approved subject to and in accordance with Section 6) to Process Customer Personal Data as set out in and contemplated by this Data Processing Addendum and the Agreement.

4. JALUBRO PERSONNEL

Jalubro shall take reasonable steps to ensure the reliability of any Jalubro Personnel who Process Customer Personal Data, ensuring:

(a)that access is strictly limited to those individuals who need to know or access the relevant CustomerPersonal Data for the purposes described in this Data Processing Addendum; and

(b)that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

5.SECURITY

5.1.Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk (which may be of varying likelihood and severity) for therights and freedoms of natural persons, Jalubro  shall in relation to Customer Personal Data implement appropriate technical and organisational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.

5.2.In assessing the appropriate level of security, Jalubro shall take into account the risks presented by theProcessing, in particular from a Personal Data Breach.

6.SUBPROCESSING

6.1.Customer authorises Jalubro to appoint Sub processors in accordance with this Section 6 and Jalubro acknowledges that it shall remain liable for any acts or omissions of such Sub processors with respect to their Processing of Customer Personal Data.

6.2.Jalubro may continue to use those Sub processors already engaged by Jalubro as at the DPA Effective Date, as such are shown in the Sub processor List on such date as Processing Personal Data on Jalubro’s behalf in connection with the Relevant Services (a copy of which shall be provided to Customer on request).

6.3.Jalubro shall give Customer prior written notice of the appointment of any new Sub processor, including reasonable details of the Processing to be undertaken by the Sub processor by way of Jalubro providingCustomer with an updated copy of the Sub processor List via a ‘mailshot’ or similar mass distribution mechanism sent via email to Customer’s normal addressees for system updates.

6.4.If within fourteen (14) days of receipt of notice given to Customer pursuant to Section 6.3, Customer notifies Jalubro in writing of any objections to the proposed appointment of any new Sub processor on reasonable grounds (e.g., if a proposed Sub processors Processing of Customer Personal Data would cause Customer to violate Data Protection Laws), Jalubro shall either:

(a)recommend a commercially reasonable change to Customer’s configuration or use of the RelevantServices to avoid Processing of Customer Personal Data by the proposed Sub processor objected to by Customer; and/or

(b)use reasonable efforts to make available a commercially reasonable change in the provision of theRelevant Services which avoids the use of that proposed Sub processor.

Where no changes referenced in Sections 6.4(a) or 6.4(b) can be made, or any such changes proposed by Jalubro are expressly rejected by the Customer,  within the thirty (30) day period following Jalubro ’s receipt of Customer’s notice of objections (the “Change Period”), either Party may by written notice to the other, to be served within fourteen (14) days of the expiration of that Change Period, terminate the Agreement (either in whole or to the extent that it relates to the portion of the Relevant Services which requires the use of the proposed Sub processor) with immediate effect.

6.5.If Customer (having not raised an objection to a new Sub processor) uses the Relevant Services (or the relevant portion thereof) after the expiry of the fourteen (14) day period referred to in Section 6.4,Customer agrees that it shall be deemed to have approved the ongoing use of that Sub processor.

6.6.With respect to each Sub processor, Jalubro shall:

(a)before the Sub processor first Processes Customer Personal Data (or, as soon as reasonably practicable, in accordance with Section 6.2), carry out adequate due diligence to ensure that the Sub processor is capable of providing the level of protection for Customer Personal Data required by this Data Processing Addendum; and

(b)ensure that the arrangement between Jalubro and the Sub processor is governed by a written contract including terms which offer at least an equivalent level of protection for Customer Personal Data as those set out in this Data Processing Addendum (including those set out in Section 5).

7.DATA SUBJECT RIGHTS

7.1.Taking into account the nature of the Processing, Jalubro shall (at the Customer’s cost) assist the Customer by appropriate technical and organisational measures, insofar as this is possible (having regard to the nature of the Processing), for the fulfilment of the Customer’s obligation to respond to Data SubjectRequests.

7.2.Jalubro shall:

(a)promptly notify Customer if Jalubro receives a Data Subject Request; and

(b)ensure that Jalubro does not respond to any Data Subject Request except on the written instructions of Customer (and in such circumstances, at Customer’s cost) or as required by applicable laws.

8.PERSONAL DATA BREACH

8.1.Jalubro shall notify Customer without undue delay upon Jalubro becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information (insofar as such information is, at such time, within Jalubro ’s possession) to allow Customer to meet any obligations under Data Protection Laws to report the Personal Data Breach to:

(a)affected Data Subjects; or

(b)the relevant Supervisory Authority(ies) (as may be determined in accordance with the Data Protection Laws).

8.2.Jalubro shall co-operate with Customer and take such commercially reasonable steps as may be directed byCustomer to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

9.DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION

Jalubro shall assist the Customer, at Customer’s cost, with any data protection impact assessments, and prior consultations with Supervisory Authorities, which Customer reasonably considers to be required of Customer by Article 35 or Article 36 of the GDPR, in each case solely in relation to Processing of Customer Personal Data and taking into account the nature of the Processing by, and information available to, Jalubro.

10.DELETION

10.1.Subject to Section 10.4, upon the date of cessation of the Relevant Services (the “Cessation Date”),Jalubro shall immediately cease all Processing of the Customer Personal Data for any purpose other than for storage.

10.2.To the fullest extent technically possible in the circumstances, promptly following the Cessation Date, Jalubro shall either (at its option):

(a)Delete; or

(b)irreversibly render Anonymised Data, all Customer Personal Data then within Jalubro’s possession.

10.3.In the event that, on or prior to the Cessation Date, the Customer requests return of Personal Data, Jalubro shall (at the Customer’s cost) return a copy of Customer Personal Data to the Customer in a standard, interoperable format.

10.4.Jalubro and any Sub processor may retain Customer Personal Data where required by applicable European Union, UK or European Union Member State law, for such period as may be required by such applicable law, provided that Jalubro and any such Sub processor shall ensure:

(a)the confidentiality of all such Customer Personal Data; and

(b)that such Customer Personal Data is only Processed as necessary for the purpose(s) specified in the applicable European Union, UK or European Union Member State law requiring its storage and for no other purpose.

11.AUDIT RIGHTS

11.1.Jalubro shall make available to Customer on request the most recent copies of any relevant third-party certifications and audits obtained or procured by Jalubro, together with any other relevant information as Jalubro considers necessary in the circumstances, in each case to demonstrate its ongoing compliance with applicable provisions of this Data Processing Addendum (including Section 5).

11.2.Notwithstanding anything to the contrary in this Data Processing Addendum or the Agreement, audits of any Hosting Services Provider(s)’s Processing of Customer Personal Data will be subject to Jalubro’s agreement with the applicable Hosting Services Provider and will not be subject to this Data Processing Addendum or the Agreement. On request from Customer (which shall be limited to one such request in each calendar year during the term of the Agreement), if and to the extent Jalubro is permitted to do sounder its agreement with the applicable Hosting Services Provider(s), Jalubro will deliver (at the Customers expense):

(a)Jalubro ’s latest audit of the applicable Hosting Services Provider(s); or

(b)such Hosting Services Provider(s)’ own self-audits, carried out in respect of such Hosting ServicesProvider(s)’s Processing of Personal Data on Jalubro ’s behalf – Customer acknowledges and agrees that any such (self-)audits will be general in their content and will not be specific to Customer or Customer Personal Data, and in the case of self-audits by the Hosting ServicesProvider(s) may also not be specific to Jalubro.

12.RESTRICTED TRANSFERS

Restricted Transfers: Customer to Jalubro

12.1.Subject to Section 12.3, to the extent that any Processing by Jalubro of Customer Personal Data involves a Restricted Transfer, the Parties agree that:

(a)Customer – as “data exporter”; and

(b)Jalubro – as “data importer”,shall enter into the Standard Contractual Clauses in respect of thatRestricted Transfer and the associated Processing in accordance with Section 12.3.

12.2.In respect of any Standard Contractual Clauses entered into pursuant to Section 12.1:

(a)Clause 9 of such Standard Contractual Clauses shall be populated as follows:

“The Clauses shall be governed by the law of the Member State in which the data exporter is established.”

(b)Clause 11(3) of such Standard Contractual Clauses shall be populated as follows:

“The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.”

(c)Appendix 1 to such Standard Contractual Clauses shall be populated with the corresponding information set out in Annex 1 (Data Processing Details); and

(d)Appendix 2 to such Standard Contractual Clauses shall be populated as follows:

“The technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) are those established and maintained under Paragraph 5 of the Data Processing Addendum.”

12.3.In respect of any Restricted Transfer between Customer and Jalubro  described in Section 12.1, theStandard Contractual Clauses shall be deemed to come into effect under Section 12.1 automatically upon the commencement of the relevant Restricted Transfer provided that Section 12.1 shall not apply to a Restricted Transfer unless its effect is to allow the relevant Restricted Transfer and the associated Processing to take place without breach of Data Protection Laws (e.g., Section 12.1, together with any associated Standard Contractual Clauses, will not apply or will cease to apply (as applicable), if and when the European Commission issues an ‘adequacy decision’ in respect of the UK under Article 45 of the GDPR that covers Customer’s transfer of Customer Personal Data to Jalubro under the Agreement).

Restricted Transfers: Jalubro to Sub processor

12.4.Subject to Section 12.5 and Section 12.6, to the extent that Jalubro effects a Restricted Transfer to a Sub processor, Jalubro agrees that it shall enter into the Standard Contractual Clauses as agent forCustomer (as “data exporter”) with that Sub processor (as “data importer”).

12.5.In respect of any Restricted Transfer between Jalubro and a Sub processor described in Section 12.4,Customer acknowledges and agrees that Jalubro ’s obligation to enter into the Standard Contractual Clauses as required by that Section 12.4 shall be satisfied by the inclusion of the details of the Customer Personal Data in the general description of the “personal data” referred to in any existing or futureStandard Contractual Clauses entered into by and between Jalubro and that Sub processor.

12.6.Section 12.4 shall not apply to a Restricted Transfer unless entry into the Standard Contractual Clauses referred to therein is required to allow the relevant Restricted Transfer and the associated Processing to take place without breach of Data Protection Laws.

13.VARIATION

13.1.Jalubro reserves the right to amend this Data Processing Addendum from time-to-time (including by posting an updated form hereof on the page on which this document is currently posted or any successor page thereto),provided always that in its amended form this Data Processing Addendum contains such contractual terms as may then be required by applicable Data Protection Laws.

13.2.In the event that there is a change in the Data Protection Laws that Jalubro considers (acting reasonably)would mean that Jalubro is no longer able to provide the Relevant Services in accordance with its obligations under Data Protection Laws, Jalubro reserves the right to make such changes to the Relevant Services as it considers reasonably necessary to ensure that Jalubro is able to provide theRelevant Services in accordance with Data Protection Laws.

13.3.In the event that Customer (acting reasonably and in good faith) considers that any changes made either to the Relevant Services and/or this Data Processing Addendum pursuant to Section 13.1 or Section 13.2(as applicable) will cause material and irreparable harm to it, Customer may terminate the Agreement in its entirety with immediate effect upon written notice to Jalubro to be served within thirty (30) days of Customer becoming aware of said changes.

14.ANONYMOUS DATA

Customer acknowledges and agrees that Jalubro shall be freely able to create, use and disclose Anonymised Data for Jalubro ’s own business purposes without restriction; provided that it is acknowledged and agreed that in respect of the Processing involved in the creation of such Anonymised Data, Jalubro:

(a)will act as an independent Controller; and

(b)shall seek to ensure that that Processing is carried out in accordance with Data Protection Laws.

15.CUSTOMER AFFILIATES’ RIGHTS

15.1.The Parties acknowledge and agree that Customer has entered into this Data Processing Addendum for both itself and on behalf of, and for the benefit of, those companies that are:

(a)controlled by Customer, which control Customer or which are under common control with Customer and are (as between those companies and Jalubro) Controllers of any Customer Personal Data; and

(b)properly entitled to use and receive the benefit of the Relevant Services pursuant to and in accordance with the Agreement, such companies, “Customer Affiliates”. For the purposes ofSection 15.1(a) “control” and its derivatives mean to hold, directly or indirectly, more than50% of the respective shares with voting rights in a company

15.2.The Parties acknowledge and agree that all references to Customer in the other Sections of this Data Processing Addendum shall, where the context permits and requires, be construed to refer to eachCustomer Affiliate, provided that it is acknowledged and agreed that:

(a)any rights and any remedies available to Customer Affiliates under this Data Processing Addendum shall accrue, and may only be exercised and sought by Customer, on a collective, and not an individual basis, on behalf of Customer and all Customer Affiliates – as examples:

(i)any on-premise inspections that may occur in accordance with Section 11 shall be conducted for the benefit of Customer and all Customer Affiliates collectively, and the limits on the frequency of such audits shall apply on a collective basis; and (ii) any relevant notices(such as that referred to in Section 6.3 concerning new Sub processors) shall be given by Jalubro to Customer only, and Customer (and not Jalubro ) shall be responsible for disseminating such notices to Customer Affiliates; and

(b)Jalubro ’s total liability (whether in contract, tort (including for negligence), breach of statutory duty(howsoever arising), misrepresentation (whether innocent or negligent), restitution or otherwise) arising out of or in connection with this Data Processing Addendum shall be subject to those limitations on, and exclusions of, Jalubro ’s liability under the Agreement, which it is agreed shall apply on a collective basis (and not an individual and several basis) to Customer and all Customer Affiliates.

16.LEGAL REQUIREMENTS

16.1.Customer acknowledges that both Jalubro and its Sub processors may themselves be subject to certain legal or regulatory reporting or notification requirements. In the event that Jalubro’s or its Sub processors’ discharge or intended discharge of such requirements (as reasonably understood by them) involves theProcessing of Customer Personal Data, it is acknowledged that, such Processing shall be carried out by Jalubro or its Sub processor(s) as Controllers, independently of the Customer, not as Customer’s(Sub)Processor(s).

16.2.Jalubro shall seek to ensure, and as between Customer and Jalubro shall be responsible for procuring that its Sub processors seek to ensure, that any Processing of Customer Personal Data described in Section16.1 is carried out in accordance with Data Protection Laws and any other applicable legal or regulatory requirements related to that activity.