Data Processing Agreement Payroll

Any transfer is subject to compliance with all other guarantees under these clauses by the data importer, in particular purpose limitation. (i) the processing services are performed by the sub-processor in accordance with clause 11; (c) the data importer undertakes to provide the minimum allowable amount of information when responding to a request for information on the basis of an appropriate interpretation of the request for information; 3.10 The Supplier assists the Customer in the processing of all requests from a data subject covered by Chapter III of the General Data Protection Regulation, including requests for access, rectification, blocking and deletion. (a) the terms `personal data`, `special categories of data`, `processing/processing`, `controller`, `processor`, `data subject` and `supervisory authority` shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24. October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data; (b) it has given instructions to the data importer and, throughout the duration of the processing of the personal data, will request the data importer to process the personal data transmitted solely on behalf of the data exporter and in accordance with the applicable data protection law and clauses; Obligation after termination of services for the processing of personal data (b) “data exporter” means the controller who transmits the personal data; 7 Duration and termination 7.1 The term of the agreement is the duration of the agreement on accounting, bookkeeping and payroll accounting. Upon termination of the Accounting, Accounting and Payroll Agreement, the Agreement terminates. 7.2 Either party may terminate the Agreement under the same terms as the Accounting, Accounting and Payroll Agreement. 7.3 Regardless of the formal duration of the contract, the Contract remains in force as long as the Supplier processes the Personal Data on behalf of the Customer of which the Customer is the Data Controller, but only for the processing of such Personal Data by the Supplier. 7.4 In the event of termination and at the request of the contract, the supplier must contribute fairly to the data processing being transmitted to another supplier or transferred to the customer. What is a subcontractor? A processor is an external data processor engaged by Oyster, including the Oyster Companies, who has access to or may process data on behalf of Oyster, which may contain personal data. Oyster uses different types of subprocessors to perform different functions, as explained below.

APPOGEE HR DATA PROCESSING AGREEMENT V2.1The Customer who accepts these Terms (“Customer”, “you”) and Appogee HR Ltd (if applicable, “Appogee HR”, “We”) have entered into an agreement to provide the services provided by Appogee HR Ltd (each, as amended, an “Agreement”). You acknowledge that Oyster is a recipient of European data in the United States in connection with the provision of the Services. The parties agree to respect and process European data in accordance with the standard contractual clauses (see Annex 4). The parties agree that for the purposes of the Standard Contractual Clauses: Oyster shall be the “Data Importer” and the Client Company shall be the “Data Exporter” If and to the extent that the Standard Contractual Clauses (if any) conflict with any of the provisions of this DPA, the Standard Contractual Clauses shall prevail to the extent of such conflict. 5. We have rules! We have controls in place to ensure the configuration, monitoring and maintenance of technology and information systems in accordance with internal standards prescribed and adopted by the industry (for example. B, safe disposal of media to make all data contained therein indecipherable or unrecoverable). 3.4 The Supplier must also comply with all legally binding standards for security measures that directly bind it, including all standards for security measures in the country in which the Supplier is established or in the country in which the data processing takes place.

9 Priority 9.1 In the event of any conflict between the provisions of the Contract and the provisions of other written or oral agreements between the parties, the provisions of the Agreement shall prevail. HAVE AGREED on the following contractual clauses (the clauses) in order to provide adequate safeguards with regard to the protection of privacy and fundamental rights and freedoms of natural persons for the transfer of the personal data referred to in Annex 1 by the data exporter to the data importer. 3 Requirements for the Provider 3.1 The Provider will process the personal data in accordance with the applicable Danish data protection legislation, including the General Data Regulation, upon its entry into force (c) The Data Importer warrants that it has made every effort to provide relevant information to the Data Exporter when carrying out the assessment referred to in paragraph (b); and agrees that it will continue to work with the data exporter to ensure compliance with these clauses. (e) where the requests of a data subject are excessive, in particular because of their repetitive nature, the data importer may either charge a reasonable fee, taking into account the administrative costs associated with granting the request, or refuse to process the request. (iii) requests received directly from data subjects without responding to them, unless otherwise authorised; Section 15: Obligations of the data importer in case of access by the authorities 5 Confidentiality 5.1 The supplier must treat personal data confidentially. (e) the data importer complies with a binding decision under Union law or the law of an applicable Member State; Clause 10: Rights of the data subject (a) The data importer must immediately inform the data exporter of any request received from a data subject. It does not itself respond to that request unless it has been authorised to do so by the data exporter. Clause 8: Data Protection Safeguards The data exporter warrants that it has made reasonable efforts to determine that the data importer is able to meet its obligations under these clauses through the implementation of appropriate technical and organisational measures.

(f) where the transfer concerns special categories of data, the data subject has been or will be informed before or as soon as possible after the transfer that his or her data may be transferred to a third country which does not offer adequate protection within the meaning of Directive 95/46/EC; (d) Personal data transmitted before the termination of the contract referred to in point (c) shall be returned to the data exporter without undue delay or completely erased at the choice of the data exporter. The same applies to all copies of the data. The data importer certifies the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer will continue to ensure compliance with these clauses. In the case of local laws applicable to the data importer that prohibit the return or deletion of the personal data transferred, the data importer guarantees that it will continue to ensure compliance with these clauses and process the data only to the extent and for as long as required by such local law. (iii) any relevant contractual, technical or organisational safeguards put in place to complement the safeguards provided for in those clauses, including the measures applied when transferring and processing personal data in the country of destination. The personal data transferred concern the following categories of data subjects: this Directive does not grant any additional rights or remedies to business customers and should not be interpreted as a binding agreement. The information is provided to illustrate Oyster`s process for sub-processors and to provide the actual list of third-party processors and content delivery networks used by Oyster at the time of this Policy. (b) point (a) is without prejudice to the rights of data subjects under Regulation (EU) 2016/679. (e) the data importer agrees with the sub-processor on a third-party beneficiary clause under which the data exporter has the right to terminate the sub-processor and to request the sub-processor to delete or return the personal data if the data importer has effectively disappeared, ceases to exist legally or has become insolvent.

8.6 Sensitive data If the transfer consists of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic or biometric data for the purpose of uniquely identifying a natural person, data on a person`s health, sex life or sexual orientation, or data on criminal convictions, or Criminal offences (hereinafter referred to as “sensitive data”), the data importer applies specific restrictions and/or additional safeguards appropriate to the particular nature of the data and the risks associated with it. This may include restricting who can access personal data, additional security measures (e.g. B, pseudonymization) and/or additional restrictions on further disclosure. (d) the data importer shall cooperate with and assist the data exporter in order to enable it to comply with its obligations under Regulation (EU) 2016/679, in particular the competent supervisory authority and the data subjects, taking into account the nature of the processing and the information available to the data importer; How we protect your outsourced data. Oyster is working hard to use an appropriate selection process to assess the security, privacy and confidentiality practices of proposed subcontractors who may have access to or otherwise process personal data. .