Common use of Personal Information; Data Protection Clause in Contracts

Personal Information; Data Protection. 18.4.1 Notwithstanding anything to the contrary in this Agreement, SUPPLIER shall, and shall cause its subcontractors and all Personnel to, no later than the Effective Date, establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of (i) FIRST TRANSIT INC. PII (as defined below) and any applicable laws, rules or regulations associates with PII; and (ii) FIRST TRANSIT INC. Confidential Information. Such program, the content and implementation of which must be fully documented in writing, shall contain administrative, technical, and physical safeguards appropriate to SUPPLIER’s size and complexity, the nature and scope of SUPPLIER’s activities, and the sensitivity of the personal information and confidential information received from or collected about FIRST TRANSIT INC., its employees, customers and contractors. 18.4.2 As used herein, “FIRST TRANSIT INC. PII” means the personally identifiable information of FIRST TRANSIT INC. and its employees, customers, contractors, vendors and other third parties, including personal data regulated under privacy or data protection laws and non-public personal information or sensitive personal information. Examples of FIRST TRANSIT INC. PII include without limitation: names, addresses, national ID numbers (e.g., social security numbers), telephone numbers, email addresses, human resources information and data, financial account numbers, credit card information, payment information, driver’s license and customer account data. 18.4.3 Any FIRST TRANSIT INC. PII collected or accessed by SUPPLIER in the performance of this Agreement shall be limited to that which is strictly necessary to perform its obligations hereunder or to fulfill any legal requirements. SUPPLIER must immediately notify FIRST TRANSIT INC. of any actual, suspected or alleged security breach that may result in the unauthorized use, access, disclosure, alteration or destruction of FIRST TRANSIT INC. PII. 18.4.4 Upon request from FIRST TRANSIT INC., SUPPLIER shall provide FIRST TRANSIT INC. with any or all FIRST TRANSIT INC. PII in SUPPLIER’s possession. Upon termination or expiration of this Agreement, SUPPLIER shall within ten (10) calendar days thereafter, at FIRST TRANSIT INC.’s sole discretion either (i) provide FIRST TRANSIT INC. with all documents and materials (including any and all copies) containing FIRST TRANSIT INC. PII, together with all other materials and property of FIRST TRANSIT INC., which are in its possession or under its control or (ii) destroy all such specified documents and materials (including any and all copies in any and all formats) and provide FIRST TRANSIT INC. with a certificate of destruction signed by an officer of SUPPLIER.

Personal Information; Data Protection. 18.4.1 Notwithstanding anything to the contrary in this Agreement, SUPPLIER shall, and shall cause its subcontractors and all Personnel to, no later than the Effective Date, establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of (i) FIRST TRANSIT INC. PII (as defined below) and any applicable laws, rules or regulations associates associated with PIIP11; and (ii) FIRST TRANSIT INC. Confidential Information. Such program, the content and implementation of which must be fully documented in writing, shall contain administrative, technical, and physical safeguards appropriate to SUPPLIER’s size and complexity, the nature and scope of SUPPLIER’s activities, and the sensitivity of the personal information and confidential information received from or collected about FIRST TRANSIT INC., its employees, customers and contractors. 18.4.2 As used herein, “FIRST TRANSIT INC. PII” means the personally identifiable information of FIRST TRANSIT INC. and its employees, customers, contractors, vendors and other third parties, including personal data regulated under privacy or data protection laws and non-public personal information or sensitive personal information. Examples of FIRST TRANSIT INC. PII include without limitation: names, addresses, national ID numbers (e.g., social security numbers), telephone numbers, email addresses, human resources information and data, financial account numbers, credit card information, payment information, driver’s license license, and customer account data. 18.4.3 Any FIRST TRANSIT INC. PII collected or accessed by SUPPLIER in the performance of this Agreement shall be limited to that which is strictly necessary to perform its obligations hereunder or to fulfill any legal requirements. SUPPLIER must immediately notify FIRST TRANSIT INC. of any actual, suspected or alleged security breach that may result in the unauthorized use, access, disclosure, alteration or destruction of FIRST TRANSIT INC. PII. 18.4.4 Upon request from FIRST TRANSIT INC., SUPPLIER shall provide FIRST TRANSIT INC. with any or all FIRST TRANSIT INC. PII in SUPPLIER’s possession. Upon termination or expiration of this Agreement, SUPPLIER shall within ten (10) calendar days thereafter, at FIRST TRANSIT INC.’s sole discretion either (i) provide FIRST TRANSIT INC. with all documents and materials (including any and all copies) containing FIRST TRANSIT INC. PII, together with all other materials and property of FIRST TRANSIT INC., which are in its possession or under its control or (ii) destroy all such specified documents and materials (including any and all copies in any and all formats) and provide FIRST TRANSIT INC. with a certificate of destruction signed by an officer of SUPPLIER.