US Privacy Laws 2023 – Loqate (Service Provider)

Please note that the provisions contained in this Schedule 1 are effective from 1 January 2023:

I. Definitions.

A. “Agreement” means any written contract currently in effect between the Client and GBG, including any order forms, schedules, other amendments, or any other binding written documents.

B. “Applicable US Data Protection Laws” means the California Consumer Privacy Act of 2018 and its corresponding regulations (“CCPA”) and the California Privacy Rights Act and its corresponding regulations, the Virginia Consumer Data Protection Act, the Colorado Privacy Act, Utah’s Consumer Privacy Act, the Connecticut Data Privacy Act, and any other U.S. federal, state, or local data protection and privacy laws, regulations, or guidance, as amended from time to time, that are applicable in relation to the processing of personal information under the Agreement.

C. “collects,” “consumer,” “processes,” “personal information”, and any other terms not defined hereunder, but which are defined under Applicable US Data Protection Laws, shall have the definition allocated to that term under the relevant Applicable US Data Protection Law.

D. “CPRA” means the CCPA, as amended by the California Privacy Rights Act, and its corresponding regulations, as amended from time to time.

E. “Client Personal Information” means the personal information provided by the Client to GBG, or which GBG collected on Client’s behalf to perform the service(s) for Client under the Agreement.

 

II. CPRA Service Provider Agreement Requirements.

A. Service Provider Obligations. GBG agrees that:

(1) It shall not sell or share any Client Personal Information that it collects pursuant to the Agreement;

(2) It is processing the Client Personal Information pursuant to the Agreement, and the Client is disclosing the Client Personal Information to GBG only for the following limited and specified Business Purpose(s) listed in Subsection (3) below.

(3) The specific Business Purpose for which GBG is processing Client Personal Information pursuant to the written Agreement with Client is to perform services on behalf of the Client by verifying Client’s consumers’ information, provide Client support, as further detailed in the Agreement and in accordance with the CPRA (the “Business Purposes”). GBG shall not retain, use, or disclose any Client Personal Information that it collected pursuant to the Agreement for any purpose other than Business Purpose(s), or as otherwise permitted by the CPRA.

(4) It shall not retain, use, or disclose the Client Personal Information that it collected pursuant to the Agreement for any purpose other than the Business Purposes, unless expressly permitted by the CPRA.

(5) It shall not retain, use, or disclose the Client Personal Information that it collected pursuant to the Agreement for any commercial purpose other than the Business Purpose, outside the direct business relationship between GBG and the Client, unless expressly permitted by the CPRA.

(6) It shall not retain, use or disclose the Client Personal Information that it collected pursuant to the Agreement outside of the direct business relationship between the Client and GBG, unless expressly permitted by the CPRA.

(7) It shall comply with all applicable sections of the CPRA, including, with respect to the Client Personal Information it collected pursuant to the Agreement, providing the same level of privacy protection as required of businesses by the CPRA. This includes using reasonable commercial efforts to cooperate with the Client in responding to and complying with consumers’ requests made to Client in relation to GBG’s processing under the Agreement pursuant to the CPRA, and implementing reasonable security procedures and practices appropriate to the nature of the Client Personal Information to protect it from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with the CPRA.

(8) It grants the Client the right to take reasonable and appropriate steps to ensure that GBG uses the Client Personal Information that it collected pursuant to the Agreement in a manner consistent with the Client’s obligations under the CPRA, at Client’s cost. This may include ongoing manual reviews of GBG’s system and regular internal or third-party assessments, audits, or other technical and operational testing once every twelve (12) months, with twenty-eight (28) days advance notice, in accordance with any audit clauses set out in the Agreement.

(9) It shall notify the Client after it makes a determination that it can no longer meet its obligations under the CPRA.

(10) It grants the Client the right, upon notice, to take reasonable and appropriate steps to stop and remediate GBG’s unauthorized use of Client Personal Information.

B. CPRA Subcontractors. If GBG subcontracts with another person in providing services to Client, GBG shall have a contract with the subcontractor that complies with the CPRA.

C. California Consumer Requests.

(1) If GBG receives a request made pursuant to the CPRA directly from a consumer in regards to any processing it is conducting as a service provider, GBG shall inform the consumer that the request cannot be acted upon because the request has been sent to a service provider.

(2) GBG shall enable the Client to comply with consumer requests made pursuant to the CPRA.

 

III. Additional State Requirements for Processors.

A. Scope of Processing. The parties agree that:

(1) GBG shall be bound to the processing instructions, requirements, and limitations set out in the Agreement.

(2) The nature and purpose of the processing are as set out in the Agreement.

(3) The duration of the processing shall last throughout the duration in which the Agreement is in effect.

(4) The rights and obligations of both parties are set out in the Agreement.

(5) The types of personal data subject to GBG processing depend on the product(s) you contracted to take from us under your Agreement, and may be as follows, respectively:

Product: Consumer Personal Information Processed under the relevant Product

Verify: IP address, Postal Address, Geocode (only at your affirmative opt-in)

Capture: IP address, Postal Address, and geolocation (only at your affirmative opt-in)

Data Maintenance: May include the following (as set out in your order form): name, address, email, phone number

Phone/Email Validation Services: May include the following (as set out in your order form): phone number, email


B. GBG Obligations. GBG shall, in accordance with Applicable US Data Protection Laws:

(1) Adhere to Client’s instructions.

(2) Assist Client to meet its obligations under Applicable Data Protection Law. Therefore, GBG shall, taking into account the nature of the processing and information available to GBG and in accordance with its obligations under Applicable US Data Protection Law, assist the Client by:

(i) taking appropriate technical and organizational measures, insofar as reasonably practicable;

(ii) aiding in the fulfillment of the Client’s obligation to respond to consumer requests to exercise their rights, insofar as such obligations are related to GBG’s processing of the Client Personal Information under the Agreement;

(iii) helping to meet the Client’s obligations in relation to the security of processing the Client Personal Information and in relation to the notification of a breach of the security system;

(iv) providing information to the Client necessary to enable the Client to conduct and document any data protection assessments required from Client under Applicable US Data Protection Law, but GBG shall only be responsible for the measures that are allocated to it; and

(v) Notwithstanding the instructions of the Client, GBG shall ensure that each person processing the Client Personal Information is subject to a duty of confidentiality with respect to the Client Personal Data.

C. Subcontractors. GBG shall engage a subcontractor only after providing the Client with an opportunity to object within thirty (30) days of notification to legal@gbgplc.com and pursuant to a written contract, which requires the subcontractor to meet the obligations of GBG with respect to the Client Personal Information. If Client does not provide such written objection within thirty (30) days of the notification date, then Client shall be deemed to have approved the new subcontractor if it continues to utilize the relevant GBG service offering. The subcontractors that will serve as subprocessors under the Agreement are set out in the following link: https://www.gbgplc.com/en/legal-and-regulatory/loqate-authorised-subprocessor-list/, and are hereby deemed to be approved by the Client. Client acknowledges and understands that GBG is not providing a bespoke service to Client and GBG may be unable to accommodate Client requests in regards to specific subcontractors. Thus, if Client objects to any subcontractor it shall have the right to terminate this Agreement within thirty (30) days of notice to GBG.

D. Data Security. GBG and Client shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk and establish a clear allocation of the responsibilities between them to implement the measures.

E. GBG’s Obligations at Termination or Expiration of the Agreement.

(1) At the Client’s selection, GBG shall delete or return all Client Personal Information at the end of the provision of the services, unless retention is required by applicable law. However, Client agrees that GBG may instead delete the Client Personal Information if returning it is commercially unreasonable.

F. Client Reviews and Audits. GBG shall:

(1) make available to Client all information necessary to demonstrate compliance with its obligations under Applicable US Data Protection Laws.

(2) allow for and contribute to reasonable audits and inspections by the Client or Client’s designated auditor, as further detailed in the Agreement. Alternatively, Client consents that GBG may, at its discretion, arrange for a qualified and independent auditor to conduct, annually, and at GBG’s expense, an audit of GBG’s policies and technical and organizational measures in support of its obligations under Applicable US Data Protection Laws using an appropriate and accepted control standard or framework and audit procedure for the audits, as applicable. GBG shall provide a report of the audit to Client on request.

 

IV. Miscellaneous

A. Additional US Data Protection Laws.

(a) In the event that additional applicable privacy laws are enacted, the Parties shall in good faith negotiate any additional terms that may be required thereunder.

(b) In the event the California Privacy Protection Agency makes any edits to the latest version of the CPRA regulations that are not substantive, those edits will be deemed to be incorporated herein verbatim via reference.

B. Applicability; Order of Precedence. The terms set out throughout this Amendment shall only apply to Client Personal Information that is subject to the Applicable US Data Protection Laws. In the event of any conflict between the terms set out in this Amendment and those set out in the Agreement, the parties shall use good faith to interpret conflicting terms in a consistent manner. In the event of an irreconcilable conflict, the terms shall be afforded the following order of precedence: 1) this Amendment; 2) the Agreement. For the avoidance of doubt, any additional data security measures or data protection terms that were contracted into in the Agreement will not be deemed to be in conflict with this Amendment and shall continue to remain in effect throughout the Agreement term.