3. Obligations of the Data Importer

(1) The Data Importer warrants and undertakes that —
(a) it will have in place appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss or destruction or damage, and which provide a level of security appropriate to the risk represented by the Processing and the nature of the data to be protected;
(b) it will have in place procedures so that any Third Party it authorises to have access to the Personal Data, including Data Processors, will respect and maintain the confidentiality and security of the Personal Data. Any person acting under the authority of the Data Importer, including a Data Processor, shall be obligated to Process the Personal Data only on instructions from the Data Importer. This provision does not apply to persons authorised or required by the Regulations to have access to the Personal Data;
(c) it has no reason to believe in the existence of any non-Abu Dhabi Global Market laws that would have a substantial adverse effect on the enforceability of these Clauses, and it will promptly inform the Data Exporter (which will pass such notification on to the Registrar where required) if it becomes aware of any such laws or any changes in such laws which have such a substantial adverse effect;
(d) it will Process the Personal Data for purposes described in Annex B, and has the legal authority to give the warranties and fulfil the undertakings set out in these Clauses;
(e) it will identify to the Data Exporter a contact point within its organisation authorised to respond to enquiries concerning Processing of the Personal Data, and will cooperate in good faith with the Data Exporter, the Data Subject and the Registrar concerning all such enquiries within a reasonable time;
(f) at the request of the Data Exporter, it will provide the Data Exporter with evidence of financial resources sufficient to fulfil its responsibilities under Clause 4 (which may include insurance coverage);
(g) upon reasonable request of the Data Exporter, it will submit its data Processing facilities, data files and documentation needed for Processing to reviewing, auditing and/or certifying by the Data Exporter (or any independent or impartial inspection agents or auditors, selected by the Data Exporter and not reasonably objected to by the Data Importer) to ascertain compliance with the warranties and undertakings in these Clauses, with reasonable notice and during regular business hours. The request will be subject to any necessary consent or approval from a regulatory or supervisory authority within the country of the Data Importer, which the Data Importer will attempt to obtain in a timely fashion;
(h) it will Process the Personal Data, at its option, in accordance with —
(i) the Regulations, or
(ii) the data Processing principles set forth in Annex A,

Data Importer to indicate which option it selects: ...................

Initials of Data Importer: ...................................; and
(i) it will promptly notify the Data Exporter about —
(i) any legally binding request for disclosure of the Personal Data by a law enforcement authority unless otherwise prohibited, such as a prohibition under the criminal law of any jurisdiction outside the Abu Dhabi Global Market to preserve the confidentiality of a law enforcement investigation;
(ii) any accidental or unauthorised access; and
(iii) any request received directly from the Data Subjects without responding to that request, unless it has been otherwise authorised to do so.
(2) The Data Importer warrants and undertakes that it will not disclose or transfer the Personal Data to a third party data controller located outside the Abu Dhabi Global Market unless it notifies the Data Exporter about the transfer and —
(i) the third party data controller processes the Personal Data in accordance with a Registrar decision finding that a jurisdiction outside the Abu Dhabi Global Market provides adequate protection;
(ii) the third party data controller becomes a signatory to these Clauses or another data transfer agreement approved by the Registrar;
(iii) Data Subjects have been given the opportunity to object, after having been informed of the purposes of the transfer, the categories of recipients and the fact that the jurisdictions to which data is exported may have different data protection standards; or
(iv) with regard to onward transfers of Sensitive Personal Data, Data Subjects have given their consent to the onward transfer.