Vendor Data Privacy Agreement

The terms of this DPA form part of the contract between the Vendor and Element for the provision of the Services (the “Vendor Agreement”) and shall apply to Vendor when Processing Personal Data subject to Applicable Privacy Laws, as such terms are defined in this DPA, in the course of performing the Services. In the event of a conflict between this DPA and any other agreement between Element and Vendor (including the Vendor Agreement), this DPA shall control. If an Element-related party transfers Personal Data directly to Vendor, each such Element-related party enters into this DPA automatically with Vendor and the Vendor will act as the “processor” or "service provider” of such data.

The parties agree as follows:

1. Definitions.

1.1 “Applicable Privacy Laws” means to the extent applicable to the Vendor and/or Element (i) the Irish Data Protection Acts 1988 to 2018, (ii) the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”), (iii) the EU’s ePrivacy Directive 2002/58/EC (as amended) (the “ePrivacy Directive”), (iv) any relevant transposition of, or successor or replacement to, those laws (including, when it comes into force, the successor to the ePrivacy Directive), (v) the UK Data Protection Laws, (vi) all applicable federal, state or provincial data protection and data privacy laws and regulations of the United States and/or Canada, and (vii) all other laws, regulations and codes of conduct in any relevant jurisdiction applicable to the Processing of Personal Data, as they may be amended or replaced from time to time, including laws and regulations that are enacted or become effective after the effective date of this DPA including the guidance and codes of practice issued by a relevant data protection regulator, including the Irish Data Protection Commission, the European Data Protection Board and any equivalent regulatory authorities in Canada and/or the United States.

1.2 “Authority” means any government authority, agency, body or department, whether federal, provincial, territorial or municipal, having or claiming jurisdiction over the Agreement and “Authorities” means all such authorities, agencies, bodies and departments.

1.3 "Controller to Processor SCCs" means Module 2 of the EU Standard Contractual Clauses set out in the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as amended or replaced from time to time by a competent authority under the Applicable Privacy Laws.

1.4 “EU Restricted Transfer” means, as appropriate, a transfer of Personal Data by: (i) Element to Vendor or any Subprocessor (or any onward transfer); or (ii) Vendor to any Subprocessor (or any onward transfer), in each case, where such transfer would be prohibited by the GDPR (including any relevant transposition of, or successor or replacement to, the GDPR, and including guidance and codes of practice issued by the Irish Data Protection Commission and/or the European Data Protection Board) in the absence of the protection for the transferred Personal Data provided by the EU Standard Contractual Clauses.

1.5 "EU Standard Contractual Clauses" means the standard contractual clauses set out in the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as amended or replaced from time to time by a competent authority under the Applicable Privacy Laws.

1.6 “Personal Data” means any information Processed by Vendor from or on behalf of Element that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household or that otherwise falls within the meaning of personal data under Applicable Privacy Laws. Personal Data includes the Personal Data of Element’s clients and its drivers.

1.7 “Personal Data Breach” means any (i) loss, alteration, destruction, theft, unauthorized or unlawful access or modification to or use of, or unauthorized or unlawful disclosure of any Personal Data under the custody or control of Vendor, an affiliate, subcontractor or Subprocessor; or (ii) actual or suspected breach of security on or at Vendor, an affiliate’s, subcontractor’s or Subprocessor’s facilities relating to the Services or Personal Data.

1.8 “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, destruction or otherwise making available. The terms “Process,” “Processes,” and “Processed” shall have the same meaning.

1.9 "Processor to Processor SCCs" means Module 3 of the EU Standard Contractual Clauses set out in the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as amended or replaced from time to time by a competent authority under the Applicable Privacy Laws.

1.10 “Subprocessor” means, as appropriate: (i) any entity engaged by Vendor to Process Personal Data; and/or (ii) the Vendor in circumstances where Element acts as processor such as when Processing Personal Data to provide the services to Element’s clients and customers.

1.11 "UK Data Protection Laws" means the GDPR as transposed into United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 ("UK GDPR"), together with the Data Protection Act 2018, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended) and other data protection or privacy legislation in force from time to time in the United Kingdom.

1.12 “UK IDTA" means the EU Standard Contractual Clauses as amended by the International Data Transfer Addendum, to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under section 119A(1) Data Protection Act 2018 as amended or replaced from time to time, pursuant to Article 46 of the UK GDPR.

1.13 "UK Restricted Transfer” means, as appropriate, a transfer of Personal Data by: (i) Element to Vendor or any Subprocessor (or any onward transfer); or (ii) Vendor to any Subprocessor (or any onward transfer), in each case, where such transfer would be prohibited by UK Data Protection Laws in the absence of the protection for the transferred Personal Data provided by the UK Standard Contractual Clauses or any other mechanism permitted under UK Data Protection Laws.

2. Roles of the Parties.

2.1 The parties agree that with respect to Personal Data, Element is the “controller”, “enterprise”, “organisation” or an analogous term as defined by Applicable Privacy Laws, and Vendor is the “processor” or an analogous term as defined by Applicable Privacy Laws, except that where Element acts as the “processor” or “service provider” as such terms are defined by Applicable Privacy Laws, such as when Processing Personal Data to provide the Services to Element’s clients and customers, then Vendor will be a Subprocessor. This DPA applies when Vendor Processes Personal Data as a “processor,” or Subprocessor.

3. Scope of Processing.

3.1 The nature, purpose and subject matter of the Processing are to provide the Services as set forth in Annex A to this DPA, and the duration of the Processing will be for the duration necessary to perform the Services. The types of Personal Data and the categories of data subject that may be subject to the Processing are set forth in Annex A to this DPA.

4. Compliance.

4.1 Element and Vendor will each comply with Applicable Privacy Laws and will each take steps to protect Personal Data as required by Applicable Privacy Laws. This will include, at a minimum, Vendor (i) ensuring that each person Processing Personal Data is subject to a duty of confidentiality (or are under an appropriate statutory obligation of confidentiality) with respect to such Personal Data and such persons require such information on a “need to know basis” to perform the Services and their obligations under this Agreement; (ii) ensuring that all Personal Data collected, received, handled or Processed by it under this Agreement, irrespective of the format in which it is contained, is protected in accordance with the requirements of Applicable Privacy Law (including Article 32 GDPR as applicable) against loss or theft, as well as unauthorized access, disclosure, copying, use or modification by adequate security safeguards appropriate to its sensitivity, amount, distribution, format and method of storage comprised of organizational, physical, and technological safeguards to protect the security, confidentiality, and integrity of Personal Data, and (iii) fully cooperating with, and assisting in, any investigation by Element or any Authority, following the approval and direction of Element, of a complaint that any such Personal Data has been collected, used or disclosed by Vendor, an affiliate, subcontractor or a Subprocessor contrary to this Agreement or to the Applicable Privacy Laws. Upon reasonable written request, Vendor will make available to Element information necessary (i) to demonstrate the Vendor’s compliance with Applicable Privacy Laws and this DPA; or (ii) for Element to conduct any data protection impact assessments. Vendor shall maintain at all times during this Agreement appropriate disaster recovery and back-up plans and ensure adequate procedures are in place with respect to the Personal Data in its possession. Vendor agrees that from time to time, it will review its procedures and those of its affiliates and Subprocessors providing Services hereunder with respect to security safeguards through risk assessments, benchmarking or other means, to determine whether they are still consistent with Applicable Privacy Laws, appropriate to the risks, and consistent with best practices, and if not, agrees to revise the same as required to achieve such compliance.

5. Personal Data Processing.

5.1 Element provides or makes available Personal Data to Vendor for the limited purposes of providing the Services to Element and/or Element’s clients and customers as set forth in the DPA. At all times, Vendor will Process Personal Data solely to provide the Services and in accordance with the lawful documented or written instructions provided by Element, including those provided in the DPA, except where otherwise required by law. Vendor shall ensure that it, and its related entities’ employees and those of any Subprocessor providing Services hereunder receiving or having access to such Personal Data are advised of the terms and conditions relating to Personal Data described in this DPA and require such persons to abide by such requirements in writing in a form reasonably acceptable to Element. For the avoidance of doubt, Vendor will not (i) collect, retain, use, or otherwise disclose Personal Data outside of the direct business relationship with Element; (ii) collect, retain, use, or otherwise disclose Personal Data for any purpose other than performing the Processing instructed by Element or as otherwise permitted by Applicable Privacy Laws; (iii) sell Personal Data or share Personal Data for targeted online advertising; or (iv) combine Personal Data with data received from another person or persons except as permitted for a service provider or processor under Applicable Privacy Laws.

6. Subprocessors.

6.1 Element acknowledges and agrees that Vendor may engage a Subprocessor or make changes in respect of an engaged Subprocessor so long as Vendor notifies Element at least thirty (30) business days in advance of such engagement or change and provides Element with the opportunity to object to the engagement or change in respect of the Subprocessor. Vendor shall also notify Element of any relocation of Personal Data outside of its original data residency as specified in Section 5. Vendor shall make available to Element a current list of Subprocessors that contains the name, purpose and location of Processing of each Subprocessor upon request and notify Element of any updates to such list as soon as feasible. If Element notifies Vendor in writing of any objections in respect of matters notified pursuant to this Section 5, Vendor shall use all reasonable endeavours to address the objections raised by Element and shall inform Element of the steps taken. If Element is not reasonably satisfied with such steps, Element may terminate this DPA and receive a prorated refund of any prepaid unused fees related to the Vendor Agreement.

6.2 Vendor agrees that its engagement of any Subprocessor shall be pursuant to a written contract that contains restrictions on Processing of Personal Data that are consistent with the terms of this DPA and, without limiting the foregoing, require the Subprocessor to meet the obligations of Vendor with respect to Processing of Personal Data herein. Vendor shall be liable to Element, its affiliates, their subcontractors and their clients for the acts and omissions of its Subprocessors to the same extent that Vendor would itself be liable under this DPA for its own acts or omissions.

6.3 Without prejudice to the foregoing requirements of this Section 5, if Vendor engages a Subprocessor for the performance of any of its obligations pursuant to this Agreement, Vendor shall: (i) if the engagement involves an EU Restricted Transfer: (a) ensure that the Processor to Processor SCCs are at all relevant times entered into between Vendor and the Subprocessor; and (b) ensure that it has carried out a risk assessment of the engagement that involves an EU Restricted Transfer prior to any such transfer and in compliance with Applicable Privacy Laws; (ii) if the engagement involves a UK Restricted Transfer: (a) ensure that the Processor to Processor SCCs, read in accordance with, and deemed amended by, the provisions of Part 4 (Mandatory Clauses) of the UK IDTA, are at all relevant times entered into between Vendor and the Subprocessor; and (b) ensure that it has carried out a risk assessment of the engagement that involves an UK Restricted Transfer prior to any such transfer and in compliance with UK Data Protection Laws.

6.4 Subprocessor shall solely Process Personal Data for the purposes of providing the Services.

7. Data Subject Requests.

7.1 Vendor will immediately notify Element in writing in the event Vendor receives a request from, or on behalf of, any individual to exercise such individual’s rights under Applicable Privacy Laws with respect to Personal Data (a “Data Subject Request”). If Vendor receives a Data Subject Request, Vendor will advise the Data Subject to submit Data Subject’s request to Element and Element will be responsible for responding to such request, including, where necessary, using the functionality of the Services. Vendor shall not communicate with such individuals without Element’s prior consent. Vendor will provide such information and assistance as may reasonably be required to allow Element to comply with its obligations under Applicable Privacy Laws to respond to Data Subject Requests and to respond to requests received directly by Element from, or on behalf of, any individual to exercise such individual’s rights under Applicable Privacy Laws with respect to Personal Data Processed under or in connection with this DPA.

8. LAW ENFORCEMENT REQUESTS

8.1 Vendor represents and warrants to Element that, as of the date of this DPA, it has not received a request for disclosure or access to Personal Data from any government intelligence, security service/agencies or law enforcement authority in the country to which the Personal Data is being exported (“Government Request”). If, after the date of this DPA, Vendor receives or becomes aware of any Government Request, Vendor shall attempt to redirect the law enforcement or government agency to request that Personal Data directly from Element. If compelled to disclose Personal Data to a law enforcement or government agency, Vendor shall give Element reasonable notice of the demand and cooperate to allow Element to seek a protective order or other appropriate remedy unless Vendor is legally prohibited from doing so. Vendor shall not voluntarily disclose Personal Data to any law enforcement or government agency. Vendor and Element shall (as soon as reasonably practicable) discuss and determine whether any transfers of Personal Data pursuant to this DPA should be suspended in the light of such Government Requests and whether to notify the appropriate Authority.

9. Personal Data Breach.

9.1 Should a Personal Data Breach occur, Vendor will notify Element without undue delay (but no later than 24 hours) after becoming aware of such Personal Data Breach. Vendor shall also promptly (i) investigate the Personal Data Breach and provide Element with information about the Personal Data Breach; and (ii) take reasonable steps to remediate and mitigate the effects of the Personal Data Breach.

9.2 Notice. When notifying Element of any Personal Data Breach, Vendor shall provide Element with sufficient information which allows Element to meet its obligations to report a Personal Data Breach under Applicable Privacy Laws or inform individuals of the Personal Data Breach. Vendor shall co-operate with Element and take such reasonable commercial steps as are directed by Element to assist in the investigation, mitigation and remediation of such Personal Data Breach and to minimize any damage resulting from the Personal Data Breach (including taking all commercially reasonable steps to enforce against any person that is or may be engaging in activities relating to the Personal Data Breach any rights Vendor has to require such person to cease such activities relating to the Personal Data Breach) and specify the date on which those actions were taken or the expected time frame for implementing such intended actions, in order to enable Element to (a) perform a thorough investigation into the Personal Data Breach, and (b) formulate a response and to take suitable further steps in respect of the Personal Data Breach in order to meet any requirement under Applicable Privacy Laws.

9.3 Information. Without limiting the generality of the foregoing, Vendor shall provide Element with detailed information about the Personal Data Breach, including: (i) how and when the Personal Data Breach occurred and was discovered; (ii) any steps taken to address the Personal Data Breach, mitigate such Personal Data Breach, any steps taken to prevent, a recurrence and specify the date on which those steps were taken or the expected time frame for implementing such intended steps; (iii) sufficient information to allow Element to notify individuals who may be affected by the Personal Data Breach to understand the significance to them of the Personal Data Breach and to take steps, if any are possible, to reduce the risk of harm that could result from it or to mitigate that harm, and any other information required by Applicable Privacy Laws; (iv) sufficient information to enable Element to determine if notice must be given to any Authorities, any third party organizations or to individuals (including to determine if the Personal Data Breach creates a real risk of significant harm to an individual who may be affected); (v) to the extent Vendor has knowledge, a description of the categories of Personal Data involved for each affected Individual and if Vendor does not have such knowledge, the Vendor shall provide the reasons to Element why it is impossible to provide such a description; (vi) as available, all other information relating to the Personal Data Breach that Vendor becomes aware of; and (vii) such other information as is reasonably requested by Element and would not conflict with any legal obligations.

9.4 Notices. Vendor shall assist Element in the coordination of any external communications relating to the Personal Data Breach released by Element, including with any Authority, third party organization or affected individuals, with Element, in accordance with the communication protocols prescribed by Element and Applicable Privacy Laws. Without limiting the generality of the foregoing, taking into account the nature of Processing and the information available to Vendor, Vendor will provide reasonable assistance and information in its possession, including reasonable information about the nature of the Personal Data Breach and steps taken by Vendor to remedy the Personal Data Breach, to Element as may be necessary for Element to satisfy any notification obligations required under Applicable Privacy Laws Data Protection Law applicable to any Personal Data Breach, including information required by Element so that Element may notify (i) the relevant Authority; and (ii) individuals affected by such Personal Data Breach without undue delay.

9.5 Costs. Vendor shall use reasonable efforts to immediately stop any unauthorized use or distribution of Personal Data that is known or may be reasonably suspected by Vendor. Vendor will reimburse Element for the reasonable expenses that Element may incur as a result of a Personal Data Breach caused by Vendor or any Vendor affiliate, subcontractor or Subprocessor, including but not limited to, the expenses incurred in investigating the breach and notifying affected individuals.

9.6 Vendor Communications. The content of any Vendor filings, communications, notices, press releases, or reports related to any Personal Data Breach naming Element must first be approved by Element prior to any publication or communication thereof to any third party, except that the foregoing shall not prohibit Vendor from communicating with law enforcement when required to do so pursuant to the Applicable Privacy Laws.

9.7 Records. Additionally, Vendor will keep and maintain accurate and up-to-date records of all Personal Data Breaches (including in accordance with any requirements prescribed by Applicable Privacy Laws) during the term of this Agreement and for a period of sixty (60) months thereafter. Vendor will provide such records to Element upon request (which, for certainty, Element may provide to Authorities).

10. Assistance and Suspension of Processing. 10.1 Vendor will provide all assistance reasonably necessary for Element to comply with Applicable Privacy Laws (including Articles 32 to 36 GDPR as applicable), and Element may take appropriate steps to ensure that Vendor Processes Personal Data in a manner consistent with Element’s obligations under Applicable Privacy Laws and Vendor shall cooperate with such steps. If Vendor determines that it can no longer meet its own obligations under Applicable Privacy Laws, Vendor will immediately notify Element of such determination. Upon such notice or in the event Element otherwise becomes aware of unauthorized Processing of Personal Data, Element may take appropriate steps to stop and remediate the unauthorized processing such as directing Vendor to suspend its Processing of Personal Data until Vendor can meet its material obligations under Applicable Privacy Laws. Vendor shall immediately notify Element in writing if it reasonably believes that any instruction from Element (including the terms of this Agreement) infringes Applicable Privacy Laws.

11. Audits.

11.1 At least annually, upon Element’s reasonable request, Vendor shall allow for and contribute to reasonable audits by Element or its designated auditor to assess Vendor’s compliance with Applicable Privacy Laws and this DPA. Such audits shall include, but shall not be limited to, manual reviews and automated scans of Vendor’s policies, procedures, and safeguards relevant to the Processing of Personal Data. As an alternative, with Element’s written consent and at Vendor’s expense, Vendor may arrange for a qualified and independent third party to conduct such an audit so long as (i) the third party uses an appropriate and accepted control standard or framework and audit procedure; and (ii) the report of such audit is provided to Element upon request. Vendor shall also make available to Element upon request all information reasonably necessary to demonstrate Vendor’s compliance with Applicable Privacy Laws and this DPA.

12. Return or Deletion.

12.1 Within thirty (30) days of the end of Vendor’s provision of the Services, Vendor will, at the election of Element, securely return or delete all Personal Data in a format that is usable by Element at no cost to Element, unless (i) otherwise agreed in writing by Element; or (ii) Applicable Privacy Laws require further retention of such Personal Data and in such instance, (a) Element is notified in writing in advance of Vendor’s intention to retain such Personal Data; (b) Vendor only retains such Personal Data for the minimum period required by Applicable Privacy Laws, (c) this DPA shall continue to apply until such Personal Data is deleted or returned (at Element’s choice).

12.2 Not later than thirty (30) days following the termination of this DPA, Vendor shall ensure that the destruction of records and devices containing Personal Data is carried out in a manner that ensures the security, privacy or confidentiality of the Personal Data, including at minimum: (i) ensuring that any shredding is done by cross-cutting or confetti shredding all paper records; or (ii) wiping or physically destroying electronic records and devices in a manner that ensures that the Personal Data cannot be reconstituted in conformity with industry best practices.

13. INTERNATIONAL TRANSFERS

13.1 The parties agree that in the event of any EU Restricted Transfer from Element to Vendor, Element ( as “data exporter”) and Vendor (as “data importer”) enter into and agree to be bound by the Controller to Processor SCCs which are hereby incorporated into the DPA by reference and will come into effect upon the commencement of such EU Restricted Transfer, subject to the following clarifications: (i) Clause 7 – Docking clause shall apply; (ii) Clause 9 – Use of subprocessors. “Option 1” shall apply and the “time period” shall be at least 30 days; (iii) Clause 11(a) – Redress. The optional language shall not apply; (iv) Clause 13(a) – Supervision. The following shall be inserted: The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex B (Details of Transfer) to this DPA, shall act as competent supervisory authority; (v) Clause 17 – Governing law. “Option 1” shall apply, and the “Member State” shall be Ireland; (vi) Clause 18 – Choice of forum and jurisdiction, any dispute shall be resolved by the courts of Ireland; (vii) Annex 1 to the Controller to Processor SCCs shall be deemed to be pre-populated with the relevant sections of Annex B (Details of Transfer) to this DPA and the processing operations are as described in Annex A (Details of Processing) to this DPA; and (viii) Annex 2 to the Controller to Processor SCCs shall be deemed to be pre-populated with the relevant sections of Annex C (Technical and Organisational Measures) of this DPA.

13.2 The parties agree that in the event of any UK Restricted Transfer from Element to Vendor, Element ( as “data exporter”) and Vendor (as “data importer”) enter into and agree to be bound by the Controller to Processor SCCs (as read in accordance with, and deemed amended by, the provisions of Part 4 (Mandatory Clauses) of the UK IDTA) which are hereby incorporated into the DPA by reference and will come into effect upon the commencement of such UK Restricted Transfer, subject to the following clarifications: (i) Clause 13(a) – Supervision, the following shall be inserted: The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, shall be the UK’s Information Commissioner’s Office; (ii) Clause 17 – Governing law. The following shall be inserted “These Clauses shall be governed by the laws of England and Wales.”; (iii) Clause 18(b) – Choice of forum and jurisdiction. The Member State shall be the courts of England and Wales; (iv) for the purposes of Table 2 in Part 1 (Tables) of the UK IDTA, the parties select the “neither party” option; and (v) Part 1 (Tables) of the UK IDTA shall be deemed to be pre-populated with the relevant sections of Annexes B to D of this DPA.

13.3 If, at any time, a supervisory authority or a court with competent jurisdiction over a party mandates that transfers from Controllers in the EEA or the UK, to Processors established outside the EEA or the UK must be subject to specific additional safeguards (including but not limited to specific technical and organisational measures), the parties shall work together in good faith to implement such safeguards and ensure that any such transfer of Personal Data is conducted with the benefit of such additional safeguards.

13.4 In respect of any transfers of Personal Data to the United Kingdom from the EEA, if the United Kingdom is, at any time during the term of this DPA, no longer recognised by the European Commission as providing an adequate level of protection for Personal Data and is not covered by an alternative framework recognised by the relevant authorities or courts as providing an adequate level of protection for Personal Data, then such transfer shall be considered to be an EU Restricted Transfer and: (i) where the transfer is a transfer from Element to Vendor, the provisions of paragraph 13.1 shall apply to such transfers; or (ii) where the transfer is a transfer from Vendor to a Subprocessor, the provisions of Section 6.3(i) of the Agreement shall apply to such transfer; until the earlier of: (a) the date upon which the European Commission issues a new decision recognising the United Kingdom as providing an adequate level of protection for Personal Data; (b) the date upon which Element either adopts itself where the transfer is a transfer from Element to Vendor or directs Vendor to adopt, and Vendor so adopts, where the transfer is a transfer from Vendor to a Subprocessor, an alternative appropriate safeguarding measure for transfers from the EEA to the United Kingdom under Articles 46 to 49 of the GDPR; (c) the date upon which the Controller to Processor SCCs or Processor to Processor SCCs cease to be considered an appropriate safeguard for the protection of Personal Data; or (d) the date upon which Vendor stops processing Personal Data under this DPA.

13.5 In the event that the provisions of Sections 13.1 and 13.2 of this DPA or Section 6.3 of this DPA are relevant to transfers of Personal Data under this DPA and are not complied with by Vendor in Element’s opinion, acting reasonably, or where the Controller to Processor SCCs, Processor to Processor SCCs, or the UK IDTAs cease to be considered an appropriate safeguard for the protection of Personal Data by the European Commission, the Irish Data Protection Commission or court of competent authority and no equivalent, successor mechanism is issued by the European Commission or the Irish Data Protection Commission then without prejudice to any other rights or remedies that Element may have, the parties agree that (a) Element shall have the right to require that the transfers of Personal Data in question shall pause and that Vendor shall immediately pause all such transfers once it receives notification from Element to that effect and (b) where Element, in its sole discretion, determines that the Services are and/or the Vendor Agreement is no longer viable due to either the non-compliance referred to in this paragraph or cessation of the Controller to Processor SCCs, Processor to Processor SCCs or the UK IDTAs being considered an appropriate safeguard / transfer mechanism then Element shall be entitled to terminate this DPA immediately.

14. Indemnification.

14.1 Vendor agrees that it will indemnify and hold harmless Element and its related affiliates, their directors, officers, shareholders, employees, contractors, clients and agents from any third party claim related in any way to Vendor’s, any Vendor affiliate’s, subcontractor’s or Subprocessor’s Processing of Personal Data, including but not limited to claims related to a Personal Data Breach.

15. Term.

15.1 The term of this DPA begins as and from the effective date of the Vendor Agreement. The term of this DPA will end upon the later of termination of the DPA or the termination of the Vendor Agreement or Vendor’s written confirmation of destruction or return, if requested by Element, of all Personal Data processed by Vendor under the DPA.

15.2 Element shall be entitled to terminate the Vendor Agreement as insofar as it concerns processing of Personal Data in accordance with the DPA if:

(i) the Processing of Personal Data by Vendor has been suspended by the Element pursuant to Section 10 and if compliance with this DPA is not restored within a reasonable time and in any event within one (1) month following the suspension;

(ii) Vendor is in substantial or persistent breach of this DPA or its obligations under the Applicable Privacy Laws; or

(iii) Vendor fails to comply with a binding decision of a competent court or the competent Authorities regarding its obligations pursuant to this DPA, or any other Applicable Privacy Laws.

16. Third-Party Beneficiary.

16.1 Any Element client or customer that has Personal Data processed by Vendor or a subprocessor engaged by Vendor pursuant to this DPA shall be a third-party beneficiary of such Vendor’s and subprocessor’s obligations hereunder with respect to such Personal Data and entitled to enforce such obligations against such Vendor and/or subprocessor.

17. Amendments.

17.1 Vendor agrees that Element may change the terms of this DPA at any time without prior notice. This DPA as well as any updated terms can be found at https://www.elementfleet.com/ vendor-data-privacy-agreement.

Annex A: Details of Processing

1. Categories of Data Subjects and Personal DataIn the course of performing the Services, Vendor may Process Personal Data about Element’s clients and customers, including individual drivers. Some or all of the following categories of Personal Data may be Processed:

• Individual identifiers (e.g., name, email address, postal address, usernames, and phone number)

• Online identifiers (e.g., device advertising identifiers, cookies, and other unique online identifiers)

• Characteristics of protected classifications (e.g., race or gender)

• Commercial or transactions information (e.g., information about products or services obtained or considered)

• Internet or other electronic network activity information (e.g., browsing history, search history, and interactions with a website, email, or application)

• Record-keeping information (e.g., financial information)

• Audio or visual information (e.g., video or call recordings)

• Account log-in information

• Professional or employment-related information

• Education information

• Geolocation information

• Sensitive personal information (e.g., social insurance or driver’s license number)

• Certain vehicle data such as Vehicle Identification Number (VIN)

• Inferences drawn from the other categories of Personal Data collected

• Other Personal Data as instructed by Element and/or Element’s clients and customers

2. Nature, purpose AND SUBJECT MATTER of the Processing

Vendor Processes Personal Data to provide the Services relating to fleet management, which may include fleet management services, managed maintenance, fueling, rentals, title and registration, collision management, safety and motor vehicle records (MVRs), telematics, electric vehicle (EV) products, transportation, tolls and violations, remarketing, acquisition, and compliance.

Annex B: Details of Transfer

A. LIST OF PARTIES

Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]

Data importer(s): [Identity and contact details of the data importer(s), including any contact person with responsibility for data protection]

B. DESCRIPTION OF TRANSFER

C. COMPETENT SUPERVISORY AUTHORITY

Irish Data Protection Commission

Annex C: Organisational and Technical Measures

Description of the technical and organisational measures implemented by the Processor (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

The Vendor shall use good industry practice (including compliance with ISO27001 and ISO 27002) to keep all records, documentation, data (including Personal Data) and information relevant to the Vendor Agreement and/or the Services (“Relevant Information”) secure and shall exercise at least the same degree of care to protect Relevant Information as it does to protect its own data and information. Without limiting any of its other obligations under the Vendor Agreement, the Vendor shall:

(i) ensure that the Vendor’s systems are subject to appropriate access control systems and access rights are only given to the Vendor’s personnel who need to access the Relevant Information and in accordance with the principle of least privilege;

(ii) take reasonable steps to ensure the reliability of the Vendor’s personnel who have access to the Relevant Information and ensure that such personnel are obliged to keep the Relevant Information confidential;

(iii) ensure that all of the Relevant Information, including any Relevant Information that is placed on a portable electronic device (such as laptops, memory sticks and back-up tapes), is securely encrypted;

(iv) provide the Services in compliance with ISO 27001 and 27002 (as such standards are amended from time to time), or such other standards as the Vendor may propose and which are acceptable to Element (acting reasonably);

(v) take steps in accordance with good industry practice to prevent unauthorised access or use of the Vendor’s system or of Element’s operating systems arising out of access to the Element’s operating systems by the Vendor or its personnel pursuant to the Vendor Agreement. In particular, the Vendor shall ensure that appropriate firewalls are used and that an intrusion detection system and data loss prevention controls are in place to continuously monitor for unauthorised access or interference with the Vendor’s systems;

(vi) take steps in accordance with good industry practice to prevent unauthorised disclosure, loss, destruction or alternation of any of the Relevant Information and to monitor for the foregoing;

(vii) notify Element in writing immediately (and in any event within twenty four (24) hours) of it becoming aware of any confirmed security incident affecting its network and the Vendor’s systems that could potentially affect Element and/or the Relevant Information, and reasonably respond without delay to all queries and requests for information from Element about any security incident, whether discovered by the Vendor or Element. The Vendor shall provide such notification in accordance with any incident reporting procedures notified by Element to the Vendor; and

(viii) ensure that the Vendor’s technical and organisational controls are reviewed regularly, and the control assurance is tested regularly (including with a penetration test by external parties which is conducted no less than annually);

(ix) provide Element with prior written notice of any material changes relating to the information technology systems or practices utilised by the Vendor in connection with the provision of the Services;

(x) allow Element to conduct penetration testing in respect of the Vendor’s systems upon request from Element provided that Element shall consult with the Vendor in respect of the scope of any such scheduled penetration testing in advance and account for any reasonable feedback from the Vendor on material operational obstacles to the scope of any such scheduled penetrating testing proposed by Element and Element agrees to share the results of any penetration testing with the Vendor; and

(xi) at the choice of Element, securely return (in a format reasonably required by Element) or destroy the Relevant Information upon termination or expiry of this Agreement unless the Vendor is required to retain the Relevant Information for compliance with applicable laws in which case the Vendor will securely retain the Relevant Information solely for compliance with such applicable laws.