Provider shall not: (1) access, process, or otherwise use Customer Data other than as necessary to facilitate the System; or (2) give Customer Data access to any third party, except Provider’s subcontractors that have a need for such access to facilitate the System and are subject to a reasonable written agreement governing the use and security of Customer Data. Further, Provider: (3) shall exercise reasonable efforts to prevent unauthorized disclosure or exposure of Customer Data; and (4) shall comply with all privacy and security laws governing Provider’s handling of Customer Data (“Privacy/Security Laws”) that are applicable both specifically to Provider and generally to data processors in the jurisdictions in which Provider does business and operates physical facilities.
(a) Statutory Special Terms. The parties recognize and agree that Attachment __ (____): (i) governs the following Customer Data: __________ [list the data governed by the privacy/security law in question]; and (ii) applies only to such Customer Data and not to any of the parties’ other rights or duties pursuant to this Agreement. If Provider receives a “right to know,” deletion, “right to be forgotten,” or similar request related to Customer Data, Provider may respond in accordance with applicable law. Nothing in this Agreement precludes Provider from asserting rights or defenses it may have under applicable law related to such requests.
(b) Additional Fees. Customer recognizes and agrees that Provider may charge additional fees (without limitation) (i) for activities (if any) required by Privacy/Security Laws and (ii) for activities Customer requests to help it comply with Privacy/Security Laws.
(c) Privacy Policy. Customer acknowledges Provider’s privacy policy at __________, and Customer recognizes and agrees that such privacy policy is not part of this Agreement and that nothing in this Agreement restricts Provider’s right to alter such privacy policy.
(d) De-Identified Data. Notwithstanding the provisions above of this Section __, Provider may use, reproduce, sell, publicize, or otherwise exploit De-Identified Data (as defined below) in any way, in its sole discretion, including without limitation aggregated with data from other customers. (“De-Identified Data” refers to Customer Data with the following removed: information that identifies or could reasonably be used to identify an individual person, a household, or Customer.)
(e) Erasure. Provider may permanently erase Customer Data if Customer’s account is delinquent, suspended, or terminated for 30 days or more, without limiting Provider’s other rights or remedies.
(f) Required Disclosure. Notwithstanding the provisions above of this Section __, Provider may disclose Customer Data as required by applicable law or by proper legal or governmental authority. Provider shall give Customer prompt notice of any such legal or governmental demand and reasonably cooperate with Customer in any effort to seek a protective order or otherwise to contest such required disclosure, at Customer’s expense.