Contractual standards for Data Processing on Behalf, last revised December 8, 2014 which it has been given access for processing or use or the data it has collected. In accordance with the instructions issued by Controller, Processor must amend, delete, or block the data it is processing on behalf of Controller. (3) Processor shall assist Controller in satisfying the rights of the persons whose personal data is stored (data subjects), which may include correcting, deleting, blocking, or providing information about such data. If a data subject contacts Processor directly to ask for information or request that his/her personal data be corrected, deleted, or blocked, Processor shall forward this request to Controller without delay. (4) Processor undertakes to provide data protection training for its employees entrusted with the processing and use of the data provided by Controller and to impose on such employees an obligation to observe data secrecy (obligation not to disclose personal data). (5) Processor must provide Controller with the details of contacts for data protection and information security. If Processor is subject to a statutory obligation to appoint a data protection officer, Processor shall appoint such an officer in writing and shall send Controller the name(s) of the person(s) concerned. (6) Upon request, Processor shall provide Controller with the information necessary to enable Controller to satisfy reporting obligations and maintain a systems and procedures overview. (7) Processor shall inform Controller without delay of any checks or action taken by the relevant regulatory authorities in its organization or in connection with the IT infrastructure it uses. 4 INFORMATION SECURITY (1) Processor undertakes, as part of an information security strategy, to use state of the art technology to safeguard all Controller's information and data immediately and effectively against unauthorized access, modification, destruction or loss, unauthorized transfer, other unauthorized processing, and other misuse. The security strategy must be described in detail by completing the fields in Part 2. Processor shall agree its information security strategy with Controller's relevant information security officer. Part 2 need not be completed if Processor has suitable certification (for example, in accordance with ISO 2700x) covering the services that form the subject matter of this Contract. In this case, a reference to the certification must be inserted and the certification attached as an annex to this Agreement. If this certification becomes invalid and re-certification is not obtained within a reasonable period, this Agreement and the Main Agreement may be terminated by Controller. (2) Processor must store Controller's data for a period of six months, even after the relevant service agreement has ended. Within this six-month period, the data must be returned in a generally readable format or, if instructed, deleted. If the data is deleted, action must be taken to ensure that the data cannot be reconstructed. Processor shall prove to Controller and confirm in writing or by electronic mail that all the data, copies, and storage media have been returned and deleted. Controller may at any time specify an earlier date for data deletion. Regardless of this provision, Processor shall be under an obligation to surrender the data in a generally readable format at any time upon request by Controller. (3) Processor must ensure that the technical and organizational measures described in Part 2 are implemented before data processing begins and that the associated activities are regularly reviewed and adjusted. Processor must inform Controller in writing or by electronic mail if there are any material changes to data Page 5 of 20