DATA PROCESSING ANNEX

This annex on personal data processing (DPA) is an integral and irrevocable part of the Terms and Conditions and regulates only the personal data processing relationship between the Company, undertaking the role of Data Processor, and the Client, undertaking the role of Data Controller.

Both the Company and the Client will comply with all applicable requirements of the Personal Data Protection Laws. This DPA is in addition to, and does not relieve, remove or replace any obligations under the Personal Data Protection Laws.

All capitalised terms used in this DPA shall have the meanings ascribed to them in the Terms and Conditions, this DPA and/or applicable data protection laws, as defined below.

1. DEFINITIONS

Unless defined otherwise under the applicable Order Form and/or Terms and Conditions, wherever used in this DPA, the following terms shall have the meaning as provided below:

Personal Data Protection Laws shall mean the General Data Protection Regulation (EU) 2016/679 (GDPR), the Republic of Lithuania Law on Legal Protection of Personal Data and/or other applicable legislation governing the processing of personal data.

Personal Data shall mean any information related to any identified or identifiable natural person, in light of this DPA mainly Personal Data that is provided by or collected from the Client during the provision of Services.

Controller, Processor, Data Subject, Personal Data Breach, Process (including ‘processing’) and other capitalised terms shall have the meaning ascribed to them under Personal Data Protection Laws.

2. OBLIGATIONS OF DATA CONTROLLER

The Client shall, in relation to any Personal Data processed when providing the Services under the Terms and Conditions:

  • ensure compliance with all Personal Data Protection Laws while collecting and providing any Personal Data to the Company, including without limitation, ensuring that all required consents, to the extent applicable, have been taken from Data Subjects;
  • duly notify Data Subjects of their data processing and transfer to the Company in accordance with the requirements of Personal Data Protection Laws;
  • duly notify all natural persons (employees, authorised representatives and/or authorised representatives of the Client’s Affiliate) whom he engages in the performance of the Terms and Conditions of the fact that their Personal Data may be transferred to and processed by the Company for the purpose of provision of Services.

3. OBLIGATIONS OF DATA PROCESSOR

The Company shall, in relation to any Personal Data processed when providing the Services under the Terms and Conditions:

  • process that Personal Data in accordance with the written instructions of the Client unless the Company is required by Personal Data Protection Laws. For the purpose of clarity it is noted that this DPA (including Schedule 1) constitutes the finalised instructions of the Client;
  • ensure that it has implemented appropriate technical and organisational security measures to protect Personal Data against unauthorised or unlawful processing and against accidental loss or destruction of, or damage to, Personal Data, at the scope required by the Personal Data Protection Laws;
  • ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential;
  • assist the Client in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Personal Data Protection Laws at Client’s reasonable expense;
  • notify the Client without undue delay on becoming aware of a Personal Data breach and provide the Client with such assistance as it may reasonably require to comply with its obligations in respect of such personal data breach under Personal Data Protection Laws;
  • at the written direction of the Client, delete or return Personal Data and copies thereof on termination of the Terms and Conditions unless Personal Data Protection Laws require to store the Personal Data.

4. SUB-PROCESSORS

The Client hereby grants the Company a general authorisation to engage sub-processors and service providers (Sub-processors) in the Processing of personal data controlled by the Client.

The Company shall notify the Client regarding the onboarding of the new Sub-processors no later than within 20 days after the onboarding.

When engaging Sub-processors the Company shall assign the duties of Personal Data protection to them to the extent not smaller than duties assigned to the Company under this DPA. All Personal Data transfers in relation to the onboarding of Sub-processors shall be performed in accordance with the Personal Data Protection Laws.

5. LIABILITY

The Company shall not be held liable for any breach of the DPA or any breach of personal data processing arising from the DPA in cases where improper performance of this Agreement or breach of personal data processing have been determined by inaccurate, improper Client’s instructions, inaccurate, incomplete or incorrect (provided in inappropriate format) personal data provided by the Client.

In no event shall the Company be liable for any indirect, incidental, special, punitive, or consequential damages incurred by the Client.

Limitations of liability established under the Terms and Conditions shall continue to apply to this DPA.

SCHEDULE 1: DATA PROCESSING INFORMATION

Nature and purpose of the processing: Performance of A/B testing services. As much Personal Data shall be processed as necessary for compliance with the requirements of the Terms and Conditions.

The basis for processing: Performance of the Contract, i.e. Terms and Conditions

The categories of data subjects:

  • Representatives or authorised persons of the Client/Client’s Affiliates
  • End users of the Client

The types of processed personal data:

  • In case of Representatives or authorised persons of the Client/Client’s Affiliates, Personal Data might include: first name, last name, address, email, phone No and any other Personal Data that is or might be required for provision of Services.
  • In case of end users of the Client, Personal Data might include: geolocation, IP address, cookies related information and any other Personal Data that is or might be required for provision of Services.