This DPA (including its schedules) is entered into pursuant to the JLP Insights & Media Terms & Conditions between you (“you” or “Supplier”) and John Lewis plc (“John Lewis”, “we” or “us”) relating to our provision of Retail Media services to you.
Unless otherwise agreed between you and us in writing and to the extent that the Retail Media services include providing you with Personal Data in respect of which John Lewis is the data controller for the purposes of delivering Samples or any Campaign Material directly to John Lewis’ customers (the delivery of Samples or any Campaign Material directly to John Lewis’ customers being the “Services” for the purposes of this DPA), you and John Lewis have agreed that the terms of the DPA shall be incorporated into the JLP Insights & Media Terms & Conditions. The Definitions in Schedule 1 shall apply to this DPA.
Terms and Conditions
Under the Data Protection Laws, it is a requirement that controllers impose certain contractual obligations upon their processors.
The Services provided by you will necessarily involve the processing of personal data on our behalf and therefore, in the case of our relationship with you and your processing of the personal data in connection with the Services, John Lewis will be the controller and you (and each permitted sub-processor under this letter) will be the processor.
This letter sets out the terms on which we will provide you with the personal data in relation to the Services. Nothing in this letter or Clause 1 below relieves you from obligations imposed upon you under the Data Protection Laws.
You warrant and undertake to John Lewis that you shall, and shall procure that your sub-contractors shall:
only process personal data in compliance with, and shall not cause yourself or John Lewis or any Customer Affiliate to be in breach of, the Data Protection Laws;
use the personal data, which is set out in Schedule 2 of this letter, only as specified in that Schedule for the purposes of providing the Services and not for any other purpose;
only process the personal data on the documented instructions of John Lewis (and for the avoidance of doubt, such documented instructions include as provided by this letter), including with regard to transfers of personal data to a third country or international organisation, and otherwise:
(i) as necessary to perform your obligations in providing the Services; or
(ii) as required by any Applicable Law of which, before processing any personal data, you shall notify John Lewis (unless prohibited by Applicable Law from doing so on important grounds of public interest).
keep a record of the documented instructions of John Lewis, including as provided by this letter;
comply with any request from John Lewis requiring you to amend, transfer or delete all or any part of the personal data as soon as possible.
not engage or transfer and/or disclose any personal data to any other processor, sub-contractor or other third party, including a Supplier Affiliate, to carry out processing in connection with the Services ("sub-processor") (including any cloud computing service providers or contractors):
(i) unless the engagement is necessary for you to carry out the Services; and
(ii) without the prior specific written authorisation of John Lewis.
with respect to each sub-processor:
(i) carry out adequate due diligence to ensure the sub-processor is capable of providing a level of protection for the personal data as required by this letter; and
(ii) provide John Lewis for review such copies of the agreements with sub-processors (which may be redacted to remove confidential commercial information not relevant to the requirements of this letter) as John Lewis may request from time to time.
enter into a written agreement with each sub-processor approved by John Lewis under Clause 1.6.1 containing obligations on such third party which are equivalent to, and no less onerous than, those set out in this letter and you shall remain responsible to John Lewis for all obligations that are performed by and acts or omissions of each sub-processor authorised by John Lewis under Clause 1.6.1 as if they were your acts and omissions. This Clause shall also apply to any replacement sub-processor.
maintain the confidentiality of the personal data and not disclose, copy, reproduce or distribute any of it or otherwise make it available to any third party except in response to a specific written request by John Lewis or where obliged to do so by law and, in the case of the latter, promptly notify John Lewis and cooperate with us in the making of such disclosure;
take all reasonable steps to ensure the reliability of any employees, agents or contractors who may have access to, or are authorised to process, personal data and ensure such employees, agents or contractors are bound by obligations of confidentiality which are no less protective than those set out in this letter and shall ensure that such access is strictly limited to those employees, agents and contractors requiring access for provision of the Services and that they at all times act in compliance with Data Protection Laws and the obligations of this letter;
procure that those of your employees, agents or contractors who are used to provide the Services are made aware (in advance of disclosure) of the terms of this letter, and will use best endeavours to procure that each such person adheres to those terms as if that person were a party to this letter;
notify John Lewis immediately if you receive any enquiry, rights or other request, complaint, notice or other communication from any supervisory authority, other organisation, any data subject or any individual, relating to either the Services or sub-processors or other third parties who are appointed by you in connection with the Services or our, your or any sub-processor's compliance with Data Protection Laws, unless prohibited by Applicable Law.
provide all necessary assistance to John Lewis to enable us to respond to such enquiries, rights or other requests, complaints, notices or other communications and to comply with Data Protection Laws.
not respond to any enquiry, rights or other request, complaint, notice or other communication without the prior written consent of John Lewis.
have in place and maintain Protective Measures regarding the security of the personal data, including without limitation:
(i) protection against unauthorised disclosure of, or access to; and
(ii) protection against accidental or unlawful destruction, loss or alteration;
of personal data transmitted, stored or otherwise processed.
and shall comply with John Lewis' IT security policies and provide, on our request, a written description of the technical and organisational measures, including Protective Measures, employed by you for processing of personal data within timescales reasonably required by John Lewis. Compliance with John Lewis' IT security policies shall not relieve you of any liability otherwise arising under this letter and shall not constitute confirmation or assurance from John Lewis that compliance with the requirements set out in John Lewis' IT security policies shall satisfy your other obligations under this letter or under Data Protection Laws regarding the security of personal data.
take all measures required by, and provide all reasonable assistance to John Lewis so that it can demonstrate compliance with Article 32 of the GDPR, and assist John Lewis by appropriate technical and organisational security measures to ensure the processing of personal data meets the requirements of the Data Protection Laws and for the fulfilment of our obligations to respond to requests for exercising the rights of data subjects as set out in the Data Protection Laws.
notify John Lewis immediately in writing after becoming aware of any:
(i) Data Breach; or
(ii) any other breach of the terms of this letter.
Failure to notify John Lewis shall be deemed an irremediable material breach of the agreement between John Lewis and you under which you provide the Services.
in the event of a Data Breach, provide John Lewis with full co-operation and assistance in dealing with the Data Breach, in particular in relation to:
(i) resolving any data privacy or security issues involving any personal data; and
(ii) making any appropriate notifications to individuals affected by the Data Breach or to a supervisory authority.
investigate the Data Breach immediately and in any event within 24 hours and shall then provide John Lewis as soon as possible with complete information relating to a Data Breach, including, without limitation:
(i) the nature of the Data Breach;
(ii) the nature of the personal data affected;
(iii) the categories and number of data subjects concerned;
(iv) the categories and number of personal data records concerned;
(v) the name and contact details of your Data Protection Officer or relevant contact point;
(vi) the possible consequences of the Data Breach;
(vii) the measures taken to, or proposed to be taken, to address the Data Breach and mitigate its possible effects; and
(viii) any other information that John Lewis may reasonably request concerning the Data Breach.
maintain a log of Data Breaches including facts, effects and remedial action taken.
if any of the personal data in your possession or control becomes lost, corrupted or rendered unusable for any reason (including as a result of the Data Breach), shall promptly take all steps to restore, re-constitute and/or reconstruct any personal data using your back up and/or disaster recovery procedures as if they were your own data at your own cost with all possible speed and shall provide John Lewis with all reasonable assistance in respect of it at no cost to John Lewis.
take all steps necessary to prevent a repeat of the Data Breach and shall consult with and agree those steps with John Lewis.
on request and at no additional charge, provide to John Lewis and/or its authorised representatives or auditors all information required by John Lewis and/or allow for and contribute to audits and inspections to assess your compliance with this letter and the Data Protection Laws and all information necessary for John Lewis to demonstrate our compliance with the Data Protection Laws.
in order that John Lewis and/or its authorised representatives or auditors and any supervisory authority may audit your compliance with the Data Protection Laws and the terms of this letter, on request and at no additional charge you shall provide John Lewis with:
(i) reasonable access to all relevant data processing facilities, procedures and documentation and all information, premises, personal data, employees, agents, sub-processors, equipment and assets at all locations from which your obligations under this letter are being or have been or should have been carried out;
(ii) all reasonable assistance in carrying out the audit; and
(iii) shall notify John Lewis immediately if, in your opinion, an instruction under Clause 1.13.1 or 1.13.2 infringes the Data Protection Laws or any other Applicable Law.
Clauses 1.13.1 and 1.13.2 apply during the term of the delivery of the Services and for 36 months after the termination date of the Services, subject to John Lewis giving you seven days' notice (except where such audit is required by a supervisory authority to which John Lewis is subject, in which case these time limits shall not apply).
on request, take all necessary actions and provide John Lewis with all reasonable assistance necessary for us to comply with our obligations under the Data Protection Laws, including in relation to:
(i) the provision of access to information and personal data to data subjects;
(ii) the rectification of inaccurate data in relation to a data subject;
(iii) the erasure of a data subject's personal data;
(iv) the restriction of processing of personal data of a data subject;
(v) the right of a data subject to object to processing of their personal data including automated decision-making; and
(vi) the retrieval and porting of the personal data of a data subject.
shall use reasonable information minimisation procedures to limit collection, retention and processing of personal data.
shall provide John Lewis with such assistance and co-operation as we may reasonably request to enable us to comply with any obligations imposed on us by Data Protection Laws in relation to the personal data processed by you, including, but not limited to:
(i) on request of John Lewis, promptly providing written information regarding the technical and organisational measures, including Protective Measures, which you have implemented to safeguard the personal data in compliance with this letter and/or Data Protection Laws;
(ii) disclosing full and relevant details in respect of any and all government access controls which you have implemented; and
(iii) notifying John Lewis as soon as possible and as far as you are legally permitted to do so, of any request for disclosure of data which concerns personal data (or any part thereof) by any governmental or other regulatory authority, or by a court or other competent authority. For the avoidance of doubt and as far as you are legally permitted to do so, you shall not disclose or release any personal data in response to such request without first consulting with and obtaining the written consent of John Lewis.
if requested in writing by John Lewis from time to time, provide to us a copy of the personal data in the format and on the media reasonably specified;
maintain records of all processing activities carried out on behalf of John Lewis to comply with Data Protection Laws, including:
(i) the information described in Clauses 1.13.1 and 1.13.2;
(ii) where applicable, the name and contact details of: your company, John Lewis, any sub-processors and the data protection officer or, if relevant, the representative based in the EEA of your company and of any sub-processors;
(iii) the different types of processing being carried out (if applicable);
(iv) any transfers of personal data outside of the EEA, including the identification of the relevant country or international organisation and any documentation required to demonstrate suitable safeguards;
(v) a description of the Protective Measures referred to in Clauses 1.11.1 and 1.11.2, together, "the Records". The Records shall be in written electronic form.
provide the Records to John Lewis promptly on request in a format reasonably requested by us.
not transfer any personal data outside the EEA, or to any international organisation unless:
(i) you notify John Lewis in writing that you intend to transfer any personal data outside of the EEA;
(ii) John Lewis provides its written consent to such transfer (which consent it may give or withhold in its absolute discretion or make subject to conditions); and
(iii) you provide, in advance of a transfer authorised under Clause 1.19(ii) evidence to John Lewis's satisfaction of appropriate safeguards, as required by Data Protection Laws.
shall, on the termination or expiry of the agreement (or the relevant part of it) between you and John Lewis, at the option of John Lewis:
(i) securely destroy or delete all personal data (including any personal data held in an electronic database) within 30 days and confirm such destruction or deletion in writing to John Lewis; or
(ii) return to John Lewis or transfer all personal data to a nominated third party, in a mutually agreed form and format and by a mutually agreed method and shall destroy or delete all personal data (including any personal data held in an electronic database) within 30 days and confirm such destruction or deletion in writing to John Lewis;
other than to the extent that its ongoing retention by you is required by Applicable Law.
not, and shall ensure that no third party appointed to assist in the provision of the Services shall, dispose, re-assign or re-use any equipment or any electronic, magnetic or other medium which is or has been used to store personal data or any other data that has been generated, obtained, held, used or stored for the purposes of the Services without ensuring that such personal data has been entirely removed, or otherwise securely obliterated.
notify John Lewis, prior to adopting any new type of processing in respect of personal data (including, without limitation, the use of new technology or processes to continue current processing).
following notification by you under Clause 1.22.1, at John Lewis's request shall participate in, and provide all reasonable assistance with, a privacy impact assessment, data protection impact assessment or prior consultation with a supervisory authority including under Article 35 (data protection impact assessment) and Article 36 (prior consultation) of the GDPR or equivalent provisions of Data Protection Laws in respect of the new type of processing proposed, in accordance with Data Protection Laws.
You shall on demand indemnify John Lewis from and against all costs, claims, actions, proceedings, demands, awards, judgments, settlements, expenses, liabilities, damages and losses (including all interest, fines, penalties, legal costs and disbursements, loss or corruption of data, management time, loss of reputation, goodwill) of whatsoever nature incurred by John Lewis or member of its group in connection with any failure by you or any sub-processor or other third party appointed by you to comply with the provisions of this letter and/or Data Protection Laws in respect of your processing of personal data.
No exclusions or limitations of liability whatsoever shall apply to the indemnity given by you in Clause 2.1.1.
You acknowledge and agree that John Lewis retains all rights, title and interest in the personal data, including any copyright and database rights.
This letter (including the agreement constituted by your acknowledgement of its terms) and the relationship between the parties shall be governed by and construed in accordance with the laws of England and Wales.
The English courts have exclusive jurisdiction to settle any disputes arising out of or in connection with this letter and the parties submit to the exclusive jurisdiction of the English courts.
To the extent that you have an entitlement under Data Protection Laws to claim from John Lewis compensation paid by you to a data subject as a result of a breach of Data Protection Laws to which John Lewis contributed, we shall be liable only for such amount as directly relates to our responsibility for any damage caused to the relevant data subject.
For the avoidance of doubt John Lewis shall only be liable to make payment to you under Clause 2.5.1 upon receipt of evidence from you, to John Lewis's reasonable satisfaction, that clearly demonstrates:
(i) John Lewis has breached Data Protection Laws;
(ii) that such breach contributed (in part or in full) to the harm caused and entitling the relevant data subject to receive compensation in accordance with Data Protection Laws; and
(iii) the compensation payable reflects the proportion of responsibility for the harm caused to the relevant data subject which is attributable to John Lewis.
Schedule 1 - Definitions
"Applicable Law" means all applicable EU laws, regulations, regulatory requirements and codes of practice as amended and in force from time to time.
"Customer Affiliate" means any entity which owns or controls, is owned or controlled by or is under common control or ownership with John Lewis where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the affairs of an entity, whether through ownership of voting securities, by contract or otherwise.
"Data Breach" means any event that results, or may result in, unauthorised or unlawful processing of, disclosure of, use of, access to, theft of and/or any accidental or unlawful damage to, destruction of, loss of, alteration to or corruption of personal data.
"Data Protection Law" means:
the European Data Protection Directive (95/46/EC) and the European Privacy and Electronic Communications Directive (Directive 2002/58/EC), including as transposed into the domestic law of each Member State;
on and from 25 May 2018, Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) ("the GDPR") and any law implementing, supplementing, replacing or relating to it;
on and from the date it becomes applicable, the Regulation on Privacy and Electronic Communications and any law implementing, supplementing, replacing or relating to it;
any guidance, directions, determinations, codes of practice, orders, notices or demands issued by any supervisory authority or other competent authority;
the Data Protection Act 2018 (when in force) and any other applicable data privacy or data protection laws or regulations and judgments of any tribunal, regulatory body or court of law;
each as amended, extended, re-enacted or replaced from time to time.
The terms "personal data", "controller", "processor", "data subject", "processing", "supervisory authority", "Member State", "third country" and "international organisation" shall all have the same meaning as in the Data Protection Laws and the term "process" shall be construed accordingly.
"EEA" means the European Economic Area.
"Protective Measures" means all appropriate technical and organisational measures aimed at ensuring an appropriate level of security and preventing a Data Breach, which shall be compliant with all appropriate Data Protection Laws including but not limited to preventing a breach resulting from, or arising out of, your internal use, processing or other transmission of personal data.
"Sub-processor" has the meaning set out in Clause 1.6.1.
"Supplier Affiliate" means any entity which owns or controls, is owned or controlled by or is under common control or ownership with you, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the affairs of an entity, whether through ownership of voting securities, by contract or otherwise.
Schedule 2 - Details of Processing
Subject matter of processing | my John Lewis Review Panel
Duration of processing | For delivery purposes only
Purpose and nature of processing | For delivery purposes only
Type of personal data | Name, address, phone number, email address
Categories of data subjects | Customers - my JL review panel members