Common use of Privacy and Data Protection Laws Clause in Contracts

Privacy and Data Protection Laws. Each Party shall comply with all applicable state, federal and foreign privacy and data protection Laws that are or that may in the future be applicable to the provision of the Services under this Agreement (“Privacy and Security Rules”). (a) Each Party represents and warrants that it shall: (i) maintain adequate physical, electronic and administrative security, at least to the level of industry standards, to prevent the unauthorized disclosure of any information identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household (“Personal Information”); (ii) comply with all applicable laws, regulations and orders regarding the security of Personal Information; and (iii) shall notify the other Party promptly, but in every instance in less than seventy-two (72) hours, of any known or reasonably suspected Information Security Incident, as defined below. (b) For the avoidance of doubt, neither Party shall process for marketing purposes, sell, aggregate, analyze or anonymize, or otherwise use, any and all information, data, materials, works, expressions, prompts, searches, inquiries, Personal Information, or other content, provided or accessed by a Party (“Party Information”) unless necessary to provide or receive the Services or as otherwise approved by the providing Party in writing. Neither Party shall knowingly perform the Services in a manner that causes the other Party to violate any Privacy and Security Rules. Where either Party believes that compliance with any instruction infringes any Privacy and Security Rules, such Party shall immediately notify the other Party. (c) Neither Party will: (i) retain, use, or disclose the other Party’s Party Information for any purpose other than for the purposes set forth in the instructions and in this section or to provide or receive the Services as described in this Agreement; (ii) sell such information, as such term is defined in the California Consumer Privacy Act (“CCPA”); (iii) retain, use, or disclose the other Party’s Party Information outside of the direct business relationship between the Parties; (iv) share the other Party’s Party Information with a third party for Cross-Context Behavioral Advertising or Targeted Advertising, as those terms are defined in the CCPA; or (v) use the other Party’s Party Information for another business or person unless necessary to detect information security incidents, or protect against fraudulent or illegal activity. Each Party is providing its Party Information for a business purpose, and nothing about this Agreement or the Services involves a “selling” or “sale” of Personal Information under the laws identified in the Privacy and Security Rules. (d) To the extent a Party or its resources processes aggregated and anonymized Party Information provided by the other Party, the receiving Party represents and undertakes, as follows: (i) it shall not make any attempts to re-identify the aggregated and anonymized Party Information; (ii) Each Party has implemented and will maintain technical safeguards that prohibit re-identification of aggregated and anonymized Party Information; (iii) Each Party has implemented and will maintain business processes that prohibit re-identification of aggregated and anonymized Party Information and prevent inadvertent release of aggregated and anonymized Party Information; and (iv) Each Party will periodically reassess its technical safeguards and processes to ensure that they are still adequate to prevent the re-identification or the inadvertent release of aggregated and anonymized Party Information. (e) Promptly after (i) a Party no longer needs to process the other Party’s Party Information to perform or receive the Services, (ii) this Agreement terminates or expires, or (iii) upon written request, each Party shall return to the other Party or securely dispose of, and require all such Party’s resources to return or securely dispose of, all originals and copies of the other Party’s Party Information. Each Party shall provide a written statement to the other Party certifying that it has complied with the requirements in this Section 5.3. Neither Party shall be required to return, destroy, or erase any of the other Party’s Party Information if prohibited by applicable law or commercial impracticability, in which case the retaining Party shall retain, in its then current state, all such Party Information within its control or possession in accordance with this Agreement and perform its obligations under this Agreement as soon as such law or commercial impracticability no longer prevents it from doing so, provided that for as long as the Party Information is stored by such Party, and each Party shall only make such use of the other Party’s Party Information as required by law. (f) In order to address changing obligations under Privacy and Security Rules, Provider may provide Recipient with additional privacy and information security terms. Both Parties shall (i) negotiate in good faith any additional privacy and information security terms that Provider or Recipient deems appropriate to address obligations under any Privacy and Security Rules; and (ii) promptly obtain the agreement of any Party resource to comply with such additional terms. (g) In the event a Party will have access to the other Party’s systems, each Party shall access such the other Party’s system solely for the purpose of receiving or providing the Services, as applicable, and shall only provide access to its Recipient or Provider personnel and other resources, as applicable, with a legitimate business need in order to receive or provide such Services, as applicable. Each Party will periodically review its access controls to confirm that access to the other Party’s computer network is limited to its authorized Recipient or Provider personnel and resources, as applicable. Each Party will maintain the confidentiality of access credentials to the other Party’s computer network and any Party Information of the other Party. Each Party will immediately notify the other Party of any potential loss, disclosure, or unauthorized access of or to its access credentials to the other Party’s computer network or any Party Information of the other Party. Each Party is solely responsible for activity associated with its access credentials. Neither Party will not knowingly introduce any malware or any other code that is designed to disrupt, disable, erase, alter, harm or otherwise impair the other Party, the other Party’s Party Information or the computer network. (h) Each Party shall make relevant personnel available for interviews and provide all information and assistance reasonably requested by the other Party regarding the processing of the other Party’s Party Information. Upon request, each Party will promptly complete a questionnaire regarding the processing of the other Party’s Party Information. In addition, Recipient shall provide Provider with any documents requested by Provider related to the foregoing, including without limitation, any security assessment and security control audit reports. Provider shall make such a request no more than once a year, except in the event of an information security incident. If any assessment requested by Provider shows a material breach by Recipient of this Agreement, Recipient will pay or reimburse Provider for all reasonable assessment costs, and reasonable costs incurred by Provider for investigating or remediating the breach. Recipient shall maintain reasonably detailed records of (i) its processing activities, (ii) its compliance with this Agreement, and (iii) information security incidents, which shall be made available to Provider for review upon request.