27 April 2022

Data Protection Schedule – Client

Data Protection Legislation means up to but excluding 25 May 2018 the Data Protection Act 1998 and thereafter (i)unless and until the GDPR is no longer directly applicable in the UK, the General Data Protection Regulation ((EU) 2016/679) and anynational implementing laws, regulations and secondary legislation, as amended or updated from time to time, in the UK and then (ii) any successor legislation to the GDPR or the Data Protection Act 1998.

1. Both parties will comply with all applicable requirements of the Data Protection This clause is in addition to, anddoes not relieve, remove or replace, a party’s obligations under the Data Protection Legislation.
2. The parties acknowledge that for the purposes of the Data Protection Legislation, the Company is a Data Controller and the Client is a Data Controller (where Data Controller has the meaning as defined in the Data Protection Legislation) but they arenot Joint Controllers unless a specific agreement is made to that effect between the parties.
3. The Company will use all reasonable endeavours to ensure that it has all necessary appropriate consents and notices in placeto ensure lawful transfer of Personal Data (as defined in the Data Protection Legislation) to the Client for the purposes of the The Client shall ensure it has lawful processing grounds to process the Personal Data once transferred and shall not rely on the Company’s collection of necessary consent and notices given, unless expressly agreed by the parties.
4. The Client shall only process a Consultant’s Personal Data for the agreed purposes for which an introduction was made and the Personal Data transferred, including with regard to transfers of data outside the EEA to a third country, unless it first obtains allnecessary appropriate consents from the Data Subject (as defined in the Data Protection Legislation) , provides necessary notices to the Data Subject and where the Client intends to process information beyond that reasonably envisaged by the Company, informs the Company before undertaking any further
5. The parties shall ensure that:

• they have in place appropriate technical and organisational measures, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost ofimplementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring thatavailability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it);
• all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential;
• the Data Subject has enforceable rights and effective legal remedies;
• they provide reasonable assistance to the other in responding to any request from a Data Subject and in ensuring compliance with their respective obligations under the Data Protection Legislation with respect to data subject accessrequests and other data subject rights, data security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
• they notify the other without undue delay on becoming aware of a Personal Data breach relevant to Personal Data transferred pursuant to this Agreement; and
• they maintain complete and accurate records and information to demonstrate their compliance with this Data Protection Schedule.

6. The Client shall where required make available to the Company all information necessary to demonstrate compliance with the obligations associated with Data Protection Legislation and this clause and allow for audits and inspections in order toensure compliance throughout the Company supply chain.
7. Notwithstanding sub clauses 4 and 5.5, in the event of any suspected or actual breach of Data Protection Legislation , the Client shall (at its own expense):

• notify Company immediately; and provide such information, assistance and cooperation and do such things asCompany may request to (i) investigate and defend any claim or regulatory investigation; (ii) mitigate, remedy and/or rectify such breach; and (iii) prevent future breaches.