Legal and Regulatory Compliance
4.22.1 During the term of this Contract, Contractor must comply with all local, state, and federal licensing, accreditation and registration requirements/standards, necessary for the performance of this Contract and all other applicable federal, state and local laws, rules, and regulations.
4.22.2 While on the HCA premises, Contractor must comply with HCA operations and process standards and policies (e.g., ethics, Internet / email usage, data, network and building security, harassment, as applicable). HCA will make an electronic copy of all such policies available to Contractor.
4.22.3 Failure to comply with any provisions of this section may result in Contract termination.
General Compliance This Agreement is intended to comply with Section 409A or an exemption thereunder and shall be construed and administered in accordance with Section 409A. Notwithstanding any other provision of this Agreement, payments provided under this Agreement may only be made upon an event and in a manner that complies with Section 409A or an applicable exemption. Any payments under this Agreement that may be excluded from Section 409A either as separation pay due to an involuntary separation from service or as a short-term deferral shall be excluded from Section 409A to the maximum extent possible. For purposes of Section 409A, each installment payment provided under this Agreement shall be treated as a separate payment. Any payments to be made under this Agreement upon a termination of employment shall only be made upon a “separation from service” under Section 409A. Notwithstanding the foregoing, the Company makes no representations that the payments and benefits provided under this Agreement comply with Section 409A, and in no event shall the Company be liable for all or any portion of any taxes, penalties, interest, or other expenses that may be incurred by the Executive on account of non-compliance with Section 409A.
PCI Compliance Company shall not connect to or utilize any computer network or systems of the Aviation Authority, including, without limitation, for transmission of credit card payments. Company shall be solely responsible for providing and maintaining its own computer networks and systems and shall ensure its system ensure its system used to collect, process, store or transmit credit card or customer credit card and/or personal information is compliant with all applicable Payment Card Industry (“PCI”) Data Security Standard (“DSS”).
1. Company shall, within 5 days, notify the Aviation Authority of any security malfunction or breach, intrusion or unauthorized access to cardholder or other customer data, and shall comply with all then applicable PCI requirements.
2. Company, in addition to notifying the Aviation Authority and satisfying the PCI requirements, will immediately take the remedial actions available under the circumstances and provide the Aviation Authority with an explanation of the cause of the breach or intrusion and the proposed remediation plan. Company will notify the Aviation Authority promptly if it learns that it is no longer PCI DSS compliant and will immediately provide the Aviation Authority with a report on steps being taken to remediate the non-compliance status and provide evidence of compliance once PCI DSS compliance is achieved.
3. Company, its successor’s and assigns, will continue to comply with all provisions of this Agreement relating to accidents, incidents, damages and remedial requirements after the termination of this Agreement.
4. Company shall ensure strict compliance with PCI DSS for each credit card transaction and acknowledges responsibility for the security of cardholder data. Company will create and maintain reasonable detailed, complete and accurate documentation describing the systems, processes, network segments, security controls and dataflow used to receive, process transmit store and secure Customer’s cardholder data. Such documentation shall conform to the most current version of PCI DSS.
5. Company must maintain PCI Certification as a bankcard merchant at the Airport. Company is responsible, at Company’s own expense, to contract and pay for all quarterly, annual or other required assessments, remediation activities related to processes within Concessionaire’s control, analysis or certification processes necessary to maintain PCI certification as a bankcard merchant.
6. PCI DSS - Company shall make available on the Premises, within 24 hours upon request by the Aviation Authority, such documentation, policies, procedures, reports, logs, configuration standards and settings and all other documentation necessary for the Aviation Authority to validate Company’s compliance with PCI DSS as well as make available to the individuals responsible for implementing, maintaining and monitoring those system components and processes. Requested logs must be made available to the Aviation Authority in electronic format compatible with computers used by the Aviation Authority.
7. Evidence of PCI DSS Compliance – Company agrees to supply their PCI DSS compliance status and evidence of its most recent validation of compliance upon execution of the Contract. Company must supply to the Aviation Authority evidence of validation of compliance at least annually to be delivered along with the Annual Certification of Fees in accordance with Article 5.C. of this Agreement.
OSHA Compliance To the extent applicable to the services to be performed under this Agreement, Contractor represents and warrants, that all articles and services furnished under this Agreement meet or exceed the safety standards established and promulgated under the Federal Occupational Safety and Health Law (Public Law 91-596) and its regulations in effect or proposed as of the date of this Agreement.
Documentation and compliance (a) The data importer shall promptly and adequately deal with enquiries from the data exporter that relate to the processing under these Clauses.
(b) The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the data exporter.
(c) The data importer shall make available to the data exporter all information necessary to demonstrate compliance with the obligations set out in these Clauses and at the data exporter’s request, allow for and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or audit, the data exporter may take into account relevant certifications held by the data importer.