Exhibit C

Jurisdiction Specific Terms

This Exhibit is an integral part of the Cendyn Data Processing Agreement (“DPA”). Capitalized terms which are used but not defined in this document shall have the meaning given to those terms in the DPA. By accepting the DPA, the Parties have agreed to comply with the terms in this Exhibit which apply to the extent that the Parties Process Personal Data originating from, or protected by, Applicable Data Protection Laws in one of the jurisdictions identified herein.

1. EEA.

  • 1.1. Definitions. For purposes of interpreting this Section 1, the following terms shall be interpreted as follows:
  • (a) “EEA Restricted Transfer” includes any transfer of Personal Data subject to the GDPR (including data storage on foreign servers) which is undergoing Processing or is intended for Processing after transfer, to a Third Country (as defined below) or to an international organization.
  • (b) “EU 2021 Standard Contractual Clauses” means the EU 2021 Standard Contractual Clauses included in Exhibit E.
  • (c) “Third Country” (as used in this Section) means a country outside of the EEA.
  • 1.2. EEA Restricted Transfers.
  • (a) With regard to any EEA Restricted Transfer from Customer to Cendyn, one of the following transfer mechanisms shall apply, in the following order of precedence:
    • i. Cendyn’s certification of a successor of the EU-U.S. Privacy Shield Framework (only to the extent that such self-certification constitutes an “appropriate safeguard” pursuant to the GDPR, as the case may be), provided that the services are covered by the self-certification, if applicable;
    • ii. a valid adequacy decision pursuant to the requirements under the GDPR that provides that the third country, a territory or one or more specified sectors within that third country, or the international organization in question to which Personal Data is to be transferred ensures an adequate level of data protection;
    • iii. the EU 2021 Standard Contractual Clauses (insofar as their use constitutes an “appropriate safeguard” under the GDPR, as the case may be); or
    • iv. any other lawful basis, as laid down in the GDPR, as the case may be.
  • (b) In cases where the EU 2021 Standard Contractual Clauses apply:
    • i. Where there is a conflict between the terms of the DPA and the terms of the EU 2021 Standard Contractual Clauses, the terms of the EU 2021 Standard Contractual Clauses shall control.
    • ii. The text contained in Appendix A to this Exhibit C serves to supplement the EU 2021 Standard Contractual Clauses with respect to EEA Restricted Transfers.
    • iii. The Parties are deemed to have accepted, executed, and signed the EU 2021 Standard Contractual Clauses where necessary in their entirety.
    • iv. The Exhibits to the DPA include the information required under Annexes I and II of the EU 2021 Standard Contractual Clauses.
    • v. When Customer instructs Cendyn to integrate its services with a Cendyn partner, the Parties agree that the partner is authorized to join the EU 2021 Standard Contractual Clauses concluded between Cendyn and Customers, as required by Clause 8.8 of the EU 2021 Standard Contractual Clauses and in accordance with Clause 7 of the EU 2021 Standard Contractual Clauses.

2. Canada.

  • 2.1. Definitions. For purposes of interpreting the DPA and this Section 2, the following terms shall be interpreted as follows:
  • (a) “Applicable Data Protection Canadian Laws” means the Canadian Federal Personal Information Protection and Electronic Documents Act (“PIPEDA”), the Personal Information Protection Act of British Columbia, Personal Information Protection Act of Alberta and the Act respecting the Protection of Personal Information in the Private Sector of Quebec.
  • (b) “Processor” (as used in the DPA) includes “Third Party Organization” as defined under PIPEDA.
  • (c) “Personal Data” (as used in the DPA) includes “Personal Information” as defined under PIPEDA.
  • (d) “Personal Data Breach” (as used in the DPA) includes “Breach of Security Safeguards” as defined under PIPEDA.
  • 2.2. Customer confirms that it has obtained a valid consent (as defined under Applicable Data Protection Canadian Laws) where necessary to Process Personal Data of each Data Subject.

3. China

  • 3.1. Definitions. For purposes of interpreting the DPA and this Section 3, the following terms shall be interpreted as follows:
  • (a) “Applicable Chinese Data Protection Laws” means the Cyber Security Law (中华人民共和国网络安全法), the Data Security Law (数据安全法) (when in force), the Personal Information Protection Law (个人信息保护法) (when in force), the Provisions for the Online Protection of Children’s Personal Information (儿童个人信息网络保护规定), the Measures for the Administration of Data Security (数据安全管理办法) (when in force), and the Measures for the Security Assessment for Cross-Border Transfer of Personal Information (个人信息出境安全评估办法) (when in force).
  • (b) “Controller” includes “Data operator” as defined under Applicable Chinese Data Protection Laws.
  • (c) “Data Subject” includes “Personal information subject” as defined under Applicable Chinese Data Protection Laws.

4. California

  • 4.1. Definitions. For purposes of interpreting the DPA and this Section 4, the following terms shall be interpreted as follows:
  • (a) “Applicable California Data Protection Laws” includes the California Consumer Privacy Act of 2018, Assembly Bill 375 of the California House of Representatives, an act to add Title 1.81.5 (commencing with Section 1798.100) to Part 4 of Division 3 of the Civil Code, relating to privacy and approved by the California Governor on June 28, 2018 (“CCPA”); the California Consumer Privacy Act Regulations (“CCPA Regulations”) as may be amended from time to time; and the California Privacy Rights Act (“CPRA”) as of January 1, 2023.
  • (b) The terms “Business Purpose”, “Commercial Purpose”, “Sale”, “Sell”, “Share” along with their corresponding terms, whether capitalized or not, shall have the same meaning as in the Applicable Data Protection California Laws, and their related terms shall be construed accordingly.
  • (c) “Controller” includes “Business” as defined under the CCPA;
  • (d) “Data Subject” includes “Consumer” as defined under the CCPA;
  • (e) “Personal Data” includes “Personal Information” as defined under the CCPA;
  • (f) “Personal Data Breach” includes “Breach of the Security of the System” as defined in Section 1798.82 of the California Civil Code;
  • (g) “Processor” includes “Service provider” as defined under the CCPA; and
  • (h) “Supervisory Authority” includes the Attorney General of the State of California and any authority tasked with the enforcement of the CCPA and other Applicable California Data Protection Laws.

4.2. Cendyn:

  • (a) shall refrain from Selling and Sharing Customer Personal Data;
  • (b) shall refrain from retaining, using, or disclosing Customer Personal Data for a Commercial Purpose other than providing services provided in the Business Relationship or as otherwise permitted by the Applicable California Data Protection Laws.
  • (c) shall refrain from retaining, using or disclosing Customer Personal Data except where permitted under the Agreement; and
  • (d) certifies that it understands the restrictions set out in the subparagraphs (i) through (iii) of this subsection and will comply with them.

5. Switzerland.

  • 5.1. Definitions. For purposes of interpreting the DPA and this Section 5, the following terms shall be interpreted as follows:
  • (a) “Applicable Swiss Data Protection Laws” includes the Federal Act on Data Protection of 19 June 1992 (“FADP”) and the Ordinance to the Federal Act on Data Protection (“OFADP”), as may be amended from time to time;
  • (b) “Controller” includes “Controller of the Data File” as defined under the FADP;
  • (c) “Data Subject” includes the natural persons whose Personal Data is Processed;
  • (d) “EU 2021 Standard Contractual Clauses” means the EU 2021 Standard Contractual Clauses included in Exhibit E;
  • (e) “Personal Data” includes “Personal Data” as defined under the FADP;
  • (f) “Processing” includes “Processing” as defined under the FADP;
  • (g) “Swiss Restricted Transfer” (as used in this Section) includes any transfer of Personal Data (including data storage in foreign servers) which is undergoing Processing or is intended for Processing after transfer subject to the FADP, to a Third Country (as defined below) or an international organization;
  • (h) “Supervisory Authority” includes the Federal Data Protection and Information Commissioner; and
  • (i) “Third Country” (as used in this Section) means a country outside the Swiss Confederation.
  • 5.2. Swiss Restricted Transfers.
  • (a) With regard to any Swiss Restricted Transfer from Customer to Cendyn, one of the following transfer mechanisms shall apply, in the following order of precedence:
    • i. Cendyn’s certification of a successor of the Swiss-U.S. Privacy Shield Framework (only to the extent that such self-certification constitutes an “appropriate safeguard” pursuant to the Applicable Swiss Data Protection Laws, as the case may be), provided that the services are covered by the self-certification, if applicable;
    • ii. the inclusion of the Third Country, a territory or one or more specified sectors within that Third Country, or the international organization in question to which Personal Data is to be transferred in the list published by the Swiss Federal Data Protection and Information Commissioner of States that provide an adequate level of protection for Personal Data within the meaning of the Applicable Swiss Data Protection Laws;
    • iii. the EU 2021 Standard Contractual Clauses (insofar as their use constitutes an “appropriate safeguard” under the Applicable Swiss Data Protection Laws, as the case may be); or
    • iv. any other lawful basis, as laid down in the Applicable Swiss Laws, as the case may be.
  • (b) Where the EU 2021 Standard Contractual Clauses apply:
    • i. Customer shall generally inform the Federal Data Protection and Information Commissioner about the use of the EU 2021 Standard Contractual Clauses.
    • ii. Where there is a conflict between the terms of the DPA and the terms of the EU 2021 Standard Contractual Clauses, the terms of the EU 2021 Standard Contractual Clauses shall control;
    • iii. The text contained in Appendix A to this Exhibit C serves to supplement the EU 2021 Standard Contractual Clauses with respect to Swiss Restricted Transfers;
    • iv. The Exhibits to the DPA include the information required under Annexes I and II of the EU 2021 Standard Contractual Clauses.
    • v. The Parties are deemed to have accepted, executed, and signed the EU 2021 Standard Contractual Clauses where necessary in their entirety.
    • vi. When Customer instructs Cendyn to integrate its services with a Cendyn partner, the Parties agree that the partner is authorized to join the EU 2021 Standard Contractual Clauses concluded between Cendyn and Customers, as required by Clause 8.8 of the EU 2021 Standard Contractual Clauses and in accordance with Clause 7 of the EU 2021 Standard Contractual Clauses.
    • vii. The Parties agree to make the following changes to the terms of the EU 2021 Standard Contractual Clauses:
      • i. For the purpose of Annex I.C and with respect to Clause 13 of the Standard Contractual Clauses: the competent authority shall be the Swiss Federal Data Protection and Information Commissioner, insofar as the data transfer constitutes a Swiss Restricted Transfer.
      • ii. With respect to Clause 17 of the EU 2021 Standard Contractual Clauses, the Parties select the law of the Republic of Ireland.
      • iii. With respect to Clause 18 of the EU 2021 Standard Contractual Clauses, the Parties agree that any dispute arising from the Standard Contractual Clauses shall be resolved by the courts of the Republic of Ireland. The Parties choose the Swiss courts as an alternative place of jurisdiction for Data Subjects habitually resident in Switzerland.

6. United Kingdom.

  • 6.1. Definitions. For purposes of interpreting the DPA and this Section 6, the following terms shall be interpreted as follows:
  • (a) “Applicable UK Data Protection Laws” includes the Data Protection Act 2018, and the UK GDPR;
  • (b) “EU 2021 Standard Contractual Clause” means the EU 2021 Standard Contractual Clauses included in Exhibit E, provided that the Parties interpret them under the terms of subparagraph (b) of Section 6.2.
  • (c) “EU 2010 Standard Contractual Clause” means the EU 2010 Standard Contractual Clauses included in Exhibit E.
  • (d) “Third Country” (as used in this Section) means a country other than the United Kingdom;
  • (e) “UK GDPR” means Regulation (EU) 2016/679 as has been amended and adopted to form a part of the law of England and Wales, Scotland, and Northern Ireland by virtue of Section 3 of the European Union (Withdrawal Agreement) Act 2020; and
  • (f) “UK Restricted Transfer” (as used in this Section) includes any transfer of Personal Data (including data storage in foreign servers) which is undergoing Processing or is intended for Processing after transfer subject to the Applicable UK Data Protection Laws, to a Third Country (as defined above) or an international organization.

6.2. UK Restricted Transfers.

  • (a) With regard to any UK Restricted Transfer from one Party to another within the scope of the Agreement, one of the following transfer mechanisms shall apply, in the following order of precedence:
    • i. Cendyn’s certification of a successor of the EU-U.S. Privacy Shield Framework (only to the extent that such self-certification constitutes an “appropriate safeguard” pursuant to the Applicable UK Laws, as the case may be), provided that the services are covered by the self-certification, if applicable.
    • ii. A valid adequacy decision pursuant to the requirements under the Applicable UK Data Protection Laws that provides that the third country, a territory or one or more specified sectors within that third country, or the international organization in question to which Personal Data is to be transferred ensures an adequate level of data protection.
    • iii. The EU 2021 Standard Contractual Clauses (insofar as their use constitutes an “appropriate safeguard” under the Applicable UK Data Protection Laws, as the case may be).
    • iv. The EU 2010 Standard Contractual Clauses (insofar as their use constitutes an “appropriate safeguard” under the Applicable UK Data Protection Laws, as the case may be).
    • v. Any other lawful basis, as laid down in the Applicable UK Data Protection Laws, as the case may be.
  • (b) If the relevant UK authorities recognize the EU 2021 Standard Contractual Clauses as a valid data transfer mechanism for UK Restricted Transfers, the Parties shall be deemed to have accepted the EU 2021 Standard Contractual Clauses and any necessary addenda to make them applicable to UK Restricted Transfers and agree to replace the EU 2010 Standard Contractual Clauses with the EU 2021 Standard Contractual Clauses as of the day the relevant UK authorities recognize the new EU 2021 Standard Contractual Clauses as a valid data transfer mechanism for UK Restricted Transfers.
  • 6.3 In cases where the EU 2021 Standard Contractual Clauses apply in accordance with Section 6.2:
    • i. Where there is a conflict between the terms of the DPA and the terms of the EU 2021 Standard Contractual Clauses, the terms of the EU 2021 Standard Contractual Clauses shall control;
    • ii. The text contained in Appendix A to this Exhibit C serves to supplement the EU 2021 Standard Contractual Clauses with respect to UK Restricted Transfers;
    • iii. The Exhibits to the DPA include the information required under Annexes I and II of the EU 2021 Standard Contractual Clauses.
    • iv. The Parties are deemed to have accepted, executed, and signed the EU 2021 Standard Contractual Clauses where necessary in their entirety.
    • v. When Customer instructs Cendyn to integrate its services with a Cendyn partner, the Parties agree that the partner is authorized to join the EU 2021 Standard Contractual Clauses concluded between Cendyn and Customers, as required by Clause 8.8 of the EU 2021 Standard Contractual Clauses and in accordance with Clause 7 of the EU 2021 Standard Contractual Clauses.
    • vi. The Parties agree to make the following changes to the terms of the EU 2021 Standard Contractual Clauses:
      • i. For the purpose of Annex I.C and with respect to Clause 13 of the EU 2021 Standard Contractual Clauses, the competent supervisory authority shall be the UK Information Commissioner’s Office (ICO).
      • ii. With respect to Clause 17 of the EU 2021 Standard Contractual Clauses, the Parties select the law of the United Kingdom.
      • iii. With respect to Clause 18 of the EU 2021 Standard Contractual Clauses, the Parties agree that any dispute arising from the EU 2021 Standard Contractual Clauses shall be resolved by the courts of the United Kingdom.
  • (c) In cases where the EU 2010 Standard Contractual Clauses apply in accordance with Section 6.2:
    • i. where there is a conflict between the terms of the DPA and the terms of the EU 2010 Standard Contractual Clauses, the terms of the EU 2010 Standard Contractual Clauses shall control;
    • ii. the text contained in Appendix A to this Exhibit serves to supplement the EU 2010 Standard Contractual Clauses;
    • iii. the data importer indicates Section II(h)(iii) as its choice pursuant to Section II(h) of the EU 2010 Standard Contractual Clauses.
    • iv. the Exhibits to the DPA include the information required under the Annex B of the UK EU 2010 Standard Contractual Clauses.
    • v. the Parties are deemed to have accepted, executed, and signed the EU 2010 Standard Contractual Clauses where necessary in their entirety (including the appendices thereto and the “Illustrative Indemnification Clause” as an operative clause).

7. Russia.

  • 7.1. Definitions. For purposes of interpreting the DPA and this Section 7, the following terms shall be interpreted as follows:
  • (a) “Applicable Russian Data Protection Laws” includes the Federal Law of 27 July 2006 N 152-FZ on personal data, as may be amended from time to time;
  • (b) “Controller” includes “Operator” as defined under Applicable Russian Data Protection Laws;
  • (c) “Data Subject” includes “Personal data subject” as defined under Applicable Russian Data Protection Laws;
  • (d) “Personal Data” includes “Personal Data” as defined under Applicable Russian Data Protection Laws;
  • (e) “Processing” includes “Personal data processing” as defined under Applicable Russian Data Protection Laws;
  • (f) “Russian Restricted Transfer” (as used in this Section) includes any transfer of Personal Data (including data storage in foreign servers) which is undergoing Processing or is intended for Processing after transfer subject to Applicable Russian Data Protection Laws, to a Third Country (as defined below) or an international organization;
  • (g) “Supervisory Authority” includes the Roskomnadzor; and
  • (h) “Third Country” (as used in this Section) means a country other than the Russian Federation.
  • 7.2. Russian Restricted Transfers.
  • (a) With regard to any Russian Restricted Transfer from one Party to another within the scope of the Agreement, one of the following transfer mechanisms shall apply, in the following order of precedence:
    • i. the Third Country’s ratification of Council of Europe Convention on the Protection of Individuals with Regard to Automatic Processing of Personal Data;
    • ii. the inclusion of the Third Country in the list of other foreign states providing adequate protection of the data subjects’ rights published by the Roskomnadzor;
    • iii. the Data Subject’s consent to the Russian Restricted Transfer; or
    • iv. any other lawful basis, as laid down in the Applicable Russian Data Protection Laws, as the case may be.
  • (b) Customer confirms that it has obtained a valid consent (as defined under Applicable Russian Data Protection Laws) or identified an appropriate legal basis under Applicable Russian Data Protection Laws where necessary to Process Personal Data of each Data Subject and for the subsequent Processing by Cendyn and its sub-Processors.
  • (c) Customer has reviewed the security measures listed in Exhibit C to the DPA and agrees that they meet the standards required under Article 19(2) of the Federal Law of 27 July 2006 N 152-FZ on personal data.

8. Serbia.

  • 8.1. Definitions. For purposes of interpreting the DPA and this Section 8, the following terms shall be interpreted as follows:
    • (a) “Applicable Serbian Data Protection Laws” includes the Act of 9 November 2018 on Personal Data Protection (Official Gazette No. 87/18), as may be amended from time to time;
    • (b) “Controller” includes “Rukovalac” as defined under Applicable Serbian Data Protection Laws;
    • (c) “Data Subject” includes “Lice na koje se podaci odnose” as defined under Applicable Serbian Data Protection Laws;
    • (d) “Personal Data” includes “Podatak o ličnosti” as defined under Applicable Serbian Data Protection Laws;
    • (e) “Processing” includes “Obrada podataka o ličnosti” as defined under Applicable Serbian Data Protection Laws;
    • (f) “Serbian Restricted Transfer” (as used in this Section) includes any transfer of Personal Data (including data storage in foreign servers) which is undergoing Processing or is intended for Processing after transfer subject to Applicable Serbian Data Protection Laws, to a Third Country (as defined below) or an international organization;
    • (g) “Serbian Standard Contractual Clauses” (as used in this Section) means the Serbian Standard Contractual Clauses (Standardne Ugovorne Klauzule) included in Exhibit C;
    • (h) “Supervisory Authority” includes the “Poverenik za informacije od javnog značaja i zaštitu podataka o ličnosti”.
    • (i) “Third Country” (as used in this Section) means a country other than the Republic of Serbia.
  • 8.2. Serbian Restricted Transfers.

  • (a) With regard to any Serbian Restricted Transfer from one Party to another within the scope of the Agreement, one of the following transfer mechanisms shall apply, in the following order of precedence:
    • i. the Third Country’s ratification of Council of Europe Convention on the Protection of Individuals with Regard to Automatic Processing of Personal Data;
    • ii. the inclusion of the Third Country in the list of foreign states, parts of their territories or one or more sectors of certain activities in those states and international organizations providing adequate protection of the data subjects’ rights adopted by the Serbian government;
    • iii. the Serbian Standard Contractual Clauses (insofar as their use constitutes an “appropriate safeguard” under the Applicable Serbian Data Protection Laws, as the case may be); and
    • iv. any other lawful basis, as laid down in the Applicable Serbian Data Protection Laws, as the case may be.
  • (b) In cases where the Serbian Standard Contractual Clauses apply:
    • i. where there is a conflict between the terms of the DPA and the terms of the Serbian Standard Contractual Clauses, the terms of the Serbian Standard Contractual Clauses shall control; and
    • ii. the Parties are deemed to have accepted, executed, and signed the Serbian Standard Contractual Clauses where necessary in their entirety (including the appendices thereto).

Appendix A (Supplementary Measures to the Standard Contractual Clauses) to Exhibit C – Jurisdiction Specific Terms

By this Appendix A (this “Appendix”), the Parties provide additional safeguards to and additional redress to the Data Subjects to whom Customer Personal Data relates. This Appendix supplements and is made part of, but is not in variation or modification of, the Standard Contractual Clauses that may be applicable to the Restricted Transfer.

  • 1. Applicability of this Appendix.
    • i. This Appendix only applies with respect to Restricted Transfers where the terms of Exhibit C indicate it.
  • iii. Applicability of surveillance laws to Cendyn.
    • i. US surveillance laws
      • i. “FISA” means U.S. Foreign Intelligence Surveillance Act.
      • ii. Cendyn represents and warrants that, as of the date of the DPA, it has not received any national security orders of the type described in paragraphs 150-202 of the judgment of the European Court of Justice in Case C-311/18, Data Protection Commissioner v Facebook Ireland Limited and Maximilian Schrems.
      • iii. Cendyn represents that it reasonably believes that it is not eligible to be required to provide information, facilities, or assistance of any type under FISA Section 702 because:
      • iv. Cendyn does not believe that it qualifies as an “electronic communication service provider” within the meaning of 50 U.S.C. § 1881(b)(4) and is therefore ineligible to receive any process issued under FISA Section 702 for Services it provides to its customers;
      • v. No court has found the Data Importer to be an entity eligible to receive process issued under FISA Section 702: (i) an “electronic communication service provider” within the meaning of 50 U.S.C. § 1881(b)(4) or (ii) a member of any of the categories of entities described within that definition.
      • vi. If Cendyn were to be found eligible for FISA Section 702, which it believes it is not, it is nevertheless also not the type of provider that is eligible to be subject to UPSTREAM collection pursuant to FISA Section 702, as described in paragraphs 62 and 179 of the Schrems II judgment.
      • vii. Executive Order 12,333 does not provide the U.S. government the ability to order or demand Data Importer to provide assistance for the bulk collection of information and Data Importer shall take no action pursuant to U.S. Executive Order 12,333.
    • ii. General provisions about surveillance laws applicable to Cendyn.
      • i. Customer warrants that it has no reason to believe that the laws and practices in the third country of destination of Personal Data applicable to the Processing of Personal Data by Service Provider, including any requirements to disclose personal data or measures authorizing access by public authorities, prevent Service Provider from fulfilling its obligations under the 2010 EU Standard Contractual Clauses (where applicable).
      • ii. Data Importer commits to provide upon request information about the laws and regulations in the destination countries of the transferred data applicable to Data Importer that would permit access by public authorities to the transferred Customer Personal Data, in particular in the areas of intelligence, law enforcement, administrative and regulatory supervision applicable to the transferred data. In the absence of laws governing the public authorities’ access to data, Data Importer shall provide Data Exporter with information and statistics based on the experience of the Data Importer or reports from various sources (such as partners, open sources, national case law and decisions from oversight bodies) on access by public authorities to personal data in situations of the kind of the data transfer at hand. The Data Importer providing the information referred to in this Subsection may choose the means to provide the information.
    • iii. Cendyn shall monitor any legal or policy developments that might lead to its inability to comply with its obligations under the Standard Contractual Clauses and this Appendix, and promptly inform the Data Exporter of any such changes and developments. When possible, the Data Importer shall inform the Data Exporter of any such changes and developments ahead of their implementation.
  • iv. Cendyn’s procedure to respond to orders for Compelled Disclosure of Customer Personal Data.
    • i. In the event Cendyn receives an order from any third party for compelled disclosure of any Customer Personal Data that has been transferred under the Standard Contractual Clauses, Cendyn shall:
      • i. promptly notify Customer, unless prohibited under the law applicable to the requesting third party, and, if prohibited from notifying Customer or the Data Subject, use all lawful efforts to obtain the right to waive the prohibition in order to communicate as much information to Customer and the Data Subject as soon as possible. This includes but is not limited to informing the requesting public authority of the incompatibility of the order with the safeguards contained in Standard Contractual Clauses and the resulting conflict of obligations for Cendyn;
      • ii. use all lawful efforts to challenge the order for disclosure on the basis of any legal deficiencies under the laws of the requesting party or any relevant conflicts with the law of the European Union or applicable Member State law. For purpose of this section, lawful efforts do not include actions that would result in civil or criminal penalty such as contempt of court under the laws of the relevant jurisdiction;
      • iii. seek interim measures with a view to suspend the effects of the order until the competent court has decided on the merits;
      • iv. not disclose the requested Customer Personal Data until required under the applicable procedural rules;
      • v. provide the minimum amount of information permissible when responding to the request, based on a reasonable interpretation of the request;
      • vi. unless prohibited under the law applicable to the requesting third party, use every reasonable effort to redirect the third party requesting the disclosure of any Personal Data that has been transferred to Cendyn directly to Customer; and
      • vii. document all the steps taken by Cendyn related to the order.
  • v. Information on requests of access or orders for compelled disclosure to/of Customer Personal Data by public authorities
    • i. Cendyn commits to provide Customer with sufficiently detailed information on all requests of access to Customer Personal Data by public authorities which Cendyn has received over the last five (5) years (if any), in particular in the areas of intelligence, law enforcement, administrative and regulatory supervision applicable to the transferred data and comprising information about the requests received, the data requested, the requesting body and the legal basis for disclosure and to what extent Cendyn has disclosed the requested data. Cendyn may choose the means to provide this information.
  • vi. Backdoor
    • i. Cendyn certifies that:
  • (a) it has not purposefully created back doors or similar programming that could be used to access Cendyn systems’ and/or Customer Personal Data;
  • (b) it has not purposefully created or changed its business processes in a manner that facilitates access to Customer Personal Data or systems, and
  • (c) that national law or government policy does not require Cendyn to create or maintain back doors or to facilitate access to Customer Personal Data or systems or for Cendyn to be in possession or to hand over the encryption key.
    • vii. Information about legal prohibitions
      • i. Cendyn will provide Customer information about the legal prohibitions on Cendyn to provide information under this Appendix. Cendyn may choose the means to provide this information.
    • viii. Other measures to prevent authorities from accessing Customer Personal Data
      • i. Notwithstanding the application of the security measures set forth in Exhibit D of the Agreement, Cendyn will implement internal policies establishing that:
  • (a) where Cendyn is prohibited by law from notifying Customer of an order from a public authority for Customer Personal Data, Cendyn shall take into account the laws of other jurisdictions and use best efforts to request that any confidentiality requirements be waived to enable it to notify the competent Supervisory Authorities;
  • (b) Cendyn must require an official, signed document issued pursuant to the applicable laws of the requesting third party before it will consider a request for access to Customer Personal Data; and
  • (c) Cendyn shall scrutinize every request for legal validity and, as part of that procedure, will reject any request Cendyn considers to be invalid; and
  • (d) if Cendyn is legally required to comply with an order, it will respond as narrowly as possible to the specific request.
    • ix. Inability to Comply with this Appendix.
      • i. Cendyn shall promptly inform Customer of its inability to comply with the Standard Contractual Clauses and this Exhibit. If Cendyn determines that it is no longer able to comply with its contractual commitments under this Exhibit, Customer can swiftly suspend the transfer of data and/or terminate the Agreement. If Cendyn determines that it is no longer able to comply with the Standard Contractual Clauses or this Exhibit, Cendyn shall return or delete the Personal Data received in reliance on the Standard Contractual Clauses. If returning or deleting the Personal Data received is not possible, Cendyn must securely encrypt the data without waiting for Customer’s instructions.
      • ii. Cendyn shall provide Customer with sufficient indications to suspend the transfer and/or terminate the contract.
    • x. Termination.
  • This Appendix shall automatically terminate if the European Commission, a competent Member State Supervisory Authority, or an EEA or competent Member State court approves a different lawful transfer mechanism that would be applicable to the data transfers covered by the Standard Contractual Clauses (and if such mechanism applies only to some of the data transfers, this Appendix will terminate only with respect to those transfers) and that does not require the additional safeguards set forth in this Appendix.