
Privileged and Confidential

GLAXOSMITHKLINE LEGAL DEPARTMENT


GLOBAL BILLING GUIDELINES AND MATTER HANDLING PRACTICES
FOR OUTSIDE COUNSEL
EFFECTIVE NOVEMBER 1, 2020[1]

INTRODUCTION

The GlaxoSmithKline (“GSK”) Legal Department has adopted these global billing guidelines and matter handling practices for
outside counsel (“GBGs”). These guidelines will become effective as of the date above and replace all guidelines previously
agreed with GSK Legal.

These GBGs set forth what is expected and required of all law firms providing legal services to GSK. Pursuant to these
guidelines, we expect your firm to:

1. Only be retained by an authorized representative of the GSK Legal Department and have an agreement and
authorization in writing from GSK Legal before beginning any work. Should your law firm be contacted for
representation by someone other than an authorized representative of GSK Legal, contact legal.gelrt@gsk.com prior
to accepting the engagement.

2. Handle GSK’s matters effectively and efficiently.

3. Establish core teams with the appropriate level of expertise for the tasks at hand to handle most/all GSK matters end-
to-end, creating a group with an enhanced knowledge of our business and legal affairs. Where applicable, leverage
expertise of GSK in-house personnel whenever it is reasonable and cost-effective to do so.

4. Designate one primary partner as Relationship Manager for all GSK business (e.g., billing inquiries, firm relationship
issues, etc.).

5. Promote diversity. GSK extends its commitment to diversity and inclusion to all of the law firms and counsel with
whom we work and we encourage your law firm to strive to continually improve your firm’s diversity and inclusion
goals and achievements. Toward this end, we also encourage and will applaud your firm’s efforts to hire and promote
a more diverse workforce including minority, women, LGBT, disabled and other diverse attorneys and staff. In the
selection of outside counsel, one factor important to GSK is the diversity of the law firm under consideration,
including diversity of those attorneys working on GSK matters.

6. Add value to your relationship with GSK. We welcome investments by your firm that add value to your relationship
with GSK. For example, deploying specialized personnel to GSK on secondment, presenting preventive law and
training programs, sharing newsletters, establishing intellectual capital databases, and developing knowledge and
information sharing networks may be value-added investments. The “savings” delivered to GSK through such value-
added services should be quantified. Please send an overall summary of your law firm’s value-added investments,
and your firm’s estimate of the value of these services, to legal.gelrt@gsk.com at the end of each calendar year.

1 This version of the Global Billing Guidelines and Matter Handling Practices for Outside Counsel supersedes and replaces the
October 1, 2018 version of the Global Billing Guidelines and Matter Handling Practices for Outside Counsel.

GLOBAL BILLING GUIDELINES

I. Alternative Fee Arrangements


GSK’s strong preference is for task-based, flat-fee Alternative Fee Arrangements (“AFAs”) that provide substantiated
value to GSK. In every case, the AFA must be confirmed in writing.

For those rare matters in which a task-based, flat-fee AFA is not feasible, hourly billing rates must be agreed with GSK
Legal’s Global External Legal Relations Team (“GELRT”) in writing in advance of the engagement. These rates will
remain in effect and will not increase for any reason without prior written approval by GELRT.

II. Billing Requirements


If requested by GSK, your law firm agrees to use GSK’s electronic billing system to submit invoices. Unless otherwise
agreed in a fee agreement, your law firm’s invoices are to be submitted to GSK on a monthly basis after the work is
performed and no later than 20 days after the end of each calendar month. Amounts not invoiced within three (3)
months of services performed will be considered late and may not thereafter be invoiced. It is outside counsel’s
responsibility to submit accurate invoices on a monthly basis, and to correct invoicing errors for re-submission within
these timelines. GSK shall not be required to pay such amounts and reserves the right to not pay invoices received
more than 90 days after the date when they could have first been invoiced. Late invoices that cross the calendar
year will not be paid.

III. Hourly Billing


GSK has a strong preference for fee agreements to be in the form of task-based flat fee agreements. In the event
that a task-based flat-fee agreement is not feasible for a particular matter-specific engagement, the following billing
requirements must be followed:
• Hourly time should be in chronological order, showing the date of service, the number of hours expended by
each person on each item, a description of the item of work, the rate at which those hours are billed, and the
amount billed for each task or activity.
• Time entries should be billed in time increments of 0.10 hour.
• No one should bill more than ten hours per day, except with GSK prior approval.
• Block or lumped billing is not allowed and generic descriptions alone are not acceptable.
• If hourly billing rates are permitted, GSK typically expects such rates to be discounted by at least 20% in
comparison to your law firm’s standard billing rates.
Time for which GSK does not pay:
• Any work not approved/authorized by the GSK Legal Department.
• General administrative overhead and support staff expenses, including, for example, routine secretarial
work, overtime, messenger services, office supplies, word processing services, etc.
• Routine scheduling of appointments, depositions, meetings, including the making of travel arrangements and
contact with court reporters.
• Maintaining a calendar or tickler system.
• Surcharged rates for paralegals or other personnel.
• Time related to opening, managing, closing files, returning or destroying files.
• Time spent “getting up to speed” or other restart-up costs due to staffing changes.
• Summer associates.
• Reviewing fee agreements and/or preparing initial budgets of time, staffing, or total costs of projected legal
work.
• Reviewing and/or submitting invoices or monthly billing statements, including coordination of third-party
bills.
• Investigating conflicts.
• Preparing responses to audit letter requests.
• Unauthorized or “We thought you would like to know” communication.
• Scheduling or reviewing firm personnel.
• One professional or paraprofessional redoing the work of another or redrafts or rework of legal writing when
performed to improve a lawyer’s or paralegal’s legal research or writing skills. Further, GSK will not pay for
duplicative entries for reviewing and/or analyzing documents or legal research.
• If a previously drafted standard form is available (e.g., pleadings, discovery/disclosure, agreements), GSK will
pay only for the time necessary to modify it for the matter at issue, not the time incurred to draft the
standard document.
• If legal research is also applicable to other clients, GSK should only be charged for its proportionate share of
the costs.
• Travel time absent GSK approval for exceptional circumstances.

IV. Expenses/Disbursements
All expenses should be itemized with each expense item showing the date the expense was incurred, a descriptive
explanation of the charge, the amount of the charge, and the timekeeper who incurred the charge. GSK will pay all
reimbursable expenses (including pre-approved vendors and experts) at actual cost. For outside vendor expenses,
appropriate documentation consists of actual vendor receipts rather than charge account receipts (except for
restaurant charges).

GSK reserves the right not to pay invoiced expenses until satisfied that proper explanation and, if requested,
documentation has been provided by the firm and/or until the GSK in-house counsel managing the matter for which
the expense was incurred approves such expense. GSK requires that appropriate documentation substantiating all
expenses be maintained by your firm as such expenses are subject to audit by GSK, or at its direction. Any such
billing document audit will be conducted no more frequently than annually and will be conducted in a manner that
does not compromise the confidentiality of other client information.

Third Party Expenses: Invoices for all work/services performed by third-party vendors should be billed as soon as
possible at actual cost as part of your firm’s disbursements on a matter-specific basis. Vendor name, description, and
invoice numbers should be included in the descriptions.

Expense Cap: All expenses, excluding authorized professional fees that your firm pays on behalf of GSK, such as
expert fees, court fees, or local counsel fees, for an individual matter will be capped at fifteen percent (15%) of the
total fees associated with that matter. Any expenses beyond this cap or any extraordinary individual expense must be
approved in writing by both the GSK managing attorney and GELRT.

Travel Expenses: GSK will reimburse the law firm for out-of-pocket expenses actually and reasonably incurred by its
personnel in connection with GSK authorized travel and for associated lodging and meals while performing services
directly on behalf of GSK. Unless otherwise agreed by GSK on a case-by-case basis, whenever most cost effective,
reservations for travel and hotel accommodations should be made at least 14 days in advance. All travel is subject to
the following requirements:

• Air and train travel must be economy class for all trips. If one-way travel is anticipated to exceed six hours
duration, business class (or equivalent) may be permitted subject to prior GSK Legal approval.
• When rental cars are required, economy or compact class rental automobiles are to be used. Rental car vehicle
type should not exceed “intermediate” car class and suppliers should take insurance.
• If GSK has a contracted nightly rate with a hotel (“preferred hotel”) in the locale of travel, the firm agrees to stay
at such preferred hotel(s) or hotels that have a nightly rate equal to or lesser than that of the preferred hotel’s
GSK rate.
• Distance/mileage traveled in a personally owned vehicle may be reimbursed at the GSK established rate per mile
or the standard IRS mileage rate for the US.
Expenses for which GSK Will Not Pay
• Copying/Printing (color or otherwise), whether cost or time
• Communication charges including phone, WiFi, teleconference, web/video conferencing, word processing, and
fax.
• Publications, books, subscriptions, librarian services, and online databases, such as Lexis and Westlaw
• Any items of overhead expenses (e.g. working/overtime meals, local transportation to/from home including
overtime taxis, conference rooms, calendaring, rental fees, hotels for working late in the office, etc.)
• Storage charges, including data storage
• Inflight WiFi or other data charges
• We will not pay for mini-bar charges, personal telephone calls, movie rentals, laundry/dry cleaning, or similar
personal items
• Banking fees, including but not limited to, late fees, interest charges on invoices, payment processing fees, and
any processing fees for refunds to GSK
• Marketing expenses
• Professional association or other membership fees.
• Charges received late (3 months after a matter is closed or a case is resolved).

V. Miscellaneous
1. REFUNDS to GSK: Any refund due to GSK must be returned to GSK as a Credit Note and should not be applied to an
invoice. The credit note will be applied to a future payment. If a refund is due to GSK and no future invoicing is
expected, funds must be returned by either a refund check or a wire. Please contact legal.gelrt@gsk.com to
coordinate. Monies should not be wired to GSK without coordination with the Legal Department.

2. Ebilling Audits: GSK reserves the right to periodically audit your law firm's invoices and request any supporting
documentation when they pertain to GSK only and to the extent allowed under professional conduct rules applicable
to law firm. If GSK decides to subcontract the audit to a third party said third party will sign a non-disclosure
agreement.

3. If your law firm engages the services of a third party to assist with the generation of your law firm’s e-bills, any
corresponding invoice data should not include: proprietary information, confidential information, attorney-client
privileged information, or Personal Information.

MATTER HANDLING PRACTICES FOR OUTSIDE COUNSEL

I. Conflicts of Interest

Conflicts of interest must be disclosed to GSK and waived in writing prior to beginning a matter or as soon as the conflict or
potential conflict becomes known. We expect your firm to investigate and resolve any potential conflicts of interest you may
have in representing GSK prior to being retained by GSK. If a conflict or potential conflict arises, the law firm should
immediately contact the lead inside GSK counsel for the matter in connection with which the conflict arises. Requests for
conflict waivers should be made in writing in the form of the letter attached hereto as Schedule A (“GSK Conflict Waiver
Request”).

Conflicts are addressed on a case-by-case basis via a separate writing, e.g., a Framework Engagement Agreement or
individual, matter-specific fee agreement, or a GSK Conflict Waiver Request. It is important that you are sensitive to both
direct conflicts and indirect conflicts of which your firm is aware – i.e., conflicts that may arise from your firm’s advocacy of
other clients’ positions which conflict with GSK’s business objectives.

II. Media Relations and Public Disclosure Requirements

Please report any media inquiry relating to GSK, including the Company’s relationship with outside counsel, to GSK’s Legal
Department immediately (preferably your specific legal contact, if he/she is available). Do not make statements to the media
relating to GSK without our approval.

Unless we specifically otherwise agree, your firm should not advertise or promote your relationship with GSK.

III. Labor Rights

Your firm represents and warrants, to the best of its knowledge, that it respects the human rights of its staff and does not
employ child labor, forced labor, unsafe working conditions, or cruel or abusive disciplinary practices in the workplace and
that it does not discriminate against any workers on any ground (including race, religion, disability, gender, sexual orientation
or gender identity); and that it pays each employee at least the minimum wage, provides each employee with all legally
mandated benefits, and complies with the laws on working hours and employment rights in the countries in which it
operates. Your firm shall be respectful of its employees’ right to freedom of association and your firm shall encourage
compliance with these standards by any supplier of goods or services that it uses in performing its obligations related to GSK.

IV. Staffing

Staffing decisions should be approved in advance by GSK. Lawyers and paralegals should not be added, subtracted, or
substituted without GSK’s prior approval.

1. Without prior approval, GSK will pay for only one law firm member’s attendance at any event (e.g., hearings,
depositions, and witness interviews).

2. The level of expertise of the lawyer/paralegal should be appropriate to the complexity of the task. Partners should
not bill for tasks that can be performed just as competently by associates at a lower cost. Similarly, associates should
not bill for tasks that can be just as competently and more economically performed by paralegals.

3. Summer Associates may be utilized only after written approval by your GSK legal contact, and only for specifically
approved tasks. In general, GSK will not pay for Summer Associate work.

V. Activities

1. Meetings/Conferences- GSK will pay for necessary conferences, consultations, and/or team strategy meetings relating
to significant legal events. GSK expects law firms to keep the attendance level at these meetings reasonable.

2. Discovery/Disclosure- All discovery/disclosure requests directed to GSK must be submitted to the designated GSK
lawyer or paralegal who will assist in preparing or reviewing the draft answers and responses. All interviews with
current and former GSK employees, as well as appropriate witness statements and similar matters, will also be
coordinated by a GSK lawyer or paralegal. Please do not contact any GSK employee for any purpose without the prior
approval of your GSK legal contact.

3. Legal Research and Memoranda

a. All legal research must first be authorized by GSK.

b. If legal research is also applicable to other clients, GSK should only be charged for its proportionate share of
the costs.

c. GSK expects you to check within your firm as to whether similar research has been performed and could be
utilized on GSK’s matter.

d. Please promptly provide GSK with copies of all research memoranda after the work is completed. It is not
necessary to polish research memoranda prior to providing it to GSK.

VI. Ownership of Work Product

All materials generated or prepared in the course of representing GSK and all copyrights therein, shall belong to GSK. This
includes materials in written, graphic, electronically stored, or any other form. Law firm agrees to assign all right, title,
interest and copyrights in all such materials to GSK and agrees to execute all documents necessary for GSK to perfect its
ownership and copyright interests. At the conclusion of the engagement, law firm should obtain direction from lead inside
counsel at GSK regarding disposition of all materials, prepared for GSK or provided to law firm during the course of the
representation. If at a later point in time GSK requests reproduction of the file and/or legal advice, your firm agrees to
produce the information at no additional cost. The foregoing does not include law firm’s standard documents or templates,
which shall continue to belong to law firm. Law firm shall be able to consult or reference work product created for GSK,
subject to the firm’s professional duties and conflict of interest standards.

VII. GSK Policy on Use of Private Investigators

GSK has a Corporate Policy on Use of Private Investigators (see next paragraph), intended to ensure that external third-party
investigators working on matters for GSK carry out assignments in a lawful and ethical manner, whether retained directly by
GSK or by a third-party. The term ‘ethical’ used in this policy means: in compliance with all laws, regulations, legal and
professional guidelines, and in a manner not likely to result in harm to GSK’s reputation or image. If your firm engages private
investigators, please ensure that any investigators you retain in connection with GSK matters conform their conduct to the
requirements of this policy as incorporated herein. Please pay special attention to the tasking of investigators in any
inquiries that may relate to fraud or where asset tracing may be involved. In the event you become aware of the occurrence
of any activities by an investigator in violation of this policy, please bring it to the attention of your GSK legal contact person
without delay. You must consult your legal contact person and confirm his/her approval before contacting or retaining any
private investigator for any matter. Additionally, you will be required to have all investigators agree in writing to the latest
version of GSK’s Private Investigators Principles.
Policy: Permitted and Prohibited Investigative Activity:
Investigators and security consultants may be engaged for a variety of reasons, which may include the security design of
facilities, conducting due diligence enquiries, or investigations into criminal or inappropriate behaviour contrary to the
interests of the Company. Other forms of permitted investigative activity could include: the evaluation of political and
security risks to support investment, acquisition or expansion plans; or to aid the recovery of missing or stolen assets; but all
of these examples require the approval of GSK’s Vice President, Corporate Security & Investigation (VP CSI). You must
consult your legal contact person and confirm that approval has been granted by the VP CSI before contacting or retaining
any private investigator for any matter. GSK employees are specifically prohibited from engaging in any activity, through the
use of third-party investigators engaged either directly or indirectly, which is unlawful, or might be perceived to be unethical,
or could cause harm to the reputation or interests of GSK. For example, such activity could include obtaining personal or
private information through impersonation; corporate espionage; telephone, postal and email intercepts; bribery; or other
illegal techniques.

VIII. Use of GSK’s Systems

If your firm has been retained to represent GSK in a litigation or non-litigation matter, your firm agrees, if asked to do so by
GSK, to connect to, and actively utilize, all electronic systems GSK has implemented to more efficiently manage all aspects of
its legal matter portfolio (e.g., document management, matter management, e-billing, etc.).

IX. Internal Controls; GSK Information and Data Protection

1. GSK expects your firm to have proper internal controls in place such as adequate professional liability/malpractice
insurance coverage, effective disaster recovery plans, and the proper storage and destruction of documentation,
including adequate protection of Privileged and Confidential, proprietary, and Personal Information pursuant to
GSK’s Data Privacy and Information Risk Schedules as set out in Schedule B and Schedule C. Please in particular note
in Schedule B, encryption requirements for electronic information both in transit and at rest as detailed in section
3(j). If your firm uses a cloud provider, your firm will ensure that GSK’s requirements for information protection are
met for all GSK data residing with or processed by your cloud provider, or your firm will advise as to how its cloud
provider does not comply.

2. GSK Confidential Information, as defined below, that comes into your law firm’s possession in the course of your
firm’s representation of GSK will be subject to your firm’s ethical duty of confidentiality. Other than as may be (i)
required by a court order or subpoena; or (ii) approved in advance by GSK (e.g., to other GSK outside counsel,
experts, GSK’s legal service providers, in connection with discovery involving a litigation proceeding and/or
government investigation, etc.) your firm shall not disclose to others any GSK Confidential Information that comes
into your firm’s possession from GSK or from a third party (e.g., experts, patients, other law firms, or legal service
providers, etc.) in connection with your firm’s representation of GSK. In the event that your firm receives a subpoena
or court order directing the production of GSK’s documents or information in your firm’s possession to a third party,
unless your firm is precluded from doing so by law or regulation, your firm shall promptly inform the GSK managing
attorney(ies) with whom your firm is working of your firm’s receipt of the court order or
subpoena so as to afford GSK the opportunity to object to the disclosure before it occurs. Your firm agrees to
secure and protect GSK’s confidential information pursuant to GSK’s Data Privacy and Information Risk Schedules as
set out in Schedule B and Schedule C.

3. GSK considers Confidential Information to be any information that is proprietary to GSK and is not publicly available
including, without limitation, GSK proprietary information which, if disclosed, could cause damage to the interests of
GSK.

4. Your firm undertakes that it shall comply with applicable Data Protection Law as defined in Schedule C. Your firm
warrants and undertakes that it has provided, and will provide, any necessary privacy notices, or obtain any
necessary consents, to enable it to share any personal information regarding its personnel with GSK (and its affiliates,
vendors and other authorised recipients) in connection with your engagement by GSK. Should GSK request that your
firm enter into a Model Clauses Master Agreement (“MCMA”) or other form of international data transfer agreement
regarding privacy and data processing, your firm will consider that request in good faith.

5. Retention and Return of GSK Data

Your firm will retain GSK Data as necessary to satisfy (i) the purposes for which it was provided to or obtained by your
firm or your firm’s personnel, or (ii) the performance of your firm’s obligations under the Agreement.

Your firm shall (at its sole cost) return, delete or destroy, as specified by GSK, all GSK Data then in its possession or
under its control, including without limitation all originals and copies of such GSK Data, upon (i) the termination of
GSK’s engagement of your firm; or (ii) GSK’s request for any reason, unless this would be in breach of any Laws,
regulations or professional rules applicable to your firm. Your firm shall confirm the compliance with this
requirement by written notice to GSK received no later than thirty (30) days following such return, deletion or
destruction of all GSK Data. Your firm will use destruction methods that meet or exceed current industry standards,
to GSK’s reasonable satisfaction. Unless otherwise agreed in writing with GSK, your firm shall return any GSK owned
physical assets. Where backups of GSK Data are stored in a form where destruction of GSK Data is infeasible, your
firm will ensure that the backups are overwritten if backup media are reused or backups are destroyed within one (1)
year or as otherwise may be agreed by GSK and law firm on a case-by-case basis, and your firm shall not access,
modify or process such GSK Data without GSK's express prior written consent.

GSK does not intend or expect firm to return or destroy (i) GSK Data or information that has become a part of the
public domain through court filings; or (ii) day-to-day exchanges of e-mail between GSK and your firm or e-mail
exchanges between your firm and a third party on GSK’s behalf, that do not contain GSK Data or information in
attachments. E-mails should be handled consistent with the firm’s duty of confidentiality.

6. Continuity Plan

Your firm shall maintain a continuity plan including recovery of critical systems and continuity of workforce. Your
firm will test the continuity plan at least every two (2) years. The recovery point objective (RPO) for services provided
is [ENTER RECOVERY POINT TIME DAYS/HOURS/MINUTES] and the recovery time objective (RTO) is [ENTER RECOVERY
TIME DAYS/HOURS/MINUTES]; if none of the foregoing is specified then the RPO is 24 hours and RTO is 45 days.
7. Backups
Your firm will create, encrypt, maintain and securely store backups of GSK Data to restore any lost, corrupted or
damaged GSK Data in accordance with the recovery point objectives. Such backups must be stored with logical or
physical controls that prevent unauthorised access, including by malicious programs such as ransomware or
malicious insider activities, i.e., “Destructive Events”, consistent with the guidance in Data Integrity, Recovering from
Ransomware and Other Destructive Events NIST Special Publication 1800-11.

X. Social Responsibility

If requested by GSK, your law firm will cooperate with GSK’s social responsibility vendor and corresponding social
responsibility initiatives.

XI. Conduct of Litigation

1. Early Case Assessment, Early Dispute Resolution, and Motions/Interim Applications- GSK expects early case
assessments to be conducted and early dispute resolution to be pursued (according to protocols established by GSK)
in all matters unless you are specifically instructed otherwise by case counsel.

GSK discourages filing motions that are unsupported by a clear tactical rationale. Therefore, as in all other aspects of
the conduct of litigation for GSK, you should remain in close contact with GSK case counsel, keep them closely
apprised of your plans and the rationale underpinning them, and obtain their approval before filing any motions.

2. Alternatives to Litigation- GSK’s EDR protocols require you to consider settlement and/or alternative dispute
resolution strategies throughout your representation. Unless superseded by the terms of an alternative billing
arrangement, GSK may, in its sole discretion, consider a performance bonus in the event that Firm reaches a
resolution of the matter/litigation through early dispute resolution in a manner that is favorable to GSK.

3. GSK’s Participation/Review of Documents- GSK lawyers should be consulted before making any tactical or strategic
decisions. GSK will often participate in the substantive drafting of documents prepared on behalf of the Company.
To permit our review, please send us all documents and filings at least one week prior to due date, unless exceptional
circumstances require a shortened response time.

4. Other Litigation Matters

a. GSK Support. We expect you to take advantage of our broader in-house expertise to assist in your preparation
of GSK’s case – e.g., initial review of scientific, patent or medical records, retrieval of bibliographic data, and
selection of experts.

b. Insurance Inquiries. During the course of litigation, you may receive a request for a status report from one of
the Company’s insurance carriers. We request that you forward such requests to us for response as GSK deals
with its insurers through its corporate Risk Management Department.

XII. Anti-Bribery & Anti-Corruption

Your firm agrees that it shall comply fully at all times with all applicable laws and regulations, including but not limited to anti-
corruption laws, and that it has not, and covenants that it will not, directly or indirectly, make, promise, authorize, ratify or
offer to make, or take any act in furtherance of any payment or transfer of anything of value for the purpose of influencing,
inducing or rewarding any act, omission or decision to secure an improper advantage; or improperly assisting it or GSK in
obtaining or retaining business, or in any way with the purpose or effect of public or commercial bribery, and warrants that it
has taken reasonable measures to prevent subcontractors, agents or any other third parties, subject to its control or
influence, from doing so. For the avoidance of doubt this includes facilitating payments, which are unofficial, improper, small
payments or gifts offered or made to government officials to secure or expedite a routine or necessary action to which we are
legally entitled.

GSK shall be entitled to terminate its relationship and engagement with your firm immediately on written notice to your firm,
if your firm fails to perform its obligations in accordance with this clause. Your firm shall have no claim against GSK for
compensation for any loss of whatever nature by virtue of the termination in accordance with this clause.

Your firm shall inform GSK in writing, if, during the course of your representation, your firm is convicted of or pleads guilty to
a criminal offence involving fraud or corruption, or becomes the subject of any non-legally privileged government
investigation for such offenses, or is listed by any government agency as debarred, suspended, proposed for suspension or
debarment, or otherwise ineligible for government programs.

Your firm represents and warrants that except as disclosed to GSK in writing prior to the commencement of your
representation of GSK: (1) it does not have any interest which directly or indirectly conflicts with its proper and ethical
performance; (2) it shall inform GSK in writing at the earliest possible opportunity of any conflict of interest that arises during
your representation of GSK; and (3) it shall maintain arm’s length relations with all third parties with which it deals for or on
behalf of GSK.

GSK shall have the right to conduct an audit of your firm’s activities as they may pertain to or impact GSK to monitor
compliance with the terms of this Agreement. Your firm shall cooperate fully with such audit, the scope, method, nature and
duration of which shall be at the sole reasonable discretion of GSK.

Your firm shall ensure that all transactions related to GSK are properly and accurately recorded in all material respects on its
books and records and each document upon which entries in such books and records are based is complete and accurate in all
material respects. Your firm must maintain a system of internal accounting controls reasonably designed to ensure that it
maintains no off-the-books accounts.

Your firm agrees that in the event that GSK believes that there has been a possible violation of the terms of this Agreement,
GSK may make full disclosure of such belief and related information at any time and for any reason to any competent
government bodies and its agencies, and to whomsoever GSK determines in good faith has a legitimate need to know.

Your firm shall provide anti-bribery and anti-corruption training to relevant personnel, including any relevant subcontractors,
at your firm who act on behalf of GSK or interact with government officials during the course of any services provided to GSK.
Your firm shall provide GSK the opportunity to evaluate the training to determine whether it abides by GSK’s standards and
shall conduct additional training, as requested by GSK. Your firm, upon request by GSK, shall certify that the anti-bribery and
anti-corruption training has taken place.

XIII. HUMAN SAFETY REPORTING

“Adverse Event” or “AE” shall mean any medical occurrence in a patient, temporally associated with the use of a GSK Product,
whether or not considered drug-related. If, in the course of providing the services, your firm or any of its contractors is
informed or becomes aware of any AE (whether the information relates to the GSK Product by reference to its generic name
or by reference to its trademark) it shall forward such information to GSK. All AEs must be reported to GSK through the GSK
Global Clinical Safety and Pharmacovigilance Department in the United States for review and potential submission to FDA as
reportable adverse events within 24 hours of initial receipt (or next working day if over a weekend).

If it is reasonably expected that your law firm will receive human safety information in the course of your firm’s
representation of GSK, please confirm in writing with the GSK managing attorney(s) at the outset of the GSK matter(s) for
which your firm has been engaged the process to be followed in the event your law firm receives human safety information
relating to GSK pharmaceutical, vaccine and consumer health care products. The confirmed process should include
identification of the person at your law firm primarily responsible for ensuring that human safety information is forwarded in
a timely and appropriate manner to ensure compliance with GSK policy.

XIV. SURVIVAL

To the extent applicable, these GBGs shall survive beyond GSK’s engagement of your law firm.

XV. INTEGRATION

These GBGs, together with the schedules, exhibits, and documents referred to herein, together with the engagement
agreement for the matter or matters for which your law firm is engaged contain the entire understanding of the parties with
respect to the subject matter hereof and supersede all prior agreements and understandings, oral or written, with respect to
such matters, which the parties acknowledge have been merged into such documents, exhibits, agreements and schedules.

We look forward to working with you and welcome your suggestions to help us better manage and further control costs.

In order to acknowledge your acceptance of the terms set forth in this agreement, please digitally sign as prompted at the
end of the letter. If you have any problem with digitally signing, then please contact legal.gelrt@gsk.com.

By (name of authorized representative): Muhammad Humayun

On behalf of (law firm name): Hassan and Humayun Associates

Date: Nov 28, 2020

Signature: Electronically signed by: Muhammad Humayun
Reason: I am signing for the reasons as stated in the document.
Date: Nov 28, 2020 12:06 GMT+5

SCHEDULE A
GSK CONFLICT WAIVER REQUEST

Date
Name of GSK Attorney
GlaxoSmithKline
Address

Re: [name of case or transaction for which waiver is requested]

Dear [GSK attorney]:

The purpose of this letter is to request a waiver of a [potential or actual] conflict of interest in connection with [law firm]’s
representation of [other client’s name] in the above referenced matter. We seek your assent to such a waiver subject to the
following conditions:

1. [Other client’s name] agrees not to object to [law firm]’s continued ability to represent GSK or its affiliates on
existing and future matters.
2. [Law firm]’s representation of [other client] will not involve the assertion against GSK or any of its affiliates of
a claim of fraud, misrepresentation, or other dishonest conduct. Nor will [law firm] represent [the client] in
any litigation or threatened litigation or arbitration or mediation arising from the matter. [Law firm] will not
take a public position adverse to GSK (e.g., in court or administrative proceedings or in the media).]
3. [Law firm] is representing [other client] for the sole purpose of [describe limited engagement to which GSK is
consenting], and it is understood that GSK reserves the right to claim a potential or actual conflict of interest
and take appropriate action regarding any other matter in which [such law firm] may be engaged, or if the
representation by [law firm] is broader than specified in this sentence.
4. [Law firm] personnel providing services to [other client] in connection with this matter will not be among
those currently providing services to GSK or a GSK affiliate, and a firewall will be maintained between
lawyers representing GSK and lawyers representing [other client].
5. [Law firm] personnel representing [other client] do not have any confidential or “special” knowledge about
GSK or a GSK affiliate that potentially would give [other client] an advantage.
6. [Other client] has been informed of the conditions set forth in this letter and has agreed to these conditions
by signing below.

Very truly yours,

Attorney for Outside Law Firm

Received and agreed to:

_____________________
Other client representative

Received and agreed to:

____________________
GSK Attorney

SCHEDULE B

GSK INFORMATION PROTECTION SCHEDULE

This Information Security Schedule forms a part of the Agreement by and between GSK and your firm. In the event of any
conflict with respect to information security between the terms of this Schedule and the terms of the Agreement, this
Schedule shall control. Capitalised terms not defined in this Schedule will have the meanings ascribed to them in other parts
of the Agreement.
1. Comprehensive Information Security Program
a. Standards and Documentation. While providing legal services to GSK, your firm will maintain, and will comply at all
times with, a comprehensive information security program of policies, standard operating procedures (“SOPs”) and controls
governing the Processing, storage, transmission and security of GSK Data (the “CISP”) consistent with generally-accepted
industry standards (e.g., ISO 27001, COBIT, NIST 800-53, etc.). “Processing” means any operation or set of operations which
is performed on any information or data, whether or not by automated means, such as collection, recording, organisation,
structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or
otherwise making available, alignment or combination, restriction, erasure or destruction. Your firm will perform periodic risk
assessment to ensure that the CISP are kept up to date, continue to be aligned with industry standards, and are revised as
necessary whenever relevant changes are made to your firm's computing environment.
b. Subcontractors, Vendor Risk Management. Your firm will ensure all subcontractors with access or who Process GSK
Data maintain security standards and processes no less stringent than your firm’s CISP. For the purposes of this paragraph
subcontractors include providers of cloud services. Your firm will assess all subcontractors that access, store, process or
transmit GSK Data for appropriate security controls and information security practices, and will only engage subcontractors
who demonstrate compliance with your firm’s CISP or like standards to support the delivery of the Services. For avoidance of
doubt, your firm shall remain liable and responsible for the action, inactions and performance of all obligations performed by
any subcontractor to the same extent as if such obligations were performed by your firm.
2. Physical and Administrative Security Measures
a. Physical Security
i. Facilities. Your firm will ensure that GSK Data is physically secured against unauthorized access. Your firm shall
ensure physical access to its offices, data center facilities and other facilities at which GSK Data is Processed (the “Facilities”)
is restricted to those of your firm’s personnel and subcontractors who are required to perform duties at those locations.
ii. Media. The CISP shall control the flow of GSK Data leaving the Facilities, whether on removable media or portable
devices or otherwise (collectively, “Portable Media”), by defining which of your firm’s personnel may transfer GSK Data to
Portable Media and under what circumstances, and which Portable Media are permitted to be transported out of a Facility.
Your firm shall encrypt all GSK Data stored on any Portable Media. Your firm shall remove all GSK Data from any Portable
Media containing GSK Data before the Portable Media is disposed of or reused, using a removal method that sanitizes the
Portable Media and makes recovery of the GSK Data infeasible.
b. Administrative Security
i. Security Awareness and Training. Your firm will ensure written policies, procedures, and standards are published
and communicated to your firm’s personnel and relevant external parties as relevant to their job function and responsibilities.
ii. Background Screening. Your firm shall perform background screening of your firm’s personnel at the time of hire
that includes, to the extent permitted by Applicable Law in the country of hire, proof of identity using government issued
identification documents.
3. Technical Security Measures and Management
a. Configuration Management. Your firm shall ensure that all configuration changes to your computing environment are
controlled using formal change control procedures.
b. Data Segregation. Your firm will maintain technical mechanisms to ensure that GSK Data is logically segregated from
other customers’ data within your firm’s computing environment. This requirement does not pertain to backups or email.
c. Access Management. Your firm will protect access to your firm’s computing environment by authentication and
authorization mechanisms as described below and in the CISP Documentation.
i. Least Privilege. Your firm will grant access privileges based on job requirements and shall ensure access rights are
implemented adhering to the “least privilege” approach (i.e., authorized staff will be granted the minimum access required to
perform their roles).
ii. Access Credentials. Your firm shall, with respect to Access Credentials it manages and controls: (a) maintain a
robust process ensuring Access Credential secrets are suitably complex in line with then-current industry best practice; (b)
strongly hash or strongly encrypt Access Credential secrets and any data that can be used to derive such secrets both at rest
and in transit; (c) perform identity-proofing to ensure that access is granted to the proper person; (d) assign unique Access
Credentials to personnel requiring access to the computing environment; (e) ensure that Access Credentials are not shared by
your firm’s personnel; (f) secure remote access in line with industry best practice (e.g., multifactor authentication, contextual
security, etc.); (g) initially establish or communicate Access Credential secrets and reset Access Credential secrets, when
required, using secure means; (h) promptly revoke or modify access rights of your firm’s personnel when access is no longer
required due to termination of employment or a change in responsibilities. “Access Credential” means the combination of
unique identifiers and secrets assigned or provided to an individual, or inherent in an individual, that provides rights to access
your firm’s computing resources.
d. Logging and Monitoring. Your firm will maintain logs sufficient to definitively attribute access to, and actions
performed using, GSK Data in line with industry standards. Your firm will protect logs from unauthorized access, tampering, or
destruction. Your firm will regularly monitor logs for security alerts using a security information and event management (SIEM)
system, or equivalent, and respond to alerts as appropriate in line with industry best practice. Your firm will maintain logs
sufficient to definitively attribute access to GSK Data in line with industry best practices, e.g., recommendations in
NIST SP 800-92 Guide to Computer Security Log Management or equivalent industry standards.
e. Network Security. Your firm will maintain network security protecting your firm’s computing environment in line with
industry best practices including, to the extent applicable, firewalls, intrusion detection and prevention systems, segregation,
access control, and secure routing protocols.
f. Patching. Your firm will ensure software is patched for security vulnerabilities that pose a significant risk at least
quarterly and, in the event of vulnerabilities identified by the software vendor as critical, high severity, etc. as soon as
possible, at least monthly. This includes systems and services containing GSK Data in a cloud environment.
g. Hardware and Software. Your firm shall ensure software and hardware used to Process GSK Data is maintained at
versions supported by the licensor or manufacturer, as applicable. This includes systems and services containing GSK Data in
a cloud environment.
h. FOSS Compliance and Policy. Where your firm or cloud provider uses software which meets the open source
definition published at OpenSource.org or the free software definition published by the Free Software Foundation
(collectively, “FOSS”), your firm will ensure FOSS is patched or upgraded to available new releases that address any significant
security vulnerabilities.
i. Mobile Devices. If your firm permits your personnel to Process GSK Data on portable computing devices such as a
smartphone or tablet computer (collectively, “Mobile Devices”), your firm will maintain a Mobile Device management
solution that ensures (i) strong authentication of access to device contents, (ii) strong encryption of data at rest, (iii) remote
wipe of devices that are lost or stolen where possible and, (iv) deletion of GSK Data in email or Mobile Device storage. For
clarity, Mobile Devices excludes laptop computers.
j. Cryptography. Your firm shall use strong encryption controls to protect all GSK Data from unauthorized disclosure,
access or alteration, whether: (a) in transit into or out of your firm’s computing environment over third-party networks, or (b)
at rest within your firm’s computing environment, on laptop computers, or when stored on a Mobile Device or removable
media. If your firm does not currently encrypt GSK data at rest, your firm agrees to implement encryption at rest within 12
months of signing these GBGs.
4. Remediation. Your firm shall prioritise remediation of security issues based on significance of risk and remediate issues as
soon as reasonably possible.
5. Security Audit, Certifications.
a. Self-Assessment. Your firm shall conduct not less than annually a self-assessment of your compliance with all
requirements set forth in this Schedule B. An overall compliance self-assessment is acceptable provided that it substantially
covers GSK's information protection requirements in this Schedule B.
b. Audit Reports & Certifications. At request of GSK, your firm will provide or ensure available to GSK any relevant
certifications (e.g., ISO 27001) or independent audit reports (e.g., SSAE 18 SOC 2 Type II) if available for your firm’s computing
environment. GSK agrees to enter into any required Non-Disclosure Agreements with third parties supporting your firm if
required as a condition.
c. GSK Audit Rights. GSK, or its nominated representative to be approved by your firm, may with at least 30 working
days’ written notice (but not more than once per annum) conduct an audit of systems, records, data, practices and
procedures of your firm as they pertain to GSK only and that are used in rendering the services under this agreement to verify
the integrity of GSK Data and compliance with the data privacy, confidentiality and security requirements of these GBGs. GSK
shall communicate the scope and methods of the proposed audit in writing to your firm at least 15 working days prior to the
audit. GSK agrees that our scope and methods will not (a) include any technical vulnerability or penetration testing of your
computing systems; (b) require review of systems, reports, or other information that may potentially breach your firm’s client
confidentiality obligations, or; (c) include areas outside the scope of services provided to GSK under this agreement. GSK will
perform the audit during normal office hours and in such a way to cause as little disruption as reasonably possible. At request
of GSK representative, your firm will provide exemplar documentation and evidence demonstrating practices protecting GSK
Data, redacted as your firm deems necessary at your firm’s sole discretion to protect any of your firm’s confidential
information. If your firm utilizes cloud services for Processing of GSK Data, your firm agrees to, where your firm has the right
to do so under your agreement with the relevant cloud service provider (and your firm will use reasonable endeavours to
ensure that your firm has that right), facilitate GSK’s review of your firm’s cloud service provider independent audit reports
and certifications. GSK agrees to and will require that any nominated representative enter into any reasonable non-disclosure
agreement required by your firm or cloud service provider.

6. Security Breach Notification. Your firm will report to GSK by email to csir@gsk.com any compromise of your firm’s
cryptographic keys, or any verified accidental, unauthorized or unlawful use, loss, destruction, disclosure, access, corruption,
modification, sale, rental or other Processing of any GSK Data (a “Security Breach”) as soon as possible, but not more than
seventy-two (72) hours following your firm’s verification. Your firm will work in good faith with GSK to expeditiously
remediate the Security Breach and minimise the impact to GSK. GSK prefers that notification come within twenty-four (24)
hours of your firm’s verification, to the extent possible.

SCHEDULE C

GSK DATA PRIVACY SCHEDULE

The parties agree that the processing of personal data under or in connection with this Agreement shall be in accordance with
this Schedule, including all Annexes.

1. DEFINITIONS

Agreement means all engagement agreements between GSK and Law Firm in connection with which these GBGs are
incorporated and made a part thereof.

Data Protection Laws means as applicable: (a) the General Data Protection Regulation (EU) 2016/679 on the
protection of natural persons with regard to the processing of personal data and on the free movement of such data
and any applicable laws and/or regulations that implement and/or exercise derogations under it and/or replace or
supersede (including as it forms part of retained EU law as defined in the European Union (Withdrawal) Act 2018)
(GDPR); (b) the Data Protection Act 2018; (c) all other laws concerning the processing of personal data;

Personal Information means personal data relating to an identified or identifiable individual; and

Security Schedule means Schedule B of these GBGs; and

Shared Personal Information means any Personal Information, that is: (i) supplied by or on behalf of GSK to Supplier,
generated in the course of providing the Services or supplied by or on behalf of Supplier to GSK; and (ii) processed
under or in connection with this Agreement.

Supplier means, for the purposes of this Schedule C, the Law Firm with which GSK enters into this Agreement.

The terms controller, data protection impact assessment, data subject, personal data, personal data breach,
processor, processing and supervisory authority shall be as defined under relevant Data Protection Laws.

2. DATA PROCESSING

2.1 Status of each party under Data Protection Laws

GSK and Supplier acknowledge that the status of each party is a question of fact determined under Data Protection
Laws. Without limiting the foregoing, GSK and Supplier agree that, in relation to the personal data processed under
this Agreement, GSK and Supplier independently determine how and why certain Shared Personal Information is
processed (and accordingly each party acts as a controller) and all processing of Shared Personal Information shall be
undertaken in accordance with this Schedule.

2.2 Description of processing

All processing of Shared Personal Information undertaken by Supplier is described in this clause 2.2.

Duration, nature and purpose of processing


Duration of processing: Unless stated otherwise in this Agreement, or agreed in writing between the parties, personal data
will be processed for the term of this Agreement, and any such additional period stated in this Agreement.

Nature and purpose of processing: For the purpose of the provision of services by Supplier under this Agreement.

Personal data

Individuals may include any of: Consumers; Customers; Members of the public; Employees & Contingent Workers;
Healthcare Professionals and other healthcare Staff; External experts; Patients; Research Subjects; Shareholders; Suppliers;
Government Officials; Media representatives; Members of the public.

Categories of personal data may include any of: Personal contact information; Family details; Education history;
Professional details; Employment details; Device and online usage data; Location data; Purchase history; Financial
information (including payment information); Business travel and expenses; Personal biographical information (e.g., Age,
gender and nationality); Lifestyle information; Government ID numbers; Information on personal interactions with GSK.

Special categories of personal data may include any of: Ethnicity or race; Medical or Health information; Union affiliation;
Political affiliation or opinions; Religious or philosophical beliefs or affiliations; Criminal information; Sexual orientation or
sex life; Genetic information; Biometric data; Biological samples.

3. GENERAL TERMS

In relation to the processing of all Shared Personal Information, each party:

(a) shall comply with its obligations under Data Protection Laws;

(b) acknowledges that, except as expressly stated otherwise in the Agreement, it is (as between the parties)
solely responsible for meeting all of its obligations under Data Protection Law.

4. PRIVACY NOTICES AND INDIVIDUAL CONSENT

(a) Unless expressly agreed otherwise in writing, each party shall be responsible for providing privacy notices to,
and obtaining any consent required by law from, all individuals to whom the Shared Personal Information
relates in respect of all processing undertaken by that party (including any disclosure to the other party).

(b) If either party expressly agrees in writing to provide a privacy notice on behalf of the other party, it shall
ensure that the relevant privacy notices effectively address all information required to be provided under
Data Protection Laws and take account of any reasonable proposals by the other party.

5. COMMUNICATIONS

If either party receives any communication from a supervisory authority which relates directly or indirectly to:

(a) the other party’s processing of Shared Personal Information; or

(b) a potential failure to comply with Data Protection Laws in relation to the processing of Shared Personal
Information,

the receiving party, shall, to the extent permitted by applicable laws, promptly forward the communication to the
other party and provide the other party with reasonable cooperation and assistance in relation to the same.

6. HANDLING OF SHARED PERSONAL INFORMATION SUPPLIED BY OR ON BEHALF OF GSK

Supplier shall ensure that Shared Personal Information:

(a) shall be kept confidential in accordance with this Agreement and references in the Agreement and the
Security Schedule to GSK Confidential Information shall include Shared Personal Information supplied by or
on behalf of GSK;

(b) is not disclosed to any of its staff unless those persons: (i) have undergone appropriate training in data
protection; and (ii) are bound to hold the information in confidence;

(c) is processed only for the purpose of providing Services under this Agreement, and (a) to meet its legal and
regulatory obligations, (b) in pursuing its legal rights, and (c) for administrative, financial, risk management
and client relationship purposes;

(d) is transferred to its third party suppliers only: (i) in accordance with applicable law; (ii) where the third party
has entered into a contract with the Supplier containing appropriate terms providing equivalent protection
to those set out in this Schedule; and (iii) on condition that the Supplier remains fully liable to GSK for any
failure of such third party to fulfil its data protection obligations; and

(e) is kept securely, including by application of the measures set out in the Security Schedule and references in
the Security Schedule to “GSK Data” shall include Shared Personal Information supplied by or on behalf of
GSK.

7. RIGHTS OF INDIVIDUALS

If an individual makes a written request to either party to exercise any of their rights under Data Protection Laws in
respect of Shared Personal Information, the receiving party shall respond to that request in accordance with Data
Protection Laws. To the extent the request concerns processing of Shared Personal Information undertaken by the
other party, the receiving party shall: (i) promptly and without undue delay forward the request to the other party;
and (ii) cooperate and provide reasonable assistance in relation to that request to enable the other party to respond
in accordance with Data Protection Laws.

8. DATA BREACH

Without limiting any provision of the Security Schedule, upon becoming aware of a data breach affecting Shared
Personal Information supplied to it by or on behalf of GSK, Supplier shall:

(a) notify GSK promptly and without undue delay, and provide GSK with a reasonable description of the breach
promptly as such information becomes available; and

(b) not publish any communication concerning the breach without first consulting GSK, save that it may disclose
a breach to the extent required by applicable laws and/or to any consultants and/or service providers
assisting firm in the event of a breach inasmuch as said consultants and/or relevant service providers are
bound by confidentiality terms.

9. COMPLIANCE AND AUDIT

Upon GSK’s reasonable written request, and to enable GSK to verify compliance with this Schedule, Supplier shall,
without limiting any other right of GSK under this Agreement, and subject always to the Supplier's confidentiality
obligations to third parties, allow GSK or an auditor appointed by GSK, or by Supplier (on terms of reference agreed
with GSK in advance), to carry out audits, including inspections of facilities and documents, relating to the processing
of Shared Personal Information supplied to Supplier by or on behalf of GSK, subject to the limitations set forth in
Section 5(c) of Schedule B.

10. TERMINATION OR EXPIRY

This Schedule shall survive and continue in full effect on termination or expiry of this Agreement.

11. INTERNATIONAL DATA TRANSFERS

11.1 Where GSK (acting as a Data Exporter) transfers Shared Personal Data to Supplier (acting as Data Importer) the
parties hereby agree to abide by the EU controller to non-EU or EEA controller model clauses approved under
decision 2004/915/EU (available at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32004D0915&from=EN
and incorporated herein by reference) (Model Clauses),
provided that the illustrative commercial clauses shall not apply and, for the purposes of clause II(h) of the Model
Clauses, the Supplier (acting as Data Importer) selects the data processing principles in Annex A of the Model Clauses.
To the extent of any conflict or inconsistency between any term of the Model Clauses and any other part of this
Agreement, the terms of the Model Clauses shall prevail.

For the purposes of the Model Clauses:


a. GSK is a Data Exporter in relation to the Shared Personal Information;
b. Supplier, to the extent it processes Shared Personal Information in a country outside the European Economic
Area or an Adequate Country, is a Data Importer. Supplier (i) hereby enters into this Schedule on behalf of
each Affiliate of Supplier which acts as a Data Importer or (ii) has intra-group data transfer agreements in
place with its Affiliates in accordance with Data Protection Laws governing the processing of Shared Personal
Data by its Affiliates. For the purpose of this Schedule an Adequate Country means any country held by the
European Commission from time to time as providing an adequate level of protection for the purposes of
Article 25(1) of Directive 95/46/EC or Article 45(3) of the GDPR; and
c. Description of Transfers: The description of transfers, for the purposes of Annex B to the Model Clauses, is
set out in clause 2.2 of this Schedule.

11.2 Where any mechanism for international transfers of personal data ceases for any reason to be a valid means of
complying with the restrictions on transferring personal data to a third country as set out in Data Protection Laws, or
otherwise ceases to apply for any reason, the parties shall act in good faith to agree the implementation of an
alternative solution to enable both parties to comply with Data Protection Laws.

11.3 Supplier shall not process any Shared Personal Information supplied by or on behalf of GSK in any country other than
the country in which GSK is established without the prior written approval of GSK. Such approval may be conditional
upon the existence of appropriate safeguards to ensure compliance with Data Protection Laws applicable to Supplier
and GSK. For these purposes, the European Economic Area is considered as a single country.

ANNEX 1

EXTENSION TO FURTHER GSK COMPANIES

1. Pursuant to an agency agreement dated 3 January 2014 and entered into by certain GSK companies (as amended
from time to time) (the Agency Agreement), by signing this Agreement, GSK hereby enters into the Privacy Obligations
for and on behalf of the Covered Affiliates, in consideration for which Supplier hereby enters into the Privacy
Obligations with those Covered Affiliates, through the agency of GSK. All rights and obligations of GSK under this
Schedule are assumed and incurred as agent for and on behalf of each Covered Affiliate. The obligations of the
Covered Affiliates under this Schedule shall be several and not joint and several.

2. For the purpose of this Schedule a Covered Affiliate means: (i) each Affiliate of GSK which has entered into the
Agency Agreement (a list of which will be provided by GSK to Supplier on request); (ii) each Affiliate of GSK which has
the benefit of this Schedule as a third party (a list of which will be provided by GSK to Supplier on request); (iii) each
Affiliate of GSK which has been added by the parties to this Agreement as a party, in a form reasonably required by
GSK where GSK reasonably determines it necessary in order to comply with applicable Data Protection Laws; and (iv)
any additional new Affiliate of GSK that is added or that needs to be added as a party to this Schedule.

3. The terms set out in clauses 1-11 of this Schedule (the Privacy Obligations) shall be a separate agreement between
each Covered Affiliate and Supplier. References in the Privacy Obligations to GSK shall be to each Covered Affiliate.

4. Supplier agrees that, upon the request of GSK or a Covered Affiliate, it shall procure that a separate original of the
Privacy Obligations (or any agreement incorporated therein, including the Model Clauses or any other data transfer
agreement), between that Covered Affiliate and Supplier, is executed.

5. For the avoidance of doubt (i) unless expressly stated otherwise in the Agreement, no Covered Affiliate shall be
entitled to enforce any other right of GSK or obligation of Supplier under the Agreement; (ii) all exclusions, limitations
of liability and provisions for conduct of litigation set out in this Agreement shall also apply to the Privacy Obligations,
provided that nothing in this Agreement or this Schedule shall limit the liability of either party to individuals under the
Model Clauses.

6. GSK shall enforce any provision of this Schedule on behalf of its Covered Affiliates and in accordance with the
instructions of the Covered Affiliates except to the extent that it is not able to do so as a result of applicable laws.

7. If and to the extent that GSK is not able to recover a loss incurred by any Covered Affiliate under this Schedule in any
instance where a claim to recover loss is not, by operation of law or decision of a court, deemed to be enforceable by
GSK itself (including, for example, where it is deemed that GSK has no standing to enforce the claim for recovery of loss
for whatever reason) then the relevant Covered Affiliate shall be entitled to enforce the Privacy Obligations against
Supplier in its own right, but subject always to the exclusions and limitations of liability set out in this Agreement.

8. International Data Transfers by Covered Affiliates. Where a Covered Affiliate, acting as a Data Exporter, transfers
Shared Personal Information to Supplier, acting as Data Importer, the parties hereby agree to abide by the Model
Clauses, under the terms set forth in clause 11.1. The Model Clauses shall be a separate agreement between each
Covered Affiliate and each Data Importer.

Part 1

Where a Covered Affiliate established in a country listed in Part 1 of this Schedule transfers Shared Personal Information to
Supplier, such transfer will be subject to the following additional provisions:

Argentina - Where GlaxoSmithKline Argentina S.A., domiciled at Tucuman 1, 4th Floor, city of Buenos Aires, Argentina (acting
as a Data Exporter) transfers Shared Personal Information to Supplier (acting as Data Importer) the parties hereby agree to
abide by the Act No. 25,326 on Personal Data Protection and the Deposition E-60 (Annex II) of November 16, 2016, published
in the National Bulletin of 18-Nov-2016, or any other rule that complements or replaces them (Argentinian Model Clauses).
To the extent of any conflict or inconsistency between any term of the Argentinian Model Clauses and any other part of this
Agreement, the terms of the Argentinian Model Clauses shall prevail.

Germany - If and to the extent a Covered Affiliate established in Germany, acting as a Data Exporter, transfers Shared
Personal Information pursuant to Clause 11 of the Schedule, the Model Clauses are hereby replaced with the Set I Controller-
Controller Clauses approved under Commission Decision 2004/915/EC, which are incorporated herein by reference.

Israel - The following provisions shall apply to the transfer of any personal data controlled by a Covered Affiliate in Israel (GSK
Israel as further defined below) to Supplier located outside of Israel, in addition to the other provisions of this Schedule.

1. Supplier undertakes to comply with the provisions of the Exhibit set out below, as Data Importer (the “Israel Data
Transfer Agreement”).
2. Supplier shall not transfer or disclose personal data transferred by GSK Israel to any other person or entity whether in
Supplier’s country or elsewhere, other than to a service provider that has entered into the Israel Data Transfer
Agreement with GSK Israel (in this case the "Data Importer" in the Israel Data Transfer Agreement shall be the third-
party entity) or an equivalent data transfer agreement which complies with the Supplier's obligations under Data
Protection Laws.
3. If Supplier transfers the personal data of GSK Israel to a third party which has not signed the Israel Data Transfer
Agreement with GSK Israel, or an equivalent data transfer agreement which complies with the Supplier's obligations
under Data Protection Laws, Supplier shall indemnify GSK Israel in respect of any claim by a third party, or
determination by the Israeli data protection authorities, that Supplier’s transfer of the personal data of GSK Israel to
that third party in connection with this Agreement does not comply with Israeli law relevant to data transfers, as well
as any damages, losses, expenses and fines (including reasonable attorneys' fees) resulting from such claim or
determination.
4. GSK and Supplier acknowledge that the systems where the relevant personal data is stored and to which Supplier is
allowed access are to be agreed by GSK and Law Firm if/when a particular engagement agreement involves personal
information involving residents of Israel.

Exhibit
Israel Data Transfer Agreement

GlaxoSmithKline (Israel) Ltd and GSK Consumer Healthcare Israel (each separately and together “GSK Israel”) agrees to provide
to Law Firm with which GSK enters into this Agreement (the "Data Importer") certain information (“Information”) which may
be stored in one or more databases maintained by GSK Israel ("Databases"), subject to the terms and conditions set forth in
this Exhibit:

1. The provisions of this Exhibit are made and have been executed according to the requirements and
conditions of the Israeli Protection of Privacy Law – 1981 and The Protection of Privacy Regulations (Transfer
of Information to a Database Outside the Borders of the State) – 2001 (“Regulations”), and Section 2(4) of
the Regulations.

2. The Data Importer undertakes that the Information will not be transferred or disclosed to any other person
or entity, whether in Supplier’s country or another country.

3. The Data Importer undertakes to take adequate measures to ensure the privacy of those individuals to
whom such Information refers.

This Exhibit is governed by, and construed in accordance with, the laws of the State of Israel.
