Common use of Deletion or return obligations Clause in Contracts

Deletion or return obligations. 9.1 Subject to Paragraphs 9.2 and 9.5, upon the date of cessation of any Services involving the Processing of Customer Personal Data (the “Cessation Date”), Firefly shall immediately cease all Processing of the Customer Personal Data for any purpose other than for storage. 9.2 Subject to Paragraph 9.5, to the extent technically possible in the circumstances (as determined in Firefly’s sole discretion), on written request to Firefly (to be made no later than fourteen (14) Business Days after the Cessation Date (the “Post-cessation Storage Period”)), Firefly shall: (a) return a complete copy of all Customer Personal Data within Firefly’s possession to Customer by secure file transfer, promptly following which Firefly shall Delete all other copies of such Customer Personal Data; or (b) Delete all Customer Personal Data then within Firefly’s possession. 9.3 Firefly shall comply with any written request made pursuant to Paragraph 9.2 within sixty (60) Business Days of the Cessation Date. 9.4 In the event that during the Post-cessation Storage Period, Customer does not instruct Firefly in writing to either Delete or return the Customer Personal Data pursuant to Paragraph 9.2, Firefly shall promptly after the expiry of the Post-cessation Storage Period either (at its option): (a) Delete; or (b) irreversibly render Anonymised Data, all Customer Personal Data then within Firefly’s possession to the fullest extent technically possible in the circumstances. 9.5 Firefly and any Subprocessor may retain Customer Personal Data where required by applicable law, for such period as may be required by such applicable law, provided that Firefly and any such Subprocessor shall ensure: (a) the confidentiality of all such Customer Personal Data; and (b) that such Customer Personal Data is only Processed as necessary for the purpose(s) specified in the applicable law requiring its storage and for no other purpose.

Deletion or return obligations. 9.1 Subject to Paragraphs 9.2 and 9.5, upon the date of cessation of any Services involving the Processing of Customer Personal Data (the “Cessation Date”), Firefly Crunchy Data shall immediately cease all Processing of the Customer Personal Data for any purpose other than for storage. 9.2 Subject to Paragraph 9.5, to the extent technically possible in the circumstances (as determined in FireflyCrunchy Data’s sole discretion), on written request to Firefly Crunchy Data (to be made no later than fourteen (14) Business Days days after the Cessation Date (the “Post-cessation Storage Period”)), Firefly Crunchy Data shall: (a) return a complete copy of all Customer Personal Data within FireflyCrunchy Data’s possession to Customer by secure file transfer, promptly following which Firefly Crunchy Data shall Delete all other copies of such Customer Personal Data; or (b) Delete all Customer Personal Data then within FireflyCrunchy Data’s possession. 9.3 Firefly Crunchy Data shall comply with any written request made pursuant to Paragraph 9.2 within sixty thirty (6030) Business Days of the Cessation Datedays thereof. 9.4 In the event that during the Post-cessation Storage Period, Customer does not instruct Firefly Crunchy Data in writing to either Delete or return the Customer Personal Data pursuant to Paragraph 9.2, Firefly Crunchy Data shall promptly after the expiry of the Post-cessation Storage Period either (at its option): (a) Delete; or (b) irreversibly render Anonymised Data, Delete all Customer Personal Data then within FireflyCrunchy Data’s possession to the fullest extent technically possible in the circumstances. 9.5 Firefly Crunchy Data and any Subprocessor may retain Customer Personal Data where required by applicable law, for such period as may be required by such applicable law, provided that Firefly Crunchy Data and any such Subprocessor shall ensure: (a) the confidentiality of all such Customer Personal Data; and (b) that such Customer Personal Data is only Processed as necessary for the purpose(s) specified in the applicable law requiring its storage and for no other purpose.

Deletion or return obligations. 9.1 9.1. Subject to Paragraphs 9.2 and 9.5, upon the date of cessation of any Services involving the Processing of Customer Personal Data (the “Cessation Date”), Firefly shall immediately cease all Processing of the Customer Personal Data for any purpose other than for storage. 9.2 9.2. Subject to Paragraph 9.5, to the extent technically possible in the circumstances (as determined in Firefly’s sole discretion), on written request to Firefly (to be made no later than fourteen (14) Business Days after the Cessation Date (the “Post-cessation Storage Period”)), Firefly shall: (a) return a complete copy of all Customer Personal Data within Firefly’s possession to Customer by secure file transfer, promptly following which Firefly shall Delete all other copies of such Customer Personal Data; or (b) Delete all Customer Personal Data then within Firefly’s possession. 9.3 9.3. Firefly shall comply with any written request made pursuant to Paragraph 9.2 within sixty (60) Business Days of the Cessation Date. 9.4 9.4. In the event that during the Post-cessation Storage Period, Customer does not instruct Firefly in writing to either Delete or return the Customer Personal Data pursuant to Paragraph 9.2, Firefly shall promptly after the expiry of the Post-cessation Storage Period either (at its option): (a) Delete; or (b) irreversibly render Anonymised Data, all Customer Personal Data then within Firefly’s possession to the fullest extent technically possible in the circumstances. 9.5 9.5. Firefly and any Subprocessor may retain Customer Personal Data where required by applicable law, for such period as may be required by such applicable law, provided that Firefly and any such Subprocessor shall ensure: (a) the confidentiality of all such Customer Personal Data; and (b) that such Customer Personal Data is only Processed as necessary for the purpose(s) specified in the applicable law requiring its storage and for no other purpose.

Deletion or return obligations. 9.1 1. Subject to Paragraphs 9.2 and 9.5, upon the date of cessation of any Services involving the Processing of Customer Personal Data (the “Cessation Date”), Firefly Receipt Bank shall immediately cease all Processing of the Customer Personal Data for any purpose other than for storage. 9.2 2. Subject to Paragraph 9.5, to the extent technically possible in the circumstances (as determined in FireflyReceipt Bank’s sole discretion), on written request to Firefly Receipt Bank (to be made no later than fourteen (14) Business Days after the Cessation Date (the “Post-cessation Storage Period”)), Firefly Receipt Bank shall: (a) return make available for extraction from the Receipt Bank Products a complete copy of all Customer Personal Data within Firefly’s possession to Customer by secure file transfer, promptly accessible via the Receipt Bank Products and keep it available for extraction for a period of sixty (60) business Days following which Firefly shall Delete all other copies of such Customer Personal Datarequest (the “Data Extraction Period”); or (b) Delete all Customer Personal Data then within FireflyReceipt Bank’s possession. 9.3 Firefly 3. Receipt Bank shall comply with any written request made pursuant to Paragraph 9.2 9.2(b) within sixty (60) Business Days of the Cessation Date. 9.4 In 4. Following the expiry of the Data Extraction Period or in the event that during the Post-Post- cessation Storage Period, Period Customer does not instruct Firefly Receipt Bank in writing to either Delete or return the Customer Personal Data pursuant to Paragraph 9.2, Firefly Receipt Bank shall promptly after the expiry of the Post-cessation Storage Period either (at its option): (a) Delete; or (b) irreversibly render Anonymised Data, Delete all Customer Personal Data then within FireflyReceipt Bank’s possession to the fullest extent technically possible in the circumstances. 9.5 Firefly 5. Receipt Bank and any Subprocessor may retain Customer Personal Data Data: (a) where required by applicable law; and/or (b) pursuant to Paragraph 9.6, for such period as may be required by such applicable law, in each case provided that Firefly Receipt Bank and any such applicable Subprocessor shall ensureensures: (ac) the confidentiality of all such Customer Personal Data; and (bd) that such Customer Personal Data is only Processed as necessary for (as applicable): (i) the purpose(s) specified in the applicable law requiring its storage; and/or (ii) in the context of Paragraph 9.6, for storage purposes only, to assist Customer (or its Partner Users) in complying with their recordkeeping obligations to local tax authorities. 6. Customer expressly instructs Receipt Bank to retain one (1) copy of each Item that Users have submitted to the Receipt Bank Products for a period of ten (10) years following the relevant submission date unless and for no other purposeuntil the earlier of: (a) the Customer’s instruction to Delete such retained Items; or (b) the expiry of the applicable ten (10) year period, at which point Receipt Bank shall promptly Delete such retained Items.

Deletion or return obligations. 9.1 Subject to Paragraphs 9.2 and 9.5, upon the date of cessation of any Services involving the Processing of Customer Personal Data (the “Cessation Date”), Firefly Receipt Bank shall immediately cease all Processing of the Customer Personal Data for any purpose other than for storage. 9.2 . Subject to Paragraph 9.5, to the extent technically possible in the circumstances (as determined in FireflyReceipt Bank’s sole discretion), on written request to Firefly Receipt Bank (to be made no later than fourteen (14) Business Days after the Cessation Date (the “Post-cessation Storage Period”)), Firefly Receipt Bank shall: (a) return : make available for extraction from the Receipt Bank Products a complete copy of all Customer Personal Data within Firefly’s possession to Customer by secure file transfer, promptly accessible via the Receipt Bank Products and keep it available for extraction for a period of sixty (60) business Days following which Firefly shall Delete all other copies of such Customer Personal Datarequest (the “Data Extraction Period”); or (b) or Delete all Customer Personal Data then within FireflyReceipt Bank’s possession. 9.3 Firefly . Receipt Bank shall comply with any written request made pursuant to Paragraph 9.2 9.2(b) within sixty (60) Business Days of the Cessation Date. 9.4 In . Following the expiry of the Data Extraction Period or in the event that during the Post-cessation Storage Period, Period Customer does not instruct Firefly Receipt Bank in writing to either Delete or return the Customer Personal Data pursuant to Paragraph 9.2, Firefly Receipt Bank shall promptly after the expiry of the Post-cessation Storage Period either (at its option): (a) Delete; or (b) irreversibly render Anonymised Data, Delete all Customer Personal Data then within FireflyReceipt Bank’s possession to the fullest extent technically possible in the circumstances. 9.5 Firefly . Receipt Bank and any Subprocessor may retain Customer Personal Data Data: where required by applicable law; and/or pursuant to Paragraph 9.6, for such period as may be required by such applicable law, in each case provided that Firefly Receipt Bank and any such applicable Subprocessor shall ensure: (a) ensures: the confidentiality of all such Customer Personal Data; and (b) and that such Customer Personal Data is only Processed as necessary for (as applicable): the purpose(s) specified in the applicable law requiring its storage; and/or in the context of Paragraph 9.6, for storage purposes only, to assist Customer (or its Partner Users) in complying with their recordkeeping obligations to local tax authorities. Customer expressly instructs Receipt Bank to retain one (1) copy of each Item that Users have submitted to the Receipt Bank Products for a period of ten (10) years following the relevant submission date unless and until the earlier of: the Customer’s instruction to Delete such retained Items; or the expiry of the applicable ten (10) year period, at which point Receipt Bank shall promptly Delete such retained Items. Receipt Bank shall make available to Customer on request such information as Receipt Bank (acting reasonably) considers appropriate in the circumstances to demonstrate its compliance with this Data Processing Addendum. Subject to Paragraphs 10.3 and 10.4, in the event that Customer (acting reasonably) is able to provide documentary evidence that the information made available by Receipt Bank pursuant to Paragraph 10.1 is not sufficient in the circumstances to demonstrate Receipt Bank’s compliance with this Data Processing Addendum, Receipt Bank shall allow for and contribute to audits, including onpremise inspections, by Customer or an auditor mandated by Customer in relation to the Processing of the Customer Personal Data by Receipt Bank. Customer shall give Receipt Bank reasonable notice of any audit or inspection to be conducted under Paragraph 10.1 (which shall in no event be less than one (1) month’s notice unless required by a Supervisory Authority pursuant to Paragraph 10.4(f)) and shall use its best efforts (and ensure that each of its mandated auditors uses its best efforts) to avoid causing, and hereby indemnifies Receipt Bank in respect of, any damage, injury or disruption to Receipt Bank’s premises, equipment, Personnel, data, and business (including any interference with the confidentiality or security of the data of Receipt Bank’s other purposecustomers or the availability of Receipt Bank’s services to such other customers) while its Personnel and/or its auditor’s Personnel (if applicable) are on those premises in the course of any onpremise inspection. Receipt Bank need not give access to its premises for the purposes of such an audit or inspection: to any individual unless he or she produces reasonable evidence of their identity and authority; to any auditor whom Receipt Bank has not given its prior written approval (not to be unreasonably withheld); unless the auditor enters into a non-disclosure agreement with Receipt Bank on terms acceptable to Receipt Bank; where, and to the extent that, Receipt Bank considers, acting reasonably, that to do so would result in interference with the confidentiality or security of the data of Receipt Bank’s other customers or the availability of Receipt Bank’s services to such other customers; outside normal business hours at those premises; or on more than one occasion in any calendar year during the term of the Agreement, except for any additional audits or inspections which Customer is strictly and specifically required to carry out by Data Protection Law or a Supervisory Authority, provided that Customer has identified the relevant requirement in its notice to Receipt Bank of the audit or inspection. Customer shall bear any third party costs in connection with such inspection or audit and reimburse Receipt Bank for all costs incurred by Receipt Bank and time spent by Receipt Bank (at Receipt Bank’s then-current professional services rates) in connection with any such inspection or audit. Subject to Paragraph 11.3, to the extent that any Processing by either Receipt Bank or any Subprocessor of Customer Personal Data involves a Restricted Transfer, the Parties agree that: Customer – as “data exporter”; and Receipt Bank or Subprocessor (as applicable) – as “data importer”, shall be deemed to have been entered into the Standard Contractual Clauses with immediate effect upon the commencement of the relevant Restricted Transfer and the associated Processing. In respect of any Standard Contractual Clauses entered into pursuant to Paragraph 11.1: Clause 9 of such Standard Contractual Clauses shall be populated as follows: “The Clauses shall be governed by the law of the Member State in which the data exporter is established.” Clause 11(3) of such Standard Contractual Clauses shall be populated as follows: “The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.” Appendix 1 to such Standard Contractual Clauses shall be populated with the corresponding information set out in Annex 1 (Data Processing Details); and Appendix 2 to such Standard Contractual Clauses shall be populated as follows: “The technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) are those established and maintained under Paragraph 4 of the Data Processing Addendum.” Paragraph 11.1 shall not apply to a Restricted Transfer unless its effect is to allow the relevant Restricted Transfer and the associated Processing to take place without breach of applicable Data Protection Laws (for example: Paragraph 11.1 shall not apply to any Processing by a Subprocessor who is self-certified under the EU-U.S. Privacy Shield).