1. Definitions and Interpretation

All capitalised terms used in this Clause and not otherwise defined in this Agreement shall have the meanings given to them in the General Data Protection Regulation ((EU) 2016/679) (the “GDPR”) and such other applicable data protection laws worldwide, including, but not limited to, those of the United Kingdom, the European Union and the United States of America (together the “Applicable Data Protection Legislation”).  “Personal Data” shall be interpreted to include “personal information” and any comparable term used in Applicable Data Protection Legislation. 

2. Processing of Company Personal Data

2.1. The Parties acknowledge and agree that, in performing the Services, AlixPartners may Process Personal Data provided by the Company or collected on the Company’s behalf (“Company Personal Data”).

2.2. The Company and AlixPartners shall each comply with all relevant provisions of the Applicable Data Protection Legislation in relation to the Processing of the Company Personal Data in relation to the Services.

2.3. The parties acknowledge that the role of each party in relation to the processing of Company Personal Data pursuant to this Agreement will be dictated by the factual arrangement between them and the nature of their respective rights and obligations concerning data protection. Where AlixPartners processes Company Personal Data as an independent data controller, the provisions of clause 4 will apply. Where AlixPartners processes Company Personal Data as a data processor, the provisions of clause 5 will apply. The parties do not intend to process any Company Personal Data as joint data controllers. 

3. Obligations of the Company

3.1. The Company will ensure that it is lawfully permitted to transfer the Company Personal Data to AlixPartners, and that AlixPartners is lawfully permitted to collect Company Personal Data specified by the Company as being required for AlixPartners’ performance of the Services.

3.2. For all Company Personal Data that AlixPartners receives or collects, and to the extent necessary for AlixPartners’ Processing of Company Personal Data in order to provide the Services, the Company shall provide Data Subjects with all fair processing information required by Applicable Data Protection Legislation and shall obtain from Data Subjects all consents required under Applicable Data Protection Legislation.

3.3. The Company consents to AlixPartners appointing the third-party Processors (or sub-processors, as the case may be) of Company Personal Data under this Agreement. AlixPartners confirms that it will enter into a written agreement with any third-party (sub-)Processor prior to supplying them with the Company Personal Data, incorporating terms which are: (a) sufficient to comply with the requirements of Applicable Data Protection Laws; and (b) appropriate to the risk associated with the processing of any Company Personal Data. As between the Company and AlixPartners, AlixPartners shall remain liable, subject to the Agreement, for acts or omissions of any third-party (sub-)Processor appointed by AlixPartners pursuant to this clause.

3.4. The Company acknowledges that AlixPartners is an international business, headquartered in the United States of America (“US”) and that AlixPartners may, in the ordinary course of its business including the performance of the Services, transfer Company Personal Data outside the country in which it was received to its US-based Affiliates or any other AlixPartners’ Affiliates globally in accordance with Applicable Data Protection Legislation. The Company acknowledges and agrees that AlixPartners, as reasonably required for the performance of the Services pursuant to this Agreement, be permitted to transfer Personal Data to its Affiliates in accordance with Applicable Data Protection Legislation and the terms of this Addendum.

4. AlixPartners acting as an independent data controller

4.1. AlixPartners shall, in relation to any Company Personal Data Processed by AlixPartners in performance of the Services:

4.1.1. only process Company Personal Data for the following purposes: (i) to provide the Services to the Company; (ii) to comply with AlixPartners’ obligations under applicable laws, regulations or professional accreditations and standards; (iii) to respond to information requests and other communications from relevant authorities, as required or permitted by law; (iv) for client relationship purposes, including sending relevant information and invitations to client contacts in accordance with their preferences; (v) anonymisation to enable AlixPartners to conduct data analysis for the improvement of our products and services; and (vi) for administrative and other reasonable business purposes;

4.1.2. implement and maintain physical and logical security and provide technical and organizational safeguards that ensure a level of security appropriate to the risks presented by the Processing, including those set out in AlixPartners’ Information Security Program Overview[A1] ;

4.1.3. ensure that AlixPartners personnel authorised to access Company Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

4.1.4. at the Company’s cost, assist the Company in complying with its obligations under Applicable Data Protection Legislation, including providing information necessary for the Company to respond to requests from Data Subjects and assisting with responses to regulators in connection with the processing of Company Personal Data; and

4.1.5. notify the Company without undue delay on becoming aware of a Personal Data Breach or any request by a Data Subject or regulator regarding the processing of Company Personal Data.

4.2. The Parties shall comply with the data transfer provisions set out in:

4.2.1. Schedule 1 – Controller To Controller Restricted Transfers Originating from the EEA, Switzerland and the United Kingdom;

4.2.2. Module 1 of the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council approved by the European Union Commission Decision of 4 June 2021 available here (“C2C SCCs");  and

4.2.3. Schedule 3 – Restricted Transfers Originating from Outside Europe.

5. AlixPartners acting as a data processor

5.1. AlixPartners shall, in relation to any Company Personal Data Processed, on behalf of the Company, by AlixPartners in performance of the Services:

5.1.1. only Process Company Personal Data in accordance with the Company’s documented instructions for the purposes of providing the Services as specified in Schedule 2 (including when making an international transfer of Company Personal Data or otherwise sharing Company Personal Data) unless required to do so by law;

5.1.2. assist the Company in complying with its obligations under Applicable Data Protection Legislation to respond to requests from Data Subjects and respond to any other correspondence, received from a Data Subject, regulator or other third party in connection with the processing of such Company Personal Data;

5.1.3. notify the Company in accordance with Applicable Data Protection Legislation without undue delay: (a) on becoming aware of a Personal Data Breach affecting Company Personal Data; and (b) any request by a Data Subject or regulator relating to Company Personal Data;

5.1.4. ensure that AlixPartners personnel authorised to access Company Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

5.1.5. promptly inform the Company if, in its opinion, an instruction from the Company violates Applicable Data Protection Legislation or if AlixPartners determines it can no longer comply with Applicable Data Protection Legislation or the terms of this Agreement;

5.1.6. upon termination or expiration of this Agreement either delete or return any Company Personal Data and any copies thereof to the Company (except to the extent AlixPartners is required by law to retain such Company Personal Data, and except for Company Personal Data located on AlixPartners’ disaster recovery or backup systems where it will be destroyed upon the normal expiration of the backup files);

5.1.7. at the Company’s cost (including hourly fees at AlixPartners’ standard hourly rates), assist the Company in complying with its obligations under Applicable Data Protection Legislation to notify Data Subjects and regulators, complete privacy assessments, and meet security requirements;

5.1.8. implement and maintain physical and logical security and provide technical and organizational safeguards that ensure a level of security appropriate to the risks presented by the Processing, including those set out in AlixPartners’ Information Security Program Overview[A2] ;

5.1.9. not collect, retain, use, disclose, sell, or otherwise Process Personal Data for any purpose other than performing the Services, nor combine Personal Data collected in the performance of the Services with Personal Data collected in other circumstances unless in accordance with the Company’s written instructions and consistent with AlixPartners’ role as a Data Processor, Service Provider, or comparable entity under Applicable Data Protection Legislation;

5.1.10. maintain appropriate records to demonstrate compliance with this Clause 5.1. If Company receives notice that Company Personal Data Processed subject to this Agreement is Processed without authorization, the Company and AlixPartners agree to cooperate in good faith to suspend and remediate such Processing; and

5.1.11. In addition to meeting its obligations under clause 3.3, AlixPartners shall provide the Company with prior notice of the identity of any third party Sub-Processor(s) it wishes to appoint and the specific services to be sub-contracted. See (https://www.alixpartners.com/policies/subprocessors/) for a list of sub-processors that may process data during this engagement.

5.2. The Parties shall comply with the data export provisions set out in:

5.2.1. Schedule 2 – Controller To Processor Restricted Transfers Originating from the EEA, Switzerland and the United Kingdom;

5.2.2. Module 2 of the 2021 SCCs; and

5.2.3. Schedule 3 - Restricted Transfers Originating from Outside Europe.

6. Audits

Upon reasonable notice to AlixPartners, AlixPartners shall permit the Company (or a mutually agreed third-party auditor) to audit AlixPartners's compliance with this DPA and, to that effect, shall make available records and supporting documentation, necessary to conduct such audit. The Company will not exercise its audit rights more than once in any twelve (12) calendar month period, except if and when required by instruction of a competent data protection authority; or the Company believes a further audit is necessary due to an AlixPartners Personal Data Breach affecting Company Personal Data.

Schedule 1 – Controller to controller restricted transfers from the EEA, Switzerland and the United Kingdom

For the purposes of this Schedule “Restricted Transfer” means a transfer of Company Personal Data by the Company to AlixPartners (or any onward transfer), where such transfer would be prohibited by the Applicable Data Protection Laws in the absence of the protection for the transferred Company Personal Data provided by the EU Standard Contractual Clauses.

1. Restricted Transfers Originating from the EEA

1.1. In relation to Restricted Transfers of Company Personal Data from the EEA, AlixPartners and relevant AlixPartners Affiliates that import Company Personal Data (the “AlixPartners Data Importer(s)”), and the Company shall, with effect from the commencement of the relevant transfer hereby enter into and agree to be bound by Module 1 of the Standard Contractual Clauses for Controller-to-Controller Transfers, approved by the European Union Commission Decision of 4 June 2021 (“C2C SCCs”). The C2C SCCs shall also incorporate the following specific terms:

1.1.1. Clause 7 – the Docking clause of the C2C SCCs shall not apply;

1.1.2. Clause 9 – In relation to the use of subprocessors the Parties agree that "Option 2" (general written authorization) of the C2C SCCs shall apply. AlixPartners shall inform the Company 30 days' in advance of any additions or replacements to its list of approved subprocessors taking place; 

1.1.3. Clause 11(a) – In relation to redress for Data Subjects under the C2C SCCs, the optional language shall not apply;

1.1.4. Clause 13(a) – The following language shall be added: “Where the data exporter is established in an EU Member State the supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority”.

1.1.5. Clause 17 –The Parties agree that the C2C SCCs shall be governed by the laws and courts of the Republic of Ireland.

1.1.6. Clause 18 – The parties agree that any dispute arising from the C2C SCCs shall be resolved by the laws and courts of the Republic of Ireland.  

1.1.7. Annex I of the C2C SCCs shall be deemed to be pre-populated with the relevant sections of Annex 1.B to this Schedule, and the processing operations are deemed to be those described therein and in the Agreement; and

1.1.8. Annex II of the C2C SCCs shall be deemed to be pre-populated with the relevant sections of Annex II to this Schedule.

1.2. The Company hereby agrees that the AlixPartners’ Data Importer(s)’ liability to the Company under the C2C SCCs and this Agreement shall be determined solely by the terms of this Agreement as applicable to AlixPartners, including (without limitation) any limitations on and/ or exclusions from liability contained in the Agreement.

2. Restricted Transfers Originating from Switzerland

2.1. In relation to Restricted Transfers of Company Personal Data from Switzerland, the AlixPartners Data Importer(s) and the Company shall, with effect from the commencement of the relevant transfer hereby enter into and agree to be bound by the C2C SCCs. In the event of any conflict between the provisions in this part 2 of this Schedule and the C2C SCCs, the C2C SCCs shall prevail. The C2C SCCs for Restricted Transfers from Switzerland shall also incorporate the following specific terms:

2.1.1. Clause 13 - To the extent the transfer of Company Personal Data as specified in Annex I.B is subject to the Swiss Federal Act on Data Protection (“CH-DPA”), the FDPIC shall be specified as the competent supervisory authority. To the extent the transfer of personal data as specified in Annex I.B is subject to the GDPR, the supervisory authority of the Member State in which the Swiss data exporter’s EU representative is established under GDPR Article 27.1 shall act as competent supervisory authority.

2.1.2. Clause 17 - The Parties agree that the C2C SCCs shall be governed by the laws of Switzerland.

2.1.3. Clause 18 – The Parties agree that any dispute arising from the C2C SCCs shall be resolved by the courts of Switzerland.

2.2. To the extent that the transfer of Company Personal Data is subject to Applicable Data Protection Legislation in Switzerland, the C2C SCCs shall be read and interpreted in light of the provisions of Applicable Data Protection Legislation in Switzerland, so that they fulfil the intention for them to provide the appropriate safeguards as required by such laws. The C2C SCCs shall not be interpreted in a way that conflicts with rights and obligations provided for in Applicable Data Protection Legislation in Switzerland.

2.3. For the purposes of Applicable Data Protection Legislation in Switzerland, in Clause 18(c) of the C2C SCCs, "Member State" will be interpreted in such a way as to not to exclude Data Subjects in Switzerland from the possibility of bringing a claim under the C2C SCCs before the courts in Switzerland, and Part C of Annex 1 shall include the Swiss Federal Data Protection and Information Commissioner.

2.4. The C2C SCCs shall also apply to the transfer of information relating to an identified or identifiable legal entity where such information is protected similarly as Personal Data under Applicable Data Protection Legislation in Switzerland, until such laws are amended to no longer apply to a legal entity.

3. Restricted Transfers Originating from the UK

3.1. In relation to Restricted Transfers of Company Personal Data from the UK, the AlixPartners Data Importers and the Company shall, with effect from the commencement of the relevant transfer hereby enter into and agree to be bound by the Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the Information Commissioners Office (“ICO”) and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under section ‎‎18 of those Mandatory Clauses.

3.2. The information required by Part 1, Tables 1 to 3 of the Approved Addendum is set out in this Schedule and its respective Annexes (as applicable). For the purposes of Part 1, Table 4 of the Approved Addendum, neither party is entitled to terminate the Approved Addendum in the event that the ICO issues a revised Approved Addendum under Section 18.

Annex I

A. List of parties

Data exporter(s):

Name Company See Agreement

Address: See Agreement

Contact person’s name, position and contact details: See Agreement

Activities relevant to the data transferred under these Clauses: See Data Protection Schedule of Agreement

Signature and date: See Agreement

Role (controller/processor): Controller

 

Data importer(s):

Name: AlixPartners See Agreement

Contact person’s name, position and contact details: See Signature on Agreement

Activities relevant to the data transferred under these Clauses: See Data Protection Schedule of Agreement

Signature and date: See Agreement

Role (controller/processor): Controller

B. Description of transfer

See Data Protection Schedule of Agreement

C. Competent supervisory authority

For the EU: Irish Data Protection Commissioner

For Switzerland: Swiss Federal Data Protection and Information Commissioner

For the UK: Information Commissioner’s Office

Annex II

Technical and organisational measures including technical and organisational measures to ensure the security of the data

See www.alixpartners.com/it-1000

Schedule 2 – Controller to processor restricted transfers originating from the EEA, Switzerland and the United Kingdom

For the purposes of this Schedule “Restricted Transfer” means a transfer of Company Personal Data by the Company to AlixPartners (or any onward transfer), where such transfer would be prohibited by the Applicable Data Protection Laws in the absence of the protection for the transferred Company Personal Data provided by the EU Standard Contractual Clauses.

1. Restricted Transfers Originating from the EEA

1.1. In relation to Restricted Transfers of Company Personal Data from the EEA, AlixPartners, and relevant AlixPartners Affiliates that import Company Personal Data (the “AlixPartners Data Importer(s)”), and the Company shall with effect from the commencement of the relevant transfer hereby enter into and agree to be bound by Module 2 of the Standard Contractual Clauses for Controller-to-Processor Transfers approved by the European Union Commission Decision of 4 June 2021 (“C2P SCCs”). The C2P SCCs shall also incorporate the following specific terms:

1.1.1. Clause 7 – Docking clause of the C2P SCCs shall not apply;

1.1.2. Clause 9 – In relation to the use of subprocessors the Parties agree that "Option 2" (general written authorization) of the C2P SCCs shall apply. AlixPartners shall inform the Company 30 days' in advance of any additions or replacements to its list of approved subprocessors taking place;

1.1.3. Clause 11(a) – In relation to redress for Data Subjects under C2P SCCs, the optional language shall not apply;

1.1.4. Clause 13(a) – the following language shall be added: “Where the data exporter is established in an EU Member State, the supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority”;

1.1.5. Clause 17 – The Parties agree that the C2P SCCs shall be governed by the law of the EU Member State in which the data exporter is established.  Where such law does not allow for third-party beneficiary rights, they shall be governed by the law of another EU Member State that does allow for third-party beneficiary rights. The Parties agree that this shall be by the laws and courts of the Republic of Ireland;

1.1.6. Clause 18 – The Parties agree that any dispute arising from the C2P SCCs shall be resolved by the courts of an EU Member State. The parties agree that those shall be by the laws and courts of the Republic of Ireland;  

1.1.7. Annex I of the C2P SCCs shall be deemed to be pre-populated with the relevant sections of Annex 1.B to this Schedule, and the processing operations are deemed to be those described therein and in the Agreement;

1.1.8. Annex II of the C2P SCCs shall be deemed to be pre-populated with the relevant sections of Annex II to this Schedule; and

1.1.9. Annex III of the C2P SCCs shall be deemed to be pre-populated with the relevant sections of Annex III to this Schedule.

1.2. The Company hereby agrees that the AlixPartners’ Data Importer(s)’ liability to the Company under the C2P SCCs and this Agreement shall be determined solely by the terms of this Agreement as applicable to AlixPartners, including (without limitation) any limitations on and/ or exclusions from liability contained in the Agreement.

2. Restricted Transfers Originating from Switzerland

2.1. In relation to Restricted Transfers of Company Personal Data from Switzerland, the AlixPartners Data Importers and the Company shall, with effect from the commencement of the relevant transfer hereby enter into and agree to be bound by the C2P SCCs. In the event of any conflict between the provisions in this part 2 of this Schedule and the C2P SCCs, the C2P SCCs shall prevail. The C2P SCCs for Restricted Transfers from Switzerland shall also incorporate the following specific terms:

2.1.1. Clause 13 – To the extent the transfer of Company Personal Data as specified in Annex I.B is subject to the Swiss Federal Act on Data Protection (“CH-DPA”), the FDPIC shall be specified as the competent supervisory authority. To the extent the transfer of personal data as specified in Annex I.B is subject to the GDPR, the supervisory authority of the Member State in which the Swiss data exporter’s EU representative is established under GDPR Article 27.1 shall act as competent supervisory authority.

2.1.2. Clause 17 – The Parties agree that the C2P SCCs shall be governed by the law of Switzerland.

2.1.3. Clause 18 – The Parties agree that any dispute arising from the C2P SCCs shall be resolved by the courts of Switzerland.

2.1.4. To the extent that the transfer of Personal Data is subject to Applicable Data Protection Legislation in Switzerland, the C2P SCCs shall be read and interpreted in light of the provisions of Applicable Data Protection Legislation in Switzerland, so that they fulfil the intention for them to provide the appropriate safeguards as required by such laws. The C2P SCCs shall not be interpreted in a way that conflicts with rights and obligations provided for in Applicable Data Protection Legislation in Switzerland.

2.1.5. For the purposes of Applicable Data Protection Legislation in Switzerland, in Clause 18(c) of the C2P SCCs, "Member State" will be interpreted in such a way as to not to exclude Data Subjects in Switzerland from the possibility of bringing a claim under the C2P SCCs before the courts in Switzerland, and Part C of Annex 1 shall include the Swiss Federal Data Protection and Information Commissioner.

2.1.6. The C2P SCCs shall also apply to the transfer of information relating to an identified or identifiable legal entity where such information is protected similarly as Personal Data under Applicable Data Protection Legislation in Switzerland, until such laws are amended to no longer apply to a legal entity.

3. Restricted Transfers Originating from the UK

3.1. In relation to Restricted Transfers of Company Personal Data from the UK, the AlixPartners Data Importers and the Company shall, with effect from the commencement of the relevant transfer hereby enter into and agree to be bound by the Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the Information Commissioners Office (“ICO”) and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under section ‎‎18 of those Mandatory Clauses.

3.2. The information required by Part 1, Tables 1 to 3 of the Approved Addendum is set out in this Schedule and its respective Annexes (as applicable). For the purposes of Part 1, Table 4 of the Approved Addendum, neither party may end the Approved Addendum in the event that the ICO issues a revised Approved Addendum under Section 18.

Annex I

A. List of parties

Data exporter(s):

Name Company See Agreement

Address: See Agreement

Contact person’s name, position and contact details: See Agreement

Activities relevant to the data transferred under these Clauses: See Data Protection Schedule of Agreement

Signature and date: See Agreement

Role (controller/processor): Controller

 

Data importer(s):

Name: AlixPartners See Agreement

Contact person’s name, position and contact details: See Signature on Agreement

Activities relevant to the data transferred under these Clauses: See Data Protection Schedule of Agreement

Signature and date: See Agreement

Role (controller/processor): Processor

B. Description of transfer

See Data Protection Schedule of Agreement

C. Competent supervisory authority

For the EU: Irish Data Protection Commissioner

For Switzerland: Swiss Federal Data Protection and Information Commisioner

For the UK: Information Commissioner’s Office

Annex II

Technical and organisational measures including technical and organisational measures to ensure the security of the data

See www.alixpartners.com/it-1000

Annex III

List of subprocessors

/policies/processors-subprocessors/

Schedule 3 – Restricted transfers from China, Japan and South Korea

1. Transfer from China

The following provisions apply to all transfers of Company Personal Data from Company to AlixPartners to the extent that the Company is established in China.

1.1. Personal Data shall mean “personal data”, “important data” or “national core data” within the meaning of Applicable Data Protection Legislation in China, including, in respect of “personal data”, the Cyber Security Law and the Personal Information Protection Law, and, in respect of “important data” and “national core data”, the Cyber Security Law and the Data Security Law, as each may be amended or superseded from time to time.

1.2. The Company will not transfer Personal Data to AlixPartners to the extent that doing so is prohibited by Applicable Data Protection Legislation.  The Company shall obtain any and all consents and approvals required under Applicable Data Protection Legislation, make any and all notifications required under Applicable Data Protection Legislation and meet any other requirements under Applicable Data Protection Legislation for lawful transfers of Personal Data to AlixPartners.

1.3. The Company will not transfer Personal Data to a place outside of China to the extent that doing so is prohibited by Applicable Data Protection Legislation. The Company shall obtain any and all consents and approvals required under Applicable Data Protection Legislation, make any and all notifications required under Applicable Data Protection Legislation and meet any other requirements under Applicable Data Protection Legislation for lawful transfers of Personal Data to a place outside of China.

1.4. The Company warrants and undertakes that Personal Data have been collected, Processed and stored in accordance with the laws applicable to the Company in China. In the case of a transfer of Personal Data from the Company to a territory outside China, it is the responsibility of the Company to ensure that the transfer is lawful and data subjects have given their unambiguous consent to the transfer and have been notified of all information required to be notified in respect of the transfer in accordance with Applicable Data Protection Legislation.

1.5. AlixPartners and AlixPartners Affiliates shall Process and use Personal Data received for purposes as consented to by data subjects or as otherwise permitted under Applicable Data Protection Legislation.

1.6. AlixPartners and AlixPartners Affiliates shall maintain the security and confidentiality of Personal Data.

1.7. AlixPartners and AlixPartners Affiliates shall avoid providing or transferring the Personal Data to any third party, except when authorized by the Company and consented to by data subjects (including to subcontractors subject to the same obligations as AlixPartners and AlixPartners Affiliates) or when required by applicable law (e.g., when lawfully requested by competent authorities).

1.8. AlixPartners and AlixPartners Affiliates shall update Personal Data according to any instructions from the Company.

1.9. AlixPartners and AlixPartners Affiliates shall make Personal Data accessible to the Company upon reasonable request and provide the Company with information concerning AlixPartners and AlixPartners Affiliates’ security controls from time to time upon request.

2. Transfer from Japan

The following provisions apply to all transfers of Personal Data if controlled by the Company in Japan.

2.1. For the avoidance of doubt, “Applicable Data Protection Legislation” includes the Act on the Protection of Personal Information “APPI” (Act No. 57 of 2003, as amended).

2.2. AlixPartners and AlixPartners Affiliates shall not Process Personal Data for purposes other than those described in the Agreement, or as otherwise agreed by the Company (for the purpose of this clause, the “Utilization Purposes”) without the prior written consent of the Company. The Company represents that it has notified all applicable Data Subjects of the Utilization Purposes to the extent required by Applicable Data Protection Legislation.

2.3. AlixPartners and AlixPartners Affiliates and the Company agree that the Company shall collect all consents from Data Subjects required by Applicable Data Protection Legislation, including without limitation for (1) the collection of any “Special Care-Required Personal Information” (as defined by Applicable Data Protection Legislation) and (2) any disclosures of Personal Data made by the Company to third parties, subject to provisions below.

2.4. AlixPartners and AlixPartners Affiliates shall keep the Personal Data accurate and up-to-date within the scope necessary to achieve the Utilization Purposes, and shall delete any Personal Data that becomes unnecessary to achieve a Utilization Purpose or other legitimate business purpose. It is the duty of the Company to ensure AlixPartners and AlixPartners Affiliates are provided with updates to the data to meet this obligation. For the avoidance of doubt, it is not necessary to delete Personal Data where Applicable Data Protection Legislation require AlixPartners or AlixPartners Affiliates to retain it.

2.5. AlixPartners and AlixPartners Affiliates shall have in place appropriate technical and organizational measures to protect the Personal Data against accidental or unlawful destruction or accidental loss, leakage, alteration, and unauthorized disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected.

2.6. AlixPartners and AlixPartners Affiliates shall exercise the necessary and appropriate control and supervision over its officers, employees, and vendors to securely manage the Personal Data received.

2.7. AlixPartners and AlixPartners Affiliates shall not disclose Personal Data to any third party unless the disclosure is mandated by Applicable Data Protection Law, where the Company consents to the disclosure, or as permitted by the Agreement so long as AlixPartners and AlixPartners Affiliates impose contractual obligations upon the third party that are no less restrictive than the terms set forth in this Agreement.

2.8. In the case where AlixPartners and AlixPartners Affiliates entrust the handling of the Personal Data to a third party pursuant to this paragraph, they shall exercise necessary and appropriate control and supervision over the third parties to ensure the safety of such Personal Data, as stated above, and they shall require the third parties comply with obligations equivalent to the obligations of AlixPartners and AlixPartners Affiliates under this Agreement, including the obligations in this clause. AlixPartners and AlixPartners Affiliates shall be responsible for any breach by the third parties (and any subsequent third parties) of the obligations above. For clarity, this paragraph shall apply to all third parties and subsequent third party recipients.

2.9. To the extent required by the APPI, upon request of the Data Subject, each AlixPartners and AlixPartners Affiliate shall correct, add, or delete certain Personal Data if the Data Subject can show the contents of the Personal Data are incorrect. Each AlixPartners and AlixPartners Affiliate shall promptly inform the Data Subject if it has corrected, added, or deleted Personal Data, or if it has determined it does not have to do so.

2.10. To the extent required by the APPI, upon request of the Data Subject, AlixPartners and AlixPartners Affiliates shall disclose the information stipulated under the APPI.

2.11. To the extent required by the APPI, each AlixPartners and AlixPartners Affiliate shall delete or stop utilizing the Personal Data if the Data Subject can show that the AlixPartners or AlixPartners Affiliate is using or has used such Personal Data outside of the designated Utilization Purposes or if it was acquired by improper means; provided, however, that it is not required where it would be unreasonably expensive or unreasonably difficult to do so and where alternative action which would protect the Data Subject's interests can be taken. Each AlixPartners and AlixPartners Affiliate shall promptly inform the Data Subject if it has deleted or stopped utilizing the Personal Data, or if it has determined it does not have to do so.

2.12. To the extent required by the APPI, each AlixPartners and AlixPartners Affiliate shall stop providing Personal Data to a third party if the disclosure violates the APPI; provided, however, that suspension of disclosure it is not required if it would be unreasonably expensive or unreasonably difficult to do so and where alternative action that would protect the Data Subject's interests and comply with the APPI can be taken. Each AlixPartners and AlixPartners Affiliate shall promptly inform the Data Subject if it has stopped providing the Personal Data, or if it has determined it does not have to do so.

2.13. If AlixPartners or an AlixPartners Affiliate knows or should know that any Personal Data has been or is likely to be leaked, disclosed, accessed, destroyed, altered, lost, used without authorization, or otherwise handled in any way not permitted under this Agreement, regardless of whether or not AlixPartners or the AlixPartners Affiliate is liable for such incidents, they shall inform the Company of the same in writing, and shall take any appropriate measures to prevent such incident from occurring, expanding, and recurring.

3. Transfer from South Korea

The following provisions apply to all transfers of Personal Data controlled by the Company in South Korea.

When Processing Personal Data provided by or on behalf of the Company:

3.1. The scope, classification, purposes and details of the Processing of the Personal Data shall be as described in the Agreement or as otherwise agreed by the Company and AlixPartners in writing.

3.2. AlixPartners and AlixPartners Affiliates shall limit access to Personal Data to those personnel who reasonably require such access for the purposes of the Processing, and AlixPartners and AlixPartners Affiliates shall establish and maintain measures for the protection of Personal Data that may be required under relevant rules and regulations of South Korean data protection law. See www.alixpartners.com/it-1000 for a list of measures

3.3. To the extent AlixPartners and AlixPartners Affiliates disclose or transfer Personal Data to a third party service provider, they shall inform the Company reasonably in advance of such disclosure or transfer. Upon the Company’s request, AlixPartners and AlixPartners Affiliates shall inform the Company of the Processing activities to be subcontracted; the identity of the third party service provider, and any changes to

3.4. Any engagement by AlixPartners or an AlixPartners Affiliate of a third party service provider processing Personal Data will be subject to a written agreement binding the third party service provider to the equivalent terms which AlixPartners is subject to as specified in this Agreement.

3.5. AlixPartners and AlixPartners Affiliates shall not disclose or transfer to any person or entity any Personal Data unless it otherwise does so in accordance with applicable provisions of South Korean data protection law.

3.6. AlixPartners and AlixPartners Affiliates shall establish and implement appropriate procedures for the handling of complaints regarding invasions of privacy and the resolution of any disputes with Data Subjects.

3.7. AlixPartners and AlixPartners Affiliates shall establish and implement internal administrative procedures for the protection of Personal Data, including the appointment of a data protection officer and the provision of regular training for relevant personnel.

3.8. AlixPartners Data Importer(s) shall be subject to (i) instruction and supervision by the Company with respect to their handling of the Personal Data, and (ii) supervision and audit by relevant Supervisory Authorities.