Establishing a “Privacy First” culture demonstrates the clearest commitment of the entire organization to setting the highest standards of confidentiality. This is necessary to quickly adapt to the different regulatory framework conditions around the world. As the volume and complexity of information types, flows, and access increases, so do the risks and impacts in all areas of the business. Organizations need to address this issue by building cross-functional teams to lead information governance efforts and develop a framework and approach for ongoing data protection compliance. Obligation after the cessation of the processing of personal data 1.1 The Buyer and Devo acknowledge that for the purposes of the applicable data protection requirements, the Buyer is the Data Controller and Devo is the Processor. (c) the data importer provides sufficient guarantees with regard to the technical and organisational security measures referred to in Annex 2 to this contract; Enterprise Information Management (EIM) technologies are the key to an effective and robust data protection strategy. As a leader in EIM, OpenText is committed to helping its customers on their journey to GDPR readiness and compliance. However, it is important to recognize that compliance is a shared responsibility. Regulatory compliance requires a combination of processes, policies, expertise, education and training, and the right technological tools.

We believe that the path to compliance requires a common understanding and culture of data protection. a) any unauthorised or unlawful processing of personal data; or 11.2 In the event of termination of the Terms of Use for any reason or after the expiration of their term, Devo will securely destroy or, if indicated in writing, return and not retain all or part of the personal data relating to this Agreement in its possession or control. It is important that we fulfil our obligations under the GDPR as a data processor to our customers, the data controllers, who use a third party such as us to process personal data. This Annex contains a description of the technical and organisational security measures implemented by the data importer in accordance with clauses 4(d) and 5(c) (or the attached document/law). (b) bring the dispute before the courts of the Member State in which the data exporter is established. This Agreement was concluded on the date indicated at the beginning. The GDPR came into force on 25 May 2018 and heralds a new era of data protection. The European Union (EU) has reformed laws on the processing of personal data by giving EU citizens control over their own personal data, regardless of where it has been collected, stored or processed, and has increased an organisation`s susceptibility to severe penalties for non-compliance. (d) `sub-processor` means any processor engaged by the data importer or by another sub-processor of the data importer who agrees to receive from the data importer or another sub-processor of the data importer personal data intended exclusively for processing activities and to be carried out on behalf of the data exporter after transmission in accordance with its instructions; the terms of the clauses and the terms of the written subcontract; 1.2 The Buyer retains control of the personal data and remains responsible for its compliance obligations in accordance with the applicable data protection requirements, including providing all necessary communications and obtaining all necessary consents, as well as the processing instructions it gives to Devo. (h) in the event of sub-processing, it has previously informed the data exporter and obtained its prior written consent; (h) to provide data subjects, upon request, with a copy of the clauses, with the exception of Annex 2, and a summary description of the security measures, as well as a copy of a contract for the subcontracting of services to be concluded in accordance with the clauses, unless the clauses or the contract contain commercial information, in which case it may delete that commercial information; 12.1 Devo keeps detailed, accurate and up-to-date records of the processing of personal data it carries out for the Buyer, including, but not limited to, access, control and security of personal data, authorized subcontractors and affiliates, and the purposes of the processing (registrations).

10.3 In the event of a breach by Devo of this DPA, the parties will suspend the processing of personal data until Devo has remedied the breach, but no later than 5 working days. In the event that Devo is unable to remedy the breach within 5 working days, or in the event of a material breach, the Buyer may terminate the part of the GTCU authorising the processing of personal data with immediate effect after written notification to Devo without further liability or obligation. .