Contractual standards for Data Processing on Behalf, last revised December 8, 2014 (3) Processor must inform Controller without delay should any suspicion arise that there has been a violation of data protection requirements (in particular, unlawful forwarding of Controller’s data to third parties or unlawful access by third parties to Controller’s data), a violation of banking secrecy, a breach of security, or other manipulation during data processing. In consultation with Controller, Processor must initiate all necessary steps to rectify the problem and prevent further data protection and/or security violations. (4) If Controller's data held by Processor is placed at risk as a result of seizure, distraint, judicial inquiries, or other enforcement of legal control by relevant authorities, as a result of insolvency or composition proceedings, or as a result of other events or action taken by third parties, Processor must inform Controller without delay. Processor shall inform all parties involved in any such action without delay that the power of control over the data subject to this Agreement lies with Controller and shall not transfer any data to third parties or allow access to the data by third parties without the consent of Controller. 7 DATA PROCESSING IN A NON-EEA COUNTRY (1) If Processor or its subcontractor processes personal data emanating from the European Union (EU) outside the European Economic Area (EU member states together with Iceland, Liechtenstein, Norway) or outside a country recognized by the European Commission as having an appropriate level of data protection, or if Processor or its subcontractor accesses EU-sourced personal data from outside the countries specified above • Controller must come to a written agreement with Processor or its subcontractor to include the EU's standard contractual clauses governing Data Processing on Behalf in non-EEA countries, or • Processor must participate in a certification system recognized by the EU and satisfy the requirements of this system, or • the data processing must be subject to binding rules and regulations that have been put in place by Processor and are recognized by a relevant regulatory authority as providing a sufficient basis for creating an appropriate level of data protection within the meaning of EU law. (2) In the case of personal data that emanates from countries other than those specified in subclause 1 and that also gives rise to requirements under data protection law in respect of data processing abroad, appropriate measures must be implemented in accordance with provisions under national law. Page 7 of 20