Terms Related to Data Processing under Data Privacy Laws

This U.S. Data Privacy Schedule (this “Schedule”) sets forth obligations pursuant to the California Consumer Privacy Act of 2018 (codified at Cal. Civ. Code § 1798.100 et seq.), as amended, and all regulations and judicial opinions issued related thereto (the “CCPA”) and any United States laws, rules, regulations, decrees, orders or other mandates applicable to the Processing of Personal Information (each as defined below), including the CCPA and others, solely as may be applicable to the Personal Information provided by Client (as defined in the Agreement) under the Agreement (collectively, “Data Privacy Laws”).

To the extent The Berwyn Group, Inc. (“Berwyn”) is operating as a “service provider,” “contractor,” or “processor” to Client as those terms are defined in applicable Data Privacy Laws (in which case, Berwyn is a “Service Provider”), then the terms and conditions set forth in this Schedule shall be incorporated into the agreement(s) between Berwyn and Client (the “Agreement”). The Agreement specifies the business purpose(s) for which Berwyn receives Personal Information from Client or collects Personal Information on behalf of Client and in connection with which Berwyn Processes Personal Information on Client’s behalf (the “Services”).  For purposes of this Schedule, “Process” means any processing or other access to or operation or set of operations performed on Personal Information, whether by manual or automated means, and “Process,” “Processes,” “Processing,” and “Processed” shall have corresponding meanings. “Personal Information” means “personal information” or “personal data” as those terms are defined in the Data Privacy Laws, as applicable.

1. 1. Certification of Compliance. Client and Berwyn agree to comply in all material respects with applicable Data Privacy Laws.
   2. Exemptions. Client and Berwyn acknowledge that the Data Privacy Laws contain potentially applicable exemptions for certain activities and/or data subject to regulation under U.S. federal laws, including the Fair Credit Reporting Act (FCRA), the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and the Driver’s Privacy Protection Act (DPPA). Additionally, Client and Berwyn acknowledge that the Data Privacy Laws may exempt certain data from their definition of Personal Information including publicly available data, consumer data that is deidentified, aggregate consumer data, or data that would not be considered Personal Information based on the manner in which it is collected or maintained. For example, under the CCPA, Personal Information does not include (a) lawfully obtained, truthful information that is a matter of public concern; (b) publicly available information, which is lawfully made available from federal, state and local government records; or (c) information that a business has a reasonable basis to believe is lawfully made available to the general public by the consumer or from widely distributed media. Client and Berwyn acknowledge that to the extent Berwyn Processes or may Process data that is exempted from regulation, the Data Privacy Laws do not apply with respect to such Processing.
   3. Service Provider Restrictions. When acting as a Service Provider, Berwyn is prohibited from retaining, using, or disclosing Personal Information provided by Client for any purpose other than those specified in the Agreement, as otherwise instructed by Client, or as permitted by law. Except to the extent permitted by Data Privacy Laws or as necessary to perform the Services under the Agreement, Berwyn is further restricted from combining Personal Information that it receives from Client with Personal Information that it collects from other businesses or from its own interaction with consumers. Berwyn will not “sell” or “share” Personal Information that it receives from Client, as those terms are defined under the Data Privacy Laws. Notwithstanding the foregoing, Berwyn may use and retain Personal Information it receives from Client for any legal purpose outlined in the Data Privacy Laws or other applicable laws, including, without limitation, for its internal use to build or improve the quality of Services, identify and repair technical errors that impair existing or intended functionality, perform internal operations that are reasonably aligned with the expectations of the applicable consumer or reasonably anticipated based on such consumer’s existing relationship with Client, or are otherwise compatible with Processing data in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party. Berwyn does not use Personal Information provided by Client to perform services on behalf of other businesses except with Client’s consent or at Client’s direction.
   4. Use of Subcontractors. If Berwyn retains a subcontractor to Process Personal Information on behalf of Client, Berwyn will require the subcontractor to comply with applicable Data Privacy Laws and an equivalent level of privacy protections as those set forth in this Schedule, as applicable.
   5. Consumer Requests. If and to the extent Berwyn possesses Personal Information from Client, Berwyn will reasonably cooperate with and assist Client in meeting Client’s obligations under the Data Privacy Laws by providing copies of or access to Personal Information in Berwyn’s possession necessary for Client to respond to consumers’ requests. When Client has received a verifiable consumer request to delete a consumer’s Personal Information and has directed Berwyn to do the same in its capacity as a Service Provider, Berwyn will delete that Personal Information, unless retention of the Personal Information is required by law or otherwise legally permitted. Berwyn shall notify Client within a reasonable amount of time if Berwyn receives a consumer request under a Data Privacy Law related to an individual’s Personal Information (where Berwyn is able to verify such Personal Information is associated with Client). For clarity, Berwyn’s systems are not systems of record for Client data. Client is responsible for its own compliance obligations related to consumer requests in accordance with Data Privacy Laws. Berwyn is entitled to rely upon and act in accordance with any instructions, guidelines, or information provided to Berwyn by Client related to the consumer requests and will incur no liability to Client in doing so.
   6. Miscellaneous. Terms used but not defined herein shall have the meaning set forth in the Agreement or in the applicable Data Privacy Laws. Nothing in this Schedule limits or restricts Client’s or Berwyn’s rights and obligations under the Agreement in relation to the protection of Personal Information or permits the processing of Personal Information in a manner which is prohibited by the Agreement. Client acknowledges that the terms of this Schedule, in the event of a conflict with the terms of the Agreement, apply in addition to, and not in lieu of, the Agreement, with respect to the Processing of Personal Information provided by Client.

Last Updated: 10/7/2024