Data Protection and Privacy
A. To the extent the Services involve the processing of personally identifiable information on behalf of Herbalife (“Personal Information”), VENDOR NAME agrees at all times:
(i) To process Personal Information solely in accordance with Herbalife’s instructions as set forth herein and as communicated in writing from time to time, and to respond promptly to all enquiries by Herbalife regarding the processing of the Personal Information;
(ii) To process Personal Information solely for purposes of providing the Services except where such further processing is required by any applicable law, regulation, or governmental authority;
(iii) Where required, to maintain a record of processing activities containing the information specified in Article 30 of the General Data Protection Regulation (EU) 2016/679 of 27 April 2016;
(iv) Not to disclose or transfer Personal Information to any third party, including subcontractors, without Herbalife’s prior written permission except where such disclosure or transfer is required by any applicable law, regulation, or governmental authority in which case VENDOR NAME will, wherever possible, promptly notify Herbalife in writing prior to complying with any such request for disclosure and shall comply with Herbalife’s reasonable directions with respect to such disclosure or transfer;
(v) Where processing credit card data, to process such data in a manner fully compliant with the applicable rules and regulations of the payment card clearing networks and the requirements of the Payment Card Industry Data Security Standard (PCI-DSS), as updated or amended, or its successor;
(vi) Not to transfer Personal Information to any other country outside the country in which the data originated without Herbalife’s prior written permission, provided however that data transfers between European Economic Area (“EEA”) countries shall not require Herbalife’s permission;
(vii) To provide assistance to Herbalife as reasonably required to ensure that Personal Information is accurate and, where necessary, kept up to date and to use best efforts to ensure that Personal Information that is inaccurate or incomplete is erased or rectified;
(viii) To ensure that Herbalife is promptly notified of any communication received from any individual relating to that individual’s rights to access, modify or correct the Personal Information and to comply with all Herbalife’s reasonable instructions in responding to such communications;
(ix) To ensure that technical and organizational measures are adopted to protect Personal Information against accidental or unlawful destruction or accidental loss or damage, alteration, unauthorized disclosure or access and against all other unauthorized or unlawful forms of processing or required by any applicable data protection law; and provide a description of such technical and organizational measures at Herbalife’s request; and maintain the confidentiality of such technical and organizational measures;
(x) To inform Herbalife in writing within 24 hours of discovery of any suspected accidental or unlawful destruction or accidental loss or damage, alteration, unauthorized disclosure or access to the Personal Information (“Security Incident”) by contacting us at email@example.com;
(xi) To train staff responsible for processing the Personal Information regarding the obligations set forth in this Agreement and to discipline such staff for failing to comply with those obligations.
B. VENDOR NAME agrees that Herbalife may inspect, with reasonable notice, its processing of Personal Information, and that VENDOR NAME will furnish Herbalife with all materials necessary for Herbalife to confirm that VENDOR NAME has complied with the obligations set forth in this Agreement. Herbalife reserves the right to audit VENDOR NAME. At Herbalife’s request, VENDOR NAME shall cooperate with any requests for inspection from a supervisory authority with respect to Personal Information processed by VENDOR NAME pursuant to this Agreement.
C. VENDOR NAME represents and warrants that nothing in any applicable data protection legislation (or any other applicable laws or regulations) prevents it from fulfilling its obligations under this Agreement and undertakes and agrees that, in the event of a change in any such laws that is likely to have a material adverse effect on VENDOR NAME’s compliance with this Agreement or in the event VENDOR NAME otherwise cannot comply with this Agreement for whatever reason(s), VENDOR NAME shall notify Herbalife within fifteen (15) days.
D. In the event of the termination of this Agreement in part or in whole, VENDOR NAME shall, within fifteen (15) days of Herbalife’s request, send Herbalife all Personal Information held by VENDOR NAME on behalf of Herbalife, together with all copies in any media of such data or destroy the same, unless VENDOR NAME is required, by any applicable law, regulation or governmental authority, to retain such data or a part thereof. In the event Herbalife requests Personal Information to be destroyed, VENDOR NAME agrees to take reasonable measures to ensure no data is recoverable to the maximum extent feasible and shall provide Herbalife with a certificate of destruction.
E. VENDOR NAME represents and warrants that it will comply with applicable privacy and data protection legislation in its collection, use and processing of Personal Information in performance of the Services hereunder.
F. In the event of a Security Incident, at Herbalife’s request and pursuant to Herbalife’s instructions, VENDOR NAME shall assist with and/or perform all remediation efforts that are required by applicable law or by any governmental authority in similar circumstances, regardless of whether applicable law explicitly imposes such remediation obligations on VENDOR NAME or Herbalife or both. Such remediation efforts may include, without limitation, investigation and resolution of the causes and impacts of the Security Breach; development and delivery of notices to affected individuals; provision of free credit reports, credit monitoring and repair, and identity restoration products for affected individuals; and/or such other measures that Company determines are reasonable and commensurate with the nature and level of severity of the Security Incident (collectively, “Remediation Measures”). VENDOR NAME shall be solely responsible for the costs and expenses of all Remediation Measures, whether undertaken by VENDOR NAME or Company. Notwithstanding anything to the contrary contained in this Agreement, there shall be no limitation of liability applicable to the above referenced Remediation Measures.
G. Notwithstanding anything to the contrary contained in this Agreement, VENDOR NAME agrees to indemnify, defend and hold harmless Herbalife, its affiliates and their respective agents, officers and employees from and against any and all demands, losses, costs, expenses, obligations, liabilities, damages, recoveries and deficiencies, including interest, penalties, reasonable attorneys’ fees, cost of investigation and legal or other expenses or costs arising out of or relating to a Security Incident or breach of this [“Data Protection and Privacy Section ##”] by VENDOR NAME, its officers, agents, servants, employees, designees, assignees or permittees. Notwithstanding anything to the contrary contained in this Agreement, there shall be no limitation of liability applicable to the above referenced indemnity obligation.
H. Herbalife shall have the right to terminate this Agreement immediately in the event of a material breach of this [“Data Protection and Privacy Section ##”].