
(ii) additional measures are reasonably necessary to enable the transfer to be compliant with
the Data Protection Laws; and
(iii) it is still appropriate for Personal Data to be transferred to the relevant Data Importer,
taking into account all relevant information available to the parties, together with guidance provided
by the supervisory authorities.
6.6.4 If Data Protection Laws require the Data Exporter to execute the Standard Contractual Clauses
applicable to a particular transfer of Personal Data to a Data Importer as a separate agreement, the
Data Importer shall, on request of the Data Exporter, promptly execute such Standard Contractual
Clauses incorporating such amendments as may reasonably be required by the Data Exporter to
reflect the applicable appendices and annexes, the details of the transfer and the requirements of
the relevant Data Protection Laws.
6.6.5 If either (i) any of the means of legitimizing transfers of Personal Data outside of the EEA or UK set
forth in this DPA cease to be valid or (ii) any supervisory authority requires transfers of Personal Data
pursuant to those means to be suspended, then Data Importer may by notice to the Data Exporter,
with effect from the date set out in such notice, amend or put in place alternative arrangements in
respect of such transfers, as required by Data Protection Laws.
6.7 Company and Customer agree that the data export solution identified in Sections 6.2 through 6.5 shall not
apply if and to the extent that Company adopts an alternative data export solution for the lawful transfer of Personal
Data, as recognized under applicable Data Protection Laws (“Alternative Transfer Mechanism”), in which event, the
Alternative Transfer Mechanism shall apply instead (but only to the extent such Alternative Transfer Mechanism
extends to the territories to which Personal Data is transferred).
7. Rights of Data Subjects
7.1 Company shall, to the extent permitted by law, notify Customer upon receipt of a request by a Data Subject
to exercise the Data Subject’s right of: access, rectification, erasure, data portability, restriction or cessation of
processing, withdrawal of consent to processing, and/or objection to being subject to processing that constitutes
automated decision-making (such requests individually and collectively “Data Subject Request(s)”). If Company
receives a Data Subject Request in relation to Customer’s data, Company will advise the Data Subject to submit their
request to Customer and Customer will be responsible for responding to such request, including, where necessary, by
using the functionality of the Services. Customer is solely responsible for ensuring that Data Subject Requests for
erasure, restriction or cessation of processing, or withdrawal of consent to processing of any Personal Data are
communicated to Company, and, if applicable, for ensuring that a record of consent to processing is maintained with
respect to each Data Subject.
7.2 Company shall, at the request of the Customer, and taking into account the nature of the processing
applicable to any Data Subject Request, apply appropriate technical and organizational measures to assist Customer
in complying with Customer’s obligation to respond to such Data Subject Request and/or in demonstrating such
compliance, where possible, provided that (i) Customer is itself unable to respond without Company’s assistance and
(ii) Company is able to do so in accordance with all applicable laws, rules, and regulations. Customer shall be
responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Company.
8. Actions and Access Requests; Audits
8.1 Company shall, taking into account the nature of the processing and the information available to Company,
provide Customer with reasonable cooperation and assistance where necessary for Customer to comply with its
obligations under the GDPR to conduct a data protection impact assessment and/or to demonstrate such compliance,
provided that Customer does not otherwise have access to the relevant information. Customer shall be responsible to
the extent legally permitted for any costs and expenses arising from any such assistance by Company.
8.2 Company shall, taking into account the nature of the processing and the information available to Company,
provide Customer with reasonable cooperation and assistance with respect to Customer’s cooperation and/or prior
consultation with any Supervisory Authority, where necessary and where required by the GDPR. Customer shall be
responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Company.