4. Obligations of the Data Exporter

The Data Exporter agrees and warrants —

(a) that the Processing, including the transfer itself, of the Personal Data has been and will continue to be carried out in accordance with the relevant provisions of the Regulations (and, where applicable, has been notified to the Registrar) and does not violate those Regulations;
(b) that it has instructed, and throughout the duration of the Personal Data Processing services will instruct, the Data Importer to Process the Personal Data transferred only on the Data Exporter's behalf and in accordance with the Regulations and the Clauses;
(c) that the Data Importer will provide sufficient guarantees in respect of the technical and organisational measures specified in Annex B to these Clauses;
(d) that after assessment of the requirements of the Regulations, the security measures are appropriate to protect Personal Data against unauthorised or unlawful Processing and against accidental loss or destruction or damage, particularly where the Processing involves the transmission of data over a network, and against all other unlawful forms of Processing, and that these measures ensure a level of security appropriate to the risks presented by the Processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
(e) that it will ensure compliance with the security measures specified in paragraph (d);
(f) that, if the transfer involves Sensitive Personal Data, the Data Exporter is in compliance with section 3 of the Regulations in respect of the transfer to the Data Importer;
(g) that, in the event of subprocessing, the Processing activity is carried out in accordance with Clause 11 by a Subprocessor providing at least the same level of protection for the Personal Data and the rights of the Data Subject as the Data Importer under the Clauses; and
(h) that it will ensure compliance with Clause 4(a) to (g).