Terms Related to Data Processing under Data Privacy Laws

This U.S. Data Privacy Schedule (this “Schedule”) sets forth obligations pursuant to the California Consumer Privacy Act of 2018 (codified at Cal. Civ. Code § 1798.100 et seq.), as amended, and all regulations and judicial opinions issued related thereto (the “CCPA”) and any United States laws, rules, regulations, decrees, orders or other mandates applicable to the Processing of Personal Information (each as defined below), including the CCPA and others, solely as may be applicable to the Personal Information provided by Client (as defined in the Agreement) under the Agreement (collectively, “Data Privacy Laws”).

To the extent Pension Benefit Information, LLC (“PBI”) is operating as a “service provider,” “contractor,” or “processor” to Client as those terms are defined in applicable Data Privacy Laws (in which case, PBI is a “Service Provider”), then the terms and conditions set forth in this Schedule shall be incorporated into the agreement(s) between PBI and Client (the “Agreement”). The Agreement specifies the business purpose(s) for which PBI receives Personal Information from Client or collects Personal Information on behalf of Client and in connection with which PBI Processes Personal Information on Client’s behalf (the “Services”). For purposes of this Schedule, “Process” means any processing or other access to or operation or set of operations performed on Personal Information, whether by manual or automated means, and “Process,” “Processes,” “Processing,” and “Processed” shall have corresponding meanings. “Personal Information” means “personal information” or “personal data” as those terms are defined in the Data Privacy Laws, as applicable.

  1. Certification of Compliance. Client and PBI agree to comply in all material respects with applicable Data Privacy Laws.
  2. Exemptions. Client and PBI acknowledge that the Data Privacy Laws contain potentially applicable exemptions for certain activities and/or data subject to regulation under U.S. federal laws, including the Fair Credit Reporting Act (FCRA), the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and the Driver’s Privacy Protection Act (DPPA). Additionally, Client and PBI acknowledge that the Data Privacy Laws may exempt certain data from their definition of Personal Information including publicly available data, consumer data that is deidentified, aggregate consumer data, or data that would not be considered Personal Information based on the manner in which it is collected or maintained. For example, under the CCPA, Personal Information does not include (a) lawfully obtained, truthful information that is a matter of public concern; (b) publicly available information, which is lawfully made available from federal, state and local government records; or (c) information that a business has a reasonable basis to believe is lawfully made available to the general public by the consumer or from widely distributed media. Client and PBI acknowledge that to the extent PBI Processes or may Process data that is exempted from regulation, the Data Privacy Laws do not apply with respect to such Processing.
  3. Service Provider Restrictions. When acting as a Service Provider, PBI is prohibited from retaining, using, or disclosing Personal Information provided by Client for any purpose other than those specified in the Agreement, as otherwise instructed by Client, or as permitted by law. Except to the extent permitted by Data Privacy Laws or as necessary to perform the Services under the Agreement, PBI is further restricted from combining Personal Information that it receives from Client with Personal Information that it collects from other businesses or from its own interaction with consumers. PBI will not “sell” or “share” Personal Information that it receives from Client, as those terms are defined under the Data Privacy Laws. Notwithstanding the foregoing, PBI may use and retain Personal Information it receives from Client for any legal purpose outlined in the Data Privacy Laws or other applicable laws, including, without limitation, for its internal use to build or improve the quality of Services, identify and repair technical errors that impair existing or intended functionality, perform internal operations that are reasonably aligned with the expectations of the applicable consumer or reasonably anticipated based on such consumer’s existing relationship with Client, or are otherwise compatible with Processing data in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party. PBI does not use Personal Information provided by Client to perform services on behalf of other businesses except with Client’s consent or at Client’s direction.
  4. Use of Subcontractors. If PBI retains a subcontractor to Process Personal Information on behalf of Client, PBI will require the subcontractor to comply with applicable Data Privacy Laws and an equivalent level of privacy protections as those set forth in this Schedule, as applicable.
  5. Consumer Requests. If and to the extent PBI possesses Personal Information from Client, PBI will reasonably cooperate with and assist Client in meeting Client’s obligations under the Data Privacy Laws by providing copies of or access to Personal Information in PBI’s possession necessary for Client to respond to consumers’ requests. When Client has received a verifiable consumer request to delete a consumer’s Personal Information and has directed PBI to do the same in its capacity as a Service Provider, PBI will delete that Personal Information, unless retention of the Personal Information is required by law or otherwise legally permitted. PBI shall notify Client within a reasonable amount of time if PBI receives a consumer request under a Data Privacy Law related to an individual’s Personal Information (where PBI is able to verify such Personal Information is associated with Client). For clarity, PBI’s systems are not systems of record for Client data. Client is responsible for its own compliance obligations related to consumer requests in accordance with Data Privacy Laws. PBI is entitled to rely upon and act in accordance with any instructions, guidelines, or information provided to PBI by Client related to the consumer requests and will incur no liability to Client in doing so.
  6. Miscellaneous. Terms used but not defined herein shall have the meaning set forth in the Agreement or in the applicable Data Privacy Laws. Nothing in this Schedule limits or restricts Client’s or PBI’s rights and obligations under the Agreement in relation to the protection of Personal Information or permits the processing of Personal Information in a manner which is prohibited by the Agreement. Client acknowledges that the terms of this Schedule, in the event of a conflict with the terms of the Agreement, apply in addition to, and not in lieu of, the Agreement, with respect to the Processing of Personal Information provided by Client.

Last Updated: 9/18/2024