All individuals or organizations that provide goods or services (each a “Supplier”) to United Rentals, Inc., or any of its affiliates or subsidiaries (individually or collectively, “Company”) must comply with these Data Processing Terms. These Data Processing Terms form part of any agreement between Company and Supplier that references these Data Processing Terms, or to which these Data Processing Terms are attached or incorporated (the “Agreement”). In the event of a conflict between these Data Processing Terms and the Agreement, these Data Processing Terms shall control with respect to their subject matter, unless the Agreement sets forth more stringent standards (i.e., standards more protective of Company and Company’s Personal Data (defined below)).
1. Data Protection
1.1 Scope. These Data Processing Terms apply to Supplier if Supplier Processes any Personal Data in connection with Supplier’s performance of the Services (as such terms are defined below).
1.2 Definitions. For the purposes of these Data Processing Terms, the following definitions shall apply:
a. “Adequacy Decision” means a decision issued by the European Commission under Article 45 of the GDPR.
b. “Applicable Law” means all applicable laws (including those arising under common law), statutes, ordinances, regulations, directives, treaties, codes and other pronouncements having the effect of law of the United States, any foreign country or any domestic or foreign state, county, city or other political subdivision, including those promulgated or enforced by any governmental authority, as amended or supplemented.
c. “Cardholder Data” means: (i) with respect to a payment card, the account holder’s name, account number, security codes, card validation code/value, service codes (i.e., the three or four digit number on the magnetic stripe that specifies acceptance requirements and limitations for a magnetic stripe read transaction), PIN or PIN block, valid to and from dates, and magnetic stripe data; and (ii) information and data related to a payment card transaction that is identifiable with a specific account, regardless of whether or not a physical card is used in connection with such transaction.
d. “Data Transfer” means the access of Personal Data by a Person, or transfer, delivery, or disclosure of Personal Data to a Person, where such Person is located in a country other than the country from which the Personal Data originated.
e. “EEA” means collectively, the member states of the European Union and Switzerland.
f. “GDPR” means Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, as amended or supplemented.
g. “PCI Standards” means the data security standards for the protection of payment card information with which the payment card companies collectively or individually require merchants to comply, including, but not limited to, the Payment Card Industry Data Security Standards currently in effect and as modified during the term of the Agreement.
h. “Personal Data Breach” means any accidental, unlawful or unauthorized access, acquisition, use, modification, disclosure, loss, destruction of or damage to Personal Data or any other unauthorized Processing of Personal Data.
i. “Personal Data” means any information relating to an identified or identifiable natural person, or any information that identifies, relates to, describes or could reasonably be linked with a particular natural person or household, which Supplier accesses or acquires from Company, which Company provides to Supplier, or which Supplier collects or acquires on behalf of Company; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Personal Data includes, without limitation: (a) name; (b) mailing address; (c) telephone or fax number; (d) email address; and (e) government identification number. Personal Data also includes any Personal Information, Personally Identifiable Information or similar terms as defined under Privacy Laws.
j. “Privacy Laws” means all (i) Applicable Laws relating to the privacy, confidentiality, retention or security of Personal Data including, but not limited to, the GDPR, the California Consumer Privacy Act of 2018 (“CCPA”), the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), provincial privacy laws (including those in British Columbia, Alberta, and Quebec), and Canadian anti-spam law; the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM); the FTC Disposal of Consumer Report Information and Records Rule, 16 C.F.R. § 682 (2005); the Federal “Privacy of Consumer Financial Information” Regulation (12 CFR Part 30) issued pursuant to Section 504 of the Gramm-Leach-Bliley Act of 1999 (15 U.S.C. §6801, et seq.); HIPAA and the HITECH Act, and all other similar international, federal, state, provincial, and local requirements, (ii) all applicable industry standards concerning privacy, data protection, confidentiality or information security currently in effect and as they become effective, including the Payment Card Industry Data Security Standard, and any other similar standards, and (iii) applicable provisions of all Company privacy policies, statements or notices that are provided or otherwise made available to Supplier. For the avoidance of doubt, Privacy Laws are applicable with respect to any receipt of, access to, or Processing of Personal Data, whether intentionally or unintentionally.
k. “Process” or “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, alteration, use, access, disclosure, copying, transfer, storage, deletion, alignment or combination, restriction, adaptation, retrieval, consultation, destruction, disposal, or other use of Personal Data.
1.3 Limitation on Use.
a. Scope of the Processing. Supplier will Process Personal Data in connection with the Services described in the Agreement and during the term of such Agreement, subject to compliance with Applicable Laws and the Agreement. The type of Personal Data Processed by Supplier is described in the Agreement. The Processing may involve Personal Data of employees of Company, customers of Company, and business contact information of Company customers, suppliers and other business partners, as further described in the Agreement. Under no circumstances will Supplier use, process, or disclose the Personal Data for its own commercial purposes or for any purpose other than providing the Services.
b. Processing Pursuant to Company’s Instructions. Supplier acknowledges that, with respect to the Personal Data, Company is the controller and Supplier is a data processor as defined under applicable Privacy Laws. Supplier will Process Personal Data only on behalf of Company as necessary to provide the Services in accordance with the Agreement (including these Data Processing Terms) and in accordance with Company’s instructions issued from time to time in writing (collectively, the “Instructions”). Supplier will Process the Personal Data and perform the Services at all times in compliance with Applicable Law. Supplier may not: (i) use Personal Data for any purpose other than as provided in Section 1.3.a; (ii) sell, assign or lease to third parties any Personal Data; or (iii) commercially exploit Personal Data or otherwise Process Personal Data for Supplier’s own purposes. If Applicable Law requires Supplier to conduct Processing that is or could be construed as inconsistent with the Instructions, then Supplier must notify Company immediately and prior to commencing the Processing, unless Applicable Law prohibits such notice on important grounds of public interest. Supplier must notify Company immediately if Supplier believes that any Instruction from Company violates or would result in Processing in violation of Applicable Law.
1.4 Limitation on Disclosure. Supplier will not disclose Personal Data to any third party without first obtaining Company’s written consent, except as provided in Section 1.7 (Data Subject Requests) or Section 1.11 (Production Requests). Supplier will impose enforceable written obligations on all employees, contractors and agents that Process Personal Data on Supplier’s behalf to protect the confidentiality of the Personal Data (during the term of their employment or engagement and thereafter).
1.5 Technical and Organizational Measures; Security Requirements
a. Security Requirements. Supplier shall comply with Company’s requirements for administrative, technical and physical control measures applicable to Supplier’s delivery of the Services and Company’s requirements for physical security at the facilities set forth herein, in the Agreement, and as otherwise provided by Company to Supplier in writing (the “Security Requirements”). Company shall notify Supplier in writing of any changes, updates, modifications or amendments of the Security Requirements. Supplier will comply, and will ensure that Supplier’s agents and subcontractors comply, with the Security Requirements, as amended by Company from time to time.
b. Safeguards. In addition to any specific requirements set forth in the Security Requirements, Supplier shall establish a written information security program with respect to Personal Data (and provide a copy of same to Company) (“WISP”) which must substantially conform to the framework set forth by the International Standards Organization in a standards document entitled “Code of practice for information security management” (ISO/IEC 27002:2013, and as may be amended from time to time) and which, consistent with Section 1.5(c) below: (i) ensures the security, confidentiality, integrity and availability of Personal Data; (ii) protects against any anticipated threats or hazards to the security, confidentiality, availability or integrity of Personal Data; (iii) protects against any unauthorized access to, use or disclosure of Personal Data; and (iv) ensures the proper and secure disposal of Personal Data. Supplier will, in accordance with the WISP and Privacy Laws, take all necessary technical and organizational security measures against the unauthorized or unlawful Processing of Personal Data and against the loss, alteration or destruction of, or damage to, Personal Data. In assessing the appropriate level of security, Supplier shall take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing Personal Data as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
c. Documentation. During the term of this Agreement and for a period of seven years thereafter, Supplier shall maintain, and provide for the Company’s review, at the Company’s request: (a) the WISP and (b) other applicable security program documents, including its incident response policies, encryption standards and/or other computer security protection policies or procedures, that constitute compliance with Privacy Laws. Supplier shall provide the Company with any amendments to such policies or programs, and any new policies or programs related to information privacy and security as may be adopted by Supplier from time to time, within 30 days after the adoption of any such amendment, policy or program.
d. Security Assessment. Without limiting the generality of the foregoing, Supplier’s WISP shall provide for: (a) regular assessment and re-assessment of the risks to the confidentiality, integrity and availability of Personal Data and systems acquired or maintained by Supplier and its agents and contractors, including (x) identification of internal and external threats that could result in a Personal Data Breach, (y) assessment of the likelihood and potential damage of such threats, and (z) assessment of the sufficiency of policies, procedures, and information systems of Supplier and Subcontractors (defined below), and other arrangements in place, to control risks; and (b) protection against such risks.
e. Media. Supplier shall remove all Personal Data from any media taken out of service and shall destroy or securely erase such media in accordance with current industry standards such as NIST 800-88 or an equivalent superseding standard, Privacy Laws and otherwise in a manner designed to protect against unauthorized access to or use of any Personal Data in connection with such destruction or erasure. No media on which Personal Data is stored may be used or re-used to store data of any other customer of Supplier or to deliver data to a third party, including another Supplier customer, unless securely erased.
1.6 Subcontracting. Supplier may subcontract the Processing of Personal Data only with the prior written permission of Company. Prior to any disclosure of Personal Data to a subcontractor or other Processing of Personal Data by a subcontractor (each, a “Subcontractor”), Supplier must have entered into an agreement that requires the Subcontractor to comply with the same obligations and restrictions as provided in these Data Processing Terms. Supplier will provide the agreement to Company promptly upon request. Supplier will remain accountable and responsible for the Processing of Personal Data by, and for all actions and omissions of, such Subcontractors.
1.7 Data Subject Requests. Supplier will promptly notify Company in writing (and in any event within 2 business days of receipt), unless specifically prohibited by Applicable Law, if Supplier receives: (i) any requests from an individual with respect to Personal Data Processed including, but not limited to, opt-out requests, requests for access, rectification, erasure, restriction or data portability, requests involving an objection to Processing or automated decision-making, and all similar requests; or (ii) any complaint, inquiry or notice of investigation under Applicable Law relating to the Processing of Personal Data including, but not limited to, allegations that the Processing infringes an individual’s rights under Applicable Law. Supplier will at no additional charge: (a) implement appropriate processes (including technical and organizational measures) to assist Company in responding to such requests or complaints from individuals; and (b) cooperate fully with Company with respect to, and facilitate Company’s authentication, recording, investigation, processing, execution and resolution of, all such requests, complaints, inquiries or notices of investigation. Supplier will not respond to any such request, complaint, inquiry or notice of investigation unless authorized to do so in writing by Company, or required to do so by Applicable Law.
1.8 Personal Data Breaches.
a. Supplier shall notify Company in writing immediately (and in any event within 24 hours) whenever Supplier reasonably believes that there has been a Personal Data Breach, including the presence of malware. Supplier’s notice to Company of a Personal Data Breach must contain the following: (1) a description of the categories and approximate number of data subjects, as well as the categories and approximate number of Personal Data records affected by the Personal Data Breach; (2) the name and contact details of any Data Protection Officer appointed by Supplier; (3) Supplier’s assessment, developed through reasonable diligence, of the likely consequences of the Personal Data Breach with respect to the affected Personal Data and data subjects; and (4) any additional information required pursuant to Privacy Laws applicable to Supplier or Company.
b. In the event of any Personal Data Breach, Supplier will investigate the Personal Data Breach, take all necessary steps to eliminate or contain the exposure of Personal Data, and keep Company advised of the status of the Personal Data Breach and Supplier’s investigation and steps taken to remedy same. Supplier further agrees to provide, at Supplier’s sole cost, reasonable assistance and cooperation requested by Company, in the furtherance of any correction, remediation, or investigation of such Personal Data Breach by Company and/or the mitigation of any damages resulting from such Personal Data Breach, including any notification that Company may determine appropriate to send to affected individuals, regulators or third parties, and/or the provision of any credit reporting service that Company deems appropriate to provide to affected individuals. In addition, within 30 days of identifying or being informed of a Personal Data Breach, Supplier shall develop and execute a plan that reduces the likelihood of a recurrence of a Personal Data Breach.
c. If Company determines that any Personal Data Breach must be disclosed to a third party, including but not limited to, data subjects, governmental authorities, or data protection authorities, then Supplier shall fully cooperate with and assist Company in fulfilling Company’s reporting and disclosure obligations. Unless required by Applicable Law, Supplier shall not notify any individual or any third party other than law enforcement of any potential Personal Data Breach without first consulting with, and obtaining the written permission of, Company.
1.9 Information Return or Deletion. Upon termination or expiration of the Agreement for any reason, or upon Company’s request (and without regard to the default status of the Parties under the Agreement), Supplier shall within 10 days return, in a manner and format reasonably requested by Company, or, at Company’s direction, destroy, all Personal Data in Supplier’s possession or control, except to the extent otherwise required by Applicable Law. If Supplier has a legal obligation to retain Personal Data beyond the period otherwise specified by the Agreement, Supplier will notify Company in writing of that obligation (unless precluded from doing so pursuant to Applicable Law), and will return or destroy Personal Data in accordance with these Data Processing Terms as soon as possible after that legally required retention period has ended. Supplier will perform any destruction of Personal Data pursuant to these Data Processing Terms in such a manner as to permanently and securely destroy the Personal Data in accordance with Privacy Laws and industry standards so that the information cannot be read or reconstructed as a practicable matter through forensic or other means. Upon Company’s request, Supplier will provide a written explanation of the method used for data disposal/destruction, along with a written certification that such Personal Data has been returned or securely destroyed in accordance with these Data Processing Terms.
1.10 Investigations. Upon notice to Supplier, Supplier shall assist and support Company in the event of an investigation by any regulator, including a data protection regulator or similar authority, if and to the extent such investigation relates to Personal Data handled by Supplier on behalf of Company. Such assistance shall be at Company’s expense, except where such investigation was required due to Supplier’s acts or omissions, in which case such assistance shall be at Supplier’s sole expense.
1.11 Certification. Supplier hereby certifies that Supplier understands, and will comply with, the restrictions set forth in these Data Processing Terms with respect to Personal Data.
2.1 Annual Audit. In addition to any other audit rights under the Agreement, once every 12 months, subject to any contrary provisions of Section 2.3 of these Data Processing Terms, Supplier will provide to Company, or an independent third party chosen by Company and reasonably acceptable to Supplier, on reasonable notice: (i) access to Supplier’s information, Processing premises, and records; (ii) reasonable assistance and cooperation of Supplier’s relevant staff; and (iii) reasonable facilities at Supplier’s premises, for the purpose of Company’s audit of Supplier’s compliance with these Data Processing Terms. Company may, instead of conducting an on-site audit, request a copy of Supplier’s most recent third party assessment, such as an ISO 27001, SSAE 18 SOC 2, ISAE 3402 or similar assessment. Supplier will provide a copy of such assessment to Company promptly upon request. Company retains the right to conduct an audit as described in this paragraph, even if such a certificate is provided. Each party will bear its own expenses in connection with an audit pursuant to this Section 2.1.
2.2 Personal Data Breach Audit. If Supplier gives notice of a Personal Data Breach as described in Section 1.8, then Company shall have the following audit rights, without regard to the frequency limitation in Section 2.1. Subject to Section 2.3 of these Data Processing Terms, Company will have the right to perform, by an independent third party chosen by Company and reasonably acceptable to Supplier, or through Company’s own personnel, a follow-up audit to ensure all reasonably necessary corrective actions have been taken. If such an audit concludes that Supplier has not adequately taken corrective action to remedy the problems, then (i) Supplier will promptly take whatever corrective actions are reasonably necessary to remedy the problems; and (ii) Supplier will reimburse Company for all reasonable costs of the audit.
2.3 Audit Confidentiality. The parties agree that if Supplier’s pre-existing written policies, provided to Company upon request, do not permit Company’s own personnel to perform any audit or security review required or permitted under these Data Processing Terms, Company will conduct such audit or security review through a third-party auditor selected by Company and reasonably acceptable to Supplier, and Supplier will reimburse Company’s cost of conducting any such audit or security review. Company agrees that any third-party auditor or security firm will enter into a written agreement with Supplier and Company that requires such firm to (i) use any Supplier confidential information solely for purposes of the inspection or audit, and (ii) keep Supplier’s confidential information confidential in accordance with any applicable provisions of the Agreement. The parties further agree that if Supplier policies also prohibit Company’s third-party auditors from performing any audit or security review, Supplier will, upon Company’s request, engage Supplier’s independent auditing firm, acting with a duty to Supplier, to conduct such audit or security review, at Supplier’s expense, and such firm will provide Company with a management representation letter certifying to Company the results of such audit or review, including all findings, comments and recommendations for further action.
3. Cross-Border Transfers
Data Transfers made pursuant to the Agreement or the Services must comply with this Section 3. If any Data Transfer mechanism identified herein is invalidated or repealed by a court of competent jurisdiction or competent governmental authority, then Supplier must immediately adopt and comply with one of the other Data Transfer mechanisms set forth below.
3.1 Transfers by Company. Data Transfers made by a Company affiliate established in the EEA to Supplier (including any Subcontractor of Supplier) in a location that is outside the EEA and not covered by an Adequacy Decision must be in accordance with one or more of the approved means set forth below:
a. BCR-P. Binding Corporate Rules for Processors implemented by Supplier and approved by all applicable supervisory authorities pursuant to Article 47 of the GDPR and other applicable Privacy Laws (“BCR-Ps”), in which case Supplier represents, warrants, and covenants that it will: (i) maintain such BCR-Ps for the duration of the Agreement; (ii) promptly notify Company of any subsequent material changes in such authorization; and (iii) downstream any of its obligations under its BCR-Ps by entering into an appropriate onward transfer agreement with any Subcontractor.
b. Privacy Shield. With respect to a Data Transfer to Supplier in the United States, pursuant to certification of Supplier under the EU-US Privacy Shield Program and the Swiss-US Privacy Shield Program, in which case Supplier represents, warrants, and covenants that it: (i) has certified to the United States Department of Commerce that it complies with the Privacy Shield principles and supplemental principles located at https://www.privacyshield.gov/, as may be amended from time to time (“Privacy Shield Obligations”); (ii) will maintain its certification to such Privacy Shield Programs for the duration of the Agreement; and (iii) will downstream its Privacy Shield Obligations by entering into an appropriate onward transfer agreement with any Subcontractor.
c. Model Clauses. In all cases not covered by Section 3.1.a or 3.1.b above, the relevant Data Transfer will be governed by the Standard Contractual Clauses (Controller to Processor) attached hereto (the “C2P Model Clauses”). Supplier must abide by C2P Model Clauses, which are hereby incorporated in their entirety into these Data Processing Terms by reference. The C2P Model Clauses apply to Supplier as the data importer, and by executing the Agreement, Supplier is also executing the C2P Model Clauses as the data importer. Supplier agrees also to execute the C2P Model Clauses directly upon request.
3.2 Transfers by Supplier. Supplier will not transfer any Personal Data across national borders, except upon the prior written consent of Company. Supplier will not export outside the EEA any Personal Data collected, stored or otherwise Processed by Supplier in the EEA, except pursuant to Company Instruction. Supplier must ensure that all Data Transfers comply with Privacy Laws at all times.
4. Additional Supplier Obligations
4.1 Supplier represents, warrants and covenants that no Personal Data has been collected by Supplier or transferred by Supplier to third parties in violation of any Privacy Laws. There are no notices, claims, investigations or proceedings pending, or, to the knowledge of Supplier, threatened, by state or federal agencies, or private parties involving notice or information to individuals that Personal Data held or stored by Supplier has been compromised, lost, taken, accessed or misused. Supplier has not received any notice regarding any violation of any Privacy Laws, and Supplier has no reason to believe that the security of any Personal Data Processed by Supplier has been breached or potentially breached.
4.2 All consumer-facing websites and mobile applications operated by Supplier on Company’s behalf must contain a link to a privacy statement that complies with Privacy Laws and that Company has approved in writing. Notwithstanding any such privacy statement, Supplier may Process Personal Data only in accordance with this Agreement and only as necessary to provide the Services to Company. Web sites and mobile applications that would appear to a consumer as being provided by Company must post a Company privacy statement and must be approved prior to launch by Company.
4.3 Supplier shall indemnify Company and its officers, directors, employees and agents (“Indemnitees”), and hold Indemnitees harmless, from and against, any and all losses, damages and expenses, including any and all incidental and consequential losses, damages and expenses, which shall include without limitation costs of (i) investigation, including forensic computer services or assistance, (ii) notification to individuals and governmental authorities, (iii) credit monitoring or restoration, and (iv) reasonable attorneys’ fees, related to or arising from (X) Supplier’s breach of these Data Processing Terms or (Y) any Personal Data Breach involving Personal Data Processed by Supplier.
5. Changes to these Data Processing Terms
5.1 Company can change these Data Processing Terms in its sole discretion at any time and from time to time. Any changes to these Data Processing Terms will be binding upon Supplier when posted at [____________________________]; provided, however, that Supplier will have a reasonable period of time to implement any change in the Data Processing Terms (not to exceed any time period provided by applicable law, rule, or regulation to implement such change). Supplier is obligated to check this URL regularly for any changes. The most recent changes to the Data Processing Terms will appear at the bottom of the Data Processing Terms in the section entitled “Material Revisions to Data Processing Terms.”
6. Survival; Third-Party Beneficiaries; Further Assurances; Validity
6.1 Supplier’s obligations under these Data Processing Terms will survive the termination or expiration of its Services or any related agreements and will continue for so long as Supplier, or any of its affiliates or subcontractors retain or have access to Personal Data. Supplier acknowledges and agrees that each entity referenced in the definition of “Company” above is an intended third party beneficiary of Supplier’s obligations and liabilities under these Data Processing Terms, including without limitation Supplier’s obligations with respect to Personal Data, and as such, each will have a right of its own to enforce these Data Processing Terms.
6.2 Further Assurances. Supplier will provide relevant information and assistance requested by Company to demonstrate Supplier’s compliance with its obligations under these Data Processing Terms and Privacy Laws and to assist Company in meeting Company’s obligations under applicable Privacy Laws with respect to Supplier’s Processing of Personal Data. If any change in Processing is required by a modification in Privacy Laws, or to ensure ongoing compliance with Privacy Laws, then Company will have the right to require Supplier to implement the requested change.
6.3 Validity. If any part of these Data Processing Terms is held unenforceable, the validity of all remaining parts will not be affected.
7. Security Requirements
7.1 Supplier will adopt, implement, and maintain appropriate security procedures and practices to prevent the unauthorized access, acquisition, destruction, modification, use, or disclosure of Personal Data. Such procedures and practices will be compliant, at a minimum, with the Agreement, these Data Processing Terms, and the Privacy Laws.
7.2 Consistent with the foregoing, Supplier shall:
7.2.1 (x) physically or logically segregate Personal Data from all other data held by Supplier and prevent any commingling thereof; (y) ensure that portable devices that Process Personal Data, such as laptops, tablet computers, iPads, personal digital assistants, cellular phones, smart phones, iPods, e-readers, USB devices/external drives, CDs, diskettes, wearable or wearaputic devices, and other similar portable devices are configured to make use of industry standard encryption and, if applicable, mobile device management technology that fully protects these devices’ storage, installation, privilege assignment and transmission capabilities from unauthorized access at a level which meets regulatory compliance requirements, as they may be updated from time to time and otherwise use industry standard encryption technologies for transmitting and storing all Personal Data; and (z) store and otherwise Process all Personal Data solely from the United States and such other designated locations indicated as approved Processing locations in the Agreement.
7.2.2 take reasonable steps to ensure the reliability of all Supplier employees, personnel and Subcontractors who will be provided with access to Personal Data;
7.2.3 ensure that its information security program includes industry standard password, firewall, operating system, and anti-virus and malware protections to protect Personal Data stored or otherwise handled on computer systems;
7.2.4 encrypt, using industry standard encryption tools, all records and files (A) containing Personal Data that Supplier transmits or sends wirelessly or across public networks; and (B) containing Sensitive Personal Data that Supplier: (x) stores on laptops or storage media; (y) stores on portable devices; and (z) stores on any device that is transported outside of the physical or logical controls of Supplier. Supplier will safeguard the security, confidentiality, and integrity of all encryption keys associated with encrypted Personal Data. “Sensitive Personal Data” is Personal Data, which due to its nature has been classified by applicable Privacy Laws as deserving additional privacy and security protections, including (without limitation): (i) an individual’s name in combination with the individual’s: (A) Social Security number, Taxpayer Identification Number, information contained in a passport or other travel document, driver’s license number, or other identification number issued by a government or public body; or (B) financial account number; (ii) an individual’s username in combination with password, PIN, or access code that would grant access to an online account; (iii) Cardholder Data; (iv) racial or ethnic origin; (v) political opinions, religious or philosophical beliefs, or trade union membership; (vi) genetic data; (vii) biometric data; (viii) health data; and (ix) data concerning a natural person's sex life or sexual orientation;
7.2.5 maintain an incident response program that specifies the actions to be taken by Supplier when it has reason to believe that a Personal Data Breach may have or has occurred;
7.2.6 where Supplier Processes Cardholder Data in connection with the Services, comply with the PCI Standards with respect to Cardholder Data. Consistent with Supplier’s obligations as set forth in the Agreement, Supplier hereby acknowledges its responsibility for the protection and security of Cardholder Data in connection with the performance of the Services. Supplier further represents and warrants that it will not take any actions that will compromise Company’s ability to comply with the PCI Standards.
7.2.7 where Supplier, directly, or through any of its affiliates or Subcontractors, connects to Company’s computing systems and/or networks, ensure that: (i) all Supplier interconnectivity to Company’s computing systems and/or networks and all attempts at same will be only through Company’s security gateways/firewalls; (ii) Supplier will not access, and will not permit any other person or entity to access, Company’s computing systems and/or networks without Company’s authorization, and any such actual or attempted access will be consistent with any such authorization; and (iii) Supplier’s systems connecting to Company’s systems or networks, and those Supplier systems which, if compromised, could affect the security, confidentiality, integrity, or availability of Company's computing systems or networks, will be actively protected by an industry standard malware detection/scanning program with up-to-date anti-virus definitions, prior to and while accessing any of Company’s computing systems and/or networks. Supplier agrees that Company may perform periodic network assessments, and should any such assessment reveal inadequate security by Supplier or its affiliates, or Subcontractors, Company, in addition to other remedies it may have, may suspend access to Company’s computing systems and/or networks until such security issue has been resolved.
7.3 Supplier agrees that: (i) its employees and agents will be required, as a condition of employment or retention, to protect all Personal Data in Supplier’s possession or otherwise acquired by or accessible to Supplier; (ii) its employees and agents who will be provided access to, or otherwise come into contact with, Personal Data, will receive appropriate training relating to the protection of Personal Data; (iii) it will maintain appropriate access controls, including, but not limited to, limiting access to Personal Data to the minimum number of Supplier employees and agents who require such access for purposes of providing goods and/or services to Company; and (iv) it will impose appropriate disciplinary measures for violations of its information security policies and procedures.
7.4 Supplier shall, as further specified in its WISP, conduct periodic risk assessments to identify and assess reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of electronic, paper, and other records containing Personal Data and evaluate and improve, where necessary, the effectiveness of its safeguards for limiting those internal and external risks. Supplier shall conduct such reviews and, as appropriate, revise its WISP: (i) at least annually or whenever there is a material change in Supplier’s business practices that may reasonably affect the security, confidentiality, or integrity of Personal Data; (ii) in accordance with prevailing industry practices; (iii) in accordance with any new, amended, or re-interpreted Privacy Laws, and (iv) as reasonably requested by Company. Supplier agrees not to alter or modify its WISP or its security safeguards in such a way that will weaken or compromise the security, confidentiality, or integrity of Personal Data.
Material Revisions to Data Processing Terms:
C2P Model Clauses
STANDARD CONTRACTUAL CLAUSES (PROCESSORS)
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection
The Data Exporter and Data Importer (as listed in Annex 3 hereto), and
HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
For the purposes of the Clauses:
personal data, special categories of data, process/processing, controller, processor, data subject and supervisory authority shall have the same meaning as in GDPR;
the data exporter means the controller who transfers the personal data;
the data importer means the processor who agrees to receive from the data exporter personal data intended for processing on its behalf after the transfer in accordance with its instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of applicable Data Protection Law;
the sub-processor means any processor engaged by the data importer or by any other sub-processor of the data importer who agrees to receive from the data importer or from any other sub-processor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with its instructions, the terms of the Clauses and the terms of the written subcontract;
the applicable data protection law means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
technical and organisational security measures means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
DETAILS OF THE TRANSFER
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1, which forms an integral part of the Clauses.
THIRD-PARTY BENEFICIARY CLAUSE
The data subject can enforce against the data exporter this clause 3, clause 4(b) to clause 4(i), clause 5(a) to clause 5(e) and clause 5(g) to clause 5(j), clause 6.1 and clause 6.2, clause 7, clause 8.2 and clause 9 to clause 12 as third-party beneficiary.
The data subject can enforce against the data importer this clause 3.2, clause 5(a) to clause 5(e) and clause 5(g), clause 6, clause 7, clause 8.2 and clause 9 to clause 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
The data subject can enforce against the sub-processor this clause 3.3, clause 5(a) to clause 5(e) and clause 5(g), clause 6, clause 7, clause 8.2, and clause 9 to clause 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.
The Parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
OBLIGATIONS OF THE DATA EXPORTER
The data exporter agrees and warrants:
that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
that it has instructed and throughout the duration of the personal data-processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;
that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;
that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
that it will ensure compliance with the security measures;
that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection;
to forward any notification received from the data importer or any sub-processor pursuant to clause 5(b) and clause 8.3 to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2 and a summary description of the security measures, as well as a copy of any contract for sub-processing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
that, in the event of sub-processing, the processing activity is carried out in accordance with clause 11 by a sub-processor providing at least the same level of protection for the personal data and the rights of data subjects as the data importer under the Clauses; and
that it will ensure compliance with clause 4(a) to clause 4(i).
OBLIGATIONS OF THE DATA IMPORTER
The data importer agrees and warrants:
to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;
that it will promptly notify the data exporter about:
any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;
any accidental or unauthorised access; and
any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;
to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
to make available to the data subject upon request a copy of the Clauses, or any existing contract for sub-processing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
that, in the event of sub-processing, it has previously informed the data exporter and obtained its prior written consent;
that the processing services by the sub-processor will be carried out in accordance with clause 11; and
to send promptly a copy of any sub-processor agreement it concludes under the Clauses to the data exporter.
The Parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in clause 3 or in clause 11 by any Party or sub-processor is entitled to receive compensation from the data exporter for the damage suffered.
If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or its sub-processor of any of their obligations referred to in clause 3 or in clause 11 because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity.
The data importer may not rely on a breach by a sub-processor of its obligations in order to avoid its own liabilities.
If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the sub-processor of any of their obligations referred to in clause 3 or in clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the sub-processor agrees that the data subject may issue a claim against the data sub-processor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the sub-processor shall be limited to its own processing operations under the Clauses.
MEDIATION AND JURISDICTION
The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
to refer the dispute to the courts in the Member State in which the data exporter is established.
The Parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
COOPERATION WITH SUPERVISORY AUTHORITIES
The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
The Parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any sub-processor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any sub-processor preventing the conduct of an audit of the data importer, or any sub-processor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in clause 5(b).
The Clauses shall be governed by the law of the Member State in which the data exporter is established.
VARIATION OF THE CONTRACT
The Parties undertake not to vary or modify the Clauses. This does not preclude the Parties from adding clauses on business related issues where required as long as they do not contradict the Clauses.
The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the sub-processor which imposes the same obligations on the sub-processor as are imposed on the data importer under the Clauses. Where the sub-processor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the sub-processor’s obligations under such agreement.
The prior written contract between the data importer and the sub-processor shall also provide for a third-party beneficiary clause as laid down in clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.
The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
The data exporter shall keep a list of sub-processing agreements concluded under the Clauses and notified by the data importer pursuant to clause 5(j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.
OBLIGATION AFTER THE TERMINATION OF PERSONAL DATA PROCESSING SERVICES
The Parties agree that on the termination of the provision of data-processing services, the data importer and the sub-processor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
The data importer and the sub-processor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data-processing facilities for an audit of the measures referred to in paragraph 1.
On behalf of the data exporter:
Company Name | Incorporating Jurisdiction | Signature and official stamp, if applicable
United Rentals GmbH & Co. KG | Germany |
United Rentals BV | Netherlands |
United Rentals SAS | France |
United Rentals UK Limited | United Kingdom |
On behalf of the data importer:
Name (written out in full): …
Other information necessary in order for the contract to be binding (if any):
Appendix 1 to the Standard Contractual Clauses
This Appendix forms part of the Clauses and must be completed and signed by the parties
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix
The data exporter is (please specify briefly your activities relevant to the transfer):
The data exporter is the legal entity or entities specified below that transfer personal data to the data importer for processing in accordance with the Agreement and otherwise pursuant to the data exporter’s instructions.
The data importer is (please specify briefly activities relevant to the transfer):
The data importer is a provider of the Services (described in the Agreement) which processes personal data upon the instruction of the data exporter in accordance with the Agreement.
The personal data transferred concern the following categories of data subjects (please specify):
The processing may involve personal data of employees of data exporter, customers of data exporter, and business contact information of data exporter’s customers, suppliers and other business partners, as further described in the Agreement.
Categories of data
The personal data transferred concern the following categories of data (please specify):
Personal data may include, where applicable and necessary to the Services provided:
Business contact data (e.g., name, title, address and contact information)
Employee data where applicable to the Services (e.g., name, address, salary and benefits, SSN or national ID, performance data, employment record, health information)
Customer data (e.g., name, title, address, payment and account details, transaction details, customer service)
Special categories of data (if appropriate)
The personal data transferred concern the following special categories of data (please specify):
The personal data transferred will be subject to the following basic processing activities (please specify):
The objective of processing of personal data by data importer is the performance of the Services pursuant to the Agreement.
On behalf of the data exporter:
Company Name | Incorporating Jurisdiction | Signature and official stamp, if applicable
United Rentals GmbH & Co. KG | Germany |
United Rentals BV | Netherlands |
United Rentals SAS | France |
United Rentals UK Limited | United Kingdom |
Authorised Signature …
Appendix 2 to the Standard Contractual Clauses
This Appendix forms part of the Clauses and must be completed and signed by the parties.
Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):
Data importer will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Personal Data, as further described in the Security Requirements (as defined pursuant to the Agreement and the Data Processing Terms that reference and incorporate these Standard Contractual Clauses).