Lumen Data Protection Addendum 

1. Applicability. This Data Protection Addendum (“DPA”) forms part of and is subject to the governing services agreement (“Agreement”) between Customer and Lumen and is applicable to the provision of certain Lumen Services. “Lumen” is defined for purposes of this Addendum as CenturyLink Communications, LLC d/b/a Lumen Technologies Group or its affiliated entities. In the event of a conflict between the Agreement and this DPA, the terms of this DPA will control.

2. Definitions. In this DPA, the following definitions apply:

“Controller” “Processor” “Data Subjects” “Personal Data” “Personal Data Breach” and “Processing" will have the meanings ascribed to them in the GDPR.

"Data Protection Laws" means the provisions of applicable laws regulating the use and processing of Personal Data, as may be defined in such provisions, including (a) the EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”), (b) the Electronic Communications Data Protection Directive 2002 as amended and (d) all other applicable laws and regulations relating to processing of personal data.

"Services" means the Lumen Processing Services to be provided to Customer under the Agreement.

3. Compliance with Data Protection Laws. Each party is an independent Controller with respect to Personal Data collected from the other which is necessary for administering its business relationship with the other (e.g. name, address, email address). Customer is a Controller (or effectively the Controller to Lumen as Processer/subprocessor) with respect to Personal Data Processed by Lumen. Lumen is a Controller with respect to billing, utilization, usage patterns/counts/statistics, traffic data and other business and operational information, to the extent it is Personal Data, and a Lumen Privacy Notice applicable to the foregoing can be found at: https://www.lumen.com/en‑us/about/legal/privacynotice.html. Each party will comply at all times with its Controller obligations under Data Protection Laws with respect to any Personal Data processed under the Agreement, including providing individuals with notice, required consents and ensuring a valid legal basis of processing.

4. Data Processing. Unless otherwise set forth in a Service Attachment:

1. Lumen acknowledges that it is a Processor on behalf of the Customer when providing Services and performing its related obligations (including incident resolution, support or consultancy services). Details about the Processing can be found a https://www.lumen.com/en‑us/about/legal/trust‑center/processing‑lumen‑services.html

2. In so far as Lumen processes Personal Data on behalf of Customer as a Processor, Lumen will (and will procure that Lumen affiliates will):

i. Process Personal Data only in accordance with the Customer’s documented instructions, including as set out in the Agreement and this DPA and ensure that Lumen personnel process Personal Data only on such instructions of the Customer, unless processing is required by EU or member state law to which Lumen is subject, in which case Lumen will, to the extent permitted by such law, inform Customer of that legal requirement before processing that Personal Data;

ii. Restrict the disclosure and processing of Personal Data to the extent necessary to provide the Services, or as otherwise permitted under the Agreement and this DPA, or by Customer in writing, and disclose Personal Data only on a need to know basis in connection with the Services to those who have committed themselves to confidentiality, or as required by applicable law;

iii. Taking into account the state of the art, costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement and maintain appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and against all other unlawful forms of processing and ensure a level of security appropriate to the risk presented by the processing;

iv. Ensure that only those personnel who need to have access to Personal Data are granted access to it, and that such access is granted only for the proper provision of the Services; and

v. If and to the extent Lumen retains a copy of any Personal Data, not retain that Personal Data for longer than is necessary to perform the Services and at Customer’s option, securely destroy or return such Personal Data, except where required to retain the Personal Data by law or regulation. The parties agree that Lumen will not actively process such Personal Data and will be bound by the provisions of this DPA in respect of any such retained Personal Data. Lumen will delete such data promptly after it ceases to be obliged to retain it and will only process it to the extent required to comply with applicable laws.