Common use of DATA PROTECTION AND PRIVACY Clause in Contracts

DATA PROTECTION AND PRIVACY. (a) Each Group Company has, since January 1, 2016: (i) complied in all material respects with applicable Company Privacy Policies and Data Protection Laws, including through adopting all appropriate technical and organizational security measures to protect Personal Data against a Data Breach; (ii) except as would not reasonably be expected to adversely affect the Group Companies in any material respect, (A) obtained and maintained all registrations and notifications required under applicable Data Protection Laws, and (B) any processing of personal data by or on its behalf has been in accordance with such registrations and notifications; (iii) duly provided data subjects with relevant information notices and acquired any necessary consent of data subjects to the processing of their data, as required under applicable Data Protection Laws, and any processing of Personal Data by or on its behalf has been in accordance with such notices and consents; and (iv) in place written agreements with any third party which it has authorized to have access to Personal Data, including processors, to ensure that the third party respects and maintains the confidentiality and security of the Personal Data and complies at all times with applicable Data Protection Laws and such written agreements with such processors include processing provisions as required under Data Protection Laws. 
(b) As at the date hereof: (i) each Group Company is in compliance in all material respects with the terms of all Contracts to which it is a party relating to data privacy, security, or breach notification (including provisions that impose conditions or restrictions on the collection, use, storage, transfer or disposal of Personal Data); (ii) no Group Company has received a written notice (including any enforcement notice), letter or complaint from a supervisory authority or any data subject alleging breach by it of any Data Protection Laws nor has it been involved in any litigation with respect to its processing of Personal Data; (iii) no data subject has been awarded compensation by a supervisory authority or by a court of law from any Group Company under any Data Protection Laws; (iv) no written request has been made by a data subject to, or order has been made by a supervisory authority or a court of law against, any Group Company for access to, the rectification, restriction, blocking, erasure or destruction of any Personal Data under any Data Protection Laws; and (v) no Group Company has transferred Personal Data outside of the European Economic Area other than in compliance with Data Protection Laws in all material respects. (c) Following the Closing Date, Holdco and the Group Companies will be entitled to process the Personal Data comprised in the information of the Group Companies created prior to the Closing Date that are in the control or possession of the Holdco and/or the Group Companies after the Closing Date in the manner in which that Personal Data was processed by the Group Companies in the course of business in the three (3) years immediately prior to the Closing Date, including adaptations made due to the introduction of EU-Regulation 2016/679 (General Data Protection Regulation) in May 2018, in compliance with Data Protection Laws. 
(d) Neither the execution, delivery or performance of this Agreement or any of the other agreements contemplated by this Agreement, nor the consummation of any of the transactions contemplated by this Agreement or any such other agreements, nor the Member’s provision to Parent, Holdco and Merger Sub, or Parent’s, Holdco’s or Merger Sub’s possession or use of, Personal Data or any other data or information in the databases of the Group Companies, will result in any violation of the Member’s or any Group Company’s Privacy Policy, contract, or any Data Protection Laws or other Laws pertaining to privacy, Personal Data, data security, or spyware. (e) Each Group Company has established and is in material compliance with an information security program that: (i) includes administrative, technical and physical safeguards designed to safeguard the security, confidentiality, and integrity of the Information Technology Systems and the data hosted therein; (ii) is designed to protect against unauthorized access to the Information Technology Systems and the systems of any third party service providers that have access to the Information Technology Systems and the data hosted therein; and (iii) complies with applicable Data Protection Laws in all material respects. (f) Since January 1, 2016, no Group Company has suffered a Data Breach with respect to the Information Technology Systems and no breach or violation of any security program described above has occurred or is threatened, and, to the Knowledge of the Company, there has been no unauthorized or illegal use of or access to the Information Technology Systems and the data hosted therein. 
No third party service provider working on behalf of a Group Company has notified any Group Company that the third party service provider has had, and, to the Knowledge of the Company, no third party service provider working on behalf of a Group Company has had, a Data Breach with respect to any data collected or used in connection with the operation of the business. No Group Company has notified, nor been required to notify, any data subject or supervisory authority of any Data Breach.

Appears in 2 contracts

Samples: Master Transaction Agreement (RTI Surgical Holdings, Inc.), Master Transaction Agreement (Rti Surgical, Inc.)

DATA PROTECTION AND PRIVACY. (a) Each Group Company hasThe Sellers and the Transferred Entities have in relation to the Businesses, since January 1established an Information Security Program that materially complies with Privacy Requirements, 2016: Privacy Policies, and any material Contracts relating to the protection or the Processing of Business Data, that is appropriately implemented and maintained and there have been no material violations of the Information Security Program. The Sellers and the Transferred Entities have in relation to the Businesses assessed and tested the Information Security Program on a no less frequent than annual basis; remediated all emergency, critical and high risks and vulnerabilities identified in external, authorized third-party penetration tests undertaken by the Sellers and the Transferred Entities on an annual basis; and the Information Security Program has proven sufficient and compliant with Privacy Requirements in all material respects. The IT Systems currently used in relation to the Businesses are in good working condition, operate and perform as necessary to conduct the Businesses and, to the knowledge of Sellers, do not contain any Malicious Code or defect. (b) In relation to the Businesses, the Sellers and Transferred Entities and, to the knowledge of Sellers, with respect to the Processing of Business Data, their Data Processors, (i) comply and have complied in the three (3) years prior to the date hereof in all material respects with applicable Company Privacy Policies, material Contracts relating to the protection or the Processing of Personal Data, and the Privacy Requirements; and (ii) have not carried out any cross-border transfers of Personal Data other than in accordance with Privacy Requirements, Privacy Policies and Data Protection Lawsmaterial Contracts relating to the protection or the Processing of Personal Data. 
(c) In relation to the Businesses, including through adopting all appropriate technical the Sellers and organizational security measures Transferred Entities: (i) have implemented and maintained procedures to protect ensure that any Processing of Personal Data against has been carried out in reliance on a Data Breachvalid legal basis; (ii) except as would not reasonably be expected to adversely affect the Group Companies in any material respectwhere required by Privacy Requirements, (A) obtained and maintained all registrations and notifications required under applicable Data Protection Laws, and (B) any processing of personal data by or on its behalf has been in accordance with such registrations and notifications; (iii) have duly provided data subjects with relevant adequate information notices and acquired any obtained necessary consent of valid consents from data subjects to for the processing Processing of their data, as required under applicable Data Protection LawsPersonal Data, and any processing of Personal Data by or on its behalf all Processing has been carried out in accordance all material respects in compliance with such notices and consents; and (iviii) have satisfied any requests for access to Personal Data or any other rights of data subjects exercised, in place written agreements accordance with Privacy Requirements. To the extent required by material Contracts relating to the protection or the Processing of Personal Data, Privacy Requirements or Privacy Policies, (i) Personal Data is Processed in an encrypted manner, and (ii) Personal Data is securely deleted or destroyed in accordance with Privacy Requirements or material Contracts relating to the protection or the Processing of Personal Data. Neither the Sellers nor the Transferred Entities have sold (as defined by the California Consumer Privacy Act of 2018), and do not sell, any Personal Data to Persons or other third parties. 
Neither the execution, delivery or performance of this Agreement nor any of the other Transaction Documents, nor the consummation of any of the Transactions materially violate any material Contracts relating to the protection or the Processing of Personal Data, Privacy Requirements or Privacy Policies. Where Personal Data are disclosed and/or made available to a third party, such third party (whether or not a Data Processor) has provided guarantees, warranties or covenants in relation to the Processing of Personal Data, confidentiality, and security measures, all of which materially comply with Privacy Requirements, and such third party has agreed to comply with those obligations in a manner sufficient for the Seller and Transferred Entities to materially comply with Privacy Requirements. (d) In the three (3) years prior to the date hereof, the Business and, to the knowledge of the Sellers and the Transferred Entities, their Data Processors, have not suffered and are not suffering a Security Incident that has been or is required to be notified to any Person or Governmental Authority, as documented in legal assessments carried out by the Sellers and the Transferred Entities in accordance with Privacy Requirements. In the three (3) years prior to the date hereof, the Business and, to the knowledge of the Sellers and the Transferred Entities, their Data Processors, have not been and are not materially adversely affected by any Malicious Code, ransomware, malware attacks, or denial-of-service attacks on any IT Systems. In the three (3) years prior to the date hereof, none of the Sellers or Transferred Entities, nor, to Sellers’ knowledge, any other Person, has made any illegal, or unauthorized use of any Business Data collected with respect to the Businesses. 
In relation to the Businesses, neither the Sellers nor the Transferred Entities, nor any third party which it acting at their direction or authorization (including, any Data Processor), has authorized paid any perpetrator of any actual or threatened Security Incident or cyber-attack, including, but not limited to have access a ransomware attack or a denial-of-service attack. In the three (3) years prior to Personal Data, including processors, to ensure that the third party respects and maintains the confidentiality and security of the Personal Data and complies at all times with applicable Data Protection Laws and such written agreements with such processors include processing provisions as required under Data Protection Laws. (b) As at the date hereof: (i) each Group Company is , in compliance in all material respects with relation to the terms of all Contracts to which it is a party relating to data privacyBusinesses, securityneither the Sellers nor the Transferred Entities, or breach notification (including provisions that impose conditions or restrictions on the collection, use, storage, transfer or disposal of Personal Data); (ii) no Group Company has have received a written notice (including any enforcement notice), letter letter, or complaint from a supervisory authority Governmental Authority alleging noncompliance or potential noncompliance with any Privacy Requirements or Privacy Policies or any data material Contracts relating to the protection or the Processing of Personal Data and have not been subject alleging breach by it to any actual, pending, or, to the knowledge of Sellers, threatened civil, criminal, or administrative actions, suits, demands, claims, hearings, notices of violation, investigations, proceedings, demand letters, settlements, or enforcement actions, relating to noncompliance or potential noncompliance with Privacy Requirements or the Processing of Personal Data or any Data Protection Laws nor has it been involved in any litigation 
with respect material Contracts relating to its processing the protection or the Processing of Personal Data; (iii) no data subject has been awarded compensation by a supervisory authority or by a court of law from any Group Company under any Data Protection Laws; (iv) no written request has been made by a data subject to, or order has been made by a supervisory authority or a court of law against, any Group Company for access to, the rectification, restriction, blocking, erasure or destruction of any Personal Data under any Data Protection Laws; and (v) no Group Company has transferred Personal Data outside of the European Economic Area other than in compliance with Data Protection Laws in all material respects. (c) Following the Closing Date, Holdco and the Group Companies will be entitled to process the Personal Data comprised in the information of the Group Companies created prior to the Closing Date that are in the control or possession of the Holdco and/or the Group Companies after the Closing Date in the manner in which that Personal Data was processed by the Group Companies in the course of business in . In the three (3) years immediately prior to the Closing Datedate hereof, including adaptations made due in relation to the introduction of EU-Regulation 2016/679 (General Data Protection Regulation) in May 2018Businesses, in compliance neither the Sellers nor the Transferred Entities have received a material written complaint or letter from any Person alleging noncompliance or potential noncompliance with Data Protection Laws. (d) Neither the execution, delivery any Privacy Requirements or performance of this Agreement Privacy Policies or any material Contracts relating to the protection or the Processing of Personal Data. 
In relation to the other agreements contemplated by this AgreementBusinesses, neither the Sellers nor the consummation Transferred Entities, are in material breach or default of any of material Contracts relating to the transactions contemplated by this Agreement IT Systems or any such other agreementsto Business Data. In relation to the Businesses, nor the Member’s provision to ParentSellers and Transferred Entities maintain, Holdco and Merger Sub, or Parent’s, Holdco’s or Merger Sub’s possession or use of, Personal Data or any other data or information have maintained in the databases of the Group Companies, will result in any violation of the Member’s or any Group Company’s Privacy Policy, contract, or any Data Protection Laws or other Laws pertaining to privacy, Personal Data, data security, or spyware. two (e2) Each Group Company has established and is in material compliance with an information security program that: (i) includes administrative, technical and physical safeguards designed to safeguard the security, confidentiality, and integrity of the Information Technology Systems and the data hosted therein; (ii) is designed to protect against unauthorized access years prior to the Information Technology Systems and the systems of any third party service providers that have access to the Information Technology Systems and the data hosted therein; and (iii) complies date hereof, cyber liability insurance with applicable Data Protection Laws in all material respectsreasonable coverage limits. (f) Since January 1, 2016, no Group Company has suffered a Data Breach with respect to the Information Technology Systems and no breach or violation of any security program described above has occurred or is threatened, and, to the Knowledge of the Company, there has been no unauthorized or illegal use of or access to the Information Technology Systems and the data hosted therein. 
No third party service provider working on behalf of a Group Company has notified any Group Company that the third party service provider has had, and, to the Knowledge of the Company, no third party service provider working on behalf of a Group Company has had, a Data Breach with respect to any data collected or used in connection with the operation of the business. No Group Company has notified, nor been required to notify, any data subject or supervisory authority of any Data Breach.

Appears in 2 contracts

Samples: Security and Asset Purchase Agreement (Willis Towers Watson PLC), Security and Asset Purchase Agreement (Arthur J. Gallagher & Co.)

DATA PROTECTION AND PRIVACY. (a) Each Group Company has, since January 1, 2016: (i) complied Except as has not resulted in all material respects with applicable Company Privacy Policies and Data Protection Laws, including through adopting all appropriate technical and organizational security measures to protect Personal Data against a Data Breach; (ii) except as would not reasonably be expected to adversely affect result in, individually or in the Group Companies aggregate, a Company Material Adverse Effect: (1) each Company Entity maintains, and since December 31, 2017, has adopted, implemented and maintained a data privacy and security compliance program that complies with all applicable Privacy/Cybersecurity Requirements, protects Company IT Assets and protects Personal Information in the possession or under the control of any Company Entity against reasonably anticipated threats and hazards to its security and the unauthorized use or disclosure thereof, and that includes reasonably comprehensive plans, policies, procedures and administrative, personnel, technical and physical safeguards to protect the Company IT Assets and Personal Information and other material respectdata in the possession or under the control of any Company Entity, (A2) obtained the Company Entities are, and maintained since December 31, 2017, have been, in compliance with all registrations Privacy/Cybersecurity Requirements, including all HIPAA Commitments and notifications required requirements set forth in Company Entity data privacy and security compliance program policies, in the business of the Company Entities, (3) since December 31, 2017, no Person has gained unauthorized access, including any such access reportable to a Governmental Authority under applicable Data Protection LawsLaw, to any Personal Information transmitted, processed or stored by or in the possession or under the control of any Company Entity or to any Company IT Assets, or used, accessed or disclosed any such 
Personal Information or used or accessed such Company IT Assets for any illegal or unauthorized purpose, (4) since December 31, 2017, no Company Entity has received written notice of any claims, and there have been no Actions (Bincluding any investigation or written notice), from any Governmental Authority or any other Person alleging either a violation of any Person’s rights under Privacy/Cybersecurity Requirements, or breach or compromise of Privacy/Cybersecurity Requirements and (5) the consummation of the transactions contemplated hereby shall not breach or otherwise cause any processing violation of personal Privacy/Cybersecurity Requirements; and (ii) without limiting Section 3.16(a)(i), since December 31, 2017, (1) no Company Entity has received any notice from any Governmental Authority or other Person in respect of any alleged noncompliance with HIPAA, including the HIPAA Commitments, or any other Privacy/Cybersecurity Requirements, (2) no breach, unauthorized access or other actual or potential noncompliance related to Privacy/Cybersecurity Requirements has occurred, including any breach as that term is defined in 45 C.F.R. 
§160.103, related to any unsecured Personal Information that is created, retained, collected, used, disclosed, stored, transmitted, received or otherwise processed by a Company Entity, (3) no information security or privacy breach event has occurred that has resulted in or would require notification to any Governmental Authority or other Person by, on behalf of or as a result of a Company Entity under HIPAA or any comparable Laws or other Privacy/Cybersecurity Requirements, including any report of a breach or similar event to the Office for Civil Rights of the Department of Health and Human Services, (4) no Action has been asserted or threatened against any Company Entity alleging a violation of any Person’s data by privacy or on its behalf security rights, or a violation of any Privacy/Cybersecurity Requirement, and there does not exist any colorable basis therefor and (5) no Company Entity is or has been in accordance with such registrations and notifications; (iii) duly provided data subjects with relevant information notices and acquired breach or default under any necessary consent of data subjects Contract related to any provision thereof related to the processing creation, collection, obtaining, tracking, retention, storage, processing, use, sharing, disclosure, transmission, security, confidentiality and/or protection of their data, as required under applicable Data Protection Laws, and any processing of Company IT Assets or Personal Data by or on its behalf has been in accordance with such notices and consents; and (iv) in place written agreements with any third party which it has authorized to have access to Personal Data, including processors, to ensure that the third party respects and maintains the confidentiality and security of the Personal Data and complies at all times with applicable Data Protection Laws and such written agreements with such processors include processing provisions as required under Data Protection LawsInformation. 
(b) As at the date hereof: (i) each Group The Company is not subject to any Privacy/Cybersecurity Requirements that, after the Closing, would prohibit the Company Entities from receiving and/or using Personal Information in compliance in all material respects with substantially the terms of all Contracts to which it is a party relating to data privacy, security, or breach notification (including provisions that impose conditions or restrictions on the collection, use, storage, transfer or disposal of Personal Data); (ii) no Group Company has received a written notice (including any enforcement notice), letter or complaint from a supervisory authority or any data subject alleging breach by it of any Data Protection Laws nor has it been involved in any litigation with respect to its processing of Personal Data; (iii) no data subject has been awarded compensation by a supervisory authority or by a court of law from any Group Company under any Data Protection Laws; (iv) no written request has been made by a data subject to, or order has been made by a supervisory authority or a court of law against, any Group Company for access to, the rectification, restriction, blocking, erasure or destruction of any Personal Data under any Data Protection Laws; and (v) no Group Company has transferred Personal Data outside of the European Economic Area other than in compliance with Data Protection Laws in all material respects. 
(c) Following the Closing Date, Holdco and the Group Companies will be entitled to process the Personal Data comprised in the information of the Group Companies created same manner as prior to the Closing Date that are in the control or possession of the Holdco and/or the Group Companies after the Closing Date in the manner in which that Personal Data was processed by the Group Companies in the course of business in the three (3) years immediately prior to the Closing Date, including adaptations made due to the introduction of EU-Regulation 2016/679 (General Data Protection Regulation) in May 2018, in compliance with Data Protection LawsClosing. (d) Neither the execution, delivery or performance of this Agreement or any of the other agreements contemplated by this Agreement, nor the consummation of any of the transactions contemplated by this Agreement or any such other agreements, nor the Member’s provision to Parent, Holdco and Merger Sub, or Parent’s, Holdco’s or Merger Sub’s possession or use of, Personal Data or any other data or information in the databases of the Group Companies, will result in any violation of the Member’s or any Group Company’s Privacy Policy, contract, or any Data Protection Laws or other Laws pertaining to privacy, Personal Data, data security, or spyware. (e) Each Group Company has established and is in material compliance with an information security program that: (i) includes administrative, technical and physical safeguards designed to safeguard the security, confidentiality, and integrity of the Information Technology Systems and the data hosted therein; (ii) is designed to protect against unauthorized access to the Information Technology Systems and the systems of any third party service providers that have access to the Information Technology Systems and the data hosted therein; and (iii) complies with applicable Data Protection Laws in all material respects. 
(f) Since January 1, 2016, no Group Company has suffered a Data Breach with respect to the Information Technology Systems and no breach or violation of any security program described above has occurred or is threatened, and, to the Knowledge of the Company, there has been no unauthorized or illegal use of or access to the Information Technology Systems and the data hosted therein. No third party service provider working on behalf of a Group Company has notified any Group Company that the third party service provider has had, and, to the Knowledge of the Company, no third party service provider working on behalf of a Group Company has had, a Data Breach with respect to any data collected or used in connection with the operation of the business. No Group Company has notified, nor been required to notify, any data subject or supervisory authority of any Data Breach.

Appears in 1 contract

Samples: Merger Agreement (Magellan Health Inc)

DATA PROTECTION AND PRIVACY. (a) Each Group Company has, since January 1, 2016: (i) complied In this Section 3.1(aa), “Data Subject”, “Controller” and “Processor” shall have the meaning given in all material respects with applicable Company Privacy Policies and the Data Protection Laws, including through adopting all appropriate technical and organizational security measures to protect Personal Data against a Data Breach; (ii) except as would not reasonably be expected to adversely affect the Group Companies in any material respect, (A) obtained and maintained all registrations and notifications required under applicable Data Protection Laws. The Subsidiary has, and (B) any processing of personal data by or on its behalf has been in accordance with such registrations the past, maintained written policies and notifications; (iii) duly provided data subjects with relevant information notices and acquired any necessary consent of data subjects to procedures concerning the processing of their data, as required under applicable Data Protection Laws, and any processing of Personal Data by or on its behalf has been in accordance with such notices and consents; and (iv) in place written agreements with any third party which it has authorized to have access to Personal Data, including processors, to ensure that the third party respects and maintains the confidentiality and privacy and/or security of the any information about an identified or identifiable natural person or that constitutes Personal Data Information or similar information governed by applicable Law and complies at all times has provided notice thereof in compliance with applicable Data Protection Laws and no disclosure made or contained in such written agreements with such processors include processing provisions as required under Data Protection Laws. (b) As at policies or procedures have been misleading, deceptive, or inaccurate in any material respect. 
During the seven year period immediately preceding the date hereofof this Agreement: (iA) each Group Company is in the Subsidiary has at all times complied (and has used commercially reasonable efforts to require the compliance in of its Independent Contractor, consultants and other business partners) with all material respects with Law related to the terms of all Contracts to which it is a party relating to data privacy, security, or breach notification (including provisions that impose conditions or restrictions on the collection, use, storage, transfer or disposal privacy and/or security of Personal Data); (ii) no Group Company has received a written notice (Information, including any enforcement notice), letter or complaint from a supervisory authority or any data subject alleging breach by it of any Data Protection Laws nor has it been involved in any litigation with respect to its processing of Personal DataLaw; (iiiB) no data subject has been awarded compensation by a supervisory authority or by a court of law from any Group Company under any Data Protection Laws; (iv) no written request has been made by a data subject to, or order has been made by a supervisory authority or a court of law against, any Group Company for access to, the rectification, restriction, blocking, erasure or destruction of any Personal Data under any Data Protection Laws; and (v) no Group Company has transferred Personal Data outside of the European Economic Area other than in compliance with Data Protection Laws in all material respects. 
(c) Following the Closing Date, Holdco and the Group Companies will be entitled to process the Personal Data comprised in the information of the Group Companies created prior to the Closing Date that are in the control or possession of the Holdco and/or the Group Companies after the Closing Date in the manner in which that Personal Data was processed by the Group Companies in the course of business in the three (3) years immediately prior to the Closing Date, including adaptations made due to the introduction of EU-Regulation 2016/679 (General Data Protection Regulation) in May 2018, in compliance with Data Protection Laws. (d) Neither the execution, delivery or performance of this Agreement or any of the other agreements contemplated by this Agreement, nor the consummation of any of the transactions contemplated by this Agreement or any such other agreements, nor the Member’s provision to Parent, Holdco and Merger Sub, or Parent’s, Holdco’s or Merger Sub’s possession or use of, Personal Data or any other data or information in the databases of the Group Companies, will result in any violation of the Member’s or any Group Company’s Privacy Policy, contract, or any Data Protection Laws or other Laws pertaining to privacy, Personal Data, data security, or spyware. (e) Each Group Company has established and is in material compliance with an information security program that: (i) includes administrative, technical and physical safeguards designed to safeguard the security, confidentiality, and integrity of the Information Technology Systems and the data hosted therein; (ii) is designed to protect against unauthorized access to the Information Technology Systems and the systems of any third party service providers that have access to the Information Technology Systems and the data hosted therein; and (iii) complies with applicable Data Protection Laws in all material respects. 
(f) Since January 1, 2016, no Group Company has suffered a Data Breach with respect to the Information Technology Systems and no breach or violation of any security program described above has occurred or is threatened, and, to the Knowledge of the Company, there has been no unauthorized access to, disclosure of, appropriation of, or illegal use other processing of any Personal Information in the possession or access to under the Information Technology Systems and the data hosted therein. No third party service provider working on behalf of a Group Company has notified any Group Company that the third party service provider has had, and, to the Knowledge control of the CompanySubsidiary; (C) the Subsidiary has not been required pursuant to any Data Protection Law to notify any individual or Governmental Authority of any such unauthorized access, no third party service provider working on behalf disclosure, misappropriation, or processing; (D) the Subsidiary has not received written notice that it or any of a Group Company has hadits Independent Contractors, a Data Breach consultants or agents is the subject of any inquiry, investigation, or enforcement action of any Governmental Authority with respect to compliance with any data collected or Data Protection Law; and (E) the Subsidiary has used in connection commercially reasonable efforts with respect to protecting the operation operation, availability, confidentiality, integrity, and security of the business. No Group Company has notifieddatabase(s) containing Personal Information that are maintained by or for the Subsidiary against any unauthorized, nor been required to notifymalicious or improper use, any data subject access, transmittal, interruption, modification or supervisory authority of any Data Breachcorruption.

Appears in 1 contract

Samples: Arrangement Agreement (Marizyme Inc)

DATA PROTECTION AND PRIVACY. Except as set forth on Schedule 3.22: (a) Each Group The Company hasand the Subsidiary have, since January 1, 20162018: (i) complied in all material respects with applicable Company Privacy Policies and Data Protection Laws, including through adopting all appropriate technical and organizational security measures to protect Personal Data against a Data Breach; (ii) except as would not reasonably be expected to adversely affect the Group Companies in any material respectprovided, (A) obtained and maintained all registrations and notifications required under applicable Data Protection Laws, and (B) any processing of personal data Personal Data by or on its behalf has been in accordance with such registrations and notifications; (iii) duly provided data subjects with relevant information notices and acquired any necessary consent of data subjects to the processing of their data, as required under applicable Data Protection Laws, and any processing of Personal Data by or on its behalf has been in accordance with such notices and consents; and (iv) in place written agreements with any third party which it has authorized to have access to Personal Data, including processors, vendors or strategic partners, to ensure that the third party respects and maintains the confidentiality and security of the Personal Data and complies at all times with applicable Data Protection Laws and such written agreements with such processors third parties include processing provisions as required under Data Protection Laws. 
(b) As at the date hereof: (i) each Group the Company is and the Subsidiary are in compliance in all material respects with the terms of all Contracts to which it is a party relating to data privacy, security, or breach notification (including provisions that impose conditions or restrictions on the collection, use, storage, transfer or disposal of Personal Data); (ii) no Group neither the Company nor the Subsidiary has received a written notice (including any enforcement notice), letter or complaint from a supervisory authority or any data subject alleging breach by it of any Data Protection Laws nor has it been involved in any litigation with respect to its processing of Personal Data; (iii) no data subject has been awarded compensation by a supervisory authority or by a court of law from any Group the Company or the Subsidiary under any Data Protection LawsLaws or a violation of any Company Privacy Policies; and (iv) no written request has been made by a data subject to, or order has been made by a supervisory authority or a court of law against, any Group the Company or the Subsidiary for access to, the rectification, restriction, blocking, erasure or destruction of any Personal Data under any Data Protection Laws; and (v) no Group Company has transferred Personal Data outside of the European Economic Area other than in compliance with Data Protection Laws in all material respects. 
(c) Following the Closing Date, Holdco the Buyer and the Group Companies Company and the Subsidiary will be entitled to process the Personal Data comprised in the information of the Group Companies Company or the Subsidiary created prior to the Closing Date that are in the control or possession of the Holdco Buyer and/or the Group Companies Company or the Subsidiary after the Closing Date in the manner in which that Personal Data was processed by the Group Companies Company or the Subsidiary in the course Ordinary Course of business Business in the three (3) years immediately prior to the Closing Date, including adaptations made due to the introduction of EU-Regulation 2016/679 (General Data Protection Regulation) in May 2018, in compliance with Data Protection Laws. (d) Neither the execution, delivery or performance of this Agreement or any of the other agreements contemplated by referred to in this Agreement, nor the consummation of any of the transactions contemplated by this Agreement or any such other agreements, nor the MemberSeller’s provision to Parent, Holdco and Merger SubBuyer, or Parent’s, Holdco’s or Merger SubBuyer’s possession or use of, Personal Data or any other data or information in the databases of the Group CompaniesCompany or the Subsidiary, will result in any violation of the Member’s or any Group Company’s Company Privacy PolicyPolicies, any contract, or any Data Protection Laws or other Laws pertaining to privacy, Personal Data, data security, security or spyware. 
(e) Each Group The Company has established and is in material compliance with an a written information security program that: (i) includes administrative, technical and physical safeguards designed to safeguard the security, confidentiality, and integrity of the Information Technology Systems and the data hosted therein; (ii) is designed to protect against unauthorized access to or misuse of the Information Technology Systems and the systems of any third party service providers that have access to the Information Technology Systems and the data hosted therein; and (iii) complies with applicable Data Protection Laws and meets generally-accepted standards in all material respectsthe industry of the Company. (f) Since January 1, 2016, no Group Neither the Company nor the Subsidiary has ever suffered a Data Breach with respect to the Information Technology Systems or any Personal Data within the possession or control of the Company or the Subsidiary and no breach or violation of any security program described above has occurred or is threatened, and, to the Knowledge of the Company, and there has been no unauthorized or illegal use of or access to the Information Technology Systems and the data hosted therein. No third party service provider working on behalf of a Group the Company or the Subsidiary has notified any Group Company that the third party service provider has had, and, to the Knowledge of the Company, no third party service provider working on behalf of a Group Company has had, had a Data Breach with respect to any data collected or used in connection with the operation of the businessBusiness. No Group Neither the Company nor the Subsidiary has notified, nor been required to notify, any data subject or supervisory authority of any Data Breach.

Appears in 1 contract

Samples: Stock Purchase Agreement (Akerna Corp.)

DATA PROTECTION AND PRIVACY. (a) Each Group Company hasFor the past three (3) years, since January 1with respect to the Business, 2016: (i) the Sellers materially comply and have complied in all material respects with applicable Company Privacy Policies and Data Protection Laws, including through adopting all appropriate technical and organizational security measures to protect Personal Data against a Data Breach; (ii) except as would not reasonably be expected to adversely affect the Group Companies in any material respect, (A) obtained and maintained all registrations and notifications required under applicable Data Protection Laws, and (B) any processing of personal data by or on its behalf has been in accordance with such registrations and notifications; (iii) duly provided data subjects with relevant information notices and acquired any necessary consent of data subjects to the processing of their data, as required under applicable Data Protection Laws, and any processing of Personal Data by or on its behalf has been in accordance with such notices and consents; and (iv) in place written agreements with any third party which it has authorized to have access to Personal Data, including processors, to ensure that the third party respects and maintains the confidentiality and security of the Personal Data and complies at all times with applicable Data Protection Laws and such written agreements with such processors include processing provisions as required under Data Protection LawsRequirements; (ii) to Seller’s Knowledge, the Sellers have not suffered or experienced any Security Breach; (iii) to Seller’s Knowledge, no Personal Information held or Processed by Third-Party Processors has been subject to any Security Breach; (iv) the Sellers, to Seller’s Knowledge and with respect to the Processing of Personal Information, any of their Third Party Processors have not been notified, and there have been no facts or circumstances that applicable Data Protection 
Requirements would require the Sellers to notify, any Governmental Authority or other Person of any Security Breach; and (v) to Seller’s Knowledge, the Sellers have not received written notice or allegation from, or been subject to any Action from, any Person or Governmental Authority alleging noncompliance with Data Protection Requirements. (b) As at the date hereof: (i) each Group Company is in compliance The Sellers have obtained all consents required in all material respects with the terms of all under applicable Data Protection Policies and Sellers’ applicable obligations under Contracts to which it is a party relating to data privacy, security, or breach notification (including provisions that impose conditions or restrictions on the for their collection, use, storagedisclosure, transfer or disposal other Processing of Personal Data); (ii) no Group Company has received a written notice (including any enforcement notice), letter or complaint from a supervisory authority or any data subject alleging breach by it of any Data Protection Laws nor has it been involved Information in any litigation connection with respect to its processing of Personal Data; (iii) no data subject has been awarded compensation by a supervisory authority or by a court of law from any Group Company under any Data Protection Laws; (iv) no written request has been made by a data subject to, or order has been made by a supervisory authority or a court of law against, any Group Company for access to, the rectification, restriction, blocking, erasure or destruction of any Personal Data under any Data Protection Laws; and (v) no Group Company has transferred Personal Data outside conduct of the European Economic Area other than in compliance with Data Protection Laws in all material respects. (c) Following the Closing DateBusiness. 
To Seller’s Knowledge, Holdco and the Group Companies will be entitled to process the Personal Data comprised in the information of the Group Companies created prior to the Closing Date that are in the control or possession of the Holdco and/or the Group Companies after the Closing Date in the manner in which that Personal Data was processed by the Group Companies in the course of business in the three (3) years immediately prior to the Closing Date, including adaptations made due to the introduction of EU-Regulation 2016/679 (General Data Protection Regulation) in May 2018, in compliance with Data Protection Laws. (d) Neither neither the execution, delivery or nor performance of this Agreement or any of the other agreements contemplated by this AgreementRelated Documents will (x) violate, nor the consummation of any of the transactions contemplated by this Agreement or any such other agreements, nor the Member’s provision to Parent, Holdco and Merger Sub, or Parent’s, Holdco’s or Merger Sub’s possession or use of, Personal Data or any other data or information in the databases of the Group Companies, will result in any violation of the Member’s or any Group Company’s Privacy Policymaterial respects, contract, or any Data Protection Laws or other Laws pertaining to privacy, Personal Data, data securityRequirements, or spyware(y) require, under applicable Data Protection Requirements, the consent of, or notice to, any Person concerning a transfer of Personal Information to the Purchasers or the Purchaser’s Processing of Personal Information as contemplated in the Transaction. 
(ec) Each Group Company has established and is in material compliance with an With respect to the Business, the Sellers have commercially reasonable measures designed to assess its information security program that: (i) includes program, and promptly remediated and addressed any and all high or critical risk vulnerabilities relating to the Sellers’ implementation of commercially reasonable safeguards, including administrative, physical and technical and physical safeguards designed to safeguard the securitysafeguards, confidentiality, and integrity of the Information Technology Systems and the data hosted therein; (ii) is designed to protect against unauthorized access to the Information Technology Systems and the systems of any third party service providers that have access to the Information Technology Systems and the data hosted therein; and (iii) complies with applicable Data Protection Laws in all material respectsits information security program. (f) Since January 1, 2016, no Group Company has suffered a Data Breach with respect to the Information Technology Systems and no breach or violation of any security program described above has occurred or is threatened, and, to the Knowledge of the Company, there has been no unauthorized or illegal use of or access to the Information Technology Systems and the data hosted therein. No third party service provider working on behalf of a Group Company has notified any Group Company that the third party service provider has had, and, to the Knowledge of the Company, no third party service provider working on behalf of a Group Company has had, a Data Breach with respect to any data collected or used in connection with the operation of the business. No Group Company has notified, nor been required to notify, any data subject or supervisory authority of any Data Breach.

Appears in 1 contract

Samples: Asset Purchase Agreement (Casa Systems Inc)

DATA PROTECTION AND PRIVACY. (a) Each Group Company has, since January 1, 2016: (i) complied Except as has not resulted in all material respects with applicable Company Privacy Policies and Data Protection Laws, including through adopting all appropriate technical and organizational security measures to protect Personal Data against a Data Breach; (ii) except as would not reasonably be expected to adversely affect result in, individually or in the Group Companies aggregate, a Company Material Adverse Effect: (i) (1) each Company Entity maintains, and since December 31, 2017, has adopted, implemented and maintained a data privacy and security compliance program that complies with all applicable Privacy/Cybersecurity Requirements, protects Company IT Assets and protects Personal Information in the possession or under the control of any Company Entity against reasonably anticipated threats and hazards to its security and the unauthorized use or disclosure thereof, and that includes reasonably comprehensive plans, policies, procedures and administrative, personnel, technical and physical safeguards to protect the Company IT Assets and Personal Information and other material respectdata in the possession or under the control of any Company Entity, (A2) obtained the Company Entities are, and maintained since December 31, 2017, have been, in compliance with all registrations Privacy/Cybersecurity Requirements, including all HIPAA Commitments and notifications required requirements set forth in Company Entity data privacy and security compliance program policies, in the business of the Company Entities, (3) since December 31, 2017, no Person has gained unauthorized access, including any such access reportable to a Governmental Authority under applicable Data Protection LawsLaw, to any Personal Information transmitted, processed or stored by or in the possession or under the control of any Company Entity or to any Company IT Assets, or used, accessed or disclosed any such 
Personal Information or used or accessed such Company IT Assets for any illegal or unauthorized purpose, (4) since December 31, 2017, no Company Entity has received written notice of any claims, and there have been no Actions (Bincluding any investigation or written notice), from any Governmental Authority or any other Person alleging either a violation of any Person’s rights under Privacy/Cybersecurity Requirements, or breach or compromise of Privacy/Cybersecurity Requirements and (5) the consummation of the transactions contemplated hereby shall not breach or otherwise cause any processing violation of personal Privacy/Cybersecurity Requirements; and (ii) without limiting Section 3.16(a)(i), since December 31, 2017, (1) no Company Entity has received any notice from any Governmental Authority or other Person in respect of any alleged noncompliance with HIPAA, including the HIPAA Commitments, or any other Privacy/Cybersecurity Requirements, (2) no breach, unauthorized access or other actual or potential noncompliance related to Privacy/Cybersecurity Requirements has occurred, including any breach as that term is defined in 45 C.F.R. 
§160.103, related to any unsecured Personal Information that is created, retained, collected, used, disclosed, stored, transmitted, received or otherwise processed by a Company Entity, (3) no information security or privacy breach event has occurred that has resulted in or would require notification to any Governmental Authority or other Person by, on behalf of or as a result of a Company Entity under HIPAA or any comparable Laws or other Privacy/Cybersecurity Requirements, including any report of a breach or similar event to the Office for Civil Rights of the Department of Health and Human Services, (4) no Action has been asserted or threatened against any Company Entity alleging a violation of any Person’s data by privacy or on its behalf security rights, or a violation of any Privacy/Cybersecurity Requirement, and there does not exist any colorable basis therefor and (5) no Company Entity is or has been in accordance with such registrations and notifications; (iii) duly provided data subjects with relevant information notices and acquired breach or default under any necessary consent of data subjects Contract related to any provision thereof related to the processing creation, collection, obtaining, tracking, retention, storage, processing, use, sharing, disclosure, transmission, security, confidentiality and/or protection of their data, as required under applicable Data Protection Laws, and any processing of Company IT Assets or Personal Data by or on its behalf has been in accordance with such notices and consents; and (iv) in place written agreements with any third party which it has authorized to have access to Personal Data, including processors, to ensure that the third party respects and maintains the confidentiality and security of the Personal Data and complies at all times with applicable Data Protection Laws and such written agreements with such processors include processing provisions as required under Data Protection LawsInformation. 
(b) As at the date hereof: (i) each Group The Company is not subject to any Privacy/Cybersecurity Requirements that, after the Closing, would prohibit the Company Entities from receiving and/or using Personal Information in compliance in all material respects with substantially the terms of all Contracts to which it is a party relating to data privacy, security, or breach notification (including provisions that impose conditions or restrictions on the collection, use, storage, transfer or disposal of Personal Data); (ii) no Group Company has received a written notice (including any enforcement notice), letter or complaint from a supervisory authority or any data subject alleging breach by it of any Data Protection Laws nor has it been involved in any litigation with respect to its processing of Personal Data; (iii) no data subject has been awarded compensation by a supervisory authority or by a court of law from any Group Company under any Data Protection Laws; (iv) no written request has been made by a data subject to, or order has been made by a supervisory authority or a court of law against, any Group Company for access to, the rectification, restriction, blocking, erasure or destruction of any Personal Data under any Data Protection Laws; and (v) no Group Company has transferred Personal Data outside of the European Economic Area other than in compliance with Data Protection Laws in all material respects. 
(c) Following the Closing Date, Holdco and the Group Companies will be entitled to process the Personal Data comprised in the information of the Group Companies created same manner as prior to the Closing Date that are in the control or possession of the Holdco and/or the Group Companies after the Closing Date in the manner in which that Personal Data was processed by the Group Companies in the course of business in the three (3) years immediately prior to the Closing Date, including adaptations made due to the introduction of EU-Regulation 2016/679 (General Data Protection Regulation) in May 2018, in compliance with Data Protection LawsClosing. (d) Neither the execution, delivery or performance of this Agreement or any of the other agreements contemplated by this Agreement, nor the consummation of any of the transactions contemplated by this Agreement or any such other agreements, nor the Member’s provision to Parent, Holdco and Merger Sub, or Parent’s, Holdco’s or Merger Sub’s possession or use of, Personal Data or any other data or information in the databases of the Group Companies, will result in any violation of the Member’s or any Group Company’s Privacy Policy, contract, or any Data Protection Laws or other Laws pertaining to privacy, Personal Data, data security, or spyware. (e) Each Group Company has established and is in material compliance with an information security program that: (i) includes administrative, technical and physical safeguards designed to safeguard the security, confidentiality, and integrity of the Information Technology Systems and the data hosted therein; (ii) is designed to protect against unauthorized access to the Information Technology Systems and the systems of any third party service providers that have access to the Information Technology Systems and the data hosted therein; and (iii) complies with applicable Data Protection Laws in all material respects. 
(f) Since January 1, 2016, no Group Company has suffered a Data Breach with respect to the Information Technology Systems and no breach or violation of any security program described above has occurred or is threatened, and, to the Knowledge of the Company, there has been no unauthorized or illegal use of or access to the Information Technology Systems and the data hosted therein. No third party service provider working on behalf of a Group Company has notified any Group Company that the third party service provider has had, and, to the Knowledge of the Company, no third party service provider working on behalf of a Group Company has had, a Data Breach with respect to any data collected or used in connection with the operation of the business. No Group Company has notified, nor been required to notify, any data subject or supervisory authority of any Data Breach.

Appears in 1 contract

Samples: Merger Agreement (Centene Corp)

DATA PROTECTION AND PRIVACY. (a) Each Group Company and, to the Knowledge of the Company, each Person who Processes Personal Data on their behalf, has, since January 1, 2016: (i) complied in all material respects with applicable any Company Privacy Policies and Data Protection Laws, including through adopting all appropriate technical and organizational security measures to protect Personal Data against a Data BreachRequirements; (ii) except as would not reasonably be expected to adversely affect the Group Companies in any material respect, (A) obtained and maintained all material registrations and notifications required under applicable Data Protection LawsRequirements, and (B) ensured that any processing of personal data by or on its behalf has been in accordance with such registrations and notifications; (iii) duly provided data subjects with relevant information notices and acquired any necessary consent of data subjects to the processing of their data, as required under applicable Data Protection Laws, and any processing Processing of Personal Data by or on its behalf has been in accordance with and complied with such registrations and notifications in all material respects; (iii) duly provided all individuals with any information notices and acquired any consents to the Processing of their data to the extent required under Data Protection Requirements, and reasonably ensured that any Processing of Personal Data by or on its behalf has been in accordance with and complied with such notices and consentsconsents in all material respects; and (iv) in place written agreements with any third party which it has authorized to have access to or Processes Personal DataData on behalf of any Group Company, including processors, to ensure that include any required provisions under Data Protection Requirements and that reasonably require that the third party complies at all times with Data Protection Requirements and respects and maintains the confidentiality 
confidentiality, integrity, and security of the Personal Data and complies at all times with applicable Data Protection Laws and such written agreements with such processors include processing provisions as required under Data Protection LawsData. (b) As at the date hereof: (i) each Group Company is in compliance in all material respects with the terms of all Contracts to which it is a party relating to data privacy, security, or breach notification (including provisions that impose conditions or restrictions on the collection, use, storage, transfer or disposal Processing of Personal Data); (ii) no Group Company has received a written notice (including any enforcement notice), letter letter, inquiry or complaint from a supervisory authority authority, Governmental Entity or any data subject Person alleging breach by it violation or potential violation of any Data Protection Laws Requirements, nor has it been involved in any litigation or enforcement activity with respect to its processing Processing of Personal Data; (iii) no data subject Person has been awarded compensation by a any Governmental Entity, self-regulatory or supervisory authority or by a court of law from any Group Company under any Data Protection LawsRequirements; (iv) to the Knowledge of the Company no written request has been made by a data subject any Person to, or order has been made by a any Governmental Entity, self-regulatory or supervisory authority authority, or a court of law against, any Group Company for access to, the rectification, restriction, blocking, erasure or destruction of any Personal Data under any Data Protection LawsRequirements; and (v) no Group Company has transferred Personal Data outside of the European Economic Area other than in compliance with Data Protection Laws in all material respectsRequirements. 
(c) Following the Closing Date, Holdco and the Group Companies will be entitled to process the Personal Data comprised in the information of the Group Companies created prior to the Closing Date that are in the control or possession of the Holdco and/or the Group Companies after the Closing Date in the manner in which that Personal Data was processed by the Group Companies in the course of business in the three (3) years immediately prior to the Closing Date, including adaptations made due to the introduction of EU-Regulation 2016/679 (General Data Protection Regulation) in May 2018, in compliance with Data Protection Laws. (d) Neither the execution, delivery delivery, or performance of this Agreement or any of the other agreements contemplated by this AgreementTransaction Documents, nor the consummation of any of the transactions contemplated by this Agreement or any such other agreementsTransactions, nor the MemberCompany’s provision to ParentBuyer of Personal Data, Holdco and Merger Sub, or Parent’s, Holdco’s or Merger Sub’s possession or use of, Personal Data Information Technology Systems or any other data or information in the databases of the Group Companies, will result in any violation of the Member’s or any Group Company’s Company Privacy Policy, contractContract, or any Data Protection Laws or other Laws Requirements pertaining to privacy, Personal Data, data security, or spywareMalicious Code. 
Following the First Closing Date, Buyer and the Group Companies will be entitled to Process the Personal Data Processed or otherwise in the possession or control of the Group Companies (or Persons acting on their behalf), or that are otherwise used by, relied on, or necessary for operation of the Group Companies’ business, after the First Closing Date in the manner in which and on substantially the same terms that Personal Data was processed by the Group Companies in the course of business prior to the First Closing Date, without violation of any Data Protection Requirements or any Company Privacy Policy. (d) Each Group Company that processes Personal Data or as otherwise required by Privacy Requirements has established an Information Security Program, and there have been no actual or, to the Knowledge of the Company, threatened violations of said Information Security Program. Each Group Company has tested and maintained its Information Security Program as required by Privacy Requirements and in a commercially reasonable manner and remediated all critical, high and medium risks, to the extent applicable, and, to the Knowledge of the Company, the Information Security Program has proven sufficient and compliant with Data Protection Requirements in all material respects. The Information Technology Systems operate and perform as is necessary to conduct the business of the Group Companies in all material respects and do not contain any Malicious Code. 
(e) Each No Group Company has established and is in material compliance with an information security program that: (i) includes administrative, technical and physical safeguards designed to safeguard the security, confidentiality, and integrity of the Information Technology Systems and the data hosted therein; (ii) is designed to protect against unauthorized access to the Information Technology Systems and the systems of any third party service providers that have access to the Information Technology Systems and the data hosted therein; and (iii) complies with applicable Data Protection Laws in all material respects. (f) Since January 1, 2016, no Group Company has ever suffered a Data Breach with respect to the Information Technology Systems and no breach or violation of has been adversely affected by any security program described above has occurred Malicious Code or is threateneddenial-of-service attacks, and, to the Knowledge of the Company, there has been no unauthorized or illegal use of or access to the Information Technology Systems or material breach of any Contracts relating to such systems and the data hosted therein. No third party service provider working on behalf of a Group Company has notified any Group Company that the third party service provider has had, and, to To the Knowledge of the Company, no third party service provider working on behalf of a Group Company has had, had a Data Breach with respect to any data collected or used in connection with the operation of the business. No Group Company has notified, nor been required to notify, any data subject or Governmental Entity or supervisory authority of any Data Breach. 
(f) The Group Companies and its products and services operate and comply with and have complied with any business associate agreements including any such agreements executed in accordance with HIPAA, the Privacy Rule, the Security Rule and HITECH with all respective customers, vendors, and suppliers, in each case in all material respects. The Company has adopted written privacy and security compliance policies and procedures to the extent required by business associate agreements and Data Protection Requirements, and has conducted HIPAA risk assessments, to the extent required by and in accordance with all applicable business associate agreements and Data Protection Requirements. For purposes of this Section 3.25, the words “processor” shall have the meaning given to them under Data Protection Requirements.

Appears in 1 contract

Samples: Stock Purchase Agreement (Surgalign Holdings, Inc.)

DATA PROTECTION AND PRIVACY. (a) Each Group Company has, since January 1, 2016: (i) complied Except as has not resulted in all material respects with applicable Company Privacy Policies and Data Protection Laws, including through adopting all appropriate technical and organizational security measures to protect Personal Data against a Data Breach; (ii) except as would not reasonably be expected to adversely affect result in, individually or in the Group Companies in any material respectaggregate, a Company Material Adverse Effect: (1) each Company Entity maintains, and since December 31, 2019, has adopted, implemented and maintained a data privacy and security compliance program that complies with all applicable Privacy/Cybersecurity Requirements, protects Company IT Assets and Personal Information against reasonably anticipated threats and hazards to their security and the unauthorized use or disclosure thereof and that includes comprehensive and robust plans, policies, procedures and administrative, personnel, technical and physical safeguards to protect the Company IT Assets and Personal Information and other data held by the business of the Company Entities, (A2) obtained the Company Entities and maintained to the Company’s Knowledge all registrations of the Company Entities’ processors of Personal Information, are, and notifications required since December 31, 2019, have been, in compliance with all Privacy/Cybersecurity Requirements, (3) since December 31, 2019, no Person has gained unauthorized access, including any such access reportable to a Governmental Authority under applicable Data Protection LawsLaw, related to any Personal Information transmitted or processed by or stored on any Company IT Assets or otherwise possessed or controlled by or for the Company Entities, or used, accessed or disclosed any such Personal Information or Company IT Assets for any illegal or unauthorized purpose, (4) since December 31, 2019, no Company Entity has received 
written notice of any claims, and there have been no Actions (Bincluding any investigation or written notice), from any Governmental Authority or any other Person alleging either a violation of any Person’s privacy rights or Personal Information or data rights, or breach or compromise of Privacy/Cybersecurity Requirements and (5) the consummation of the transactions contemplated hereby shall not breach or otherwise cause any processing violation of personal Privacy/Cybersecurity Requirements; and (ii) without limiting Section 3.18(a)(i), since December 31, 2019, (1) no Company Entity has received any notice from any Governmental Authority or Person in respect of any alleged noncompliance with any Privacy/Cybersecurity Requirements, (2) no breach, unauthorized access or other actual or potential noncompliance related to Privacy/Cybersecurity Requirements has occurred, including any breach as that term is defined in 45 C.F.R. §160.103, related to any unsecured Personal Information that is created, retained, collected, used, disclosed, stored, transmitted, received or otherwise processed by a Company Entity, (3) no information security or privacy breach event has occurred that has resulted in or would require notification to any Governmental Authority or other Person by, on behalf of or as a result of a Company Entity under any Privacy/Cybersecurity Requirements, (4) no Action has been asserted or threatened against any Company Entity alleging a violation of any Person’s data by privacy or on its behalf security rights, or a violation of any Privacy/Cybersecurity Requirement, and there does not exist any colorable basis therefor and (5) no Company Entity is or has been in accordance with such registrations and notifications; (iii) duly provided data subjects with relevant information notices and acquired breach or default under any necessary consent of data subjects Contract related to any provision thereof related to the processing creation, collection, obtaining, 
tracking, retention, storage, processing, use, sharing, disclosure, transmission, security, confidentiality and/or protection of their data, as required under applicable Data Protection Laws, and any processing of Company IT Assets or Personal Data by or on its behalf has been in accordance with such notices and consents; and (iv) in place written agreements with any third party which it has authorized to have access to Personal Data, including processors, to ensure that the third party respects and maintains the confidentiality and security of the Personal Data and complies at all times with applicable Data Protection Laws and such written agreements with such processors include processing provisions as required under Data Protection LawsInformation. (b) As at the date hereof: (i) each Group Company is in compliance in all material respects with the terms of all Contracts to which it is a party relating to data privacy, security, or breach notification (including provisions that impose conditions or restrictions on the collection, use, storage, transfer or disposal of Personal Data); (ii) no Group Company has received a written notice (including any enforcement notice), letter or complaint from a supervisory authority or any data subject alleging breach by it of any Data Protection Laws nor has it been involved in any litigation with respect to its processing of Personal Data; (iii) no data subject has been awarded compensation by a supervisory authority or by a court of law from any Group Company under any Data Protection Laws; (iv) no written request has been made by a data subject to, or order has been made by a supervisory authority or a court of law against, any Group Company for access to, the rectification, restriction, blocking, erasure or destruction of any Personal Data under any Data Protection Laws; and (v) no Group Company has transferred Personal Data outside of the European Economic Area other than in compliance with Data Protection Laws in all 
material respects. (c) Following the Closing Date, Holdco and the Group Companies will be entitled to process the Personal Data comprised in the information of the Group Companies created prior to the Closing Date that are in the control or possession of the Holdco and/or the Group Companies after the Closing Date in the manner in which that Personal Data was processed by the Group Companies in the course of business in the three (3) years immediately prior to the Closing Date, including adaptations made due to the introduction of EU-Regulation 2016/679 (General Data Protection Regulation) in May 2018, in compliance with Data Protection Laws. (d) Neither the execution, delivery or performance of this Agreement or any of the other agreements contemplated by this Agreement, nor the consummation of any of the transactions contemplated by this Agreement or any such other agreements, nor the Member’s provision to Parent, Holdco and Merger Sub, or Parent’s, Holdco’s or Merger Sub’s possession or use of, Personal Data or any other data or information in the databases of the Group Companies, will result in any violation of the Member’s or any Group Company’s Privacy Policy, contract, or any Data Protection Laws or other Laws pertaining to privacy, Personal Data, data security, or spyware. (e) Each Group Company has established and is in material compliance with an information security program that: (i) includes administrative, technical and physical safeguards designed to safeguard the security, confidentiality, and integrity of the Information Technology Systems and the data hosted therein; (ii) is designed to protect against unauthorized access to the Information Technology Systems and the systems of any third party service providers that have access to the Information Technology Systems and the data hosted therein; and (iii) complies with applicable Data Protection Laws in all material respects. 
(f) Since January 1, 2016, no Group Company has suffered a Data Breach with respect to the Information Technology Systems and no breach or violation of any security program described above has occurred or is threatened, and, to To the Knowledge of the Company, there (i) each Company Entity has, at all times since December 31, 2019, presented a privacy policy which complies with Privacy/Cybersecurity Requirements to individuals prior to the collection of any Personal Information, and no such privacy policy is or has been inaccurate, misleading or deceptive (including by omission), (ii) since December 31, 2019, no unauthorized or illegal use Company Entity has made any statement to the general public regarding any of or the Company Entities’ information security practices applicable to any Personal Information other than those made in such privacy policies, (iii) each Company Entity has in place and follows commercially reasonable procedures to ensure that there are contracts in place with all Personal Information processors, which comply with the requirements of all Privacy/Cybersecurity Requirements in all material respects, and require that such processors process Personal Information in compliance with Privacy/Cybersecurity Requirements in all material respects, and (iv) the Company Entities and their respective Personal Information processors have taken commercially reasonable steps to ensure the reliability of their respective employees and contractors who have access to the Information Technology Systems and the data hosted therein. 
No third party service provider working on behalf of a Group Company has notified any Group Company that the third party service provider has had, andPersonal Information, to train such employees on all applicable aspects of Privacy/Cybersecurity Requirements and to ensure that all employees with the Knowledge authority and/or ability to access such data are under written obligations of the Company, no third party service provider working on behalf of a Group Company has had, a Data Breach confidentiality with respect to any data collected or used in connection with the operation such data. (c) The consummation of the business. No Group Company has notified, nor been required to notify, transactions contemplated hereby shall not breach or otherwise cause any data subject or supervisory authority violation of any Data BreachPrivacy/Cybersecurity Requirements. The Company is not subject to any Privacy/Cybersecurity Requirements that, after the Closing, would prohibit the Company Entities from receiving and/or using Personal Information in substantially the same manner as prior to the Closing.

Appears in 1 contract

Samples: Merger Agreement (Mantech International Corp)

DATA PROTECTION AND PRIVACY. (a) Each Group Company and, to the Knowledge of the Company, each Person who Processes Personal Data on their behalf, has, since January 1, 2016: (i) complied in all material respects with applicable any Company Privacy Policies and Data Protection Laws, including through adopting all appropriate technical and organizational security measures to protect Personal Data against a Data BreachRequirements; (ii) except as would not reasonably be expected to adversely affect the Group Companies in any material respect, (A) obtained and maintained all material registrations and notifications required under applicable Data Protection LawsRequirements, and (B) ensured that any processing of personal data by or on its behalf has been in accordance with such registrations and notifications; (iii) duly provided data subjects with relevant information notices and acquired any necessary consent of data subjects to the processing of their data, as required under applicable Data Protection Laws, and any processing Processing of Personal Data by or on its behalf has been in accordance with and complied with such registrations and notifications in all material respects; (iii) duly provided all individuals with any information notices and acquired any consents to the Processing of their data to the extent required under Data Protection Requirements, and reasonably ensured that any Processing of Personal Data by or on its behalf has been in accordance with and complied with such notices and consentsconsents in all material respects; and (iv) in place written agreements with any third party which it has authorized to have access to or Processes Personal DataData on behalf of any Group Company, including processors, to ensure that include any required provisions under Data Protection Requirements and that reasonably require that the third party complies at all times with Data Protection Requirements and respects and maintains the confidentiality 
confidentiality, integrity, and security of the Personal Data and complies at all times with applicable Data Protection Laws and such written agreements with such processors include processing provisions as required under Data Protection LawsData. (b) As at the date hereof: (i) each Group Company is in compliance in all material respects with the terms of all Contracts to which it is a party relating to data privacy, security, or breach notification (including provisions that impose conditions or restrictions on the collection, use, storage, transfer or disposal Processing of Personal Data); (ii) no Group Company has received a written notice (including any enforcement notice), letter letter, inquiry or complaint from a supervisory authority authority, Governmental Entity or any data subject Person alleging breach by it violation or potential violation of any Data Protection Laws Requirements, nor has it been involved in any litigation or enforcement activity with respect to its processing Processing of Personal Data; (iii) no data subject Person has been awarded compensation by a any Governmental Entity, self-regulatory or supervisory authority or by a court of law from any Group Company under any Data Protection LawsRequirements; (iv) to the Knowledge of the Company no written request has been made by a data subject any Person to, or order has been made by a any Governmental Entity, self-regulatory or supervisory authority authority, or a court of law against, any Group Company for access to, the rectification, restriction, blocking, erasure or destruction of any Personal Data under any Data Protection LawsRequirements; and (v) no Group Company has transferred Personal Data outside of the European Economic Area other than in compliance with Data Protection Laws in all material respectsRequirements. 
(c) Following the Closing Date, Holdco and the Group Companies will be entitled to process the Personal Data comprised in the information of the Group Companies created prior to the Closing Date that are in the control or possession of the Holdco and/or the Group Companies after the Closing Date in the manner in which that Personal Data was processed by the Group Companies in the course of business in the three (3) years immediately prior to the Closing Date, including adaptations made due to the introduction of EU-Regulation 2016/679 (General Data Protection Regulation) in May 2018, in compliance with Data Protection Laws. (d) Neither the execution, delivery delivery, or performance of this Agreement or any of the other agreements contemplated by this AgreementTransaction Documents, nor the consummation of any of the transactions contemplated by this Agreement or any such other agreementsTransactions, nor the MemberCompany’s provision to ParentBuyer of Personal Data, Holdco and Merger Sub, or Parent’s, Holdco’s or Merger Sub’s possession or use of, Personal Data Information Technology Systems or any other data or information in the databases of the Group Companies, will result in any violation of the Member’s or any Group Company’s Company Privacy Policy, contractContract, or any Data Protection Laws or other Laws Requirements pertaining to privacy, Personal Data, data security, or spywareMalicious Code. 
Following the Closing Date, Buyer and the Group Companies will be entitled to Process the Personal Data Processed or otherwise in the possession or control of the Group Companies (or Persons acting on their behalf), or that are otherwise used by, relied on, or necessary for operation of the Group Companies’ business, after the Closing Date in the manner in which and on substantially the same terms that Personal Data was processed by the Group Companies in the course of business prior to the Closing Date, without violation of any Data Protection Requirements or any Company Privacy Policy. (d) Each Group Company that processes Personal Data or as otherwise required by Privacy Requirements has established an Information Security Program, and there have been no actual or, to the Knowledge of the Company, threatened violations of said Information Security Program. Each Group Company has tested and maintained its Information Security Program as required by Privacy Requirements and in a commercially reasonable manner and remediated all critical, high and medium risks, to the extent applicable, and, to the Knowledge of the Company, the Information Security Program has proven sufficient and compliant with Data Protection Requirements in all material respects. The Information Technology Systems operate and perform as is necessary to conduct the business of the Group Companies in all material respects and do not contain any Malicious Code. 
(e) Each No Group Company has established and is in material compliance with an information security program that: (i) includes administrative, technical and physical safeguards designed to safeguard the security, confidentiality, and integrity of the Information Technology Systems and the data hosted therein; (ii) is designed to protect against unauthorized access to the Information Technology Systems and the systems of any third party service providers that have access to the Information Technology Systems and the data hosted therein; and (iii) complies with applicable Data Protection Laws in all material respects. (f) Since January 1, 2016, no Group Company has ever suffered a Data Breach with respect to the Information Technology Systems and no breach or violation of has been adversely affected by any security program described above has occurred Malicious Code or is threateneddenial-of-service attacks, and, to the Knowledge of the Company, there has been no unauthorized or illegal use of or access to the Information Technology Systems or material breach of any Contracts relating to such systems and the data hosted therein. No third party service provider working on behalf of a Group Company has notified any Group Company that the third party service provider has had, and, to To the Knowledge of the Company, no third party service provider working on behalf of a Group Company has had, had a Data Breach with respect to any data collected or used in connection with the operation of the business. No Group Company has notified, nor been required to notify, any data subject or Governmental Entity or supervisory authority of any Data Breach. 
(f) The Group Companies and its products and services operate and comply with and have complied with any business associate agreements including any such agreements executed in accordance with HIPAA, the Privacy Rule, the Security Rule and HITECH with all respective customers, vendors, and suppliers, in each case in all material respects. The Company has adopted written privacy and security compliance policies and procedures to the extent required by business associate agreements and Data Protection Requirements, and has conducted HIPAA risk assessments, to the extent required by and in accordance with all applicable business associate agreements and Data Protection Requirements. For purposes of this Section 3.25, the words “processor” shall have the meaning given to them under Data Protection Requirements.

Appears in 1 contract

Samples: Stock Purchase Agreement (Surgalign Holdings, Inc.)

DATA PROTECTION AND PRIVACY. (a) Each Group Company has, since January 1, 2016: (i) complied Except as has not resulted in all material respects with applicable Company Privacy Policies and Data Protection Laws, including through adopting all appropriate technical and organizational security measures to protect Personal Data against a Data Breach; (ii) except as would not reasonably be expected to adversely affect result in, individually or in the Group Companies in any material respectaggregate, (A) obtained and maintained all registrations and notifications required under applicable Data Protection Laws, and (B) any processing of personal data by or on its behalf has been in accordance with such registrations and notifications; (iii) duly provided data subjects with relevant information notices and acquired any necessary consent of data subjects to the processing of their data, as required under applicable Data Protection Laws, and any processing of Personal Data by or on its behalf has been in accordance with such notices and consents; and (iv) in place written agreements with any third party which it has authorized to have access to Personal Data, including processors, to ensure that the third party respects and maintains the confidentiality and security of the Personal Data and complies at all times with applicable Data Protection Laws and such written agreements with such processors include processing provisions as required under Data Protection Laws.a Company Material Adverse Effect: (b) As at the date hereof: (i) each Group Company is in compliance in all material respects with the terms of all Contracts to which it is a party relating to data privacyEntity maintains, securityand since December 31, or breach notification (including provisions that impose conditions or restrictions on the collection2017, usehas adopted, storage, transfer or disposal of Personal Data); (ii) no Group Company has received a written notice (including any enforcement notice), 
letter or complaint from a supervisory authority or any data subject alleging breach by it of any Data Protection Laws nor has it been involved in any litigation with respect to its processing of Personal Data; (iii) no data subject has been awarded compensation by a supervisory authority or by a court of law from any Group Company under any Data Protection Laws; (iv) no written request has been made by implemented and maintained a data subject toprivacy and security compliance program that complies with all applicable Privacy/Cybersecurity Requirements, or order has been made by a supervisory authority or a court of law against, any Group that is designed to protect Company for access to, the rectification, restriction, blocking, erasure or destruction of any IT Assets and Personal Data under any Data Protection Laws; Information against threats and (v) no Group Company has transferred Personal Data outside of the European Economic Area other than in compliance with Data Protection Laws in all material respects. (c) Following the Closing Date, Holdco hazards to their security and the Group Companies will be entitled to process the Personal Data comprised in the information of the Group Companies created prior to the Closing Date unauthorized use or disclosure thereof, and that are in the control or possession of the Holdco and/or the Group Companies after the Closing Date in the manner in which that Personal Data was processed by the Group Companies in the course of business in the three (3) years immediately prior to the Closing Dateincludes commercially reasonable plans, including adaptations made due to the introduction of EU-Regulation 2016/679 (General Data Protection Regulation) in May 2018policies, in compliance with Data Protection Laws. 
(d) Neither the execution, delivery or performance of this Agreement or any of the other agreements contemplated by this Agreement, nor the consummation of any of the transactions contemplated by this Agreement or any such other agreements, nor the Member’s provision to Parent, Holdco procedures and Merger Sub, or Parent’s, Holdco’s or Merger Sub’s possession or use of, Personal Data or any other data or information in the databases of the Group Companies, will result in any violation of the Member’s or any Group Company’s Privacy Policy, contract, or any Data Protection Laws or other Laws pertaining to privacy, Personal Data, data security, or spyware. (e) Each Group Company has established and is in material compliance with an information security program that: (i) includes administrative, technical and physical safeguards designed to safeguard the securityprotect such Company IT Assets, confidentiality, Personal Information and integrity of the Information Technology Systems and the data hosted therein; other data; (ii) is designed to protect against unauthorized access to the Information Technology Systems Company Entities are, and the systems of any third party service providers that since December 31, 2017, have access to the Information Technology Systems and the data hosted therein; and been, in compliance with all Privacy/Cybersecurity Requirements; (iii) complies with since December 31, 2017, (A) no Person has (1) gained unauthorized access, including any such access reportable to a Governmental Authority under applicable Data Protection Laws in all material respects.Law, to any Personal Information transmitted to or from, processed by or stored on any Company IT Assets or otherwise possessed or controlled by or for the Company Entities, or (2) used, accessed or disclosed any such Personal Information or Company IT Assets for any illegal or unauthorized purpose and (B) no Company Entity has received any written notice of any claims from, and there have 
been no Actions instituted or threatened (including any investigation) by, any Governmental Authority or any other Person alleging any violation, breach or compromise of any Personal Information, or any violation or breach of any Privacy/Cybersecurity Requirements; (fiv) Since January 1without limiting the foregoing in this Section 3.16, 2016since December 31, 2017, (A) no Group breach, unauthorized access or other noncompliance related to Privacy/Cybersecurity Requirements has occurred related to any Personal Information that is created, retained, collected, used, disclosed, stored, transmitted, received or otherwise processed by a Company Entity, (B) no information security or privacy breach event has suffered occurred that has resulted in, or would require, notification by or on behalf of a Data Breach Company Entity to any Governmental Authority or other Person under any Privacy/Cybersecurity Requirements, and (C) no Company Entity is or has been in violation, breach or default of any Contracts with respect to the creation, collection, obtaining, tracking, retention, storage, processing, use, sharing, disclosure, transmission, security, confidentiality and/or protection of Company IT Assets or Personal Information; and (v) since December 31, 2017, the Company Entities have not provided or authorized access or rights to any Personal Information Technology Systems collected, generated or otherwise possessed by or for the Company Entities to any Persons for use outside the Ordinary Course of Business. 
(b) Except as has not resulted in and no would not reasonably be expected to result in, individually or in the aggregate, a Company Material Adverse Effect, (i) the consummation of the transactions contemplated hereby shall not cause the Company Entities to be in breach or other violation of any security program described above has occurred or Privacy/Cybersecurity Requirements and (ii) the Company is threatenednot subject to any Privacy/Cybersecurity Requirements that, andafter the Closing, would prohibit the Company Entities from receiving and/or using any Personal Information in substantially the same manner as prior to the Knowledge of the Company, there has been no unauthorized or illegal use of or access to the Information Technology Systems and the data hosted therein. No third party service provider working on behalf of a Group Company has notified any Group Company that the third party service provider has had, and, to the Knowledge of the Company, no third party service provider working on behalf of a Group Company has had, a Data Breach with respect to any data collected or used in connection with the operation of the business. No Group Company has notified, nor been required to notify, any data subject or supervisory authority of any Data BreachClosing.

Appears in 1 contract

Samples: Merger Agreement (Performance Food Group Co)
