
Data Protection and Security
Commercial Contract
Table of Contents:
Definitions
Standard Obligations
Security Measures
Inspection and Audit Rights
Industry-Specific Privacy and Security Standards
- HIPAA
- Consumer Privacy Protection Principles for Vehicle Technologies and Services
- Credit Card Industry Standard
Permitted Uses
Data Protection Breach Incidents
- Definition
- Notice
- Corrective Measures
- Public Announcements
Data Protection and Security
While terms relating to the protection of personal information are becoming increasingly common in contracts due to the high-risk nature of handling such sensitive information, such terms are often absent or insufficiently addressed in general commercial agreements. At a minimum, the parties may wish to include some basic terms relating to the protection of sensitive information, particularly where the contract contemplates the use, handling, and exchange of information of a biometric, medical, financial, or other personal nature. A detailed discussion of data-protection terms in the context of NDAs can be found in the section entitled “Data Protection Security Measures”.
Definitions
As illustrated in the following exemplar, an acceptable definition of “personal information” should account for information that could potentially identify a specific individual:
Exemplar C22-1
“Personal Information” means information provided to Supplier by or at the direction of Company, or to which access was provided to Supplier by or at the direction of Company, and any modifications and derivatives thereof, that (a) identifies an individual or with respect to which there is a reasonable basis to believe the information can be used to directly or indirectly identify an individual (including, without limitation, names, addresses, telephone numbers, e-mail addresses and other unique identifiers); or (b) can be used to authenticate an individual (including, without limitation, employee identification numbers, government-issued identification numbers, passwords or PINs, user identification and account access credentials or passwords, financial account numbers, credit report information, biometric, health, medical or medical insurance data, answers to security questions and other personal identifiers).
Standard Obligations
The following exemplars recite basic and general obligations regarding the protection of personal information, which may suffice for certain transactions until fuller and more robust terms are required:
Exemplar C22-2
During the Term and for so long as any Party retains any Personal Information in consequence of this Agreement and its performance, that Party shall comply with all requirements of applicable law and industry standards regarding the protection of Personal Information. Upon the occurrence of a Data Security Breach implicating this Agreement (including any Personal Information received or held by a Party in consequence of this Agreement), the compromised Party’s authorized privacy or security officer, or equivalent officer, shall promptly notify the other Party in writing, together with an explanation in reasonable detail of the nature, causes, and potential remedies for that Data Security Breach. The Parties shall reasonably cooperate, although at the sole cost and expense of the compromised Party, in regard to any Data Security Breach to identify the causes, develop and implement a reasonable remedial plan and all necessary remedial actions, and to limit as much as is possible the potential damages arising in consequence of a Data Security Breach.
Exemplar C22-3
To the extent it holds, retains, stores, transmits, uses or processes Partner Data in connection with this Agreement, it will maintain appropriate logical and physical security measures to prevent loss, destruction, or unauthorized access to such Partner Data in accordance with all applicable laws, regulations, or industry requirements applicable to such Partner Data including, without limitation, laws and regulations relating to data privacy.
Exemplar C22-4
Contractor represents and warrants that it shall at all times utilize reasonable and appropriate practices and technologies common and prevalent in Contractor’s industry (including, to the extent applicable, encryption, firewall protection, intrusion detection and prevention tools and network management applications) to protect, safeguard, and secure Partner Data against unauthorized access, use and disclosure.
Exemplar C22-5
The parties will comply with all applicable international, federal, state, provincial and local laws relating to (a) corruption practice, bribery, and acts contrary to the public administration including the US Foreign Corrupt Practices Act of 1977, 15 U.S.C. § 78dd-1, et seq.; (b) discrimination against employees or job applicants based on race, color, religion, sex, national origin, veteran status or disability; and (c) the privacy, confidentiality, security and protection of Personal Data including the EU Data Protection Directive 95/46/EC as amended and as implemented in the various European Economic Area countries or any similar and applicable legislation enacted outside of the European Economic Area and security breach notification laws.
Security Measures
In addition to terms that require a service provider to process any client data in accordance with applicable law, industry standards, and the client’s instructions, the client may also require the provider to implement appropriate technical and organizational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, such data.
Exemplar C22-6
Customer will maintain commercially reasonable administrative, physical, and technical safeguards for protection of the security of the Services. Without limiting the foregoing, Customer shall maintain a written, comprehensive information security plan that specifies adequate and appropriate technological, physical and organizational security measures and standards for security, configuration and anti-virus protection, with respect to its facilities, computer systems, employees, representatives and contractors, third parties under its control and other matters relating to the Prime Services. Customer shall regularly test or otherwise monitor the effectiveness of such security measures and standards for protection. Upon request from Partner, Customer shall have one of its senior officers certify Customer’s compliance with such security measures and standards for protection. Upon request, Customer shall provide Partner with a copy of an executive overview and summary of Customer’s security policies.
Exemplar C22-7
The parties acknowledge that Contractor may hold, retain, store, transmit, use or process Personal Data in connection with the provision of the Service to Customer. Personal Data means data, the use, processing, or transfer of which is regulated by law or regulation applicable to Contractor as personal data/personally identifiable information. Contractor shall process Personal Data in accordance with applicable law and the terms and conditions attached hereto in Addendum A (Data Processing Terms), including restricting access to Personal Data, applying appropriate security measures to protect Personal Data, and not disclosing Personal Data to third parties without Customer’s prior authorization. Contractor will maintain appropriate logical and physical security measures to prevent loss, destruction, or unauthorized access to such data in accordance with all applicable laws, regulations, or industry requirements applicable to such data, including, without limitation, laws and regulations relating to data privacy. Without limiting the foregoing, Contractor represents and warrants that it shall at all times utilize reasonable and appropriate practices and technologies common and prevalent in Contractor’s industry (including, to the extent applicable, encryption, firewall protection, intrusion detection and prevention tools and network management applications) to protect, safeguard, and secure data against unauthorized access, use and disclosure. Additionally, Contractor shall maintain a written, comprehensive information security plan that specifies adequate and appropriate technological, physical and organizational security measures and standards for security, configuration and anti-virus protection, with respect to its facilities, computer systems, employees, representatives and contractors, third parties under its control and other matters relating to the Services. Contractor shall regularly test or otherwise monitor the effectiveness of such security measures and standards for protection.
Exemplar C22-8
Supplier shall implement and maintain appropriate measures designed to meet the following objectives: (i) to ensure security and confidentiality of Protected Data; (ii) to protect against any anticipated threats or hazards to the security or integrity of Protected Data; and (iii) to protect against unauthorized access to or use of Protected Data. Supplier shall maintain physical, electronic, and procedural controls and safeguards in compliance with the Law, to protect the Protected Data from unwarranted disclosure. These controls shall include the maintenance of appropriate safeguards to restrict access to the Protected Data to those employees, agents, or service providers of Supplier and its subcontractor who need such information to carry out the purpose of providing the Services. For information disclosed in electronic form, Supplier agrees that such safeguards must include electronic barriers (e.g., “firewalls” or similar barriers) and password protected access to the Protected Data. In addition, in the event that Supplier sends or receives any Protected Data over the Internet or through an ISP, Supplier shall secure or encrypt such information in a manner consistent with industry security standards. For information disclosed in written form, Supplier agrees that such safeguards shall include secured storage of Protected Data. Supplier shall also establish and maintain any additional physical, electronic, and procedural controls and safeguards to protect the Protected Data from unwarranted disclosure as may be required for Contractor to comply with any Law.
Exemplar C22-9
Contractor agrees to the following as it relates to Personal Data:
1.1 To prevent unauthorized use, dissemination, or publication of the Personal Data, and implement any technical and organizational measures to protect Personal Data which are required by the applicable law.
1.2 To implement appropriate technical and organizational measures to protect Personal Data against (i) accidental or unlawful destruction or loss, (ii) unauthorized disclosure or access, in particular where processing involves the transmission of Personal Data over a network, (iii) alteration, and (iv) all other unlawful forms of processing.
1.3 To inform Client immediately in writing if it becomes aware of any unauthorized use or disclosure of Personal Data by itself or others.
1.4 When collecting, using, storing, transferring and otherwise processing Personal Data, Contractor shall adhere to all applicable export and personal data protection laws, regulations and rules.
Exemplar C22-10
Company warrants that it has adopted and implemented written technical and organizational measures to protect personally identifiable information (“PII”) against accidental, unauthorized or unlawful destruction, loss, alteration, disclosure, and access, and against all other unlawful activities. To fulfill its obligations under this section, Company shall have in place, at a minimum physical, technical, administrative, and organizational safeguards that provide for and ensure: (a) protection of business facilities, paper files, servers, computing equipment, including without limitation all mobile devices and other equipment with information storage capability, and backup systems containing PII; (b) network, application (including databases) and platform security; (c) business systems designed to optimize security and proper disposal of PII according to the terms of this Agreement; (d) secure transmission and storage of PII; (e) authentication and access control mechanisms over personal information, media, applications, operating systems and equipment; (f) personnel security and integrity, including background checks where consistent with applicable law; (g) annual training to Company’s employees on how to comply with the Company’s physical, technical, and administrative information security safeguards and confidentiality obligations under applicable laws, rules, regulations and guidelines; (h) reasonably up-to-date versions of security agent software for systems that house PII, which include ransomware and malware protection, and use reasonably up-to-date patches and virus definitions; and (i) storage limitations such that PII reside only on servers in data centers that comply with industry standard data center security controls, and restrictions to ensure that PII are not placed on any notebook hard drive or removable media, such as compact disc or flash drives.
Exemplar C22-11
Licensor shall implement all technical and organisational measures to comply with the requirements pursuant to applicable data protection laws. Licensor undertakes to Contractor that it has taken and will, on a continuing basis, take appropriate technical and organizational measures to keep personal data secure and protect it against unauthorized or unlawful processing and accidental loss, destruction or damage. In particular, Licensor shall take and regularly check the following protection measures:
· Physical access control: Licensor shall install an access control system.
· Access control: Licensor shall control and log access to data processing systems.
· Access limitation control: Licensor shall define, implement and monitor a concept for user rights, rules for passwords and login procedures.
· Transmission control: Licensor shall ensure personal data transmission in encrypted form or by a secure alternative procedure. Transmissions must be logged and guidelines for personal data transmissions must be laid down in writing.
· Input control: Licensor shall implement a detailed logging system for input, modification and deletion of personal data.
· Job control: Licensor shall define in writing and establish control mechanisms to ensure that data are processed strictly in accordance with the instructions of the Provider.
· Availability control: Licensor shall run a state-of-the-art backup system and define a restore operation procedure to protect personal data from accidental destruction or loss.
· Data separation: Licensor shall ensure by technical means and defined organisational procedures that personal data collected for different purposes (e.g. different Providers) can be processed separately. Technical means can be separated computer systems or demonstrably logical separation. Access by one Explorer to the data of any other Explorer must be prevented.
Exemplar C22-12
If any information provided or disclosed to, or acquired by, Contractor in connection with the Purpose includes the name and address of an individual CUSTOMER subscriber, or other information that under Applicable Law (as such term is defined below) is personally identifiable information (or other equivalent term used under any Applicable Law) of an individual CUSTOMER subscriber, (collectively, "Personal Data"), the communication, storage and use thereof by Contractor shall be subject to the provisions of this Section as follows: Contractor has established, and implements and maintains, (i) a comprehensive written information security program that is reasonably designed to protect the security, confidentiality and integrity of Personal Data (the "Security Program"); and (ii) a written program for combating identity theft in connection with Contractor's use of Personal Data, either as a component of the Security Program or on a stand-alone basis (the "Identity Theft Prevention Program"). The Security Program and the Identity Theft Prevention Program shall each contain administrative, technical and physical safeguards appropriate to Contractor's size and complexity, the nature and scope of Contractor's use of Personal Data, and the sensitivity of Personal Data.
Inspection and Audit Rights
The owner of personal information can confirm compliance by the party handling or processing such information with its legal obligations under the contract or applicable law through inspections, audits, and/or industry-standard audit reports:
Exemplar C22-13
Contractor shall accord to any independent security expert or auditor engaged by CUSTOMER and reasonably acceptable to Contractor reasonable access to all facilities, systems and records in the possession or under the control of Contractor solely to investigate and examine Contractor's use of Personal Data and compliance by Contractor with the Security Program and the Identity Theft Prevention Program as they relate to Personal Data; provided, that any independent third party engaged by CUSTOMER that is qualified as a Certified Information System Security Professional or as a Certified Information Systems Auditor, or holds a Global Information Assurance Certification from the SANS (SysAdmin, Audit, Network, Security) Institute, shall be deemed acceptable to Contractor. Such independent security expert or auditor engaged by CUSTOMER must execute a confidentiality agreement in a customary form reasonably approved by Contractor prior to any such inspection.
Exemplar C22-14
Client may inspect CONTRACTOR's operating facilities during standard office hours to ascertain that procedures with respect to the observance of the technical and organizational requirements of data protection and information security are appropriate.
Exemplar C22-15
Customer agrees that, to the extent applicable, Contractor's then-current SOC 1 and SOC 2 audit reports (or comparable industry-standard successor reports) and/or Contractor's ISO 27001 and ISO 27018 Certifications will be used to satisfy any audit or inspection requests by or on behalf of Customer, and Contractor shall make such reports available to Customer. In the event that Customer, a regulator, or supervisory authority requires additional information, including information necessary to demonstrate compliance with this DPE, or an audit related to the Covered Service, such information and/or audit shall be made available in accordance with Contractor's Customer Audit Program.
Exemplar C22-16
Contractor will provide Client with a copy of the Type II SAS 70 audit report or ISAE 3402 report (or any successor report thereto), as the case may be, with respect to the Services ("Internal Control Report") as soon as reasonably practicable following Contractor's receipt of such Internal Control Report, but no less frequently than once per calendar year. Client shall not distribute to or allow any third party (other than its independent auditors) to use the Internal Control Report provided to Client by Contractor without the prior written consent of Contractor. Client shall instruct its independent auditors or other approved third parties to keep the Internal Control Report confidential and Client shall remain liable for any unauthorized disclosure of the Internal Control Report by its independent auditors or other approved third parties.
Exemplar C22-17
CONTRACTOR shall maintain a commercially reasonable disaster recovery plan ("DR Plan"), a copy of the summary of which shall be available for viewing by the Client in CONTRACTOR's offices upon request. CONTRACTOR agrees to follow its DR Plan. CONTRACTOR may amend its DR Plan at any time, provided that CONTRACTOR shall not reduce its disaster recovery ability to less than the disaster recovery ability in effect pursuant to the DR Plan in existence on the Effective Date of this Agreement.
Industry-Specific Privacy and Security Standards
Certain highly regulated industries may have specific standards for handling and securing personal data which can be referenced and incorporated by the parties:
HIPAA
Exemplar C22-18
Both parties agree to comply with applicable federal and state privacy and information security laws and regulations (“Privacy Laws”), including, but not limited to, state medical privacy laws, the Health Insurance Portability and Accountability Act of 1996, the Health Information Technology for Economic and Clinical Health Act of 2009 (the "HITECH Act"), and regulations promulgated thereunder (collectively, “HIPAA”), to the extent HIPAA requirements are applicable to the Services. Both parties agree not to use or further disclose any “protected health information” (“PHI”), as defined in 45 CFR §164.504, or “individually identifiable health information” (“IIHI”), as defined in 42 U.S.C. §1320d, concerning a test subject other than as permitted by the provisions of this Agreement and Privacy Laws. Both parties shall implement appropriate logical and physical security measures and safeguards designed to prevent the use or disclosure or loss or destruction of, or unauthorized access to, IIHI or PHI. Either party shall promptly provide Notice to the other party of any use or disclosure, or loss or destruction of, or access to PHI or IIHI not in accordance with this Agreement or in violation of Privacy Laws of which that party becomes aware. Each party shall include provisions in any subcontracts for the Services whereby the subcontracting party and the subcontractor agree to the same restrictions and conditions that apply to the subcontracting party with respect to such IIHI. Either party shall return to the other party or properly dispose of any IIHI or PHI in accordance with Privacy Laws after the expiration or termination of this Agreement. Any breach of this paragraph shall constitute a material breach that may be cause for termination of this Agreement.
Exemplar C22-19
The Parties acknowledge that in providing the Service pursuant to this Agreement, Contractor may have access to certain personally identifiable information provided by Customer and/or Users and/or third-party payors or plan administrators, which information may be subject to applicable international, federal, state and local data privacy and security laws and regulations (“Customer Protected Data”). Where required under applicable data privacy laws, the Parties will enter into such additional contracts as may be required under such laws, such as a Business Associate Agreement if applicable and required by the U.S. Health Insurance Portability and Accountability Act (“HIPAA”) and/or a Data Processing Agreement if applicable and required by the EU General Data Processing Regulation (“GDPR”) (each a “Data Privacy Agreement”). The applicable data privacy terms that will govern the control and processing of User Personal Information in connection with the Services are attached hereto as Exhibit X, and shall be deemed an addendum to and part of this Agreement and shall be incorporated by reference herein.
Consumer Privacy Protection Principles for Vehicle Technologies and Services
Exemplar C22-20
Supplier represents and warrants that at all times during the term of the Agreement it will: (i) comply with all applicable local, state, federal, and international privacy, confidentiality, consumer protection, advertising, electronic mail, data security, data destruction, and other similar laws, rules and regulations, whether in effect now or in the future, Client’s privacy policy, as may be updated by Client from time to time in its sole discretion, the Consumer Privacy Protection Principles for Vehicle Technologies and Services promulgated by the Alliance of Automobile Manufacturers, the Association of Global Automakers, and their members and industry best practices (all of the foregoing collectively the “Privacy and Security Requirements”); (ii) use, handle, collect, maintain, store, transmit and destroy Client Data solely as permitted under the Agreement or as instructed by Client and in accordance with all Privacy and Security Requirements; and (iii) maintain and enforce administrative, technical and physical security procedures designed to ensure the confidentiality, integrity and availability of Client Data that are (A) at least equal to those required by all relevant Privacy and Security Requirements, and, to the extent not inconsistent with the foregoing, (B) in accordance with industry best practices for Services of the kind provided by Supplier under the Agreement. Supplier’s failure to fulfill its data privacy and security obligations set forth in this Agreement constitutes a material breach of the Agreement subject to termination by HMA under this Agreement.
Credit Card Industry Standard
Exemplar C22-21
Without limiting the generality of the foregoing (i) the Security Program shall adhere to requirements of the Payment Card Industry Data Security Standard in effect from time to time ("PCI DSS"), in connection with all use, if any, of Personal Data that is "cardholder data" or "sensitive authentication data" (as each such term is used in PCI DSS); (ii) the Identity Theft Prevention Program must include reasonable policies and procedures for detecting, preventing and mitigating identity theft that conform to regulations and guidelines promulgated pursuant to the Fair and Accurate Credit Transactions Act of 2003 and rules and regulations adopted thereunder; and (iii) the Security Program and the Identity Theft Prevention Program shall each comply with all Applicable Laws. "Applicable Law" means any privacy, data security, breach notification, identity theft or other United States federal or state law applicable to Personal Data. For purposes of this Agreement, references to and compliance with Applicable Law shall mean reference to and compliance with any Applicable Law of the jurisdiction in which an individual whose Personal Data included in Confidential Information resides, even if any such Applicable Law does not otherwise impose a direct obligation on Contractor.
Permitted Uses
In the following exemplars, the parties specify certain permitted uses of personal information, including use necessary to provide contracted services:
Exemplar C22-22
To the extent any personally identifiable data relevant to Customer or Customer Representatives is obtained by Contractor or communicated to Contractor by Customer in connection with this Agreement, Contractor agrees that it (and/or its contractors) will use or disclose any such personally identifiable data received (if any is ever received) only to implement and deliver the features and services associated with the normal use of the Software and to perform its obligations hereunder.
Exemplar C22-23
It is not the intention under this Agreement for Licensor to process personal data of Contractors or End Users. Rather, processing of Contractor or End User personal data will take place only in exceptional circumstances as an incidental effect of Licensor’s performing its contractual duties. To the extent Licensor does process personal data of Contractor or End User and such processing constitutes commissioned data processing by Licensor under EU Directive 95/46/EC (hereinafter referred to as the “Data Protection Directive”) and/or applicable national data protection laws of the EU/EEA Member States.
Exemplar C22-24
Client acknowledges and agrees that CONTRACTOR shall process the Personal Information of employees and former employees of the Client Group as needed to provide the Services. CONTRACTOR shall only process the Personal Information in accordance with Client's instructions as needed to perform the Services, or as required or permitted by the applicable data protection law. CONTRACTOR shall at all times have implemented reasonable operational, technical and organizational measures to protect the Personal Information received by CONTRACTOR from Client against accidental or unlawful destruction or alteration and unauthorized disclosure or access.
Exemplar C22-25
Licensor shall process the personal data and other operating data of Contractor exclusively in accordance with Contractor’s instructions and/or End User’s instructions relayed to Licensor by Contractor which may include (without limitation) the correction, erasure and/or the blocking of such data. The personal data shall not be used by Licensor for any other purpose. Licensor shall not preserve such personal data longer than instructed by Contractor. The statutory preservation periods remain unaffected.
Exemplar C22-26
Contractor shall give commissions related to the processing of personal data and parts thereof to Licensor in writing, by facsimile or via e-mail or implied by making use of the Software.
Exemplar C22-27
Licensor shall process the personal data and other operating data of Contractor exclusively in accordance with Contractor’s instructions and/or End User’s instructions relayed to Licensor by Contractor which may include (without limitation) the correction, erasure and/or the blocking of such data. The personal data shall not be used by Licensor for any other purpose. Licensor shall not preserve such personal data longer than instructed by Contractor. The statutory preservation periods remain unaffected. For processing personal data, Licensor shall only use personnel which demonstrably committed themselves to observe data secrecy and secrecy of telecommunications pursuant to applicable data protection laws. Licensor may discharge this obligation by utilizing one standard template for all its customers.
Data Protection Breach Incidents
The following exemplars define the obligations and assign the responsibilities of the parties upon the occurrence of unauthorized access to protected data (aka a “Data Protection Incident”), including those relating to notice to the data owner, corrective measures to be undertaken by the data processor, and coordination of any public announcements regarding the breach incident (note that a similar discussion relating to data security breach incidents in the context of NDAs can be found in the section entitled “Data Protection Security Measures” [N6A]).
Definition
Exemplar C22-28
A "Data Protection Incident" means (A) any (1) breach of Contractor's facilities, equipment or systems, (2) failure to comply with the Security Program or the Identity Theft Prevention Program, (3) unauthorized disclosure, access or use of Personal Data in the possession or under the control of Contractor, or (4) violation by Contractor or any employee, contractor, agent or representative of Contractor of any Applicable Law, that in each case reasonably may be expected to (x) adversely affect the security or confidentiality of Personal Data, or (y) lead to identity theft or other substantial harm or inconvenience with respect to a CUSTOMER subscriber; or (B) any (1) claim made or suit filed or proceeding instituted by a third party with respect to, or (2) inquiry, investigation or directive initiated or issued by any governmental entity regarding (x) the failure by Contractor to comply with any Applicable Law, or (y) any compromise in the security or confidentiality of Personal Data in the possession or under the control of Contractor.
Notice
Exemplar C22-29
Upon becoming aware of a Data Protection Incident, Contractor shall promptly notify CUSTOMER in writing, reasonably detailing the circumstances and particulars thereof. Promptly following its own receipt thereof, Contractor shall provide CUSTOMER with a copy of (A) any written communication from a governmental entity pertaining to a Data Protection Incident, and (B) any complaint or demand filed with a court or governmental entity pertaining to a Data Protection Incident; provided, that Contractor may redact from such copy any non-public information that identifies or describes any customer or client of Contractor.
Exemplar C22-30
CONTRACTOR shall inform Client as soon as practicable, but in any event within five (5) days or, as otherwise agreed to by Client (subject to any delay requested by relevant statute or an appropriate law enforcement agency), if CONTRACTOR receives and becomes aware of any enquiry, complaint or claim from any court, governmental official, third parties or individuals (including but not limited to the individuals to whom the Personal Data relates), and shall timely provide Client with reasonable support and cooperation in responding to any such request. Should Client, on the basis of applicable law, be obliged to provide information to an individual about the Processing of Personal Data relating to that individual, CONTRACTOR shall, without levying a fee, assist Client in providing such access or information, provided that Client has submitted a written request for CONTRACTOR to do so.
Exemplar C22-31
Licensor shall inform Contractor immediately in case of serious disruptions of the operating process, suspected data protection violations or other irregularities in connection with the processing of Contractor’s Data.
Corrective Measures
Exemplar C22-32
In the event of the occurrence of a Data Protection Incident involving Personal Data, Contractor shall take such reasonable corrective measures as CUSTOMER may request that are customary under the circumstances (such as providing breach notifications to CUSTOMER subscribers). Contractor shall promptly reimburse CUSTOMER upon its written request reasonably detailing any of the following costs and expenses actually and reasonably incurred by CUSTOMER as a direct result of such Data Protection Incident: (a) the reasonable fees and disbursements of any independent security expert or auditor engaged by CUSTOMER to conduct any investigation or examination upon the occurrence of a Data Protection Incident, and (b) any corrective measures required by any Applicable Law or by any governmental entity, financial institution or payment card issuer or processor to be taken by CUSTOMER (such as providing breach notifications to CUSTOMER subscribers, closing and/or reopening CUSTOMER subscriber accounts, and offering credit monitoring services and identity theft insurance to CUSTOMER subscribers).
Exemplar C22-33
If CONTRACTOR becomes aware of any actual or suspected unauthorized access that compromises the security, integrity or confidentiality of any Personal Information of Client (an "Incident"), CONTRACTOR will take appropriate actions to contain and mitigate the Incident, including notifying Client as soon as possible, but in no event more than five Business Days of CONTRACTOR becoming aware of the Incident (subject to any delay requested by an appropriate law enforcement agency), to enable Client to expeditiously implement its response program. CONTRACTOR will reasonably cooperate with Client to investigate the nature and scope of any Incident, and to cooperate with Client to implement any reasonable remedies in response to such Incident.
Exemplar C22-34
At Contractor’s written request and at Contractor’s expense, Licensor shall reasonably support Contractor in dealing with requests from individual data subjects and/or a supervisory authority with respect to the processing of personal data controlled by Contractor. Licensor shall notify Contractor about inspections and measures of a supervisory or any other competent authority.
Public Announcements
Exemplar C22-35
Licensor shall inform Contractor immediately in case of serious disruptions of the operating process, suspected data protection violations or other irregularities in connection with the processing of Contractor’s Data.