Data Privacy and Protection Agreement

DATA PRIVACY AND PROTECTION AGREEMENT

THIS DATA PRIVACY AND PROTECTION AGREEMENT (the “Agreement”) is made
on this ____ (Day) of ________ (Month), 2024 (the “Effective Date”).

BY AND BETWEEN

VORTEX DYNAMICS, a Company incorporated under the laws of the United States of
America, having its principal place of business at _____________________________,
(hereinafter referred to as the “Company” which expression shall, unless contrary to the
context or meaning thereof, mean and include its successors-in-interest and permitted
assigns);

AND

Mr./Ms. _______________, Son/Daughter of _______________, residing at
_____________________ (hereinafter referred to as the “Employee”).

The “Company” and the “Employee” are hereinafter individually referred to as a “Party”
and collectively the “Parties” as the context may require.

WHEREAS:

A. VORTEX DYNAMICS, a multinational conglomerate with operations in India and the
USA, is expanding its business operations to the European Union (“EU”);
B. The Company aims to form strategic partnerships and collaborations in the European
Union (EU), requiring a strong contract to address data privacy and protection issues
and ensure full compliance with GDPR and other relevant laws;
C. On considering the eligibility and experience of the Employee and relying upon the
representations made by the Employee, the Company hereby employs the Employee in
the role of _______ from the “Effective Date” mentioned herein above. The Employee
has accepted the Employment on the terms and subject to the conditions hereinafter
contained.

NOW THEREFORE, in consideration of mutual covenants, promises, assurances,
representations and provisions set forth herein, the “Parties” hereto agree as follows:

1. DEFINITIONS

1.1. “Agreement” means this contract and all appendices, schedules, and amendments
hereto;
1.2. “Company” refers to Vortex Dynamics, a multinational conglomerate with
operations in India, the USA, and the European Union;
1.3. “Board” shall mean the Board of Directors for the time being of the Company;
1.4. “Confidential Information” means any non-public information, including but not
limited to trade secrets, proprietary data, recipes, business plans, financial
information, and any other information that is designated as confidential by the
Company or that, under the circumstances surrounding disclosure, ought to be treated
as confidential;
1.5. “Data Protection Officer (DPO)” refers to the individual appointed by the Company
to oversee compliance with data protection laws and regulations, as required by
GDPR;
1.6. “Data Subject” means an identified or identifiable natural person whose personal
data is processed by the Company or on behalf of the Company;
1.7. “Employee” refers to any individual employed by the Company, including full-time,
part-time, temporary, and contract employees;
1.8. “GDPR” stands for General Data Protection Regulation, Regulation (EU) 2016/679,
which is the legal framework governing data protection and privacy in the European
Union;
1.9. “Generative AI Tools” refers to artificial intelligence software or platforms capable
of generating text, images, or other content, including but not limited to ChatGPT;
1.10. “Personal Data” means any information relating to an identified or identifiable
natural person, including but not limited to names, identification numbers, location
data, online identifiers, or one or more factors specific to the physical, physiological,
genetic, mental, economic, cultural, or social identity of that person;
1.11. “Processing” means any operation or set of operations which is performed on
personal data or on sets of personal data, whether or not by automated means, such as
collection, recording, organization, structuring, storage, adaptation or alteration,
retrieval, consultation, use, disclosure by transmission, dissemination or otherwise
making available, alignment or combination, restriction, erasure, or destruction;
1.12. “Sensitive Data” includes personal data revealing racial or ethnic origin, political
opinions, religious or philosophical beliefs, trade union membership, genetic data,
biometric data for the purpose of uniquely identifying a natural person, data
concerning health or data concerning a natural person’s sex life or sexual orientation;
1.13. “Third Party” refers to any individual or entity that is not an employee of the
Company, including contractors, partners, vendors, and other external entities;
1.14. “Trade Secrets” refers to any practice, design, formula, process, or compilation of
information which is not generally known or reasonably ascertainable, by which the
Company can obtain an economic advantage over competitors or customers;
1.15. “Unauthorized Disclosure” means any disclosure of confidential or sensitive
information to a third party without proper authorization or consent;
1.16. “Zero-Tolerance Policy” refers to the Company’s strict enforcement policy against
violations of data protection laws and regulations, which may include disciplinary
actions such as Termination of employment.

2. DATA PROTECTION OBLIGATIONS


2.1. Confidentiality and Integrity
The Employee shall maintain the confidentiality and integrity of all sensitive data,
including trade secrets and proprietary information, at all times. The Employee agrees
to handle such information with the highest level of care to prevent unauthorized
access, disclosure, alteration, or destruction;
2.2. Data Handling and Storage
The Employee agrees to ensure that data is stored securely, access is restricted to
authorized personnel only, and that data is not retained longer than necessary for its
intended purpose;
2.3. Data Processing Protocols
The Employee shall adhere to the established protocols for processing personal data.
This includes obtaining explicit consent from data subjects where required, ensuring
data accuracy, and processing data only for legitimate business purposes as outlined in
the “GDPR” and other “Applicable Laws”;
2.4. Prohibited Actions
The use of generative AI tools, including but not limited to ChatGPT, on Company
devices and networks is strictly prohibited. The Employee shall refrain from feeding
any Company data, especially sensitive or proprietary information, into such tools
without proper authorization of the Company;
2.5. Employee Training
The Employee shall undergo 6 (six) Months of mandatory training as part of the
probationary period. This training will cover the principles of GDPR, the Company’s
data protection policies, and the consequences of non-compliance. Contingent upon
successful completion of this training, the Employee shall transition to full-time
Employment with the Company.

3. APPOINTMENT OF DATA PROTECTION OFFICER (DPO)


3.1. The “Company” shall appoint a Data Protection Officer (DPO). The DPO will oversee
the Company’s data protection strategy and its adherence by the “Employee” to
ensure compliance with GDPR and other applicable data protection laws;
3.2. The DPO shall be responsible for monitoring compliance with GDPR and other
relevant data protection laws, providing guidance on data protection impact
assessments (DPIAs), and acting as the Point of Contact (POC) for supervisory
authorities and data subjects on issues related to data processing;
3.3. The Employee shall report any suspected or actual data privacy breaches,
unauthorized disclosures, or other data protection incidents to the DPO, failing
which the Board reserves the right to Terminate the Employment of the Employee
without any notice. The DPO will further investigate and address these reports in
accordance with the Company’s data breach response procedures;
3.4. The Employee shall ensure that any personal data transferred outside the EU
complies with GDPR’s cross-border data transfer requirements. Adequate safeguards,
such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), must
be in place to protect the data during transfer.

4. GDPR COMPLIANCE
4.1. Company Compliance
The Company shall ensure full compliance with the General Data Protection
Regulation (GDPR) and other applicable data protection laws of the European Union
(EU). This commitment includes implementing comprehensive data protection
policies and procedures, conducting regular audits, and maintaining robust data
security measures to safeguard personal data and ensure regulatory adherence;
4.2. Employee Compliance
The Employee shall comply with the Company’s data protection policies and
procedures, which are designed to align with GDPR requirements. This includes, but
is not limited to, the proper handling, storage, and processing of personal data,
obtaining necessary consents, and respecting the rights of data subjects;

4.3. Data Processing and Handling
The Employee shall ensure that any personal data they handle or process is done so in
accordance with GDPR requirements. This includes ensuring data accuracy, limiting
data access to authorized individuals, and adhering to data retention policies;
4.4. Incident Reporting
The Employee shall report any suspected or actual data breaches or non-compliance
issues to the Data Protection Officer (DPO) within 15 days of the occurrence of such
event, failing which the Employment of the Employee may be Terminated at the
sole discretion of the “Board of Directors” of the Company.

5. DATA PROTECTION IMPACT ASSESSMENTS (DPIAS)


5.1. The Company shall conduct Data Protection Impact Assessments (DPIAs) for any
high-risk data processing activities as required by GDPR. High-risk processing
activities include those that could significantly impact data subjects’ privacy or
involve sensitive data;
5.2. The Company shall follow a formal DPIA process, including identifying and
describing the processing activity, assessing risks, consulting relevant stakeholders,
and implementing measures to mitigate identified risks;
5.3. The Employee agrees to cooperate with the DPIA process by providing accurate and
complete information about data processing activities they are involved in, failing
which the Board may, at its sole discretion, Terminate the Employment of the
Employee;
5.4. The Employee shall participate in DPIA assessments when requested and
implement any recommended measures to mitigate risks associated with high-risk
data processing activities.

6. CROSS-BORDER DATA TRANSFERS


6.1. The Company and/or the Employee shall transfer personal data to countries outside
the European Union (EU) or European Economic Area (EEA) only when such
transfers comply with applicable data protection laws, including the General Data
Protection Regulation (GDPR);
6.2. The Employee shall ensure that any Cross-Border data transfers they handle comply
with the Company’s policies and GDPR requirements. This includes verifying that
adequate safeguards are in place before initiating or approving such transfers;
6.3. Prior to any Cross-Border data transfer, the Employee shall perform due diligence to
ensure that the receiving party, whether an external entity or an affiliate, adheres to
GDPR requirements and provides adequate protection for the transferred data;
6.4. Upon failure to comply with these obligations, the Board of Directors may, at its
sole discretion, Terminate the Employment of the Employee without any notice.

7. DATA PROTECTION-RELATED DISPUTES AND DISPUTE RESOLUTION


7.1. The Employee shall resolve any data protection-related disputes internally by
following the Company’s established grievance procedures. This involves raising the
issue with the immediate supervisor or designated data protection officer (DPO)
within 15 days of occurrence of such event;
7.2. The DPO shall review the complaint and work with the Employee to investigate and
resolve the issue in accordance with the Company’s data protection policies and
procedures;
7.3. Should the dispute remain unresolved after following internal procedures and formal
complaint processes, the Company and the Employee agree to engage in Mediation.
Mediation will be conducted by an independent third-party mediator agreed upon by
both parties.

8. TERMINATION
8.1. The employment shall commence from such date as agreed by the “Parties” and shall
subsist until terminated in the manner set forth herein (“Term”);
8.2. Subject to the provisions of this Agreement, the Parties agree that the employment of
the Employee by the Company is contractual, at will, and terminable by either Party
in accordance with the provisions of this Agreement. In the event of Termination, the
Employee shall not be entitled to any benefits, damages, award or compensation,
other than as expressly provided in this Agreement or as mandated by applicable law
for the time being in force;
8.3. This Agreement may be terminated upon the occurrence of any of the events as
described herein and agreed to by the Parties under this Agreement;

8.4. The Company reserves the right to Terminate the Employment of the Employee who
fails to comply with the Company’s data protection policies, GDPR requirements, or
any other applicable data protection laws of the European Union (EU). Grounds for
Termination include, but are not limited to, the unauthorized disclosure of sensitive or
personal data, failure to report data breaches, or repeated violations of data protection
protocols;
8.5. In cases of severe data protection breaches or violations, such as the unauthorized
sharing of sensitive company data or personal information, the Board may, at its sole
discretion, Terminate the Employment of the Employee immediately, without notice or
compensation;
8.6. Upon Termination of his/her employment, the Employee shall promptly return to the
Company all such Confidential Information or any other Company Property, etc. Any
breach of this condition would entitle the Company to take such action as would be
appropriate in the circumstances and/or to claim damages;
8.7. Post Termination, the Employee shall continue to protect and keep confidential any
personal data or proprietary information obtained during his/her tenure. This includes
refraining from disclosing, using, or exploiting such information for any unauthorized
purpose;
8.8. The Employee agrees that during the Employment and upon Termination of his/her
services, they shall not disparage the Company, its officers or employees (including
but not limited to any related or associated entity or client and his/her officers and
employees).

IN WITNESS WHEREOF, each Party hereto has hereby caused this Agreement to be
executed by its duly authorized officer on the “Effective Date”.

For VORTEX DYNAMICS          For MR./MS. __________ (Employee)

NAME:                        NAME:

ADDRESS:                     ADDRESS:

SIGNATURE:                   SIGNATURE:

DATE:                        DATE:
