Contractual standards for Data Processing on Behalf, last revised December 8, 2014 (5) The group of people (data subjects) affected by the handling of their personal data in the context of this Contract is as follows: (Please describe in concrete terms whose data are affected by the service, e.g. employees of company XY , customer of service A, users of application B, drivers, suppliers, etc. Should this already be described in the Main Agreement, a reference to the Main Agreement may be used: e.g. “The persons concerned by the services are described under section … of the Main Agreement”) 2 NON-DISCLOSURE (1) Processor undertakes to treat as confidential all information – including, but not limited to, technical and commercial information, plans, findings, intelligence, designs, and documents – that becomes known to it or that it receives from Controller under this Agreement, not to disclose this information to third parties, to protect it from third-party access, to use it only for purposes in connection with this Agreement, and only to disclose it to employees who are themselves under an obligation to observe confidentiality, unless otherwise agreed in writing between the Parties. (2) This confidentiality undertaking shall not apply in respect of information • that can be proven to have been known to Processor before this Agreement came into effect, • that can be proven to have been lawfully obtained by Processor from a third party without being subject to a confidentiality obligation, • that is already in the public domain or that enters into the public domain without any infringement of the obligations under this Agreement, • that can be proven to have been developed by Processor during the course of its own independent work. (3) As far as the Controller is a financial services company and is obliged to observe requirements of banking secrecy, the same requirements shall apply to the Processor. (4) Processor agrees to impose upon its employees to whom this information is disclosed the same duty of confidentiality as Processor has entered into above unless these employees are already subject to an equivalent non-disclosure obligation by virtue of their contracts of employment. (5) If notified of any development results that are capable of being protected by intellectual property rights, the Parties reserve all rights in respect of any such property rights subsequently applied for or granted. (6) The non-disclosure obligations in respect of information that has been made available during the term of this Agreement shall continue to apply for a period of five years after the Agreement has ended. 3 DATA PROTECTION (1) Processor collects, processes, and uses personal data on behalf of Controller. Controller is responsible for complying with the provisions of data protection law. (2) Processor shall follow solely the instructions issued by Controller when collecting, processing, and using personal data. Such instructions must be given in writing or by electronic mail. Other than as instructed by Controller, Processor may not use, either for its own purposes or the purposes of third parties, the data to Page 4 of 20