Contractual standards for Data Processing on Behalf, last revised December 8, 2014 processing. In the event of any foreseeable reduction in the effectiveness of the data protection, the consent of Controller must be obtained in writing or by electronic mail before the related change is carried out. 5 SUBCONTRACTORS AND ACCESS CONTROL (1) If Processor involves subcontractors or freelancers it must first obtain the prior consent of Controller in writing or by electronic mail. The contractual arrangements between Processor and the subcontractor or freelancer must be drafted in such a way that they correspond with the arrangements contained in the contractual relationship between Controller and Processor. In particular, Processor must ensure that Controller can also carry out the checks specified in clause 6 of this Contract in respect of the subcontractors or freelancers. Controller is entitled to receive information from Processor concerning the essential contractual provisions and the implementation of the obligations in this Contract – if necessary by means of inspecting the relevant contract documents. (2) Controller is deemed to have consented to the subcontractors and functions listed in Part 3 when Controller signs this Agreement. Processor must ensure that these subcontractors comply with the technical and organizational requirements specified in Part 2 in the same way as Processor itself. If subcontractors are replaced or added during the course of the contractual relationship, Processor must first obtain the consent of Controller in writing or by electronic mail. (3) Processor may only authorize access to Controller's data for its own employees in accordance with the authorization rules and only to the extent necessary to allow the employee concerned to carry out the relevant task in connection with fulfillment of contractual requirements. If it is necessary to issue access authorizations to employees of subcontractors or to freelancers to facilitate fulfillment of contractual requirements, this can only be done with the prior consent of Controller in writing or by electronic mail and only to the extent necessary for the task concerned. Upon request, Processor must supply Controller with the names of persons or groups of persons to whom access authorization has been granted. Processor undertakes not to disclose to any unauthorized person the access authorizations granted to enable Processor to use the system. (4) If Processor is granted access to the IT systems of Controller, its representatives, or subcontractors, Processor undertakes only to access the data and information necessary to enable it to satisfy its obligations under this Agreement. 6 CHECKS (1) Controller or its representatives have the right to carry out checks on compliance with the requirements of this Agreement. Processor shall provide the desired information and, at the request of Controller and within a reasonable period, submit documentary evidence that it has met its obligations by completing a questionnaire supplied by Controller. (2) Subject to advance notice, Controller or its representative shall be granted access to the offices and IT systems in/on which Controller's data is used or processed so that the implementation of the contractual agreements and the appropriateness of the technical and organizational data security measures can be verified. Page 6 of 20