EMERGENETICS DATA PROCESSING ADDENDUM

THIS EMERGENETICS DATA PROCESSING ADDENDUM (“Addendum”) is made and entered into by and between The Browning Group International, Inc. d/b/a Emergenetics International and its affiliates (including STEP, LLC and Emergenetics Europe Limited) as applicable (collectively, “Emergenetics”) and you (the “Client” or “Partner”, as applicable, each as defined below) (each a “Party” and collectively the “Parties”). This Addendum governs your Processing of Personal Data on the Emergenetics Platform. If you are accepting the terms of this Addendum on behalf of an entity, you represent and warrant to Emergenetics that you have the authority to bind that entity and its affiliates, where applicable, to the terms and conditions of this Addendum. This Addendum is effective as of the date on which you agree to it (the “Addendum Date”) by clicking the “I Accept” button in the applicable online form or webpage that makes reference to this Addendum.

RECITALS

WHEREAS, Emergenetics and you have executed an agreement for services (the “Services Agreement”) involving the Processing of Personal Data (as defined below) of Data Subjects (as defined below) that the Parties now desire to amend as provided herein;

WHEREAS, in the course of providing its services under the Services Agreement you, as a Data Controller, Process certain Personal Data of Data Subjects;

WHEREAS, Emergenetics, as a Data Controller, requires that you and any subsequent Personal Data recipients who, in the course of your work with Emergenetics, may Process Personal Data, take all necessary measures to handle such information in compliance with the General Data Protection Regulation of the EU (GDPR) and other applicable laws and regulations;

WHEREAS, whenever both Parties jointly determine the purposes and means of Processing, they shall act as Joint Controllers; and

WHEREAS, the Parties enter into this Addendum wishing to comply with the principles and standards for data protection as required by the GDPR and other applicable laws and regulations, with respect to the Processing of Personal Data under the Services Agreement.

NOW, THEREFORE, in consideration of the mutual agreements set forth in this Addendum and for other good and valuable consideration, the receipt and sufficiency of which the Parties both acknowledge, the Parties agree as follows:

DEFINITIONS

Capitalized terms used but not defined in this Addendum shall have the meanings assigned to them in the Services Agreement.

For purposes of this Addendum, the following capitalized terms shall have the meanings ascribed to them as set forth below wherever they appear within the provisions of this Addendum:

· “Applicable Laws” means all laws applicable to the Processing of Personal Data, including the GDPR, laws implementing or supplementing the GDPR, EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced, or superseded from time to time, other laws of the European Union or any Member State thereof, and the laws of any other country to which the Personal Data is subject;

· “Client” means a legal entity with whom Emergenetics has executed the Services Agreement who uses the Platform for the benefit of its own employees, prospective employees, or other organizational team members such as contractors;

· “GDPR” and “General Data Protection Regulation” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;

· “Data Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data; where the purposes and means of such Processing are determined by Union or Member State law, the Data Controller or the specific criteria for its nomination may be provided for by Union or Member State law. For the purposes of this Addendum, Data Controller or Data Controllers also refers specifically to a Party or the Parties to this Addendum;

· “Data Processor” means a natural or legal person, public authority, agency or other body which Processes Personal Data on Behalf of a Data Controller;

· “Joint Controllers” means two or more Data Controllers that jointly determine the purposes and means of Processing;

· “Partner” means a third-party contractor filling a role as an Emergenetics Associate, Domain Administrator, Country Representative, or other applicable role on the Platform as a member of Emergenetics’ network of licensed resellers of Emergenetics products and services;

· “Personal Data” means any information relating to an identified or identifiable natural person within the scope of this Addendum (“Data Subject“); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

· “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed;

· “Platform” means the Emergenetics web application(s), including Emergenetics+, ESP, or STEP, as applicable;

· “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; and

· “Restricted Transfer” means any transfer of Personal Data that would be prohibited by Applicable Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Applicable Laws) in the absence of the execution of the Standard Contractual Clauses or another lawful data transfer mechanism, as set out in Section 12 below.

TERMS

The Parties agree as follows:

1. Effective Date. The Terms of this Addendum shall take effect on the later of the Addendum Date, or May 25, 2018 (the “Effective Date”) and continue on concurrently for the term of the Services Agreement.

2. Scope. This Addendum serves as a framework for Personal Data Processing under the Services Agreement, as applicable, alone or jointly, as well as Personal Data sharing between the Parties as Data Controllers, and defines the principles and procedures that the Parties shall adhere to and the respective responsibilities of the Parties.

3. Applicability. This Addendum will not apply to the Processing of Personal Data, where such Processing is not regulated by the Applicable Laws.

4. Controllership Representations and Warranties. Each Party represents, warrants, and covenants that:

a) With respect to the Processing of Personal Data under the Services Agreement, it is a Data Controller within the meaning of this Addendum and the GDPR;

b) all Personal Data has been and will be collected, transferred, and otherwise Processed in accordance with the GDPR;

c) it will only conduct transfers of Personal Data, where such transfers would be subject to mandatory requirements under the Applicable Laws (and no lawful exemption or derogation applies), in compliance with all applicable conditions, as laid down in the Applicable Laws;

d) it will, upon request of the respective other Party, provide that other Party with copies of all relevant data protection laws or references to them (where relevant, and not including legal advice).

5. Joint Controllership Representation and Warranties. Each Party, when acting as a Joint Controller together with the other Party, warrants and covenants that:

a) It will determine its respective responsibilities for compliance with its obligations under the Applicable Laws;

b) it will determine its respective responsibilities vis-a-vis Data Subjects, taking into account the circumstances of each specific Processing situation, and, where necessary, duly communicate such information to the respective other Data Controller in the Joint Controllership context;

c) in consideration of the fact, as set out in the GDPR, that irrespective of the terms of the arrangement between the Parties, Data Subjects may exercise their rights under the GDPR in respect of and against each of the Data Controllers, each Data Controller in the Joint Controllership context will proactively, without having been requested to do so, provide all due assistance and information to the respective other Data Controller in the Joint Controllership context, including but not limited to forwarding requests lodged by Data Subjects to exercise their rights under Chapter III of the GDPR. Where a Data Controller has not fulfilled its obligation under this provision, it shall be fully liable with regard to the response, or lack thereof, to the respective request by the Data Subject to exercise his rights; and

d) where a conflict of competence occurs with regard to a specific set of Processing operations in the Joint Controllership context, each Data Controller shall act in good faith to communicate and resolve said conflict with the other respective Data Controller in an amicable manner, by taking into account and respecting, firstly, the interests and rights of the respective Data Subject(s), and, secondly, the mutual interest of both Parties, so as to avoid joint and several liability, where the Parties fail to respect the rights of a Data Subject(s) because of an unresolved conflict of competence.

6. Records of Processing Activities. Each Data Controller agrees to maintain a record of Processing activities of Personal Data under its responsibility, in accordance with Article 30 of the GDPR.

7. Processing of Personal Data. Within the context of this Addendum, the Parties are joint Controllers of the Personal Data of the Data Subjects. Clients and Partners each jointly control the Personal Data Processed via the Emergenetics Platform with Emergenetics. Processing of Personal Data by each of the Data Controllers within the scope of this Addendum is subject to the following:

(a) Processing is limited to those services and tasks outlined in the Services Agreement for services and any subsequent orders, statements of work, or work orders executed between the Parties.

(b) Each Data Controller shall ensure that the Processing of the Personal Data for the purposes set out in the Services Agreement, is performed only on lawful grounds, as provided by Article 6 of the GDPR, and as further limited by Article 9 of the GDPR, or the equivalent provisions of any Applicable Laws, as the case may be.

(c) The respective Data Controllers must ensure that persons they authorize to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

8. Security Measures. Both Parties will implement appropriate technical and organizational security measures to ensure and to be able to demonstrate that Processing is performed in accordance with the GDPR, and as required by Article 24 of the GDPR.

9. Data Subject Requests. Each Party will be responsible for responding to requests for the exercise of a Data Subject’s rights under Chapter III of the GDPR or the equivalent provisions of other Applicable Laws, with regard to the Personal Data Processed by that Party. Each Party will designate an appropriate point of contact for Data Subject requests within its respective organization. Each Party will maintain a record of Data Subjects’ requests to exercise their rights, the decisions made, and any information that was exchanged. In situations where the Parties are Joint Controllers, the Parties will provide notice to each other of all such Data Subject requests they receive. Before deleting Personal Data or restricting Processing in response to a Data Subject request, each Party will obtain the approval of the other Party, which shall not be unreasonably withheld by that other Party, so as to avoid the possibility of one Party’s actions causing the other Party to be in breach of this Addendum or any applicable laws. The Parties agree to provide prompt and reasonable assistance to each other, if required, to enable them to comply with Data Subject requests. Each Party will ensure that its relevant privacy notices, where applicable, are published in accordance with the requirements of the GDPR and other Applicable Laws and that no conflicts exist among the Parties’ privacy notices that would create confusion or mislead Data Subjects. In particular, each Party will ensure that its relevant privacy notices, where applicable, contain accurate contact information to which Data Subjects can submit requests to the respective Party to exercise their rights under the GDPR and other Applicable Laws, as the case may be.

10.Security of Processing and Personal Data Breach Notifications. Both Parties agree to implement and maintain technical and organizational security measures to ensure that the level of security of Personal Data Processed by them is appropriate to the risk, pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of Processing and the information available to each Party. Each Party shall provide notification of a Personal Data Breach to the competent supervisory authority or the affected Data Subject(s), as required by Articles 33 and 34 of the GDPR, or the equivalent provisions of other Applicable Laws, as the case may be, as well as all due assistance to the other respective party, as necessary.

11.Processors. Each Party shall only engage a Data Processor to Process the Personal Data on its behalf if that Data Processor provides sufficient guarantees, by way of a written contract or other legal act under European Union or Member State law, that it will implement the same data protection obligations as this Addendum and the requirements of the GDPR. Such obligations shall include, in particular, the requirement that the Data Processor implements appropriate technical and organizational security measures in such a manner that Processing will meet the requirements of the GDPR, including, but not limited to, applicable requirements of Articles 28, 29, and 30 of the GDPR, and ensure the protection of the rights of the Data Subject. Where that Data Processor fails to fulfill its data protection obligations, the respective Party shall remain fully liable to Data Subjects for the performance of that Data Processor's obligations.

12.Restricted Transfers. Emergenetics (as “data exporter”) and the Client (as “data importer”) hereby enter into, as of the Addendum Date, the Standard Contractual Clauses (as set out in Exhibit A), which are incorporated by this reference and constitute an integral part of this Addendum. The Parties are deemed to have accepted, executed, and signed, where necessary, the Standard Contractual Clauses in their entirety, including the appendices on the Effective Date.

13.With regard to any Restricted Transfer from Emergenetics to the Client within the scope of this Addendum, one of the following transfer mechanisms shall apply, in the following order of precedence:

(a) the Standard Contractual Clauses; or

(b) any other lawful basis, as laid down in Applicable Laws, as the case may be.

In cases where the Standard Contractual Clauses apply, and there is a conflict between the terms of the Addendum and the terms of the Standard Contractual Clauses, the terms of the Standard Contractual Clauses shall control.

14.Liability. Without prejudice to any form of direct liability of a Party or a Data Processor before Data Subjects, each Party shall be liable to the other respective non-defaulting Party for damages the defaulting Party has caused to the non-defaulting Party by any breach of its obligations, as set out in this Addendum.

15.Disputes. In the event of a dispute or claim brought by a Data Subject or an EEA or UK data protection authority concerning the Processing of Personal Data against either or both of the Parties, the Parties will inform each other about any such disputes or claims, and will cooperate with a view to settling them amicably in a timely fashion.

16. Contact Points for Data Protection Enquiries:

Emergenetics’ Data Protection Officer (DPO):
E-mail: privacy@emergenetics.com
Name: Steven Douglas
Address: 2 Inverness Dr East, Suite 188, Centennial, CO 80112, USA

17.No Further Amendment. Except as expressly provided in this Addendum, the Parties intend no amendment or modification of the Services Agreement or in any other document signed or otherwise entered into by the Parties.

18.Primary Agreement. The terms of the Services Agreement, together with any addendum or supplemental agreement executed prior to this Addendum, are preserved and remain in full force and effect. To the extent that any terms of this Addendum conflict with any terms contained within the Services Agreement, the terms of this Addendum shall control with respect to the subject matter described herein.

19.Confidentiality. This Addendum is confidential information. Each Party agrees:

(a) to not disclose this Addendum to any third parties except (1) to legal counsel or privacy consultants who have executed a nondisclosure agreement or who are under a statutory obligation of confidentiality; (2) as permitted or reasonably anticipated by this Addendum; or (3) as required by the GDPR or other Applicable Laws (each, a “Permitted Disclosure”); and

(b) to exercise at least the same degree of care that each Party generally uses to protect its own information of similar nature to protect this Addendum from any possession, use, or disclosure that is not a Permitted Disclosure, but in no case less than a reasonable degree of care.

(c)

Exhibit A

Commission Decision C(2004)5721

SET II

Standard contractual clauses for the transfer of personal data from the Community to third countries (controller to controller transfers)

Data transfer agreement

between

The Browning Group International, Inc.

2 Inverness Dr East

Suite 189

Centennial, CO, 80112

U.S.A.

hereinafter “data exporter”

and

the Client, as defined in the Emergenetics Data Processing Addendum (the “Addendum”) above

hereinafter “data importer”

each a “party”; together “the parties”.

Definitions

For the purposes of the clauses:

a) “personal data”, “special categories of data/sensitive data”, “process/processing”, “controller”, “processor”, “data subject” and “supervisory authority/authority” shall have the same meaning as in Directive 95/46/EC of 24 October 1995 (whereby “the authority” shall mean the competent data protection authority in the territory in which the data exporter is established);

b) “the data exporter” shall mean the controller who transfers the personal data;

c) “the data importer” shall mean the controller who agrees to receive from the data exporter personal data for further processing in accordance with the terms of these clauses and who is not subject to a third country’s system ensuring adequate protection;

d) “clauses” shall mean these contractual clauses, which are a free-standing document that does not incorporate commercial business terms established by the parties under separate commercial arrangements.

The details of the transfer (as well as the personal data covered) are specified in Annex B, which forms an integral part of the clauses.

I. Obligations of the data exporter

The data exporter warrants and undertakes that:

a) The personal data have been collected, processed and transferred in accordance with the laws applicable to the data exporter.

b) It has used reasonable efforts to determine that the data importer is able to satisfy its legal obligations under these clauses.

c) It will provide the data importer, when so requested, with copies of relevant data protection laws or references to them (where relevant, and not including legal advice) of the country in which the data exporter is established.

d) It will respond to enquiries from data subjects and the authority concerning processing of the personal data by the data importer, unless the parties have agreed that the data importer will so respond, in which case the data exporter will still respond to the extent reasonably possible and with the information reasonably available to it if the data importer is unwilling or unable to respond. Responses will be made within a reasonable time.

e) It will make available, upon request, a copy of the clauses to data subjects who are third party beneficiaries under clause III, unless the clauses contain confidential information, in which case it may remove such information. Where information is removed, the data exporter shall inform data subjects in writing of the reason for removal and of their right to draw the removal to the attention of the authority. However, the data exporter shall abide by a decision of the authority regarding access to the full text of the clauses by data subjects, as long as data subjects have agreed to respect the confidentiality of the confidential information removed. The data exporter shall also provide a copy of the clauses to the authority where required.

II. Obligations of the data importer

The data importer warrants and undertakes that:

a) It will have in place appropriate technical and organisational measures to protect the personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected.

b) It will have in place procedures so that any third party it authorises to have access to the personal data, including processors, will respect and maintain the confidentiality and security of the personal data. Any person acting under the authority of the data importer, including a data processor, shall be obligated to process the personal data only on instructions from the data importer. This provision does not apply to persons authorised or required by law or regulation to have access to the personal data.

c) It has no reason to believe, at the time of entering into these clauses, in the existence of any local laws that would have a substantial adverse effect on the guarantees provided for under these clauses, and it will inform the data exporter (which will pass such notification on to the authority where required) if it becomes aware of any such laws.

d) It will process the personal data for purposes described in Annex B, and has the legal authority to give the warranties and fulfil the undertakings set out in these clauses.

e) It will identify to the data exporter a contact point within its organisation authorised to respond to enquiries concerning processing of the personal data, and will cooperate in good faith with the data exporter, the data subject and the authority concerning all such enquiries within a reasonable time. In case of legal dissolution of the data exporter, or if the parties have so agreed, the data importer will assume responsibility for compliance with the provisions of clause I(e).

f) At the request of the data exporter, it will provide the data exporter with evidence of financial resources sufficient to fulfil its responsibilities under clause III (which may include insurance coverage).

g) Upon reasonable request of the data exporter, it will submit its data processing facilities, data files and documentation needed for processing to reviewing, auditing and/or certifying by the data exporter (or any independent or impartial inspection agents or auditors, selected by the data exporter and not reasonably objected to by the data importer) to ascertain compliance with the warranties and undertakings in these clauses, with reasonable notice and during regular business hours. The request will be subject to any necessary consent or approval from a regulatory or supervisory authority within the country of the data importer, which consent or approval the data importer will attempt to obtain in a timely fashion.

h) It will process the personal data, at its option, in accordance with:

i. the data protection laws of the country in which the data exporter is established, or

ii. the relevant provisions^{^[1]} of any Commission decision pursuant to Article 25(6) of Directive 95/46/EC, where the data importer complies with the relevant provisions of such an authorisation or decision and is based in a country to which such an authorisation or decision pertains, but is not covered by such authorisation or decision for the purposes of the transfer(s) of the personal data^{^[2]}, or

iii. the data processing principles set forth in Annex A.

Data importer to indicate which option it selects: Section II(h)(iii);

i) It will not disclose or transfer the personal data to a third party data controller located outside the European Economic Area (EEA) unless it notifies the data exporter about the transfer and

i. the third party data controller processes the personal data in accordance with a Commission decision finding that a third country provides adequate protection, or

ii. the third-party data controller becomes a signatory to these clauses or another data transfer agreement approved by a competent authority in the EU, or

iii. data subjects have been given the opportunity to object, after having been informed of the purposes of the transfer, the categories of recipients and the fact that the countries to which data is exported may have different data protection standards, or

iv. with regard to onward transfers of sensitive data, data subjects have given their unambiguous consent to the onward transfer

III. Liability and third party rights

a) Each party shall be liable to the other parties for damages it causes by any breach of these clauses. Liability as between the parties is limited to actual damage suffered. Punitive damages (i.e. damages intended to punish a party for its outrageous conduct) are specifically excluded. Each party shall be liable to data subjects for damages it causes by any breach of third party rights under these clauses. This does not affect the liability of the data exporter under its data protection law.

b) The parties agree that a data subject shall have the right to enforce as a third party beneficiary this clause and clauses I(b), I(d), I(e), II(a), II(c), II(d), II(e), II(h), II(i), III(a), V, VI(d) and VII against the data importer or the data exporter, for their respective breach of their contractual obligations, with regard to his personal data, and accept jurisdiction for this purpose in the data exporter’s country of establishment. In cases involving allegations of breach by the data importer, the data subject must first request the data exporter to take appropriate action to enforce his rights against the data importer; if the data exporter does not take such action within a reasonable period (which under normal circumstances would be one month), the data subject may then enforce his rights against the data importer directly. A data subject is entitled to proceed directly against a data exporter that has failed to use reasonable efforts to determine that the data importer is able to satisfy its legal obligations under these clauses (the data exporter shall have the burden to prove that it took reasonable efforts).

IV. Law applicable to the clauses

These clauses shall be governed by the law of the country in which the data exporter is established, with the exception of the laws and regulations relating to processing of the personal data by the data importer under clause II(h), which shall apply only if so selected by the data importer under that clause.

V. Resolution of disputes with data subjects or the authority

a) In the event of a dispute or claim brought by a data subject or the authority concerning the processing of the personal data against either or both of the parties, the parties will inform each other about any such disputes or claims, and will cooperate with a view to settling them amicably in a timely fashion.

b) The parties agree to respond to any generally available non-binding mediation procedure initiated by a data subject or by the authority. If they do participate in the proceedings, the parties may elect to do so remotely (such as by telephone or other electronic means). The parties also agree to consider participating in any other arbitration, mediation or other dispute resolution proceedings developed for data protection disputes.

c) Each party shall abide by a decision of a competent court of the data exporter’s country of establishment or of the authority which is final and against which no further appeal is possible.

VI. Termination

a) In the event that the data importer is in breach of its obligations under these clauses, then the data exporter may temporarily suspend the transfer of personal data to the data importer until the breach is repaired or the contract is terminated.

b) In the event that:

i. the transfer of personal data to the data importer has been temporarily suspended by the data exporter for longer than one month pursuant to paragraph (a);

ii. compliance by the data importer with these clauses would put it in breach of its legal or regulatory obligations in the country of import;

iii. the data importer is in substantial or persistent breach of any warranties or undertakings given by it under these clauses;

iv. a final decision against which no further appeal is possible of a competent court of the data exporter’s country of establishment or of the authority rules that there has been a breach of the clauses by the data importer or the data exporter; or

v. a petition is presented for the administration or winding up of the data importer, whether in its personal or business capacity, which petition is not dismissed within the applicable period for such dismissal under applicable law; a winding up order is made; a receiver is appointed over any of its assets; a trustee in bankruptcy is appointed, if the data importer is an individual; a company voluntary arrangement is commenced by it; or any equivalent event in any jurisdiction occurs

then the data exporter, without prejudice to any other rights which it may have against the data importer, shall be entitled to terminate these clauses, in which case the authority shall be informed where required. In cases covered by (i), (ii), or (iv) above the data importer may also terminate these clauses.

c) Either party may terminate these clauses if (i) any Commission positive adequacy decision under Article 25(6) of Directive 95/46/EC (or any superseding text) is issued in relation to the country (or a sector thereof) to which the data is transferred and processed by the data importer, or (ii) Directive 95/46/EC (or any superseding text) becomes directly applicable in such country.

d) The parties agree that the termination of these clauses at any time, in any circumstances and for whatever reason (except for termination under clause VI(c)) does not exempt them from the obligations and/or conditions under the clauses as regards the processing of the personal data transferred.

VII. Variation of these clauses

The parties may not modify these clauses except to update any information in Annex B, in which case they will inform the authority where required. This does not preclude the parties from adding additional commercial clauses where required.

VIII. Description of the Transfer

The details of the transfer and of the personal data are specified in Annex B. The parties agree that Annex B may contain confidential business information which they will not disclose to third parties, except as required by law or in response to a competent regulatory or government agency, or as required under clause I(e). The parties may execute additional annexes to cover additional transfers, which will be submitted to the authority where required. Annex B may, in the alternative, be drafted to cover multiple transfers.

ANNEX A

DATA PROCESSING PRINCIPLES

1. Purpose limitation: Personal data may be processed and subsequently used or further communicated only for purposes described in Annex B or subsequently authorised by the data subject.

2. Data quality and proportionality: Personal data must be accurate and, where necessary, kept up to date. The personal data must be adequate, relevant and not excessive in relation to the purposes for which they are transferred and further processed.

3. Transparency: Data subjects must be provided with information necessary to ensure fair processing (such as information about the purposes of processing and about the transfer), unless such information has already been given by the data exporter.

4. Security and confidentiality: Technical and organisational security measures must be taken by the data controller that are appropriate to the risks, such as against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, presented by the processing. Any person acting under the authority of the data controller, including a processor, must not process the data except on instructions from the data controller.

5. Rights of access, rectification, deletion and objection: As provided in Article 12 of Directive 95/46/EC, data subjects must, whether directly or via a third party, be provided with the personal information about them that an organisation holds, except for requests which are manifestly abusive, based on unreasonable intervals or their number or repetitive or systematic nature, or for which access need not be granted under the law of the country of the data exporter. Provided that the authority has given its prior approval, access need also not be granted when doing so would be likely to seriously harm the interests of the data importer or other organisations dealing with the data importer and such interests are not overridden by the interests for fundamental rights and freedoms of the data subject. The sources of the personal data need not be identified when this is not possible by reasonable efforts, or where the rights of persons other than the individual would be violated. Data subjects must be able to have the personal information about them rectified, amended, or deleted where it is inaccurate or processed against these principles. If there are compelling grounds to doubt the legitimacy of the request, the organisation may require further justifications before proceeding to rectification, amendment or deletion. Notification of any rectification, amendment or deletion to third parties to whom the data have been disclosed need not be made when this involves a disproportionate effort. A data subject must also be able to object to the processing of the personal data relating to him if there are compelling legitimate grounds relating to his particular situation. The burden of proof for any refusal rests on the data importer, and the data subject may always challenge a refusal before the authority.

6. Sensitive data: The data importer shall take such additional measures (e.g. relating to security) as are necessary to protect such sensitive data in accordance with its obligations under clause II.

7. Data used for marketing purposes: Where data are processed for the purposes of direct marketing, effective procedures should exist allowing the data subject at any time to “opt-out” from having his data used for such purposes.

8. Automated decisions: For purposes hereof “automated decision” shall mean a decision by the data exporter or the data importer which produces legal effects concerning a data subject or significantly affects a data subject and which is based solely on automated processing of personal data intended to evaluate certain personal aspects relating to him, such as his performance at work, creditworthiness, reliability, conduct, etc. The data importer shall not make any automated decisions concerning data subjects, except when:

a) i. such decisions are made by the data importer in entering into or performing a contract with the data subject, and
ii. the data subject is given an opportunity to discuss the results of a relevant automated decision with a representative of the parties making such decision or otherwise to make representations to that parties.

b) where otherwise provided by the law of the data exporter.

ANNEX B

DESCRIPTION OF THE TRANSFER

By entering into the Standard Contractual Clauses, pursuant to Section 12 of the Addendum, the parties are deemed to have signed this Annex B.

Data subjects
The personal data transferred concern the following categories of data subjects:
The personal data transferred typically concern the individuals being evaluated or assessed via the Emergenetics Platform.

Purposes of the transfer(s)
The transfer is made for the following purposes:
Enabling the data importer to offer and/or provide the Emergenetics services on behalf of the data exporter.

Categories of data
The personal data transferred typically concern the following categories of data:
Personal data typically include biographical data, contact data, learning/management and personality styles evaluation outcomes.

Recipients
The personal data transferred may be disclosed only to the following recipients or categories of recipients:
Parties that would need such personal data to facilitate the provision of the Emergenetics services.

Contact points for data protection enquiries shall be provided by both parties, as set out in the Addendum.

[1] “Relevant provisions” means those provisions of any authorisation or decision except for the enforcement provisions of any authorisation or decision (which shall be governed by these clauses).

[2] However, the provisions of Annex A.5 concerning rights of access, rectification, deletion and objection must be applied when this option is chosen and take precedence over any comparable provisions of the Commission Decision selected.