MASTER AGREEMENT FOR BRANDS
This Master Agreement (“Master Agreement”), dated as of the Effective Date, sets forth the terms governing the relationship between the Customer set forth below and Locally.com, Inc., a Delaware corporation, doing business as Locally.com (the “Service Provider”) relating to the use and provision of the Service Provider’s SaaS Products, Portal, and SaaS Services (as such terms are defined herein) as set forth on the Statement of Work (as defined herein).
RECITALS
A. The Service Provider’s SaaS Products, Portal, and SAAS Services (as such terms are defined herein) are hereinafter collectively referred to as the “SAAS System”.
B. This “Agreement” collectively means and includes:
(i) this Master Agreement, including without limitation all of the terms and conditions for the provision of the SAAS Products, Portal, and SaaS Services being purchased or procured by Customer from Service Provider as set forth in Exhibit A attached hereto and which is incorporated herein by this reference;
(ii) the Statement of Work and any addendum thereto, attached hereto as Exhibit B and by this reference incorporated herein; and
(iii) the Data Processing Agreement and any addendum thereto, which is attached hereto as Exhibit C and which is incorporated herein by this reference (the “Data Processing Agreement”).
NOW THEREFORE, for good and valuable consideration, the parties agree as follows:
1. Definitions. Certain capitalized terms, if not otherwise defined on the Statement of Work to which this Agreement is attached, shall have the meanings set forth below or in the body of this Agreement.
(a) “Affiliate” means any company which directly or indirectly controls, is controlled by or is under common control with either Party.
(b) “Aggregate/Anonymous Data” has the meaning set forth in Section 8 herein.
(c) “Agreement” has the meaning set forth in the Recitals above.
(d) “Confidential Information” means any material or information relating to a Party’s research, development, products, product plans, services, customers, customer lists, software, developments, inventions, processes, formulas, technologies, designs, finances, or other business information (including without limitation, information and tangible and intangible property which may relate to the aforementioned) or trade secrets that a disclosing Party treats as proprietary or confidential and whether or not marked or otherwise identified by such Party as being confidential. Without limiting the foregoing, Confidential Information of Customer shall include the Customer Data, and Confidential Information of the Service Provider shall include all of the SAAS System and the Aggregate/Anonymous Data. Confidential Information shall not include information that: (i) was generally available to the public at the time it was received from the disclosing party; (ii) becomes publicly known through no fault of the receiving party subsequent to the time of the disclosing party's communication thereof to the receiving party; (iii) can be demonstrated to have been known to the receiving party, without restriction, at the time of disclosure by the disclosing party; (iv) is developed by the receiving party independently of and without reference to any of the disclosing party's Confidential Information or other information that the disclosing party disclosed to any third party pursuant to an obligation of confidentiality; or (v) is disclosed in response to an order or requirement of a court, administrative agency or other governmental body, provided, however, that (x) the receiving party must provide prompt advance notice of the proposed disclosure to the disclosing party, and (y) any Confidential Information so disclosed shall otherwise remain subject to the provisions of Section 12.
(e) “Customer Data” shall collectively mean any of the following data, information, material or other content (collectively “Data”):
(i) any Data that the Customer or any of its Customer Users may, directly or indirectly provide or make available to Service Provider in the course of this Agreement, or otherwise upload or use as part of their access or use of any aspects or parts of the SAAS System, including without limitation:
(x) any of their trademarks, service marks, logos, product names, product descriptions, product specifications, other product information, photos, images, graphics, videos, audio files, code, other information, other data, material, or any other written content in any format whatsoever; and/or
(y) any Data related to the Customer Goods, including without limitation: (a) product descriptions, product specifications, or other product information; or (b) any information related to the purchase of Customer Goods by End Users; and/or
(ii) any Data that the Customer or its Customer Users may make available to any End User in conjunction with the SAAS System.
For clarity and the avoidance of doubt, “Customer Data” does not include any Aggregate/Anonymous Data (as defined herein).
(f) “Customer Goods” shall mean any products or goods offered by the Customer.
(g) “Customer Users” shall mean employees and independent contractors of Customer authorized by Customer to access and use the Customer’s SAAS Services account.
(h) “Documentation” shall mean Service Provider’s user manuals and/or related documentation generally made available to users of any of the SaaS System (whether online or printed).
(i) “End Users” shall mean visitors of the Customer’s owned and operated websites (“Customer’s Website”) on which the Service Provider’s SaaS Products are integrated as a widget or any other consumers that can shop to purchase any Customer Goods using any other functions of the SaaS System.
(j) “Inputs” shall mean any data, information, materials or other content given to Service Provider by Customer’s End Users or otherwise collected by Service Provider from Customer’s End User, including without limitation any data, information or material (such as, but not limited to, any personal information about End Users) that is made available through, or which End Users provide via use of, the SaaS System.
(k) “Intellectual Property” means all copyrights, trademarks, trade secrets, patents, mask works, and other intellectual property recognized in any jurisdiction worldwide, including all applications and registrations with respect thereto.
(l) “Laws” shall mean applicable international, national, state, local, or other governmental authority laws, regulations, ordinances, orders, standards (including but not limited to payment card industry standards), rules and other requirements that may now or hereafter govern performance of a Party pursuant to this Agreement.
(m) “Portal” or “Service Provider’s Portal” has the meaning set forth in Section 5 herein.
(n) “SaaS Products” shall mean the Service Provider’s solutions purchased or procured by Customer from Service Provider as set forth in and pursuant to the terms and conditions of the Statement of Work and Exhibit A attached hereto.
(o) “SaaS Services” shall mean any additional professional services provided by Service Provider to Customer in connection with the SaaS Products, as set forth in and pursuant to the terms and conditions of the Statement of Work and Exhibit A attached hereto.
(p) “SaaS System” has the meaning set forth in the Recitals above.
(q) “Statement of Work” shall mean the Service Provider’s Statement of Work document setting forth: (i) the specific SaaS Products and SaaS Services, as applicable, to be provided by Service Provider to Customer under this Agreement; and (ii) any Professional Services and/or Additional Products (as contemplated by Section 3 herein) which may be provided by Service Provider to Customer.
(r) “Term” shall collectively mean the Initial Term set forth on the Statement of Work and any Renewal Term thereafter as mutually agreed by the Parties as set forth in Section 4.
2. General. Service Provider agrees, pursuant to the terms and conditions of this Agreement, to provide the SaaS Products as described in and pursuant to the Statement of Work and to provide any SAAS Services as described in the Professional Services section of and pursuant to the Statement of Work, and Customer agrees to pay for the SaaS Products and SAAS Services and comply with all of the terms and conditions set forth in this Agreement. The SaaS Products shall be for use only in connection with accessing the SAAS System and use of the SAAS Services, for Customer's business purposes.
3. Professional Services and Additional Products. Customer may request, and Service Provider may in its discretion agree to, provide certain ancillary services, pursuant to the terms and conditions set forth in a Statement of Work. Such Professional Services and Additional Products as may be set forth in the Statement of Work shall be governed by the terms of this Agreement unless otherwise expressly set forth therein.
4. Renewal Term. Following expiration of the Initial Term, the Term of Service will automatically revert to a month to month arrangement until either Party gives the other Party notice of termination as provided in Section 13(a). Pricing recalculates on an annual basis based on platform utilization following the Initial Term.
5. License.
(a) Grant. Subject to Customer’s (and each Customer User’s) compliance with this Agreement, the Service Provider grants to Customer and its authorized Customer Users a limited, non-exclusive, non-transferable, non-sublicenseable, non-assignable, personal license during only the Term to use and access the SaaS Products and access the SAAS Services only through the SAAS System (except to the extent Service Provider has agreed, in writing, to permit an alternate means of use during the Term) and solely for Customer’s own internal business purposes to market and sell the Customer Goods (“Grant”).
In the event the Statement of Work provides for the Customer’s access and use of the Service Provider's web-based monitor and control management portal (the “Portal” or the “Service Provider’s Portal”), the foregoing Grant shall then include a right of the Customer to so access and use Service Provider's Portal during the Term only and only pursuant to the terms and conditions set forth in the Statement of Work and in this Agreement.
As part of the foregoing Grant, the Customer may permit, during the Term only, its End Users to use the SaaS Products to locate an authorized retailer or stocking dealer and/or products in accordance with the criteria provided by such End User; provided, however: (i) the Customer shall be solely responsible and liable for any actions of its End User which would constitute a breach of this Agreement if such actions were taken by Customer; and (ii) Service Provider reserves the right to require End Users to agree to an end user terms of use agreement in a form acceptable to Service Provider as a condition of the End User’s access and use of the Portal or any SaaS Products.
(b) Prohibited Uses. Customer agrees not to (and shall ensure that its Customer Users and End Users do not) use any part of the SaaS Systems for any purpose that is unlawful or prohibited by this Agreement. Customer shall not, and shall prohibit its Customer Users and End Users from using any part of the SaaS Systems in any manner that could damage, disable, or impair any Service Provider or subscriber server, or the network(s) connected to any Service Provider or subscriber server, or interfere with any other party's use and enjoyment of any part of the SaaS Systems. Customer and Customer Users may not attempt to gain unauthorized access to any part of the SaaS Systems, other accounts, computer systems or networks connected to any Service Provider or subscriber server or to any part of the SaaS Systems, through hacking, password mining or any other means. Customer and Customer Users may not obtain or attempt to obtain any materials or information through any means not intentionally made available through the SaaS Systems.
Except as expressly set forth herein, Customer and its Customer Users and End Users may not:
(i) copy, reproduce, alter, modify, transmit, perform, create derivative works of, publish, sub-license, distribute, or circulate any part of the SaaS Systems, or any associated applications, tools or data thereof;
(ii) disassemble, decompile, or reverse engineer any of the software contained in or used for any part of the SaaS Systems, or use a robot, spider, or any similar device to copy or catalog any materials or information made available through any part of the SaaS Systems;
(iii) take any actions that may circumvent, disable, damage or impair any part of the SaaS Systems’ control or security systems, or allow or assist a third party to do so;
(iv) transfer, sell, lease, syndicate, sub-syndicate, lend, or use any part of the SaaS Systems for cobranding, timesharing or service bureau purposes or otherwise for the benefit of a third party;
(v) remove, deface, obscure, or alter any Intellectual Property or other proprietary notices or labels, including without limitation any of the Service Provider’s trademark or copyright notices;
(vi) access, distribute, or use for any commercial purposes any part of the SaaS Systems or any services or materials available through the SaaS Systems; or
(vii) use any data, information, material or content (including without limitation any Customer Data as defined herein) if the foregoing (in Service Provider’s determination): (a) is not owned by the Customer (or the applicable End User) or they do not otherwise have the absolute right to use such data, information, material or content in association with the SaaS Systems; (b) infringes on any patent, trademark, trade secret, copyright, right of publicity, or any other intellectual property or proprietary right of any party; (c) is otherwise unlawful, libelous, defamatory, invasive of privacy or of any publicity rights, harassing, threatening, abusive, inflammatory, obscene, or otherwise objectionable; or (d) would violate any other rights of any party, would constitute or encourage a criminal offense, or would otherwise violate or create liability under any laws, statutes, ordinances or regulations anywhere.
(c) Suspension of Service. Service Provider may at any time suspend (or require that Customer suspend) the access of the Customer or any of its Customer Users to the SaaS Systems (in whole or in part) and/or disable their Log-In Information in the event of violation of this Agreement or in the event of action by governmental authorities, or if Service Provider has a good faith reason to suspect any such Customer User is engaged in activities that violate this Agreement or applicable laws. Service Provider shall not be liable to the Customer or any of its Customer Users for suspension of access to the SaaS Systems if exercised pursuant to this Section 5(c).
6. Implementation. Upon the Effective Date of this Agreement, Service Provider will begin the onboarding process to install the SaaS Products on the mutually agreed website of Customer and/or deliver the object code necessary for Customer to install the SaaS Products on its own website(s) in a timely manner. Billing begins on the Effective Date.
7. User IDs. Subject to any limitations in the Statement of Work, Customer may supply access to SaaS Products to an unlimited number of its authorized Customer Users. It is Customer’s responsibility and liability to manage these Customer User accounts. Customer will designate an account admin who is responsible for approving additional Customer User accounts. Each user will be provided a username and password, which enables the Customer Users to access the SAAS System and use the SaaS Products or other SaaS Services (the “Log-In Information”). Each Customer User must have a valid username and password for the purpose of accessing the SAAS Systems. Customer and Customer Users must keep all Log-In Information strictly confidential. Log-In Information may be used only by the assigned Customer User and may not be shared or transferred without your consent and control. Customer agrees to notify Service Provider immediately of any unauthorized use of your Customer Users' Log-In Information or any other breach of security that you may become aware of. Service Provider will not be liable for any loss that Customer or a Customer User may incur as a result of someone else using Customer Users' passwords or accounts, either with or without the applicable Customer Users' knowledge. Subject to Customer’s responsibilities and liability regarding the actions of its Customer Users as set forth in this Agreement, End Users’ use of the SaaS System shall be governed by the Service Provider’s Privacy Policy as may be amended from time to time.
8. Ownership; Customer, Customer User and End User Submissions.
(a) As between the Service Provider on the one hand, and the Customer, its Customer Users and End Users on the other hand, all rights, title and interest, including without limitation all Intellectual Property and other proprietary rights, in, to, arising out of, and/or related to all of the following are owned solely and exclusively by Service Provider (hereinafter collectively referred to as the “Service Provider’s IP Assets”):
(i) all of the SaaS Products, the Portal and any other deliverables under the SaaS Services, including without limitation any material or information provided by the Service Provider pursuant to the SAAS Services, and any associated applications, tools or data, and all additions, modifications and improvements made or provided by Service Provider, its agents or contractors;
(ii) all of the Aggregate/Anonymous Data, as such term is defined below in Section 8(c);
(iii) the Service Provider’s website;
(iv) all of the Service Provider’s other Confidential Information; and
(v) all good will associated with all of the foregoing.
Without limiting the foregoing in any way, the parties acknowledge and agree that: (x) all global Intellectual Property rights in and to the Service Provider’s IP Assets shall at all times remain the sole and exclusive property of the Service Provider; (y) by using any of the SaaS System, neither Customer nor Customer Users nor End Users gain any ownership rights, title or interest in any such items; and (z) Customer, Customer Users and End Users shall not in any manner represent that they have acquired any rights in the Service Provider’s IP Assets beyond or in addition to the limited Grant expressly granted by Service Provider pursuant to only Section 5(a) herein.
(b) As between the parties, Customer retains all right, title and interest (including any Intellectual Property) in and to any Customer Data and Inputs. Notwithstanding the foregoing, Customer hereby authorizes the Service Provider to use and disclose Customer Data and Inputs as necessary to:
(i) provide, operate and administer any and all of the features and functionalities of the SAAS System contemplated by this Agreement, including without limitation: (a) as necessary for Service Provider to carry out the steps involved in the purchase, sale or other procurement of any SaaS Products; (b) to share with any third parties as deemed necessary by Service Provider to allow it to carry out any of the transactions contemplated by the SaaS System or with any other third parties who otherwise participate in any steps involved in the purchase, sale or other procurement of any SaaS Products; or (c) for purposes of detecting, investigating, and preventing security incidents, spam, fraud, or unlawful use of the SAAS System; and
(ii) respond to Customer’s inquiries or any technical problems and ensure the SAAS System is working properly.
Notwithstanding the foregoing, the Customer further hereby grants the Service Provider a non-exclusive, worldwide, royalty-free, transferable right and license to collect, use, copy, store, transmit, modify and create derivative works of the Customer Data and Inputs solely to the extent necessary to provide the SAAS System and related services of Service Provider and as otherwise provided herein.
(c) Customer hereby agrees that the Service Provider has the right (and hereby grants the Service Provider the right) to generate or create: (i) anonymized-derived versions of usage data from Customer’s, Customer User’s or End User’s use of the SAAS System; and (ii) anonymized-derived versions of Customer Data and Inputs (collectively, the “Aggregate/Anonymous Data”). Notwithstanding anything to the contrary herein, the parties hereby agree that all rights, title and interest in and to any and all such Aggregate/Anonymous Data is and shall remain the sole and exclusive property of Service Provider, which Service Provider may (as such owner) share or otherwise use at its discretion for any of its current or future business purposes at any time during or after the Term of this Agreement, including without limitation: (i) sharing such Aggregate/Anonymous Data with others with whom the Service Provider does business in order to enhance the Service Provider’s business operations; (ii) to develop and/or improve any of the Service Provider’s current or future products and services and to share the same with others; and (iii) to create and distribute any current or future reports and other materials with others. For purpose of the foregoing definition of “Aggregate/Anonymous Data”, an “anonymized-derived version” means that the applicable original piece of data (the “Original Data Format”) has been de-identified or aggregated by Service Provider in such a manner that it does not, directly or indirectly, disclose the identity of the Customer, the applicable Customer User, or the applicable End User as may have been (if at all) in the applicable Original Data Format.
(d) Service Provider reserves the right to upgrade, modify, replace or reconfigure the SAAS System at any time, provided that you will be provided at least thirty (30) days' advance notice for material changes and in no event shall there be a change that materially or adversely affects Customer’s use of the SAAS System or materially degrades the functionality of the SAAS System during the Term of this Agreement. Service Provider may also change the fee schedule, support terms, and service level agreements for the SAAS System subject to at least sixty (60) days' advance notice given pursuant to the terms of Section 9(b), except that the change will not apply for the remainder of the Term of Service to the amount and type of SAAS System you have contracted for under existing Agreements.
9. Communications from Service Provider/Notice.
(a) Customer authorizes Service Provider to periodically contact Customer, Customer Users and End Users as necessary to provide, operate and administer the SAAS System consistent with this Agreement and Service Provider’s Privacy Policy.
(b) Any notices relating to this Agreement shall be in writing. Notices will be deemed given (i) when delivered personally, (ii) three business days after having been sent by commercial overnight carrier with written proof of delivery, and (iii) five business days after having been sent by first class or certified mail, postage prepaid when sent to the other party at the address first set forth above, or to such changed address of which a party may notify the other party in writing. Service Provider may also send notices to the e-mail addresses on Customer’s or the End User’s account. Service Provider may also provide operational notices regarding the SAAS System or other business-related notices through conspicuous posting of such notice on Service Provider’s website or the SAAS System. Each party hereby consents to receipt of electronic notices and agrees that any notices, agreements, disclosures, or other communications that Service Provider sends electronically will satisfy any legal communication requirements, including those that communications be in writing. Service Provider is not responsible for any automatic filtering Customer or its network provider may apply to email notifications.
10. Service Levels. Service Provider will use commercially reasonable efforts to keep the SAAS System available on a 24 hour a day, 7 day a week basis, subject to the terms and conditions of the attached Service Level Agreement set forth in Exhibit A attached hereto and hereby incorporated by reference.
11. Payments. In the event Service Provider processes any transaction as part of the SaaS System which requires payment by the Customer, the Customer hereby agrees to pay Service Provider all undisputed amounts thirty (30) days from Customer’s receipt of invoice. Customer agrees to provide Service Provider with a credit card to be kept on file. The credit card will be charged if any payment for services has not been received within 59 days of the invoice date, and Customer hereby authorizes Service Provider to charge such undisputed amounts automatically. If Customer agrees to pay by credit card, then Customer is responsible for both (a) enabling auto-recharge on Customer’s account, and (b) ensuring that Customer’s account has a sufficient positive balance to cover all fees when due. Service Provider shall invoice Customer for, and Customer agrees to pay (a) all federal, provincial, state and local taxes, applicable to the purchase price of the Products or SAAS Services (exclusive only of taxes based on net income derived by Service Provider), and (b) all foreign taxes, export or import tariffs, and custom duties, which shall be separately invoiced by Service Provider in connection with the sale conducted hereby. Customer agrees to hold Service Provider harmless from all claims and liability arising in connection with Customer’s failure to pay such taxes when appropriately invoiced by Service Provider to Customer. Payment obligations to Service Provider are non-cancelable and fees paid are non-refundable.
12. Confidential Information. Each party agrees to hold the other Party’s Confidential Information in confidence. Each Party further agrees that it will not disclose the other Party’s Confidential Information, or otherwise make the other Party’s Confidential Information available in any form to any third party without the other Party’s written consent. Each Party further agrees not to use the Confidential Information of the other Party for any purpose other than to perform its obligations or exercise its rights hereunder. Each Party agrees to take all reasonable steps to ensure that Confidential Information is not disclosed or distributed by its current or former employees or agents in violation of the terms of this Agreement. The parties hereby acknowledge and agree that any breach of or default of a party’s obligations of confidentiality under this Agreement shall cause damage to the other party in an amount difficult to ascertain. Accordingly, in addition to any other relief to which a party may be entitled, the non-defaulting party shall be entitled, without proof of actual damages, to seek any injunctive relief ordered by any court of competent jurisdiction including, but not limited to, an injunction restraining any violation of the defaulting party’s obligations of confidentiality hereunder.
13. Termination; Effect of Termination or Expiration.
(a) Customer may terminate this Agreement at any time, with or without cause, by giving the Service Provider no less than thirty (30) days’ prior written notice of termination.
(b) Service Provider may terminate this Agreement for cause in the event of a material breach by Customer which remains uncured for a period of thirty (30) days following receipt of notice of such breach from Service Provider.
(c) If Customer terminates this Agreement for convenience during the Initial Term as provided for in Section 13(a), or Service Provider terminates this Agreement for cause during the Initial Term as provided for in Section 13(b), any payments for the remaining portion of the Initial Term will become due and must be paid immediately by Customer.
(d) Upon expiration or prior termination of this Agreement, all licenses granted pursuant to Section 5(a) shall automatically terminate. Notwithstanding the termination or expiration of this Agreement for any reason whatsoever, the obligations in the following Sections shall survive: 8 (Ownership; Customer, Customer User and End User Submissions), 12 (Confidential Information), 14 (Indemnification), 15 (No Warranties, Limitation of Liability) and any undisputed obligations of payment which accrued through the effective date of termination.
14. Indemnification.
(a) By Service Provider. Service Provider shall defend, indemnify, and hold Customer, its Affiliates, and their respective officers, directors, employees, agents, and customers harmless against all costs and reasonable expenses (including reasonable attorneys’ fees), damages, and liabilities to the extent arising out of or related to: (i) any claim by a third party that any use of, or access to, the SaaS Products expressly authorized under this Agreement, as provided by Service Provider hereunder, infringes or misappropriates, as applicable, any patent issued or any copyrights or trade secrets or other Intellectual Property under applicable laws of any jurisdiction; (ii) the grossly negligent or willful misconduct of Service Provider; or (iii) the violation of any applicable law by Service Provider. The foregoing obligation does not apply to the extent that the alleged infringement arises from (a) access to or use of the SaaS Products in a modified form or in combination with any hardware, system, software, network, or other materials or service not provided by Service Provider (to the extent that the combination is the cause of the claims); (b) any Inputs, Customer Data, or other information or data provided by Customer, any Customer User or any other third party where such is the proximate cause of the claim; (c) any claims related to Customer’s infringement of any third party intellectual property; (d) where Customer continues allegedly infringing activity after being notified thereof or after being informed of modifications, upgrades, replacements or enhancements made available to Customer by or on behalf of Service Provider; or (e) where Customer’s use of the SaaS Products is not strictly in accordance with this Agreement. Indemnity pursuant to this Section shall be subject to those procedures outlined in Section 14(c) below.
If, due to a claim of infringement, the SaaS Products are held by a court of competent jurisdiction to be, or are believed by Service Provider to be, infringing, Service Provider may, at its option and expense: (a) replace or modify the SaaS Products to be non-infringing, provided that such modification or replacement contains substantially similar features and functionality, (b) obtain for Customer a license to continue using the SaaS Products, or (c) if neither of the foregoing is commercially practicable, terminate this Agreement and Customer’s rights hereunder and provide Customer a refund of any prepaid, unused fees for the SaaS Products.
(b) By Customer. Customer shall defend, indemnify, and hold Service Provider, its Affiliates, and their respective officers, directors, employees, agents, and customers harmless against all costs and reasonable expenses (including reasonable attorneys’ fees), damages, and liabilities to the extent arising out of or related to: (i) Customer Data, including any Processing of Customer Data by or on behalf of Provider in accordance with the DPA; (ii) any other materials or information (including any documents, data, specifications, software, content, or technology) provided by or on behalf of Customer, including Service Provider’s compliance with any specifications or directions provided by or on behalf of Customer to the extent prepared without any contribution by Service Provider; (iii) the grossly negligent or willful misconduct of Customer or any third party on behalf of Customer; (iv) Customer’s breach of any of its representations, warranties, covenants, or obligations under this Agreement; or (v) the violation of any applicable law by Customer.
(c) Procedure. If an indemnified Party hereunder (each an “Indemnified Party”) is entitled to indemnification under this Section, the Indemnified Party will give the other party (an “Indemnifying Party”) prompt written notice of all claims (provided however that any delay in notification will not relieve the Indemnifying Party of its obligations under this Agreement except to the extent that the delay impairs its ability to defend) and cooperate reasonably with the Indemnifying Party, at the Indemnifying Party’s expense, in connection with the defense and settlement of the claims. The Indemnifying Party will, at its own expense, have sole control of the defense or settlement of the claim; provided, however, that in settling any claim, the Indemnifying Party will not make any admission on behalf of the Indemnified Party or agree to any terms or conditions that do or reasonably could result in any admission by or the imposition of any obligation upon the Indemnified Party without the prior written consent of the Indemnified Party. The Indemnified Party will have the right to participate fully, at its own expense and with counsel of its own choosing, in the defense of any claim.
15. No Warranties, Limitation of Liability.
(a) To the extent that the original manufacturer is not the Service Provider or its Affiliates and such original manufacturer makes any warranties covering the SaaS Products, Service Provider assigns those original manufacturer’s warranties to Customer to the extent such assignment is permissible by such original manufacturer, subject further to the conditions and limitations provided by the original manufacturer. Service Provider will reasonably cooperate with Customer, at Customer’s cost, to process any such assignable original manufacturer warranty claim, but Service Provider assumes no responsibility for such warranties by the original manufacturer. NEITHER PARTY MAKES, AND HEREBY DISCLAIMS, ANY AND ALL EXPRESS, IMPLIED OR STATUTORY REPRESENTATIONS OR WARRANTIES OF ALL KIND (INCLUDING WITHOUT LIMITATION WITH REGARD TO THE SAAS SERVICES AND/OR THE SAAS SYSTEM), INCLUDING, BUT NOT LIMITED TO ANY REPRESENTATIONS OR WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND ANY WARRANTIES ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. THE FOREGOING ALLOCATION OF RISK IS REFLECTED IN THE AMOUNT OF COMPENSATION PROVIDED UNDER THIS AGREEMENT.
(b) NEITHER PARTY WILL BE LIABLE FOR ANY SPECIAL, INDIRECT, CONSEQUENTIAL OR INCIDENTAL DAMAGES ARISING OUT OF OR RELATED TO THIS AGREEMENT, HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY (INCLUDING NEGLIGENCE), AND EVEN IF SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE WARRANTIES IN THIS SECTION ARE IN LIEU OF ALL OTHER WARRANTIES. NOTWITHSTANDING ANY PROVISION TO THE CONTRARY, THE PARTIES AGREE THAT NEITHER PARTY WILL BE LIABLE IN AN AMOUNT TO EXCEED THE GREATER OF (I) $5,000 OR (II) THREE (3) TIMES THE AMOUNT PAID BY CUSTOMER TO SERVICE PROVIDER IN THE 12 MONTHS PRIOR TO THE EVENT GIVING RISE TO A CLAIM.
16. Representations and Warranties.
(a) Each Party represents and warrants to the other that the execution and performance of this Agreement does not and shall not violate any other contract, obligation, or instrument to which it is a party, or which is binding upon it, including terms relating to covenants not to compete and confidentiality obligations.
(b) Service Provider Warranties.
(i) Service Provider warrants to Customer that it will perform its obligations set forth herein and under each Exhibit or Statement of Work in a professional and workmanlike manner.
(ii) Service Provider warrants that it will materially comply with all laws applicable to the Service Provider’s provision of its SaaS System; and
(iii) Service Provider warrants that the SaaS Products (and any applicable deliverables thereunder) will substantially conform to the written specifications for such Professional Services and SaaS Products.
17. Relationship of the Parties. Service Provider and Customer are independent contractors and nothing contained in this Agreement will create any partnership, joint venture, agency, franchise, sales representative or employment relationship between the parties.
18. Entire Agreement. This Agreement, as such term is defined above, along with any and all exhibits, addendum, or statement of work signed by the Parties hereto constitute the entire agreement between the Parties and may only be modified by a writing signed by both Parties. In the event of any conflict between the terms of this Agreement and any online terms or Exhibits, the terms of this Agreement shall control.
19. Waiver. No failure or delay by either party in exercising any right under this Agreement will constitute a waiver of that right.
20. Severability. If any provision of this Agreement is held by a court of competent jurisdiction to be contrary to law, the provision will be deemed null and void, and the remaining provisions of this Agreement will remain in effect.
21. Assignment. This Agreement is not assignable, transferable or sublicensable by either Party except with the other’s prior written consent; provided, however, that either Party may assign or transfer this Agreement: (a) to an affiliate where (i) the assignee has agreed in writing to be bound by the terms of this Agreement, (ii) the assigning Party remains liable for obligations under this Agreement if the assignee defaults on them, and (iii) the assigning Party has notified the other Party of the assignment, in writing; and (b) in the event of a merger, sale of substantially all of the stock, assets or business, or other reorganization involving the assigning Party, and the non-assigning Party’s prior written consent shall not be required in such instance with the express understanding that in cases where the assigning Party is not the surviving entity, this Agreement will bind and inure to the successor in interest to the assigning Party with respect to all obligations hereunder. Any other attempt to transfer or assign is void. Upon any such assignment, the assignee shall provide a credit card to be kept on file in accordance with Section 11.
22. Governing Law. This Agreement is governed by the laws of the State of Delaware and the United States, without regard to choice or conflict of law rules thereof.
23. Force Majeure. Neither party will be liable for any delay or failure to perform its obligations under this Agreement (except payment obligations) if the delay or failure is due to causes beyond its reasonable control, such as a strike, blockade, war, act of terrorism, riot, natural disaster, disruption in transportation systems, disruption of labor force, national or state emergency, epidemic, pandemic, communicable disease outbreak, failure or reduction of power or telecommunications or data networks or services, or government act or order.
24. Counterparts. This Agreement may be executed in counterparts, each of which will constitute an original, and all of which will constitute one and the same instrument. A facsimile or other reproduction of this Agreement may be executed by one or more parties hereto, and an executed copy of this Agreement may be delivered by one or more parties hereto by facsimile or similar electronic transmission device pursuant to which the signature of or on behalf of such party can be seen, and such execution and delivery will be considered valid, binding and effective for all purposes. At the request of any party hereto, all parties hereto agree to execute an original of this Agreement as well as any facsimile or other reproduction hereof.
EXHIBIT A TO MASTER AGREEMENT FOR BRANDS
SERVICE LEVEL AGREEMENT
System Availability for the SAAS System shall be 99.5% or greater in any given month. System Availability is calculated as 100% minus Application Downtime, where Application Downtime consists of the total number of minutes per month that the SAAS System is unavailable to Customer, Customer Users or End Users, divided by the number of available minutes in such month, which excludes Planned Downtime as calculated by:
System Availability = (Total Monthly Time – Unplanned Down Time – Planned Downtime) / (Total Monthly Time – Planned Downtime)
SLA%= System Availability * 99.5%
“System Unavailability” means that the SAAS System or its functionality is unavailable to Customer, Customer Users, or End Users.
A failure in any of these areas represents System Unavailability.
Note: Any other significant functionality added to the SAAS System in the future and supported by Service Provider will also fall under the purview of the Availability requirements.
“Planned Downtime” will mean the total amount of time during any calendar month, measured in minutes, during which Customer or its Customer Users or End Users are unable to access the SAAS System, due to planned system maintenance performed by Service Provider. Service Provider will provide Customer no less than three (3) business days’ notice prior to any Planned Downtime.
System Unavailability will not include unavailability resulting in whole or in part from: (a) problems with connectivity over the Internet; (b) Planned Downtime; or (c) reasons of Force Majeure. For purposes of this SLA, “Force Majeure” shall mean a delay in performance due to acts of God, fire, strike (other than Service Provider’s workforce), embargo, terrorist attack, war, insurrection or riot.
In the event that the SAAS System has an availability of less than 99.5% in any given month, the Customer shall receive a System Level Credit from Service Provider as defined in the table attached below. The amount of the Service Level Credit shall be based on the Fee charged to Customer.
If applicable, the Service Level Credit shall be provided to Customer in 10 business days or less following the month in which the System Availability incident(s) have occurred. The Service Level Credit shall be made against the Purchase Order and/or Account that normally provides payment for the affected SAAS System, and a copy of the credit memo shall also be provided to the Customer.
System Availability Greater Than or Equal To: | System Availability Less Than: | Service Level Credit (Percentage of Monthly SAAS System Fee) |
---|---|---|
0.97 | 0.995 | 0.10 |
0.95 | 0.969 | 0.15 |
0.92 | 0.949 | 0.20 |
0.85 | 0.919 | 0.25 |
0.75 | 0.849 | 0.50 |
The remedies set forth in the above table and Customer’s right to terminate for chronic SLA failure, as set forth below, shall be Client’s sole and exclusive remedy, and Service Provider’s sole and exclusive obligation, in the event of a breach of this SLA.
Termination for Chronic System Availability Failures. Notwithstanding anything in this Agreement or any Exhibit or SOW to the contrary and in addition to any other termination rights that may be available to Customer under this Agreement, Customer may terminate the Agreement immediately with notice to Service Provider if System Availability falls below 99.5% (a) 2 or more times in any given month during the Term, (b) at least once per month in any 2 consecutive months during the Term, or (c) 3 or more times during any 6-month period during the Term. Termination pursuant to this paragraph will be effective on the date set forth in Customer’s written notice and will be without further liability or penalty of any kind except for payment as provided in the Agreement of amounts due and prior to the effective date of termination. In the event of termination pursuant to this paragraph, Service Provider shall refund any pre-paid and unused Fees to Customer upon such termination within fifteen (15) days following the effective date of termination.
************ END OF EXHIBIT A TO MASTER AGREEMENT FOR BRANDS******************
EXHIBIT B TO MASTER AGREEMENT FOR BRANDS
STATEMENT OF WORK
************ END OF EXHIBIT B TO MASTER AGREEMENT FOR BRANDS**************
EXHIBIT C TO MASTER AGREEMENT FOR BRANDS
DATA PROCESSING AGREEMENT
THIS DATA PROCESSING AGREEMENT (THE “DPA”) is made on the date of the signed Statement of Work (the “Effective Date”).
BETWEEN
(1) Client, a XXXX company whose registered address is (“Client”); and
Locally.com, Inc., d/b/a Locally.com, a Delaware corporation (“Supplier”).
BACKGROUND
Client wishes to procure, and Supplier wishes to supply, those Services (as such term is defined below) on and pursuant to the terms and conditions set out in the Services Agreement (as such term is defined below).
Client and Supplier acknowledge that the provision of the Services may involve the Processing of Personal Data under certain Data Protection Laws.
Supplier and Client agree to enter this DPA to set forth certain terms and conditions regarding the Processing of Personal Data.
THE PARTIES AGREE AS FOLLOWS:
Definitions and Interpretation
In this DPA the following terms shall have the applicable meanings given to them.
“Applicable Law” means any applicable:
(a) statute, regulation, regulatory requirement, by law, ordinance, subordinate legislation or other law or mandatory guidance or code of practice (including in each case any judicial or administrative interpretation of it), in force from time to time in any applicable jurisdiction; or
judgment of a relevant court of law, or sanction, directive, order or requirement of any regulatory authority;
“Business”, “Sell” (or Sale), “Service Provider”, and “Share” all have the meanings given to those terms in the CCPA (as defined below).
“Commencement Date” means the Effective Date of this DPA;
“Data Controller” (or Controller), “Data Processor” (or Processor) “Data Subject”, “Processing”, and “Sensitive Personal Data” (or special categories of Personal Data) all have the meanings given to those terms in the applicable Data Protection Laws that define such terms (and related terms such as “Process” and “Processed” shall have corresponding meanings);
“Data Protection Laws” means any law, enactment, regulation, regulatory policy, by law, ordinance or subordinate legislation which governs the Processing of Personal Data and which governs the Client, Supplier and/or the Services, including without limitation:
the California Consumer Privacy Act, as amended (CCPA);
any laws or regulations implementing 2002/58/EC (ePrivacy Directive);
the European Union’s General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679);
the United Kingdom General Data Protection Regulation, Assimilated Regulation (EU) 2016/679 (UK GDPR); and
any judicial or administrative interpretation of any of the above, and any guidance, guidelines, codes of practice, approved codes of conduct or approved certification mechanisms issued by any relevant Supervisory Authority,
in each case, as in force and applicable;
“Data Subject Request” means a request made by a Data Subject to exercise any of their rights under the Data Protection Laws;
“DPIA” means a data protection impact assessment, as described in the Data Protection Laws;
“EU Personal Data” means the personal data, as defined by the GDPR, (or UK Personal Data as defined in the UK GDPR) provided by Client to Supplier pursuant to the Services Agreement or otherwise Processed by Supplier on behalf of Client;
“Industry Standard(s)” means industry standards that are prevalent in Supplier’s industry sector regarding the Processing or security of the applicable Personal Data, taking into account the state of the then-current technology used by comparable companies in Supplier’s industry and the cost of implementation in view of the nature, scope, context, and purpose of the Processing of the applicable Personal Data.
“Personal Data” means the personal data, as defined by the Data Protection Laws, provided by Client to Supplier pursuant to the Services Agreement or otherwise Processed by Supplier on behalf of Client, including EU Personal Data;
“Security Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data;
“Services” means those SaaS Services and/or SaaS Products (as such terms are defined in the Services Agreement) being provided to Client by Supplier pursuant to the terms and conditions of the Services Agreement;
“Services Agreement” means the Master Agreement between Supplier and Client for the provision of SaaS Services and Products dated March 1, 2018, as amended;
“Standard Contractual Clauses” means the current standard contractual clauses for the transfer of personal data from the EU or the UK to processors established , the current approved version of which is set forth in the European Commission’s Implementing Decision (EU) 2021/914 of 4 June 2021 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as set out in Schedule 2 (such term shall also include the UK International Data Transfer Addendum (“UK Addendum”) to the EU Commission Standard Contractual Clauses in force as of March 21, 2022);
“Sub-Processor” means another Processor used by Supplier for processing activities in relation to Personal Data on behalf of Client, including any GDPR Sub-Processor;
“Supervisory Authority” means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering the Data Protection Laws; and
“Supplier Personnel” means individuals used by or on behalf of Supplier in performing the Services from time to time, including any Sub-Processors’ personnel.
Drafting conventions.
The headings in this DPA are inserted for convenience only and shall not affect the interpretation or construction of this DPA.
Words expressed in the singular shall include the plural and vice versa. Words referring to a particular gender include every gender. References to a person include an individual, company, body corporate, corporation, unincorporated association, firm, partnership or other legal entity.
The words “other”, “including” and “in particular” shall not limit the generality of any preceding words or be construed as being limited to the same class as any preceding words where a wider construction is possible.
References to any statute or statutory provision shall include (i) any subordinate legislation made under it, (ii) any provision which it has modified or re-enacted (whether with or without modification), and (iii) any provision which subsequently supersedes it or re-enacts it (whether with or without modification) whether made before or after the date of this DPA.
All references in this DPA to “schedules”, “clauses” and “appendices” are to the clauses and appendices to this DPA unless otherwise stated.
References to “this DPA” shall mean all of or any part of this document and its appendices as the context so admits.
General
In respect of Personal Data, the parties agree that Client is the Data Controller (or Business) and Supplier is a Data Processor (or Service Provider).
Each party shall comply with the Data Protection Laws and its obligations under this DPA. Supplier shall be responsible for ensuring that its Sub-Processors comply with Supplier’s obligations under this DPA.
Commencement and Duration
1. This DPA shall come into force on the Commencement Date and shall continue in force for the term of the Services Agreement, or, if longer, for as long as Supplier Processes Personal Data on behalf of Client, unless terminated earlier by written agreement between the parties.
Data Processing Instructions
Where Supplier processes Personal Data on behalf of Client, Supplier shall:
(and shall ensure that any person acting under its authority who has access to Personal Data) process the Personal Data only in accordance with Client’s lawful written instructions, which for clarity include the Services Agreement (and its exhibits), this DPA, and Schedule 1 (which may be updated from time to time by written agreement of the parties), and which set out Client’s complete instructions to Supplier in relation to the processing of Personal Data (“Processing Instructions” or the “Business Purpose”), except where otherwise required by any law applicable to Supplier; and
Except to the extent agreed upon by the Parties, including without limitation as set forth in the Services Agreement, and except as otherwise permitted under the CCPA or any other Data Protection Law, Supplier: (a) will not Sell or Share Client Personal Data; (b) will only retain, use or disclose the Client Personal Data for the purpose of carrying out or performing the Services, including without limitation carrying out the business relationship between the Client, Supplier and any other party as contemplated by the Services Agreement.
immediately inform Client if, in its opinion, an instruction given by Client violates applicable provisions in relation to data protection, or of any requirement under Applicable Law that would require Supplier to process the Personal Data other than only on the Processing Instructions (unless such notification is prohibited by that law). Supplier shall be entitled to suspend the performance of said instruction until it is confirmed or modified by Client. Supplier is not under any obligation to carry out a legal review of the instructions. Notwithstanding the foregoing, the Client is responsible to the extent the Supplier is just carrying out the Client’s Processing Instructions.
Sub-Processors
Supplier shall be authorized to engage Sub-Processors to process Personal Data if Supplier enters into a written or electronic contract with the Sub-Processors regarding the processing of Client Personal Data, and said contract provides the same data protection obligations as those set out by this DPA (“Processor Contract”) and Client gives its prior written or electronic consent to engage the GDPR Sub-Processors, which consent shall not be unreasonably withheld or delayed. Client hereby consents to the engagement by Supplier of the Sub-Processors specified in Schedule 3, as amended. Supplier shall inform Client in writing or electronic form of any changes concerning the addition or replacement of such Sub-Processors. Client’s consent shall be deemed given if Client does not object in writing or electronic form within fourteen calendar days after receipt of this information. If Client objects in writing or electronic form, based on reasonable grounds relating to the protection of Client Personal Data, within five calendar days after receipt of such notice, then Supplier shall not engage the additional Sub-Processor and will work with Client to find a suitable alternative.
Supplier shall:
promptly on reasonable request by Client give relevant non-confidential details of any Processor Contract to Client;
where a Sub-Processor does not comply with its data protection obligations in accordance with the Processor Contract, remain fully liable to Client for that Sub-Processor’s obligations as for its own obligations; and
immediately stop using a Sub-Processor to process Personal Data if Client requests that the Sub-Processor stops processing Personal Data for significant and proven security reasons about the Sub-Processor’s ability to materially carry out the Processing in compliance with the Data Protection Laws or this DPA.
Supplier Personnel
Supplier shall take reasonable steps to:
ensure that Supplier Personnel processing Personal Data have entered into agreements requiring them to keep Personal Data confidential; and
ensure that Supplier Personnel receive adequate training on compliance with this DPA and the Data Protection Laws.
International Data Transfers
Supplier shall only transfer Personal Data governed by the EU GDPR or the UK GDPR to any country outside the European Economic Area and/or the United Kingdom if the Supplier ensures that such transfer (and any onward transfer):
are pursuant to a written contract, including provisions relating to security and confidentiality of the Personal Data;
either: (i) conforms to the Standard Contractual Clauses, which is attached hereto as Schedule 2 and incorporated herein by this reference, and which the parties agree has been approved by the Client; or (ii) in the alternative are effected by way of a legally enforceable mechanism for transfers of Personal Data as permitted under the Data Protection Laws from time to time (the form and content of which shall be subject to Client’s written approval, which shall not be unreasonably withheld or delayed);
comply with clause 0; and
otherwise comply with the applicable Data Protection Laws.
For the purposes of clause 0:
if the transfer of Personal Data is effected on the basis of the Standard Contractual Clauses (under Section 7.1.2(i)), Supplier will procure that the party based in the country outside the European Economic Area or the United Kingdom shall execute the Standard Contractual Clauses; and
the reference to “data exporter” in the Standard Contractual Clauses shall be deemed to be to “Client and its Affiliates”.
Security Measures
Supplier shall implement and maintain appropriate technical and organizational measures using Industry Standards for the processing of Personal Data that is done by or on behalf of Supplier under the Services Agreement in order to:
meet the requirements of the Data Protection Laws; and
ensure a level of security in respect of Personal Data which, using Industry Standards, is appropriate to the risks of the Processing, in particular to protect against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data.
Supplier has the right to use, retain, sell, lease, license, transfer, or otherwise disclose Personal Data pursuant to the terms and conditions set forth in the Services Agreement and as necessary to render the Services to Client. Supplier understands and will comply with the restrictions and obligations contained in this DPA and the Services Agreement; provided that once Personal Data has been permanently anonymized pursuant to the provisions of Section 8(c) of the Services Agreement governing “Aggregate/Anonymous Data” (as such term is so defined in said Section 8(c)), such that no individual can be identified (or re-identified) from the Personal Data, and consequently will no longer fall within the definition of “Personal Data” under this DPA (hereinafter, “Aggregate/Anonymous Data”), Supplier shall be permitted to process and otherwise such Aggregate/Anonymous Data in such aggregated or anonymized form pursuant to said Section 8(c) of the Services Agreement.
Security Breaches
2. Upon becoming aware of any Security Breach related to the Services or this DPA, Supplier shall notify Client of the breach within a reasonable period of time (including any time period which may be required by any applicable Data Protection Law) and provide Client with all necessary details relating to the breach as Client reasonably requires.
Assistance
Supplier shall provide reasonable assistance to assist Client, at Client’s expense to the extent permitted by law, with Client’s obligations to respond to Data Subject Requests, including to ensure that all Data Subject Requests it receives are recorded and then referred to Client without undue delay.
Supplier shall provide reasonable assistance according to the Data Protection Laws to Client, at Client’s reasonable expense to assist Client in Client’s compliance with Client’s obligations under the Data Protection Laws, including as reasonably needed to allow Client to respond to rights requests in compliance with applicable Data Protection Laws (including providing Client with access to Personal Data which has been provided by Client and deleting aforementioned Personal Data when and as instructed by the Customer, subject to any of Supplier’s rights of retention under the applicable Data Protection Law), with respect to:
verifying security of processing;
notification by Client of breaches to the Supervisory Authority or Data Subjects; and
DPIAs and prior consultation with a Supervisory Authority regarding high risk processing.
Deletion or Return of Personal Data
3. Supplier shall without delay, at Client’s written request, either securely delete or return all the Personal Data to Client in electronic form after the end of the provision of the relevant Services related to processing or, if earlier, as soon as the Personal Data is no longer required for Supplier’s performance of its obligations under the Services Agreement, and securely delete existing copies (unless storage of any data is required by Applicable Law, and if so Supplier shall notify Client of this), all as per the below, subject, however, to Supplier’s rights to continue to use Aggregate/Anonymous Data as such term is defined in, and pursuant to, Section 8.3 herein:
Should Personal Data need to be rectified, deleted, or should its processing be restricted, Client shall undertake this themselves by using the corresponding functions available in the software provided. If this is not possible, Supplier shall take on the tasks of rectifying or deleting Personal Data, and restricting its processing, following the instructions from the Client, at Client’s reasonable expense.
4. Supplier shall delete the Client Personal Data from its data storage media and destroy any relevant documentation it holds within a reasonable period of time after the Services Agreement has terminated and consistent with Industry Standards or pursuant to any applicable Data Protection Laws, provided that Supplier is not legally obliged to continue storing it and subject to any retention rights Supplier has pursuant to any applicable Data Protection Laws. Client shall be responsible for exporting the Personal Data, at its expense, in a timely manner before the end of this period, and to save it for its own continued use. Supplier shall provide such Personal Data in a manner and format reasonably acceptable to the parties.
Records of Processing
5. Supplier shall maintain complete, accurate and up to date written records of processing activities containing information as required under the Data Protection Laws (“Processing Records”), and shall make available to Client on a reasonable request such Processing Records as is reasonably required by Client to demonstrate compliance by Supplier with its obligations under the Data Protection Laws and this DPA, which Client may share with the Supervisory Authority or any other relevant regulatory authority.
Audits and Inspections
6. While it is the parties’ intention ordinarily to rely on the provision of the Processing Records to verify Supplier’s compliance with this DPA, Supplier shall, only during the Term of the Services Agreement, allow for audits carried out by or on behalf of Client to determine Supplier’s compliance with its obligations under the Data Protection Laws and this DPA, subject however to the following: (i) Client must give Supplier at least thirty (30) days’ prior written notice (or such other notice required by applicable law or orders from supervisory authorities) of such audit and/or inspection, shall provide a reasonable audit scope and evidence request list no less than twenty days in advance of such visit; (ii) shall ensure that any auditor is subject to binding obligations of confidentiality; and (iii) such audits shall only govern the review of Processing Records as such term is defined in Section 12 herein. The audits shall be carried out by Client or an auditor mandated by Client during Supplier’s normal business hours, and without causing a significant disruption to Supplier’s business operations. Each party shall cover its own costs of or in connection with such audits. Client, or their third party auditor, shall at all times comply with all reasonable security and confidentiality guidelines and other policies of Supplier with respect to such audit.
Parties
This DPA is personal to both parties to the Services Agreement. Except as set out in this DPA or the Services Agreement, neither party shall assign, transfer, charge or otherwise dispose of all or any of its rights and responsibilities under this DPA without the prior written consent of the other party.
A person who is not a party to this DPA has no rights to enforce any provision of this DPA.
The rights of the parties to terminate, rescind or agree any variation, waiver or settlement under this DPA are not subject to the consent of any person that is not a party to this DPA.
Neither party may represent itself as being the other party, nor an agent, partner, employee, or representative of the other party and neither party may hold itself out as such nor as having any power or authority to incur any obligation of any nature, express or implied on behalf of the other party.
Nothing in this DPA, and no action taken by the parties pursuant to this DPA, creates, or is deemed to create a partnership or joint venture or relationship of employer and employee or principal and agent between the parties.
Construction and Interpretation of this DPA
Entire Agreement
This DPA is an integral part of the Services Agreement and, along with the Services Agreement (and its exhibits), contains the entire agreement between the parties in relation to the subject matter of this DPA and supersedes any prior arrangement, understanding, or written or oral agreements between the parties in relation to such subject matter.
The parties acknowledge that this DPA has not been entered into wholly or partly in reliance on, nor has either party been given, any warranty, statement, promise or representation by the other or on its behalf other than as expressly set out in this DPA.
All warranties, conditions, terms and representations not set out in this DPA whether implied by statute or otherwise are excluded to the extent permitted by law.
If at any time any part of this DPA is held to be or becomes void or otherwise unenforceable for any reason under any Applicable Law, the same shall be deemed omitted from this DPA and the validity and/or enforceability of the remaining provisions of this DPA shall not in any way be affected or impaired as a result of that omission.
The rights and remedies of either party in respect of this DPA shall not be diminished, waived, or extinguished by the granting of any indulgence, forbearance or extension of time granted by that party to the other nor by any failure of, or delay in ascertaining or exercising any such rights or remedies. The waiver by either party of any breach of this DPA shall not prevent the subsequent enforcement of that provision and shall not be deemed to be a waiver of any subsequent breach of that or any other provision.
Contract Administration
No purported alteration or variation of this DPA shall be effective unless it is in writing, refers specifically to this DPA and is duly executed by each of the parties to the DPA.
This DPA may be executed in any number of counterparts, each of which when executed shall constitute an original of this DPA, but all the counterparts together constitute the same DPA. No counterpart shall be effective until each party has executed at least one counterpart.
Governing Law
This DPA and any issues, disputes or claims arising out of or in connection with it (whether contractual or non-contractual in nature such as claims in tort, from breach of statute or regulation or otherwise) shall be governed by, and construed in accordance with, the laws of the State of Delaware without regard to choice or conflict of law rules thereof.
Schedule 1 TO THE DATA PROCESSING AGREEMENT
SUBJECT-MATTER, NATURE AND PURPOSE OF THE PROCESSING:
8. The context and purpose for the Processing of the Personal Data is Supplier’s provision of the applicable Services to Client, which shall involve performance by Supplier on behalf of Client of the tasks and activities set out on the Services Agreement.
DURATION OF PROCESSING:
9. Processing of the Personal Data by Supplier shall be for the term of the Services Agreement, provided that the Personal Data shall not be Processed for longer than is necessary for the purpose for which it was collected or is being Processed (except where a statutory exception applies).
PERSONAL DATA IN SCOPE:
10. Supplier may Process the following types/categories of Personal Data:
11. Personal Data, consisting of:
Name, mailing address, telephone number, email address, order and order processing information
PERSONS AFFECTED (DATA SUBJECTS):
12. The group of Data Subjects affected by the Processing of their Personal Data consists of:
Consumers that purchase Client products via Supplier Widget on Client website(s).
Schedule 2 TO THE DATA PROCESSING AGREEMENT
Standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council
STANDARD CONTRACTUAL CLAUSES
SECTION I
Clause 1
Purpose and scope
(a) The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) for the transfer of personal data to a third country.
(b) The Parties:
(i) the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter “entity/ies”) transferring the personal data, as listed in Annex I.A. (hereinafter each “data exporter”), and
(ii) the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A. (hereinafter each “data importer”)
have agreed to these standard contractual clauses (hereinafter: “Clauses”).
(c) These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.
(d) The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.
Clause 2
Effect and invariability of the Clauses
(a) These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46 (2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.
(b) These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.
Clause 3
Third-party beneficiaries
(a) Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:
(i) Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
(ii) Clause 8 - Module One: Clause 8.5 (e) and Clause 8.9(b); Module Two: Clause 8.1(b), 8.9(a), (c), (d) and (e); Module Three: Clause 8.1(a), (c) and (d) and Clause 8.9(a), (c), (d), (e), (f) and (g); Module Four: Clause 8.1 (b) and Clause 8.3(b);
(iii) Clause 9 - Module Two: Clause 9(a), (c), (d) and (e); Module Three: Clause 9(a), (c), (d) and (e);
(iv) Clause 12 - Module One: Clause 12(a) and (d); Modules Two and Three: Clause 12(a), (d) and (f);
(v) Clause 13;
(vi) Clause 15.1(c), (d) and (e);
(vii) Clause 16(e);
(viii) Clause 18 - Modules One, Two and Three: Clause 18(a) and (b); Module Four: Clause 18.
(b) Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.
Clause 4
Interpretation
(a) Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.
(b) These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.
(c) These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.
Clause 5
Hierarchy
In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.
Clause 6
Description of the transfer(s)
The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.
Clause 7 - Optional
Docking clause
(a) An entity that is not a Party to these Clauses may, with the agreement of the Parties, accede to these Clauses at any time, either as a data exporter or as a data importer, by completing the Appendix and signing Annex I.A.
(b) Once it has completed the Appendix and signed Annex I.A, the acceding entity shall become a Party to these Clauses and have the rights and obligations of a data exporter or data importer in accordance with its designation in Annex I.A.
(c) The acceding entity shall have no rights or obligations arising under these Clauses from the period prior to becoming a Party.
SECTION II – OBLIGATIONS OF THE PARTIES
Clause 8
Data protection safeguards
The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.
8.1 Instructions
(a) The data importer shall process the personal data only on documented instructions from the data exporter. The data exporter may give such instructions throughout the duration of the contract.
(b) The data importer shall immediately inform the data exporter if it is unable to follow those instructions.
8.2 Purpose limitation
The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B, unless on further instructions from the data exporter.
8.3 Transparency
On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex II and personal data, the data exporter may redact part of the text of the Appendix to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.
8.4 Accuracy
If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data.
8.5 Duration of processing and erasure or return of data
Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).
8.6 Security of processing
(a) The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter “personal data breach”). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.
(b) The data importer shall grant access to the personal data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
(c) In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify the data exporter without undue delay after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
(d) The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.
8.7 Sensitive data
Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter “sensitive data”), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex I.B.
8.8 Onward transfers
The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (in the same country as the data importer or in another third country, hereinafter “onward transfer”) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:
(i) the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;
(ii) the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 of Regulation (EU) 2016/679 with respect to the processing in question;
(iii) the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or
(iv) the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.
Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.
8.9 Documentation and compliance
(a) The data importer shall promptly and adequately deal with enquiries from the data exporter that relate to the processing under these Clauses.
(b) The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the data exporter.
(c) The data importer shall make available to the data exporter all information necessary to demonstrate compliance with the obligations set out in these Clauses and at the data exporter’s request, allow for and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or audit, the data exporter may take into account relevant certifications held by the data importer.
(d) The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.
(e) The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.
Clause 9
Use of sub-processors
(a) GENERAL WRITTEN AUTHORISATION The data importer has the data exporter’s general authorisation for the engagement of sub-processor(s) from an agreed list, including without limitation: (i) those sub-processors listed in Annex III attached to these Clauses; and (ii) those sub-processor(s) listed in Schedule 3 to that certain Data Processing Agreement by and between Locally.com, Inc (as data importer) and the data exporter identified in these Clauses (hereinafter, the “Data Processing Addendum”). The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least 7 calendar days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.
(b) Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the data exporter), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects. The Parties agree that, by complying with this Clause, the data importer fulfils its obligations under Clause 8.8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses.
(c) The data importer shall provide, at the data exporter’s request, a copy of such a sub-processor agreement and any subsequent amendments to the data exporter. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy.
(d) The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the sub-processor to fulfil its obligations under that contract.
(e) The data importer shall agree a third-party beneficiary clause with the sub-processor whereby - in the event the data importer has factually disappeared, ceased to exist in law or has become insolvent - the data exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.
Clause 10
Data subject rights
(a) The data importer shall promptly notify the data exporter of any request it has received from a data subject. It shall not respond to that request itself unless it has been authorised to do so by the data exporter.
(b) The data importer shall assist the data exporter in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679. In this regard, the Parties shall set out in Annex II the appropriate technical and organisational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.
(c) In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the data exporter.
Clause 11
Redress
(a) The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.
(b) In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.
(c) Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:
(i) lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;
(ii) refer the dispute to the competent courts within the meaning of Clause 18.
(d) The Parties accept that the data subject may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.
(e) The data importer shall abide by a decision that is binding under the applicable EU or Member State law.
(f) The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.
Clause 12
Liability
(a) Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses; provided, however, the foregoing provision as applied between Locally.com, Inc (as data importer in these Clauses) and the data exporter identified in these Clauses is subject to the limitation of liability and other provisions set forth in Section 15 of the Master Agreement for Brands (as defined below). For purposes of this Agreement, the “Master Agreement for Brands” means that certain Master Agreement for Brands by and between Locally.com, Inc (as data importer) and the data exporter identified in these Clauses.
(b) The data importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data importer or its sub-processor causes the data subject by breaching the third-party beneficiary rights under these Clauses.
(c) Notwithstanding paragraph (b), the data exporter shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data exporter or the data importer (or its sub-processor) causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter and, where the data exporter is a processor acting on behalf of a controller, to the liability of the controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable.
(d) The Parties agree that if the data exporter is held liable under paragraph (c) for damages caused by the data importer (or its sub-processor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer’s responsibility for the damage.
(e) Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.
(f) The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its / their responsibility for the damage.
(g) The data importer may not invoke the conduct of a sub-processor to avoid its own liability.
Clause 13
Supervision
(a) Where the data exporter is established in an EU Member State: The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.
(b) The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.
SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES
Clause 14
Local laws and practices affecting compliance with the Clauses
(a) The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.
(b) The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:
(i) the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;
(ii) the laws and practices of the third country of destination – including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards;
(iii) any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.
(c) The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.
(d) The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.
(e) The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a).
(f) Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.
Clause 15
Obligations of the data importer in case of access by public authorities
15.1 Notification
(a) The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:
(i) receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or
(ii) becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.
(b) If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.
(c) Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.).
(d) The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.
(e) Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.
15.2 Review of legality and data minimisation
(a) The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).
(b) The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request. [For Module Three: The data exporter shall make the assessment available to the controller.]
(c) The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.
SECTION IV – FINAL PROVISIONS
Clause 16
Non-compliance with the Clauses and termination
(a) The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.
(b) In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).
(c) The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:
(i) the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;
(ii) the data importer is in substantial or persistent breach of these Clauses; or
(iii) the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.
In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.
(d) Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.
(e) Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.
Clause 17
Governing law
These Clauses shall be governed by the law of the EU Member State in which the data exporter is established. Where such law does not allow for third-party beneficiary rights, they shall be governed by the law of another EU Member State that does allow for third-party beneficiary rights. The Parties agree that this shall be the law of the Member State in which the data exporter is established.
Clause 18
Choice of forum and jurisdiction
(a) Any dispute arising from these Clauses (excluding however any and all disputes regarding the terms of the “Master Agreement for Brands” as defined in Clause 12 herein and the terms of the “Data Processing Addendum” as defined in Clause 9 herein, which disputes shall be resolved pursuant to the laws and courts as set forth in such agreements) shall be resolved by the courts of an EU Member State.
(b) The Parties agree that the foregoing EU Member State court referenced in Clause 18 (a) above shall be the courts of the Member State in which the data exporter is established.
(c) A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.
(d) The Parties agree to submit themselves to the jurisdiction of such courts for only those disputes governed by this Clause 18.
APPENDIX TO STANDARD CONTRACTUAL CLAUSES
ANNEX I—LIST OF PARTIES AND DESCRIPTION OF TRANSACTION
A. LIST OF PARTIES
Data exporter(s):
Company Name: Found in Statement of Work
Role: Controller
Address: Found in Statement of Work
By: Found in Statement of Work
Title: Found in the Statement of Work
Signature: Found in the Statement of Work
Email: Found in the Statement of Work
Date: Found in the Statement of Work
Data importer:
Company Name: Locally.com, Inc., d/b/a Locally.com, a Delaware corporation
Role: Processor
Address: 509 N Carrollton New Orleans LA 70119
By: Billy McKee
Title: President
Signature: ______________________
Email: billy.mckee@locally.com
Date: Found in the Statement of Work
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
As specified in the Data Processing Addendum (as defined in Clause 9 herein) to which these Clauses are attached, and in the Master Agreement for Brands (as defined in Clause 12 herein).
Categories of personal data transferred
As specified in the Data Processing Addendum (as defined in Clause 9 herein) to which these Clauses are attached, and in the Master Agreement for Brands (as defined in Clause 12 herein).
Sensitive data transferred: NONE
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
For the business transactions specified in the Data Processing Addendum (as defined in Clause 9 herein) to which these Clauses are attached, and in the Master Agreement for Brands (as defined in Clause 12 herein).
Nature of the processing
For the business transactions specified in the Data Processing Addendum (as defined in Clause 9 herein) to which these Clauses are attached, and in the Master Agreement for Brands (as defined in Clause 12 herein).
Purpose(s) of the data transfer and further processing
For the business transactions specified in the Data Processing Addendum (as defined in Clause 9 herein) to which these Clauses are attached, and in the Master Agreement for Brands (as defined in Clause 12 herein).
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
As set forth in the Data Processing Addendum (as defined in Clause 9 herein) to which these Clauses are attached, and in the Master Agreement for Brands (as defined in Clause 12 herein).
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
To carry out the business transactions specified in the Data Processing Addendum (as defined in Clause 9 herein) to which these Clauses are attached, and in the Master Agreement for Brands (as defined in Clause 12 herein).
C. COMPETENT SUPERVISORY AUTHORITY
The supervisory authority for the Member State in which the data exporter is established.
………………………….
ANNEX II - TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
1. PSEUDONYMIZATION AND ENCRYPTION OF PERSONAL DATA
a. Measures which generally prevent unauthorized processing of Personal Data:
i. Personal Data are encrypted when transmitted.
ii. To the extent reasonably possible (without preventing the rendering of the agreed services) Personal Data are anonymized and/or pseudonymized by hashing or reference to a database where personal data are stored.
2. ABILITY TO ENSURE THE ONGOING CONFIDENTIALITY, INTEGRITY, AVAILABILITY AND RESILIENCE OF PROCESSING SYSTEMS AND SERVICES
a. Physical Access control: Measures which prevent unauthorized persons from gaining access to data processing systems which process or use Personal Data:
i. Implementation of access prevention:
1. The area to be protected is secured using a suitable construction.
2. All possible manners of access are safeguarded against unauthorized access.
3. There is an access authentication system which is obligatory for all (key or smart card).
4. An access control system has been put in place.
ii. Management and documentation of personal access authorizations:
1. There are organizational regulations concerning access authorizations to operational areas.
2. There is documentation regarding the allocation of keys.
iii. Supervision of visitors and external staff:
1. There are guidelines for monitoring visitors and external staff (supervision, visitor pass, logging etc.).
2. There are regulations for monitoring maintenance staff (supervision, prior registration, checking identity etc.).
b. System Access control: Measures to prevent unauthorized persons from being able to use data processing systems (including encryption processes):
i. Access protection (authentication):
1. User authentication is in place to protect access to data processing systems.
2. Checks are carried out to ensure the implementation of the measures protecting access.
3. A password generator is used to randomly generate passwords.
ii. Secured transmission of authentication credentials within the network:
1. Authentication credentials are encrypted when transmitted across the network.
iii. Blocking access in the event of failed login attempts/inactivity, and the process to reset blocked user IDs:
1. A secure resetting procedure is in place after access has been blocked, e.g. allocation of new user IDs.
iv. Prohibition on saving passwords and/or form entries on the local system:
1. Access passwords and/or form entries are not stored on the Customer or in its environment (e.g. saving in a browser or notes).
2. The users are given instructions about these requirements.
v. Determining authorized persons:
1. A role concept is in place (predefined user profiles).
2. Access authorizations are always allocated on an individual (personal) basis.
3. The number of authorized persons is kept to the absolute minimum required for operation.
vi. Management and documentation of personal authentication devices and access authorizations:
1. A process for applying for, approving, allocating, and withdrawing authentication devices and access authorizations has been set up, described, and shall be used.
2. A person responsible for allocating access authorizations shall be specified.
3. Regulations on delegation are in place in case of the main person responsible being unavailable.
vii. Automatic access lock-out:
1. A password protected screen saver will be automatically activated by using the operating system’s own built-in technology in the event of a workstation or a terminal remaining inactive for more than 30 minutes.
viii. Manual access lock-out:
1. Guidelines are in place to protect workstations and terminals against unauthorized use when the workplace is temporarily vacated, e.g. by automatic or manual activation of the password protected screen saver.
2. Employees shall receive training with regards to the necessity of using these measures.
c. Data Access control: Measures to ensure that persons authorized to use a data processing system have access only to the data they are authorized to access, and that personal data cannot be read, copied, altered, or removed without authorization during processing or utilization and after being saved (including encryption processes):
i. Authorization concept/implementing access restrictions:
1. There are regulations regarding the creation, modification, and deletion of authorization profiles.
2. Each person authorized with access is only able to access the data which he/she specifically requires to carry out the current process as per the processing methods agreed in this Agreement, and which has been set up in the individual authorization profile.
3. If data sets including several customers are saved in one database or are processed using the same data processing system, a logical access restriction method has been put in place to organize the processing of data for each respective customer (multi-customer capability).
ii. Management and documentation of personal access authorizations:
1. A process for applying for, approving, allocating, and withdrawing access authentications has been set up.
2. Authentications are linked to a personal user ID and account.
3. If the basis for having an authorization is no longer in effect (e.g. in the event of a change of function), this authorization shall be withdrawn immediately.
iii. Logging of data access:
1. All operations relating to reading, entering, modifying, and deletion, are logged.
2. Regular assessments are carried out, on a random basis, to identify any possible misuse.
d. Transmission controls: Measures to ensure that Personal Data cannot be read, copied, altered, or removed without authorization during electronic transmission or transportation, or while being saved to data storage media, and that it is possible to ascertain and establish which areas Personal Data is to be transferred to using data transmission facilities (including encryption processes):
i. Logging:
1. A log shall be kept of the sending and receiving areas.
2. The task is documented and made known to the affected employees.
ii. Secure data transmission between the server and Customer:
1. The data transmission between Customer and servers is encrypted (SSL, SSH, SFTP, or VPN).
iii. Back-end transmission:
1. The connection to back-end systems is protected.
2. Data with high protection requirements is encrypted.
iv. Minimizing risk through network segmentation:
1. Network segmentation has been carried out with the aim of ensuring that the data transmission takes place over a minimum amount of network elements.
2. A network diagram has been created.
3. The relevant system is located in a DMZ.
v. Security gateways to network transfer points:
1. Firewalls are in place at network transfer points.
2. The firewalls are always active.
3. The firewalls cannot be deactivated by the user.
vi. Hardening back-end systems:
1. Preinstalled service accounts/passwords have been deactivated.
2. Standard operating procedures are in place in the event of any suspicion of misuse.
3. Up-to-date anti-virus software is in place.
vii. Description of all interfaces and Personal Data fields to be transmitted:
1. There is a documented interface specification.
2. There are procedural requirements when transmitting.
3. There is a description of all Personal Data fields to be transmitted.
viii. Human-machine authentication:
1. Two-way authentication using cryptographic processes.
ix. Access to local cache:
1. All access to any local cache or databases which contain Customer Data from the Customer for purposes and/or for use with applications that the Customer has not authorized is denied using in-built technology.
x. Personal Data shall not be transmitted via the post.
xi. Process for collection and disposal:
1. There are regulations in place relating to the destruction of data storage media in a manner that is compliant with data protection laws.
2. There are regulations in place relating to the destruction of documents in a manner that is compliant with data protection laws.
xii. Deletion and destruction procedures according to data protection laws:
1. Data storage media must be wiped in accordance with data protection laws before being used by another user; recovering the deleted data is not possible, or only possible by investing a disproportionate amount of time and effort.
2. Hardware components or documents are to be destroyed in such a manner that recovering them is not possible, or only possible by investing a disproportionate amount of time and effort.
e. Input control: Measures to ensure that it is possible, after the activity, to check and ascertain whether Personal Data has been entered into, altered, or removed from data processing systems and if so, by whom (input control):
i. There is documentation regarding which persons are authorized and responsible for entering, altering, or removing Personal Data in the data processing system, based on their assigned tasks.
f. Inspection of compliance during assignment: Measures to ensure that the commissioned Personal Data processing shall only be carried out in accordance with the instructions given by Customer (contract control):
i. Only Customer is authorized to control assignments in the system.
ii. Exercising the obligation of inspection:
1. The Supplier shall support the Customer when carrying out its obligation to inspect.
2. All incidents that occur shall be reported to the Customer.
3. The Supplier shall inform all employees of their obligation to give information about incidents.
iii. Logging of the assignment execution by the Supplier:
1. There are records which ensure the complete traceability of the individual operational steps carried out as part of the assignment execution. Evidence can be provided upon request that the respective assignment has been carried out in strict accordance with the Customer’s instructions (minimum information: Customer/customer, action/partial order, exact specification of the process stages/parameters, authorized persons processing, dates, recipient if necessary).
3. ABILITY TO RESTORE THE AVAILABILITY AND ACCESS TO PERSONAL DATA IN A TIMELY MANNER IN THE EVENT OF A PHYSICAL OR TECHNICAL INCIDENT
a. Availability inspection: Measures to ensure that Personal Data is protected against accidental destruction or loss (availability inspection):
i. Backup procedure:
1. There is a backup procedure in place.
2. Backups are carried out regularly.
3. A person and deputy responsible for the backup are specified.
4. Regular checks will be carried out to ascertain whether it is possible to restore a backup.
ii. Contingency plan:
1. A contingency plan is in place which details the steps to be taken and defines which persons, particularly on the Customer’s side, are to be informed of the incident.
iii. Testing the contingency arrangements:
1. Emergency power generators and overvoltage protection devices are regularly tested, and the operating parameters are under constant surveillance.
b. Limitations on use: Measures to ensure that data collected for different purposes can be processed separately.
i. Data from the Supplier’s different customers is to be saved in separate files and in separate directories, and is not to be merged together.
4. PROCESS FOR REGULARLY TESTING, ASSESSING AND EVALUATING THE EFFECTIVENESS OF TECHNICAL AND ORGANIZATIONAL MEASURES FOR ENSURING THE SECURITY OF THE PROCESSING
a. Organizational control
i. Process definition/control:
1. There are procedural instructions.
2. Processes and operational procedures are defined for processing data in the company.
3. Checks are carried out on the implementation and compliance with processes.
ii. Training/obligation:
1. Principles of data protection, including technical and organizational measures.
2. Obligation to maintain confidentiality with regards to trade and business secrets, including the Customer’s procedures.
3. Handling data, files, storage media, and other documentation in due form and with great care.
4. Records of the training sessions are kept.
5. The training sessions shall regularly be repeated, at least once every three years.
iii. Training/obligation for external staff:
1. External staff shall only be given access to data processing systems and permitted to operate them once they have committed to, and have been trained on, data and telecommunications secrecy and other non-disclosure obligations.
iv. Internal allocation of duties:
1. Operative and administrative functions are kept separate.
v. Substitute arrangement:
1. A substitute has been determined for all duties/functions critical for the operation of the business.
ANNEX III – LIST OF SUB-PROCESSORS
All of the sub-processors listed in Schedule 3 to the Data Processing Agreement (as defined in Clause 9 herein).
**************END OF SCHEDULE 2 TO THE DATA PROCESSING AGREEMENT************
SCHEDULE 3 OF DATA PROCESSING AGREEMENT
SUB-PROCESSORS
As of the date of the Data Processing Agreement, Supplier provisions services from the following Sub-Processors. Supplier represents and warrants that Supplier has entered into agreements with such Sub-processors which meet the requirements of Section 5 of the Data Processing Agreement.
Entity Name | Entity Type | Entity Country |
---|---|---|
Stripe.com | Payment Processor | USA |
Rackspace.co | Server Hosting | USA |
 | Server Hosting | USA |

************END OF EXHIBIT “C” TO THE MASTER AGREEMENT FOR BRANDS***************