Privacy and Personal Information Protection

Under this Schedule and applicable laws regulating the Processing of Personal Information (“Applicable Privacy Laws”), Customer is the data controller and GSS is the data processor.

Customer and GSS warrant that they will comply with all obligations under Applicable Privacy Laws in connection with the Processing of Personal Information that is collected by or disclosed to it under the MSA.

1.              DEFINITIONS

The terms “Personal Information”, “Process” and “Processing” have the meaning under Applicable Privacy Laws, and “Customer Personal Information” means Personal Information disclosed to GSS by Customer, including all Personal Information about or concerning users and stakeholders with which Customer engages through its usage of the Online Service.

Unless otherwise specifically provided, all terms with a capital letter have the same meaning than under the MSA. If a term is not defined, it will have the meaning given under Applicable Privacy Laws.

·       Subject matter and Purpose of the processing: Stakeholder engagement and grievances management in connection with Customer’s operations or development projects.

·       Duration of the processing: During the Subscription Term.

·       Type of Personal Information processed: Personal coordinates (name, physical and email addresses, phone number, etc.) of data subjects.

·       Categories of data subject: third party stakeholders.

2.              DATA PROCESSING OBLIGATIONS

GSS agrees that, in relation to Customer Personal Information, it must (a) only Process it for the purposes of providing the functionality of the Online Service to Customer; (b) not disclose Customer Personal Information to any other person without Customer’s prior written consent, unless the disclosure is required by applicable law (and GSS immediately notifies Customer, unless such notification is prohibited by that law); (c) take appropriate action to ensure any GSS personnel who Process Customer Personal Information understand and comply with the GSS’ privacy and confidentiality obligations under the MSA and this Schedule; (d) upon request, provide all reasonable assistance to Customer to facilitate the exercise of rights of Data Subjects; (e) provide information reasonably required by Customer to meet its obligations under Applicable Privacy Laws and to demonstrate compliance with this Schedule; and (f) promptly notify Customer as soon as it has received a complaint from any individual regarding the way his or her Personal Information has been processed and cooperate when Customer is investigating any claim related to individual complaints.

3.              PERSONAL INFORMATION TRANSFERS

GSS must not transfer Customer Personal Information outside of the country where it is hosted as of the Effective Date, unless approved in writing by Customer.

4.              INFORMATION SECURITY AND BREACH NOTIFICATION

4.1.         GSS has put into place and agrees to maintain during the Subscription Term appropriate, technical and organizational measures to secure Customer Personal Information, having regard to the risk of accidental or unauthorized access, loss, destruction, misuse, modification, disclosure or damage to Personal Information.

4.2.         If GSS has knowledge of any (i) accidental loss or destruction of, or unauthorized disclosure of or access to Customer Personal Information; or (ii) data security breach on any of the systems used in the provision of the Online Service, GSS must (A) expeditiously report such incident to Customer; (B) mitigate, to the extent practicable, any harmful effect of such disclosure or access that is known to GSS or its subcontractors; (C) cooperate with Customer in providing any notices to affected individuals regarding the incident, as directed by Customer; and (D) cooperate with any investigation into the incident that is subsequently undertaken by any data privacy authority, in consultation with Customer.

5.              COMPLIANCE

GSS will provide Customer (and its auditors and other advisers) with all reasonable co-operation and assistance in relation to any compliance request pursuant to this Schedule, including as a result of a request by any regulatory body.

6.              SUB-CONTRACTORS

In the event GSS wishes to delegate the Processing of Customer Data to a sub-contractor or change a previously appointed sub-contractor, GSS will provide a notice of such appointment or change in appointment to Customer. All sub-contractors retained by GSS and having access to unencrypted Customer Personal Information will be retained pursuant to written agreements providing terms and obligations equivalent to that of this Schedule and the relevant portions of the MSA.