
SCHEDULE 9

DATA PROTECTION

[note to PMI lawyers: use this Schedule when PMI entity or a consultant is based in EEA or Switzerland – comment to be removed from the final contract]



  1. Definitions

  2. The terms defined below shall have the meaning given to them, but only for the purposes of this Schedule 9.

    Data Breach
        means any breach of security leading to the accidental or unlawful destruction, damage, loss, alteration, unauthorised disclosure of, or access to, PMI Personal Data transmitted, stored or otherwise Processed.
    Data Controller
        means a person who, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
    Data Processor
        means a person who Processes Personal Data on behalf of a Data Controller.
    Data Subject
        means an identified or identifiable individual. An “identifiable” individual is one who can be identified, directly or indirectly, including by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to his physical, physiological, genetic, mental, economic, cultural or social identity.
    Personal Data
        means any information relating to a Data Subject.
    PMI Personal Data
        means Personal Data that either: (i) PMI, an Affiliate of PMI, or a person acting on its behalf, provides to Consultant, or permits Consultant to access, in connection with the Agreement; or (ii) Consultant creates in providing the Services.
    to “Process”
        (and variants of it, such as “Processing”) means to perform any operation or set of operations upon data, whether or not by automatic means, such as collecting, recording, organising, storing, adapting or altering, retrieving, consulting, using, disclosing (by transmission, dissemination or otherwise making available), aligning or combining, blocking, erasing or destroying.
    Services
        means all the services to be provided by Consultant pursuant to the Agreement.


  3. Data Protection

    1. Appointment: PMI appoints Consultant as its Data Processor. Consultant shall Process PMI Personal Data only: (i) on behalf of PMI; (ii) to provide the Services; (iii) so far as necessary to provide the Services; (iv) in accordance with PMI’s reasonable and documented instructions from time to time; and (v) in compliance with all applicable data protection law. Consultant shall ensure that any natural person acting under its authority who has access to PMI Personal Data is bound by contractual obligations that provide equivalent protections in relation to PMI Personal Data to those set out in this Schedule 9.
    2. The Processing: Annex 1 of this Schedule 9 describes the particulars of the Processing under the Agreement.
    3. Subprocessors: Consultant may not appoint any subcontractor as a further Data Processor to Process PMI Personal Data without PMI’s prior written consent. Should Consultant appoint any subcontractor as a further Data Processor, Consultant shall engage them in writing on terms that provide equivalent protections to those set out in this Schedule 9.
    4. Data Transfers: Consultant may not Process PMI Personal Data outside the European Economic Area or Switzerland unless it has first: (i) obtained PMI’s prior written consent; and (ii) agreed with PMI, and put in place, the measures which are necessary to ensure the transfer is in compliance with applicable data protection law.
    5. Assistance to PMI: Consultant shall, upon PMI’s request, assist PMI to assess the impact of the Processing on the protection of PMI Personal Data, including by providing: (i) a systematic description of the way that PMI Personal Data is Processed; (ii) a description of the measures it has implemented to protect PMI Personal Data and to assist PMI in responding to Data Subject requests; and (iii) an assessment (in the form of a Data Protection Impact Assessment), of the specific risks, of which Consultant is aware, to the rights and freedoms of Data Subjects arising out of or in connection with Consultant’s Processing. Consultant shall also assist PMI as reasonably requested in cases where PMI decides to carry out a prior consultation with the relevant data protection authority.
    6. Audit: Consultant shall provide PMI with all information that PMI reasonably requests to demonstrate compliance with applicable data protection law. In addition, PMI may, upon reasonable notice and within normal business hours, either itself or through its third party auditors, audit Consultant’s compliance with the terms of this Schedule 9.
    7. Return of PMI Personal Data: Within 14 days of the expiry (or termination) of the Agreement, Consultant shall (at PMI’s election) destroy or return to PMI all PMI Personal Data in its possession or control. This requirement shall not apply to the extent that Consultant is required by any applicable law to retain some or all of PMI Personal Data.
    8. Data Subjects: Consultant shall, if it receives any communication from any person with respect to its Processing of PMI Personal Data (including Data Subjects or data protection authorities): (i) notify PMI within 1 business day of receiving it; (ii) provide any assistance reasonably required by PMI to enable PMI to respond to it; and (iii) not respond directly to it without PMI’s written permission.
    9. Assistance with Security Events: Consultant shall assist PMI with any Data Breach and any suspected or threatened Data Breach (each, a “Security Event”) by: (i) notifying PMI within 24 hours of becoming aware of the Security Event; (ii) providing PMI with all relevant information and documentation in its knowledge, possession or control concerning the Security Event; and (iii) co-operating with PMI and taking such steps as PMI may reasonably require to assist in investigating, mitigating and remediating any Security Event.
    10. Security: Consultant shall implement and maintain appropriate technical and organisational measures necessary to protect PMI Personal Data from accidental or unlawful destruction, damage, loss, alteration, unauthorised disclosure or access, including the measures set out in PMI’s information security schedule available at https://www.pmi.com/legal/legal-documents and (without prejudice to the generality of the foregoing), as required by applicable data protection law. Consultant shall ensure that any person authorised to Process PMI Personal Data is bound by contractual obligations of confidentiality.
    11. Client as Data Controller of certain Personal Data relating to Consultant: PMI and its Affiliates will Process on their own behalf (each as a Data Controller) certain Personal Data relating to Consultant, its Affiliates, its and their suppliers, and its and their employees. For details, see the Business Partner Privacy Notice available at https://www.pmi.com/legal/legal-documents.



ANNEX 1 TO SCHEDULE 9


Particulars of the Processing
Duration of the Processing: Services provided under the Agreement 
Subject matter of the Processing: For the duration of the Agreement
Nature and purpose of the Processing: Consultant performs processing of the data to support PMI’s efforts in combating illicit trade of tobacco products, including the establishment of prospective legal claims
Types of Personal Data being Processed: Business contact data, private contact data
Categories of Data Subject to whom the Personal Data being Processed relates:
Non-specific entities potentially involved in the illicit trade of tobacco products