Data Protection Addendum

Effective date

This Data Protection Addendum (“DPA”) forms an integral part of the HERE Mobility License Agreement including the HERE Mobility Master Terms and Conditions (and any Annexes, Exhibits and Schedules attached thereto), HERE Mobility Products - Partner Terms of Services (and any Annexes, Exhibits and Schedules attached thereto) or any other written agreement (“Agreement”), entered into between HERE and the partner accepting such Agreement (whether as an existing partner who already executed the Agreement, or a new partner accepting the Agreement now) (“Partner”), with respect to Partner’s access to and/or use of the Mobility Products (as defined under the Agreement).

You represent and warrant that you have the full authority to bind the Partner to the terms and conditions of this DPA. If you or the Partner cannot be bound by, or do not agree to, or may not comply with, this DPA, or if you do not have the authority to bind the Partner to this DPA, please do not share, provide or attempt to receive any Personal Data from HERE. You also represent and warrant that you, on your own behalf as an individual and on behalf of the Partner (be it your employer or another legal entity that engages your services), have read, understood and agree to comply with this DPA in full and that you are entering into a binding legal agreement with HERE Global B.V. (“HERE”, “we”, or “us”), to reflect the Parties’ agreement with regard to the Processing of Personal Data.

Each reference to the DPA in this DPA means this DPA including its Schedules and Appendices (if applicable). Except as explicitly stated in this DPA, all capitalized terms shall have the meaning attributed to them in the Agreement including, without limitation: Data Protection Laws; GDPR; Account; Affiliate; Consumer Data; Driver Data; Driver App; Mobility Products; Mobility Marketplace Supply Verticals; Mobility Marketplace Service Suite(s); Marketplace Dispatcher; Partner Account Data; Partner Personnel Data; Partner-Controlled Consumer Data; and Partner Personnel.

If you need a signed copy of this DPA, please send a signed copy to mobility.privacy@here.com, and we will provide you with a countersigned copy.

1. Data Processing Terms

In the course of using the Mobility Products, HERE and the Partner (individually “Party”, together “Parties”) Process Personal Data. This DPA sets forth the Parties’ agreements and obligations including without limitation, the use of means, measures, procedures and good-faith efforts with respect to the Processing of Personal Data in connection with the Mobility Products in accordance with the requirements of Data Protection Laws.

2. Definitions.

2.1 Controller, Processor (and Process), Data Subject shall have the meaning attributed to them under Data Protection Law.

2.2 “Controller to Controller SCCs” shall mean the Standard Contractual Clauses (Controller to Controller Transfers – Set II) in the Annex to the European Commission Decision dated December 27, 2004, as may be amended or replaced from time to time by the European Commission.

2.3 “Controller to Processor SCCs” shall mean the Standard Contractual Clauses (Processors) in the Annex to the European Commission Decision dated February 5, 2010, as may be amended or replaced from time to time by the European Commission.

2.4 “Personal Data” shall mean information relating to an identified or identifiable Data Subject, also referred to as ‘personal data’ under applicable Data Protection Laws, which is provided, consumed, accessed, made available for access or otherwise Processed in the course of accessing and using the Mobility Products or performing the Agreement.

2.5 “Privacy Shield” shall mean the EU-US and/or Swiss-US Privacy Shield Framework (as applicable), as administered by the U.S. Department of Commerce, the European Commission and the Swiss Administration.

2.6 “Privacy Shield Principles” shall mean the Privacy Shield Principles, as supplemented by the Supplemental Principles and contained in Annex II to the European Commission Decision C(2016)4176 of July 12, 2016, as may be amended, superseded or replaced.

2.7 “Security Incident” shall mean any actual or reasonably suspected unauthorized access to, acquisition of, or disclosure of Personal Data a Party Processes on the other Party’s behalf.

3. Relationship of the Parties.

The Parties acknowledge and agree that as between the Partner and HERE with regard to the Processing of Personal Data related to Partner’s access and use of any Mobility Products:

3.1 Partner Personnel Data:

Partner is the Controller, and HERE is the Processor with respect to Partner Personnel Data.

3.2 Partner Account Data:

Partner is the Controller, and HERE is an independent Controller with respect to Partner Account Data.  

3.3 Driver Data:

3.3.1 HERE and Partner are independent Controllers with respect to Driver Data which is Processed by either of them respectively, in connection with the access and/or use by Drivers of the Driver App; and

3.3.2 HERE is the Processor and Partner is the Controller with respect to Driver Data which is provided by Partner to HERE via the Mobility Supply API.

3.4 Consumer Data:

3.4.1 HERE and Partner are independent Controllers with respect to Consumer Data which is Processed by either of them respectively, in connection with the consumption and/or use by Consumers of any Mobility Services offered or provided to Consumers by Partner via the Mobility Kiosk and/or the Mobility Web Widget;

3.4.2 HERE is the Processor and Partner is the Controller with respect to Consumer Data which is provided by Partner to HERE via the Mobility for Concierge;

3.4.3 HERE is the Processor and Partner is the Controller with respect to Partner-Controlled Consumer Data which is provided by Partner to HERE via the Marketplace Dispatcher specifically with respect to Partner’s provision of Mobility Services; and

3.4.4 HERE and Partner are independent Controllers, HERE is the Processor and Partner is the Controller, or HERE is the Controller and Partner is the Processor (all as applicable) with respect to Consumer Data which is provided by Partner (directly or by the Consumer) to HERE via the Mobility Demand API and/or the Mobility SDK. The determination of HERE as a Controller or Processor shall be based on the implementation of the Mobility Demand API and/or the Mobility SDK with each specific Partner.

(A) with respect to Section 3.4.1, Partner and HERE shall each be responsible for establishing a legal basis including and where required, obtaining all consents and approvals and making all notices (as applicable), required for Partner and HERE (respectively) to Process Personal Data of the applicable Data Subjects in each of Partner and HERE (respectively) capacity as a Controller; and

(B) with respect to Sections 3.4.2-3.4.4, Partner in its capacity as a Controller shall be responsible for establishing a legal basis including and where required, obtaining all consents and approvals and making all notices (as applicable), required for Partner and HERE to Process Personal Data of the applicable Data Subjects, including without limitation by making such required disclosure in its online terms of use and privacy policy and obtaining express consent from data subjects, therefore.

3.4.5 HERE is the Controller or Processor, and Partner is the Processor or sub-Processor with respect to Consumer Data which is Processed by Partner via the Mobility Marketplace Supply Verticals and/or the Marketplace Dispatcher. The determination of HERE as a Controller or Processor shall be based on the applicable Mobility Marketplace Service Suite from which the Consumer Data originated. Notwithstanding the foregoing, Partner may be a Controller of such Consumer Data if it established a legal basis directly with the Consumer(s) in accordance with applicable Data Protection Laws.

The Parties further acknowledge and agree that the Parties are not joint controllers with respect to any Personal Data Processed hereunder, as this term is referred to under the GDPR.

4. Personal Data Processing.

This DPA applies when Personal Data is Processed by HERE and/or by a Partner. To the extent that EU Privacy Laws and Regulations apply to the Personal Data, the following shall apply:

4.1 Processing by a Controller. 

4.1.1 With respect to any Personal Data that a Party (including anyone on its behalf) provides, transmits, uploads or makes available for access to the other Party, via or in connection with the Mobility Products, such Party represents and warrants to the other Party, that: (i) it shall Process and shall ensure that anyone acting on its behalf Processes Personal Data only in accordance with applicable Data Protection Laws and this DPA; (ii) it shall ensure when providing Personal Data to the other Party, the accuracy, quality, and legality of the Personal Data that it provides and/or uploads to the Mobility Products; (iii) the means and processes by which it (including via anyone on its behalf) acquired such Personal Data, and that the provision of such Personal Data to the other Party via the Mobility Products for Processing by the other Party in accordance with the Agreement, are in compliance with all applicable Data Protection Laws. Each Party acting as a Controller confirms, and at the other Party’s request will demonstrate, that the Personal Data of Data Subjects provided and/or uploaded by it to the Mobility Products was collected only from Data Subjects that received appropriate disclosures and notifications, as required under applicable Data Protection Laws, including for the use, distribution and trans-border transfer of such Data Subjects’ Personal Data, as required for the purpose of carrying out the Agreement, and/or otherwise in accordance with this DPA, and that such Party has established a legal basis directly with the Data Subjects as required pursuant to the applicable Data Protection Laws.
If a third party provided the notices to the Data Subjects and received their consent or has established another legal basis with the Data Subjects, each Party acting as a Controller will bear sole responsibility to verify and will be able to demonstrate that the notices and consents were sufficient for the purposes of use set forth in the Agreement and adequate pursuant to the applicable Data Protection Laws or that another legal basis has been established in accordance with applicable Data Protection Laws.

4.1.2 With respect to any Personal Data that a Party acting as a Processor (including anyone on its behalf) receives, is granted access to or is otherwise made available to it in connection with the Mobility Products, such Party undertakes to: (i) treat Personal Data as Confidential Information in accordance with the terms of this DPA and the Agreement; (ii) access and use any Data Subjects’ Personal Data only in accordance with the terms and conditions of, and for the purposes set forth in the Agreement.

4.2 Processing as a Processor. With respect to Personal Data that a Party (including anyone on its behalf) provides, transmits, uploads or makes available to the other Party for the Processing on its behalf in connection with the Mobility Products, such Party instructs the other Party to Process such Personal Data in accordance with the terms of this DPA and the Agreement. With respect to any Personal Data that such Party provides to, transmits or allows access to the other Party, such Party shall ensure that such Personal Data was collected and provided to the other Party pursuant to applicable Data Protection Laws, following provision of the required notices and establishment of a valid legal basis in accordance with applicable Data Protection Laws, for the other Party to Process such Personal Data pursuant to this DPA. The subject-matter, nature and purpose of the Processing, type of Personal Data, and the categories of Data Subjects are set forth in the Annex applicable to the Mobility Products that Partner accesses and uses.

4.3 Lawful Basis for Processing. Where and as applicable Partner and HERE’s lawful basis for Processing of Personal Data will be for performance of a contract with the data subject, for legitimate interests, for compliance with a legal obligation, and/or pursuant to data subject’s consent.

4.4 Details of the Processing. Each Party further undertakes that it shall and shall ensure that any third party acting on its behalf shall: (i) process Personal Data lawfully, fairly and transparently; (ii) collect Personal Data for specified, explicit and legitimate purposes and not further process it in a manner that is incompatible with those purposes; (iii) limit the Processing of Personal Data to what is necessary in relation to the purposes for which it is processed; (iv) ensure that to the best of their knowledge, the Personal Data it collects is accurate and, where necessary, kept up to date and that inaccurate data is rectified or deleted without delay; (v) keep all Personal Data Processed by it in an identifiable form for no longer than necessary for the purposes for which it is processed; and (vi) protect and secure all Personal Data it Processes, including against unauthorized or unlawful processing, accidental loss, destruction or damage, using appropriate technical or organizational measures.

5. Data Subjects Rights and Cooperation.

5.1 Each Party has established and maintains a procedure for the exercise of Data Subject’s personal rights, as required by applicable Data Protection Laws.

5.2 Each Party will cooperate with the other Party and use commercially reasonable efforts to provide the other Party with assistance in connection with: (i) any required notification to Data Subjects and supervising authorities, as applicable, taking into account the nature of Processing and the information available to a Party; (ii) impact assessments and prior consultations conducted by a Party (at the requesting Party’s expense); as required by applicable Data Protection Laws; (iii) a Party’s demonstration of compliance with applicable Data Protection Laws; (iv) a Party’s handling of requests to exercise Data Subjects’ rights, in accordance with the terms of Section 5.3; and (v) a Party’s handling of Data Subjects or other third parties’ complaints and governmental inquiries in connection with Personal Data Processed in connection with Partner’s use of Mobility Products pursuant to the Agreement.

5.3 Unless prohibited under applicable Data Protection Laws, each Party will promptly notify the other Party of: (i) any violation by the Party, or anyone on such Party’s behalf of any provision of this DPA or a Party’s instruction pursuant thereof; (ii) any official competent supervisory proceedings in connection with Personal Data Processed in connection with Partner’s use of Mobility Products pursuant to the Agreement; (iii) any legal or factual circumstances preventing a Party from executing any of such Party’s obligations under the terms of this DPA; and (iv) any material changes impacting the technical and organizational security measures implemented by a Party which cause such measures to fall short of such Party’s information security obligations as set forth in this DPA.

5.4 To the extent legally permitted, each Party to the extent acting as a Processor or Controller hereunder, will promptly notify the other Party if it receives a request from a Data Subject, whose Personal Data is included in the data collected in connection with Partner’s use of Mobility Products pursuant to the Agreement, to exercise the right to access, correct, amend or delete such Data Subject’s Personal Data, or to exercise such other personal right that the Data Subject is entitled to pursuant to the applicable Data Protection Laws. Such Party will provide the other Party with commercially reasonable cooperation and assistance in relation to handling the Data Subject’s request, to the extent legally permitted. Any Data Subject wishing to exercise his/her rights vis-à-vis HERE in its capacity as a Controller, in connection with the Mobility Products, may submit a request by contacting HERE at: mobility.privacy@here.com. Any Data Subject wishing to exercise his/her rights vis-à-vis Partner in its capacity as a Controller, in connection with the Mobility Products, may submit a request by contacting Partner at the email address provided by Partner to HERE pursuant to the Agreement. Each Party undertakes to make all reasonable efforts to accommodate these requests.

5.5 To the extent Partner, in its access and/or use of the Mobility Products as a Data Controller, does not have the ability to correct, amend, block or delete Personal Data as required by applicable Data Protection Laws, HERE shall comply with any commercially reasonable request by Partner to facilitate such actions to the extent HERE is legally permitted and technically able to do so, at Partner’s reasonable expense. Neither Party acting as a Processor hereunder shall respond to any such request without the other Party’s prior written consent except to confirm that the request relates to such Processor unless it is required under applicable Data Protection Laws.

6. The Parties’ Personnel and Subcontractors.

6.1 Each Party shall ensure that its and its Affiliates’ personnel, subcontractors and service providers that are engaged in the Processing of Personal Data: (i) are informed of the confidential nature of the Personal Data; (ii) receive appropriate security and privacy awareness training (or refresher sessions) on their responsibilities and are subject to obligations of confidentiality and such obligations survive the termination of that persons’ or subcontractors’ engagement with such party; and (iii) access to Personal Data is limited to those who require such access for the purpose of performing under the Agreement. All relevant Affiliates, subcontractors and service providers, to whom a Party transfers Personal Data in the course of the performance of the Agreement have entered into written agreements with such Party or other legal instruments that bind them by substantially the same material obligations under this DPA.

6.2 Each Party shall: (i) be responsible for the sufficiency of the security, privacy, and confidentiality safeguards of its and its Affiliates’ personnel, subcontractors and service providers with respect to the Personal Data; and (ii) be liable for any failure by its and its Affiliates’ personnel, subcontractors and service providers to comply with the terms of this DPA. Each Party assumes all responsibility for the acts and omissions of its and its Affiliates’ personnel, subcontractors and services providers, in connection with the Processing of Personal Data.

7. Controllers, Processors and Subprocessors.  

7.1 In order to provide the Data Subject with certain services as part of the Mobility Products, HERE acting as Processor hereunder shall be authorized to engage with certain third-party service providers that shall act in the capacity of a Controller (including with respect to Data for which HERE acts as a Processor) to the extent that it is required in order to carry out the Mobility Products functions in the course of the Partner’s engagement with HERE (each, an “External Controller”). In each such case, HERE shall enter into a written contract with each External Controller which imposes at least equivalent obligations on each such External Controller as are imposed on HERE under this Agreement and in such a manner that the Processing of Personal Data will meet the requirements of the applicable Data Protection Laws. Partner agrees to notify its applicable Data Subjects on such External Controllers in its online terms of use and privacy policy and shall be responsible for establishing a legal basis including and where required, obtaining all consents and approvals and making all notices (as applicable), required by applicable Data Protection Laws in connection with the sharing of Personal Data of the applicable Data Subjects with such External Controllers. HERE uses Twilio Inc., as an External Controller, for the purposes of providing HERE with telecommunication connectivity services, which enables HERE, amongst other functionalities, to programmatically send and receive text messages, as part of the Mobility Products.

7.2 A Party acting as Processor hereunder shall be authorized to subcontract the Processing of Personal Data to processors and subprocessors, as applicable and as reasonably required for its performance under the Agreement. In such case, such Processor shall enter into a written contract with its subprocessor which imposes at least equivalent obligations on the subprocessor as are imposed on such Processor under this Agreement; such contract shall include a description of the technical and organizational measures, which the subprocessor has to implement in such a manner that the Processing will meet the requirements of the applicable Data Protection Laws. If required by the Controller, such Processor will inform the Controller of the name, address and role of each involved subprocessor. Notwithstanding the foregoing, HERE’s use of processors (in such cases where HERE is the “Controller” of Personal Data), including its use of any payment processing service providers, is at HERE’s sole discretion.

7.3 A Party acting as Processor hereunder shall notify the Controller in advance (by email or by posting it in the Account) of any changes to the list of subprocessors in place on the Effective Date (except for emergency replacements or deletions of subprocessors without replacement). If the Controller has a legitimate reason that relates to the subprocessor’s Processing of Personal Data, the Controller may object to Processor’s use of a subprocessor, by notifying Processor in writing within ten (10) days after receipt of Processor’s notice and in such event, the Parties will discuss a resolution in good faith. Processor may choose to: (i) refrain from using the subprocessor, or (ii) take the corrective steps requested by the Controller as specified in its objection and use the subprocessor. If none of these options are reasonably possible and the Controller continues to object for a legitimate reason, either Party may terminate the Agreement on thirty (30) days’ written notice. If the Controller does not object within ten (10) days of receipt of the notice, the Controller is deemed to have accepted the new subprocessor. Where legally required, the Processor shall enter into the unchanged version of the Standard Contractual Clauses for the transfer of personal data to processors established in third countries pursuant to Commission Decision 2010/87/EU (“Standard Contractual Clauses”) prior to the subprocessor’s Processing of Data. Partner hereby accedes to the Standard Contractual Clauses between HERE and its subprocessor.

8. Accountability; Documentation.

8.1 Each Party undertakes to adequately document its privacy practices and activities in relation to the Processing of Personal Data, pursuant to the applicable requirements under applicable Data Protection Laws.

8.2 A Party acting as Processor hereunder shall Process Personal Data only in accordance with the Controller’s written instructions as set forth in this DPA. Such Processor shall inform the Controller, in writing, if it becomes aware or reasonably believes that its data Processing instructions violate applicable Data Protection Law.

8.3 Each Party’s and its Affiliates’ liability arising out of or related to this DPA (whether in contract, tort or under any other theory of liability) is subject to Section 10 (‘Limitation of Liability’) of the Agreement and any reference in such section to the liability of a Party means that Party and its Affiliates in the aggregate.

9. Deletion or Return of Personal Data.  

9.1 Where a Party Processes Personal Data as a Processor hereunder, it shall, at the choice of the other Party, delete or return all the Personal Data to the other Party upon termination or expiration of the Agreement, and delete all existing copies of the Personal Data at its possession or control, unless: (i) applicable laws require the retention of such Personal Data for a certain period of time by Processor and/or its subprocessors, or (ii) if such retention is otherwise legally permitted. If such retention is legally permitted and/or required, then Processor and/or its subprocessors may retain such Personal Data for such purposes; provided that such Personal Data is afforded continuous protection under the terms set forth in this DPA, regardless of the expiration or termination of the Agreement, until such Personal Data is permanently deleted. 

9.2 Where a Party is allowed or legally required to retain Personal Data according to applicable law, such Party will only retain such Personal Data in accordance with the procedures and timeframes specified in its data retention and destruction policies and procedures, and applicable law.

10. Anonymized and Aggregated Data

Partner acknowledges and agrees that HERE may render anonymous Personal Data so that it no longer relates to an identified or identifiable natural person or that a Data Subject is no longer identifiable (“De-Identified Data”), and may maintain, use and distribute such De-Identified Data for its own purposes; and Partner agrees to the extent required under this DPA and/or applicable Data Protection Law to include the relevant language and terms in its privacy policy, and inform the applicable Data Subjects, and to the extent legally required, obtain legal and valid consent or establish another legal basis regarding such usage by HERE in accordance with applicable Data Protection Laws.

11. Audit Rights.  

11.1 Each Party may audit the other Party’s privacy and security practices to determine and ensure compliance under this DPA if: (i) a Security Incident has occurred; (ii) the auditing Party reasonably suspects that the other Party is not in compliance with its obligations under this DPA; (iii) an audit is formally requested from it by a competent data protection authority; or (iv) applicable Data Protection Laws provides the auditing Party with a direct audit right. Such audit may only be performed via a reputable third-party auditor (who does not have a conflict of interests and is bound by strict confidentiality obligations), upon at least thirty (30) days prior written notice. The audited Party will reasonably support the auditing Party in its auditing process. An audit will be limited to once in a calendar year and limited to a maximum of one business day, during normal business hours and without disrupting the audited Party’s regular course of business, and the auditing Party will bear its own audit costs. All the information provided by the audited Party or obtained by the auditing Party as part of an audit shall be considered as the audited Party’s Confidential Information.

11.2 If the Standard Contractual Clauses apply, nothing in this Section 11 varies or modifies the Standard Contractual Clauses nor affects the supervisory authorities’ or Data Subjects’ rights under the Standard Contractual Clauses.

12. Technical and Organizational Measures

12.1 During the term of the Agreement, each Party, will implement and maintain administrative, physical and technical organizational measures (including with respect to its personnel, facilities, hardware and software, storage and networks, access controls, monitoring and logging, and incident response) to protect the security, confidentiality and integrity of the Personal Data, pursuant to the Party’s information security policies and procedures and as required by applicable Data Protection Laws. Each Party will regularly monitor compliance with these safeguards, ensuring a level of protection that is reasonable and sufficient in terms of the risks related to the Processing taking into account the nature of the involved Personal Data. Partner shall provide HERE with a copy of its technical and organizational measures simultaneously with the execution of this Agreement unless Partner’s technical and organizational measures are substantially similar to those set forth in Section 12.2 below. In such case, Partner hereby represents and warrants to HERE that: (i) its implemented technical and organizational measures are in compliance with applicable Data Protection Laws and are at least as protective as those set forth in Section 12.2 below; and (ii) it shall promptly notify HERE, in writing, if there is any change in its implemented technical and organizational measures and shall provide HERE with a copy of its updated implemented technical and organizational measures.

12.2 The following defines HERE’s current security measures. HERE assures Partner that it: (i) ensures that its senior management assigns security responsibilities and reviews the implementation of security within the organization. Senior management has nominated appropriate personnel to be responsible for the overall security, risk management, information security, privacy and controls for handling Personal Data; (ii) has established and demonstrates commitment to security through an organization-wide security policy (“Security Policy”). The Security Policy and related guidelines are communicated to all HERE employees, subcontractors and services providers; (iii) has its own, dedicated information classification schema based on information sensitivity (for example, internal, confidential, and secret) and established measures to ensure that information ownership is defined at all times. This schema includes appropriate security controls to protect Partner information, Personal Data and assets, where applicable; (iv) conducts security risk assessments as part of its normal business operations at least at an annual frequency, incorporating emerging threats, possible business impacts and probabilities of occurrence; and modifies the security related processes, procedures and guidelines based on the findings in such security risk assessments; (v) has implemented appropriate access control and access rights management designed to ensure that data is only processed by a minimum number of authorized persons who have access to requisite data needed to perform their work-related duties (i.e., role-based access control with least privileges); (vi) maintains the following: processes for authorizing and terminating user access and subcontractor access, including emergency access termination procedure; password management policy including password complexity requirements, no common or shared user accounts in use, password aging where systems do not support use of password managers, and secure delivery of credentials to users; audit records of all existing user privileges, shall be retained and reviewed regularly to remove excess privileges, and processes which ensure segregation of duties; (vii) maintains a sufficient audit trail and the use of access privileges (changes, who, what, when) is in place when dealing with sensitive (confidential or secret) information; (viii) collects logs pertaining to user access to Partner Processed Data and stores such logs for at least three (3) months unless otherwise restricted by local legislation; (ix) has implemented reasonable and appropriate information security measures (e.g., hardening, patching, antivirus, IDS, etc.) to protect Personal Data against unauthorized or accidental access, use, disclosure, deletion, destruction, loss, alteration or amendment; (x) only stores and processes Personal Data in an environment where requisite security controls have been implemented, and ensures that IT infrastructure and networks are designed and managed to protect IT systems, information, users and electronic communications; and (xi) uses industry standard techniques to secure the connectivity between Partner and HERE against eavesdropping and alteration (including wireless access or remote connection), in solutions and services.

12.3 HERE may change the implemented security measures at any time without notice so long as it maintains a comparable or better level of security.

13. Breach Management and Notification.

13.1 Each Party will: (i) maintain security incident management policies and procedures as required under applicable law; and (ii) upon a Party becoming aware of a Security Incident, promptly provide the other Party with written notice thereof. Such notice shall be provided prior to notifying any governmental authority or making any public disclosure thereof unless prohibited under applicable law. If a Party becomes aware of any Security Incident, it will promptly: (a) investigate the Security Incident and provide the other Party with information about the Security Incident; and (b) take reasonable steps designed to mitigate the effects and to minimize any damage resulting from the Security Incident. Each Party agrees that an unsuccessful Security Incident attempt will not be subject to this Section 13. An unsuccessful Security Incident attempt is one that results in no unauthorized access to, or loss, disclosure or alteration of, Personal Data or to any of a Party’s equipment or facilities storing Personal Data, and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond IP addresses or headers) or similar incidents; and each Party’s obligation to report or respond to a Security Incident under this Section 13 is not and will not be construed as an acknowledgement by such Party of any fault or liability with respect to the Security Incident. Each Party undertakes to provide commercially reasonable support and assistance to the other Party, for the other Party’s fulfilment of breach notification duties under applicable Data Protection Laws, in relation to Personal Data. 
Notification(s) of Security Incidents, if any, will be delivered to one or more of the other Party’s business, technical or administrative contacts by any means a Party reasonably selects, including via email. It is each Party’s sole responsibility to ensure it maintains accurate contact information on the other Party’s support systems at all times.

13.2 When and in so far as the Parties are functioning as independent Controllers, each Party represents and warrants to the other Party, that (i) it shall maintain robust security incident management policies and procedures as required under applicable law; and (ii) to the extent it deems it applicable, it shall upon becoming aware of a security breach, provide the other Party with written notice thereof.

14. International Transfers of Data

14.1 The Parties may use, engage in, certify, or self-certify with applicable instruments, measures, contracts and other mechanisms, to facilitate the lawful transfer of Personal Data between territories, as required under applicable Data Protection Laws. The Parties may transfer Data Subjects’ Personal Data in the European Economic Area (“EEA”) to other territories that are formally recognized by the European Commission as providing adequate protection to Personal Data (“Adequacy Recognition”).

14.2 To the extent necessary under applicable Data Protection Laws, the Parties undertake to implement instruments to safeguard international data transfers, such as the Controller to Controller SCCs, the Controller to Processor SCCs, self-certification with the Privacy Shield Framework and a statement of compliance with the Privacy Shield Principles, and such other lawful instruments to transfer Personal Data between the Parties and between a Party to its Affiliates, service providers and other third parties. As applicable, if: (i) the Privacy Shield is invalidated; (ii) a Party or any of its Affiliates or service providers are no longer able to continue complying with the principles of the Privacy Shield; (iii) the Adequacy Recognition is invalidated or otherwise terminated; (iv) the Standard Contractual Clauses are invalidated or no longer in effect; and (v) any other Personal Data transfer safeguard is no longer in effect for any reason, then the Parties will take such alternative lawful measures, as may be available and applicable, to continue facilitating the lawful transfer of the Personal Data.

14.3 If a Party is unable to provide an alternative measure to continue transferring Personal Data lawfully, then the other Party may terminate this DPA and Agreement, upon a written notice with immediate effect.

14.4 Notwithstanding the foregoing, Partner acknowledges that Personal Data may be stored and/or processed by or on behalf of HERE in a different country than where Mobility Products are provided. Personal Data from a Partner in the EEA or Switzerland may only be exported or accessed by HERE or its subprocessors outside the EEA or Switzerland, if: (i) the recipient, or the country or territory in which it processes or accesses Data, ensures an adequate level of protection as determined by the European Commission; or (ii) Standard Contractual Clauses for the transfer of Personal Data to processors established in third countries apply.

15. Term and Termination.

This DPA will commence on the Effective Date of the Agreement, will remain in effect for the duration of the Agreement and shall survive expiration or termination of the Agreement. If a Party is unable to or becomes unable to comply with any of the terms and conditions of this DPA, in good faith, then the other Party may immediately terminate the Agreement upon a written notice.

16. Compliance.

Each Party will designate a privacy contact and/or data protection officer, to oversee the Processing of the Personal Data and to serve as a point of contact for the other Party on privacy and data protection matters. HERE’s designated contact may be reached by email at mobility.privacy@here.com. Partner shall, within 5 business days from executing the Agreement, email to such mailbox the contact information of Partner’s designated privacy contact; provided that if Partner fails to do so, Partner agrees that HERE may send any notices pertaining to this DPA to the email address associated with its Account.

17. Miscellaneous

This DPA supersedes and replaces all prior and contemporaneous proposals, statements, sales materials or presentations and agreements, oral and written, with regard to the subject matter of this DPA, including any prior data processing addenda, entered into between HERE and Partner. Nothing in this DPA reduces the Parties’ obligations under the Agreement, including in relation to the collection and protection of Personal Data or permits either Party to Process (or permit the Processing of) Personal Data in a manner which is prohibited by the Agreement. In the event of any conflict or inconsistency between this DPA and the Agreement, this DPA shall prevail solely with respect to the subject matter of this DPA and solely if such conflict or inconsistency originates from the requirements of Article 28 of the GDPR (except where explicitly agreed otherwise in writing, signed on behalf of the Parties). This DPA is not intended to and does not in any way limit or derogate from the Parties’ (each as Controller) respective obligations and liabilities under the Agreement, and/or pursuant to the GDPR or any law applicable to Controller, in connection with the collection, handling and use of Personal Data.
