2. The parties agree that the supervisory authority has the right to carry out a check on the importer of data and a subprocesser with the same scope and conditions as in the case of a control of the data exporter in accordance with existing data protection legislation. B. Accordingly, in accordance with point 11 of these clauses, the data exporter gives the data importer a general agreement to transmit the subprocessors. This consent is conditional on the data importer complying with the requirements set out in the “Notification and Objection to New Contractors” section of the data protection authority. (i) to a person, unless they provide appropriate proof of their identity and authority; (ii) any legal auditor who has not previously given written consent (which cannot be improperly withheld); (iii) if the legal auditor does not enter into a confidentiality agreement with OutSystems on terms acceptable for outsourcing; (iv) if and to the extent that OutSystems believes this would reasonably lead to an infringement of the privacy or data security of other OutSystems customers or the availability of OutSystems services for those other customers; v) outside normal hours of operation in these premises; or vi) on more than one occasion during each twelve (12) month period, with the exception of any other additional control or inspection that: a. The client feels that this is necessary because of a breach event; or b. The customer is required to perform in accordance with applicable data protection laws or as indicated by a supervisory authority, if the customer has identified the injury event or the corresponding requirement in his notification to OutSystems for control or inspection. c.

Corrective measures. Unless existing data protection legislation requires an Approved Affiliate to exercise a right or obtain a direct appeal against us in accordance with this Privacy Statement, the parties agree that (i) only the client entity that is a contracting party to the Agreement exercises all rights or requires remedies that an Approved Affiliate may have on behalf of its related companies in accordance with that Data Protection Authority. , and (ii) the client entity that is a contracting party to the contract will not exercise these rights by that data protection authority separately for each approved affiliate, but summarised for itself and for all of its approved affiliates. The client who is the client is responsible for coordinating all communication with us in accordance with the Data Protection Authority and is entitled to make and receive any notification relating to this data protection authority on behalf of its licensed related companies.