Common use of DATA PRIVACY AND PROTECTION Clause in Contracts

DATA PRIVACY AND PROTECTION. (a) VI shall, in relation to any processing of personal data by it or VE, maintain a framework and make arrangements to allow the VE Members to comply with EU data protection laws, including the Data Protection Directive 95/46/EC and any legislation in force from time to time which implements the Data Protection Directive 95/46/EC and its successors (the “EU Member State Data Protection Laws”), particularly in connection with the transfer of personal data outside of the European Economic Area (“Trans-Border Dataflow”) and the evolving privacy landscape (including EU privacy norms). (b) The parties agree that the current compliance model (a “Privacy Compliance Model”) maintained by VI and VE (under which VE acts as data controller with responsibility for Trans-Border Dataflow) allows the VE Members to comply with EU Member State Data Protection Laws (as such current Privacy Compliance Model is set out in the VE operating regulations in force immediately prior to the Closing, the VE Constitutional Documents and membership deeds between the VE Members and VE). VI shall ensure that the current Privacy Compliance Model will remain in place following the Closing by entering into a deed poll substantially in the form attached hereto as Exhibit K (the “Deed Poll”), and procuring that VE enters into the Deed Poll, for the benefit of all VE Members, which obliges VE to maintain in place, and comply with, the current Privacy Compliance Model (notwithstanding any termination of the VE Constitutional Documents and membership deeds between the VE Members and VE) until an alternative compliance solution has been implemented pursuant to Section 6.12(c) or (d) below. The Deed Poll shall be governed by English law and VI and VE shall irrevocably submit to the jurisdiction of the courts of England in connection with any proceedings arising out of or in connection with the deed poll and waive any objection to proceedings in any such court on the ground of venue or on the ground that proceedings have been brought in an inconvenient forum. (c) VI may implement an alternative Privacy Compliance Model under which: (i) the VE Members contract directly with VI, and VI offers to enter into direct EU Model Contracts (such EU Model Contracts to be in a form approved by the European Commission) with each VE Member; or (ii) the VE Members enter into new contracts with VE whereby VE acts as data controller with sole responsibility for any Trans-Border Dataflow, such new contracts between VE Members and VE to further: (A) clarify that VE is data controller in respect of any Trans-Border Dataflow; (B) oblige VE to take steps to ensure that any Trans-Border Dataflow is lawful through the use of EU Model Contracts (such EU Model Contracts to be in a form approved by the European Commission); (C) oblige VE to use all reasonable efforts to inform the VE Members about any government access to their data; and (D) contain an indemnity from VE to VE Members in respect of any data protection liability incurred by such VE Members as a result of VE’s breach of its obligations under Section 6.12(b). (d) In addition to the alternative Privacy Compliance Models described in Section 6.12(c), each of VE and the VE Member Representative acknowledge that VI may choose to adopt one or more alternative Privacy Compliance Models for Trans-Border Dataflow and EU Member State Data Protection Law compliance over time, and VI agrees that it will: (i) not take any actions, or make any changes to the then current Privacy Compliance Model, that would reduce the VE Members’ level of compliance with applicable EU Member State Data Protection Laws and the protection afforded to the VE Members; and (ii) (A) be open and transparent with the VE Members about its proposals for the alternative Privacy Compliance Model, (B) provide VE Members with a reasonable opportunity to comment and be consulted in relation to the alternative Privacy Compliance Model, and (C) ensure any such alternative Privacy Compliance Model provides the VE Members with a substantially equivalent level of compliance with, and protection in respect of, applicable EU Member State Data Protection Law as the then current Privacy Compliance Model. (e) VI acknowledges that each VE Member and its Affiliates are entitled to use their own VE Member Data for whatever lawful purpose they choose. VI shall not, and shall ensure that VE and their Affiliates shall not, place any restriction on a VE Member’s or their Affiliates’ use of their own VE Member Data. (f) VI shall not, and shall ensure that VE and their Affiliates shall not, Monetize VE Member Data. VI shall, and shall ensure VE and their Affiliates shall, use VE Member Data in accordance with Laws. (g) The provisions of Section 6.12(e) are subject to the following stipulations: (i) the provisions only apply in relation to the respective rights of, and the relationship between, (A) VI, VE and their Affiliates and (B) each VE Member and their Affiliates, and are without prejudice to the competing rights and interests of any third party; (ii) it is the responsibility of the VE Member and their Affiliates to ensure that their use of VE Member Data is in accordance with Laws; (iii) the VE Member and its Affiliates are not entitled to use VE Member Data in a manner contrary to any Pre-Existing Data Restrictions; (iv) VI, VE and their Affiliates may impose additional restrictions upon the VE Members’ and their Affiliates’ use of VE Member Data with the affected VE Members’ prior consent; (v) VI, VE and their Affiliates may impose modified or additional restrictions upon the VE Members’ and their Affiliates’ use of VE Member Data to the extent that they are required by Laws to impose such restrictions; and (vi) any new services introduced by VI, VE and their Affiliates after the date of the Original Agreement may contain restrictions on the VE Members’ and their Affiliates’ use of VE Member Data supplied under that new service. (h) The restrictions in Section 6.12(f) on VI, VE and their Affiliates Monetizing VE Member Data shall not apply to any of the following: (i) VI, VE and their Affiliates using VE Member Data for their own internal purposes; (ii) any disclosure required by Laws; (iii) any disclosure to or on behalf of a merchant, data subject or other stakeholder in the data in question that does not disclose additional information about a VE Member or its Affiliates that is not already accessible by such merchant, data subject or other stakeholder (for example, this would include analysis for a merchant or data subject by VI, VE or their Affiliates of data already available to that merchant or data subject); (iv) any disclosure that is a necessary or incidental part of the services provided to the VE Members and/or VE Licensed Non-Members and/or their Affiliates, including risk and/or fraud prevention activities; or (v) any use of VE Member Data, to the extent that: (A) such VE Member Data is aggregated so as to anonymise information about the VE Member and its Affiliates in question; (B) such VE Member Data is not of a confidential or proprietary nature regarding the VE Member or its Affiliates in question (it being acknowledged that in many cases Transaction Data will be confidential or - 44 - proprietary); or (C) the VE Member in question has given its prior written consent to such use.

DATA PRIVACY AND PROTECTION. (a) VI shall, in relation to any processing of personal data by it or VE, maintain a framework and make arrangements to allow the VE Members to comply with EU data protection laws, including the Data Protection Directive 95/46/EC and any legislation in force from time to time which implements the Data Protection Directive 95/46/EC and its successors (the “EU Member State Data Protection Laws”), particularly in connection with the transfer of personal data outside of the European Economic Area (“Trans-Border Dataflow”) and the evolving privacy landscape (including EU privacy norms). (b) The parties agree that the current compliance model (a “Privacy Compliance Model”) maintained by VI and VE (under which VE acts as data controller with responsibility for Trans-Border Dataflow) allows the VE Members to comply with EU Member State Data Protection Laws (as such current Privacy Compliance Model is set out in the VE operating regulations in force immediately prior to the Closing, the VE Constitutional Documents and membership deeds between the VE Members and VE). VI shall ensure that the current Privacy Compliance Model will remain in place following the Closing by entering into a deed poll substantially in the form attached hereto as Exhibit K (the “Deed Poll”), and procuring that VE enters into the Deed Poll, for the benefit of all VE Members, which obliges VE to maintain in place, and comply with, the current Privacy Compliance Model (notwithstanding any termination of the VE Constitutional Documents and membership deeds between the VE Members and VE) until an alternative compliance solution has been implemented pursuant to Section 6.12(c) or (d) below. The Deed Poll shall be governed by English law and VI and VE shall irrevocably submit to the jurisdiction of the courts of England in connection with any proceedings arising out of or in connection with the deed poll and waive any objection to proceedings in any such court on the ground of venue or on the ground that proceedings have been brought in an inconvenient forum. (c) VI may implement an alternative Privacy Compliance Model under which: (i) the VE Members contract directly with VI, and VI offers to enter into direct EU Model Contracts (such EU Model Contracts to be in a form approved by the European Commission) with each VE Member; or (ii) the VE Members enter into new contracts with VE whereby VE acts as data controller with sole responsibility for any Trans-Border Dataflow, such new contracts between VE Members and VE to further: (A) clarify that VE is data controller in respect of any Trans-Border Dataflow; (B) oblige VE to take steps to ensure that any Trans-Border Dataflow is lawful through the use of EU Model Contracts (such EU Model Contracts to be in a form approved by the European Commission); (C) oblige VE to use all reasonable efforts to inform the VE Members about any government access to their data; and (D) contain an indemnity from VE to VE Members in respect of any data protection liability incurred by such VE Members as a result of VE’s breach of its obligations under Section 6.12(b). (d) In addition to the alternative Privacy Compliance Models described in Section 6.12(c), each of VE and the VE Member Representative acknowledge that VI may choose to adopt one or more alternative Privacy Compliance Models for Trans-Border Dataflow and EU Member State Data Protection Law compliance over time, and VI agrees that it will: (i) not take any actions, or make any changes to the then current Privacy Compliance Model, that would reduce the VE Members’ level of compliance with applicable EU Member State Data Protection Laws and the protection afforded to the VE Members; and (ii) (A) be open and transparent with the VE Members about its proposals for the alternative Privacy Compliance Model, (B) provide VE Members with a reasonable opportunity to comment and be consulted in relation to the alternative Privacy Compliance Model, and (C) ensure any such alternative Privacy Compliance Model provides the VE Members with a substantially equivalent level of compliance with, and protection in respect of, applicable EU Member State Data Protection Law as the then current Privacy Compliance Model. (e) VI acknowledges that each VE Member and its Affiliates are entitled to use their own VE Member Data for whatever lawful purpose they choose. VI shall not, and shall ensure that VE and their Affiliates shall not, place any restriction on a VE Member’s or their Affiliates’ use of their own VE Member Data. (f) VI shall not, and shall ensure that VE and their Affiliates shall not, Monetize VE Member Data. VI shall, and shall ensure VE and their Affiliates shall, use VE Member Data in accordance with Laws. (g) The provisions of Section 6.12(e) are subject to the following stipulations: (i) the provisions only apply in relation to the respective rights of, and the relationship between, (A) VI, VE and their Affiliates and (B) each VE Member and their Affiliates, and are without prejudice to the competing rights and interests of any third party; (ii) it is the responsibility of the VE Member and their Affiliates to ensure that their use of VE Member Data is in accordance with Laws; (iii) the VE Member and its Affiliates are not entitled to use VE Member Data in a manner contrary to any Pre-Existing Data Restrictions; (iv) VI, VE and their Affiliates may impose additional restrictions upon the VE Members’ and their Affiliates’ use of VE Member Data with the affected VE Members’ prior consent; (v) VI, VE and their Affiliates may impose modified or additional restrictions upon the VE Members’ and their Affiliates’ use of VE Member Data to the extent that they are required by Laws to impose such restrictions; and (vi) any new services introduced by VI, VE and their Affiliates after the date of the Original this Agreement may contain restrictions on the VE Members’ and their Affiliates’ use of VE Member Data supplied under that new service. (h) The restrictions in Section 6.12(f) on VI, VE and their Affiliates Monetizing VE Member Data shall not apply to any of the following: (i) VI, VE and their Affiliates using VE Member Data for their own internal purposes; (ii) any disclosure required by Laws; (iii) any disclosure to or on behalf of a merchant, data subject or other stakeholder in the data in question that does not disclose additional information about a VE Member or its Affiliates that is not already accessible by such merchant, data subject or other stakeholder (for example, this would include analysis for a merchant or data subject by VI, VE or their Affiliates of data already available to that merchant or data subject); (iv) any disclosure that is a necessary or incidental part of the services provided to the VE Members and/or VE Licensed Non-Members and/or their Affiliates, including risk and/or fraud prevention activities; or (v) any use of VE Member Data, to the extent that: (A) such VE Member Data is aggregated so as to anonymise information about the VE Member and its Affiliates in question; (B) such VE Member Data is not of a confidential or proprietary nature regarding the VE Member or its Affiliates in question (it being acknowledged that in many cases Transaction Data will be confidential or - 44 - proprietary); or (C) the VE Member in question has given its prior written consent to such use.

DATA PRIVACY AND PROTECTION. (a) VI shall, in relation to any processing of personal data by it or VE, maintain a framework and make arrangements to allow the VE Members to comply with EU data protection laws, including the Data Protection Directive 95/46/EC and any legislation in force from time to time which implements the Data Protection Directive 95/46/EC and its successors (the “EU Member State Data Protection Laws”), particularly in connection with the transfer of personal data outside of the European Economic Area - 42 - (“Trans-Border Dataflow”) and the evolving privacy landscape (including EU privacy norms). (b) The parties agree that the current compliance model (a “Privacy Compliance Model”) maintained by VI and VE (under which VE acts as data controller with responsibility for Trans-Border Dataflow) allows the VE Members to comply with EU Member State Data Protection Laws (as such current Privacy Compliance Model is set out in the VE operating regulations in force immediately prior to the Closing, the VE Constitutional Documents and membership deeds between the VE Members and VE). VI shall ensure that the current Privacy Compliance Model will remain in place following the Closing by entering into a deed poll substantially in the form attached hereto as Exhibit K (the “Deed Poll”), and procuring that VE enters into the Deed Poll, for the benefit of all VE Members, which obliges VE to maintain in place, and comply with, the current Privacy Compliance Model (notwithstanding any termination of the VE Constitutional Documents and membership deeds between the VE Members and VE) until an alternative compliance solution has been implemented pursuant to Section 6.12(c) or (d) below. The Deed Poll shall be governed by English law and VI and VE shall irrevocably submit to the jurisdiction of the courts of England in connection with any proceedings arising out of or in connection with the deed poll and waive any objection to proceedings in any such court on the ground of venue or on the ground that proceedings have been brought in an inconvenient forum. . (c) VI may implement an alternative Privacy Compliance Model under which: (i) the VE Members contract directly with VI, and VI offers to enter into direct EU Model Contracts (such EU Model Contracts to be in a form approved by the European Commission) with each VE Member; or (ii) the VE Members enter into new contracts with VE whereby VE acts as data controller with sole responsibility for any Trans-Border Dataflow, such new contracts between VE Members and VE to further: (A) clarify that VE is data controller in respect of any Trans-Border Dataflow; (B) oblige VE to take steps to ensure that any Trans-Border Dataflow is lawful through the use of EU Model Contracts (such EU Model Contracts to be in a form approved by the European Commission); (C) oblige VE to use all reasonable efforts to inform the VE Members about any government access to their data; and (D) contain an indemnity from VE to VE Members in respect of any data protection liability incurred by such VE Members as a result of VE’s breach of its obligations under Section 6.12(b). . (d) In addition to the alternative Privacy Compliance Models described in Section 6.12(c), each of VE and the VE Member Representative acknowledge that VI may choose to adopt one or more alternative Privacy Compliance Models for Trans-Border Dataflow and EU Member State Data Protection Law compliance over time, and VI agrees that it will: (i) not take any actions, or make any changes to the then current Privacy Compliance Model, that would reduce the VE Members’ level of compliance with applicable EU Member State Data Protection Laws and the protection afforded to the VE Members; and (ii) ) (A) be open and transparent with the VE Members about its proposals for the alternative Privacy Compliance Model, (B) provide VE Members with a reasonable opportunity to comment and be consulted in relation to the alternative Privacy - 43 - Compliance Model, and (C) ensure any such alternative Privacy Compliance Model provides the VE Members with a substantially equivalent level of compliance with, and protection in respect of, applicable EU Member State Data Protection Law as the then current Privacy Compliance Model. (e) VI acknowledges that each VE Member and its Affiliates are entitled to use their own VE Member Data for whatever lawful purpose they choose. VI shall not, and shall ensure that VE and their Affiliates shall not, place any restriction on a VE Member’s or their Affiliates’ use of their own VE Member Data. . (f) VI shall not, and shall ensure that VE and their Affiliates shall not, Monetize VE Member Data. VI shall, and shall ensure VE and their Affiliates shall, use VE Member Data in accordance with Laws. (g) The provisions of Section 6.12(e) are subject to the following stipulations: (i) the provisions only apply in relation to the respective rights of, and the relationship between, (A) VI, VE and their Affiliates and (B) each VE Member and their Affiliates, and are without prejudice to the competing rights and interests of any third party; (ii) it is the responsibility of the VE Member and their Affiliates to ensure that their use of VE Member Data is in accordance with Laws; (iii) the VE Member and its Affiliates are not entitled to use VE Member Data in a manner contrary to any Pre-Existing Data Restrictions; (iv) VI, VE and their Affiliates may impose additional restrictions upon the VE Members’ and their Affiliates’ use of VE Member Data with the affected VE Members’ prior consent; (v) VI, VE and their Affiliates may impose modified or additional restrictions upon the VE Members’ and their Affiliates’ use of VE Member Data to the extent that they are required by Laws to impose such restrictions; and (vi) any new services introduced by VI, VE and their Affiliates after the date of the Original Agreement may contain restrictions on the VE Members’ and their Affiliates’ use of VE Member Data supplied under that new service. (h) The restrictions in Section 6.12(f) on VI, VE and their Affiliates Monetizing VE Member Data shall not apply to any of the following: (i) VI, VE and their Affiliates using VE Member Data for their own internal purposes; (ii) any disclosure required by Laws; (iii) any disclosure to or on behalf of a merchant, data subject or other stakeholder in the data in question that does not disclose additional information about a VE Member or its Affiliates that is not already accessible by such merchant, data subject or other stakeholder (for example, this would include analysis for a merchant or data subject by VI, VE or their Affiliates of data already available to that merchant or data subject); (iv) any disclosure that is a necessary or incidental part of the services provided to the VE Members and/or VE Licensed Non-Members and/or their Affiliates, including risk and/or fraud prevention activities; or (v) any use of VE Member Data, to the extent that: (A) such VE Member Data is aggregated so as to anonymise information about the VE Member and its Affiliates in question; (B) such VE Member Data is not of a confidential or proprietary nature regarding the VE Member or its Affiliates in question (it being acknowledged that in many cases Transaction Data will be confidential or - 44 - proprietary); or (C) the VE Member in question has given its prior written consent to such use.

DATA PRIVACY AND PROTECTION. (a) VI shall, in relation to any processing of personal data by it or VE, maintain a framework and make arrangements to allow the VE Members to comply with EU data protection laws, including the Data Protection Directive 95/46/EC and any legislation in force from time to time which implements the Data Protection Directive 95/46/EC and its successors (the “EU Member State Data Protection Laws”), particularly in connection with the transfer of personal data outside of the European Economic Area (“Trans-Border Dataflow”) and the evolving privacy landscape (including EU privacy norms). (b) The parties agree that the current compliance model (a “Privacy Compliance Model”) maintained by VI and VE (under which VE acts as data controller with responsibility for Trans-Border Dataflow) allows the VE Members to comply with EU Member State Data Protection Laws (as such current Privacy Compliance Model is set out in the VE operating regulations in force immediately prior to the Closing, the VE Constitutional Documents and membership deeds between the VE Members and VE). VI shall ensure that the current Privacy Compliance Model will remain in place following the Closing by entering into a deed poll substantially in the form attached hereto as Exhibit K (the “Deed Poll”), and procuring that VE enters into the Deed Poll, for the benefit of all VE Members, which obliges VE to maintain in place, and comply with, the current Privacy Compliance Model (notwithstanding any termination of the VE Constitutional Documents and membership deeds between the VE Members and VE) until an alternative compliance solution has been implemented pursuant to Section 6.12(c) or (d) below. The Deed Poll shall be governed by English law and VI and VE shall irrevocably submit to the jurisdiction of the courts of England in connection with any proceedings arising out of or in connection with the deed poll and waive any objection to proceedings in any such court on the ground of venue or on the ground that proceedings have been brought in an inconvenient forum. . (c) VI may implement an alternative Privacy Compliance Model under which: (i) the VE Members contract directly with VI, and VI offers to enter into direct EU Model Contracts (such EU Model Contracts to be in a form approved by the European Commission) with each VE Member; or (ii) the VE Members enter into new contracts with VE whereby VE acts as data controller with sole responsibility for any Trans-Border Dataflow, such new contracts between VE Members and VE to further: (A) clarify that VE is data controller in respect of any Trans-Border Dataflow; (B) oblige VE to take steps to ensure that any Trans-Border Dataflow is lawful through the use of EU Model Contracts (such EU Model Contracts to be in a form approved by the European Commission); (C) oblige VE to use all reasonable efforts to inform the VE Members about any government access to their data; and (D) contain an indemnity from VE to VE Members in respect of any data protection liability incurred by such VE Members as a result of VE’s breach of its obligations under Section 6.12(b). (d) In addition to the alternative Privacy Compliance Models described in Section 6.12(c), each of VE and the VE Member Representative acknowledge that VI may choose to adopt one or more alternative Privacy Compliance Models for Trans-Border Dataflow and EU Member State Data Protection Law compliance over time, and VI agrees that it will: (i) not take any actions, or make any changes to the then current Privacy Compliance Model, that would reduce the VE Members’ level of compliance with applicable EU Member State Data Protection Laws and the protection afforded to the VE Members; and (ii) (A) be open and transparent with the VE Members about its proposals for the alternative Privacy Compliance Model, (B) provide VE Members with a reasonable opportunity to comment and be consulted in relation to the alternative Privacy Compliance Model, and (C) ensure any such alternative Privacy Compliance Model provides the VE Members with a substantially equivalent level of compliance with, and protection in respect of, applicable EU Member State Data Protection Law as the then current Privacy Compliance Model. (e) VI acknowledges that each VE Member and its Affiliates are entitled to use their own VE Member Data for whatever lawful purpose they choose. VI shall not, and shall ensure that VE and their Affiliates shall not, place any restriction on a VE Member’s or their Affiliates’ use of their own VE Member Data. (f) VI shall not, and shall ensure that VE and their Affiliates shall not, Monetize VE Member Data. VI shall, and shall ensure VE and their Affiliates shall, use VE Member Data in accordance with Laws. (g) The provisions of Section 6.12(e) are subject to the following stipulations: (i) the provisions only apply in relation to the respective rights of, and the relationship between, (A) VI, VE and their Affiliates and (B) each VE Member and their Affiliates, and are without prejudice to the competing rights and interests of any third party; (ii) it is the responsibility of the VE Member and their Affiliates to ensure that their use of VE Member Data is in accordance with Laws; (iii) the VE Member and its Affiliates are not entitled to use VE Member Data in a manner contrary to any Pre-Existing Data Restrictions; (iv) VI, VE and their Affiliates may impose additional restrictions upon the VE Members’ and their Affiliates’ use of VE Member Data with the affected VE Members’ prior consent; (v) VI, VE and their Affiliates may impose modified or additional restrictions upon the VE Members’ and their Affiliates’ use of VE Member Data to the extent that they are required by Laws to impose such restrictions; and (vi) any new services introduced by VI, VE and their Affiliates after the date of the Original this Agreement may contain restrictions on the VE Members’ and their Affiliates’ use of VE Member Data supplied under that new service. (h) The restrictions in Section 6.12(f) on VI, VE and their Affiliates Monetizing VE Member Data shall not apply to any of the following: (i) VI, VE and their Affiliates using VE Member Data for their own internal purposes; (ii) any disclosure required by Laws; (iii) any disclosure to or on behalf of a merchant, data subject or other stakeholder in the data in question that does not disclose additional information about a VE Member or its Affiliates that is not already accessible by such merchant, data subject or other stakeholder (for example, this would include analysis for a merchant or data subject by VI, VE or their Affiliates of data already available to that merchant or data subject); (iv) any disclosure that is a necessary or incidental part of the services provided to the VE Members and/or VE Licensed Non-Members and/or their Affiliates, including risk and/or fraud prevention activities; or (v) any use of VE Member Data, to the extent that: (A) such VE Member Data is aggregated so as to anonymise information about the VE Member and its Affiliates in question; (B) such VE Member Data is not of a confidential or proprietary nature regarding the VE Member or its Affiliates in question (it being acknowledged that in many cases Transaction Data will be confidential or - 44 - proprietary); or (C) the VE Member in question has given its prior written consent to such use.