Terms Related to U.S. Data Protection Laws

This U.S. Data Protection Laws Schedule (this “Schedule”) sets forth obligations pursuant to the California Consumer Privacy Act of 2018 (codified at Cal. Civ. Code § 1798.100 et seq.), as amended, and all regulations and judicial opinions issued related thereto (the “CCPA”) and any United States laws, rules, regulations, decrees, orders or other mandates applicable to the protection or Processing of Personal Information (each as defined below), including the CCPA and others solely as may be applicable to the Personal Information provided by Client under the Agreement (collectively, “U.S. Data Protection Laws” or “Data Protection Laws”).

To the extent Pension Benefit Information, LLC (“PBI”) is operating as a service provider, contractor, or processor as defined in applicable U.S. Data Protection Laws (in which case, PBI is a “Service Provider”) in connection with or through the services provided to Client by Service Provider (the “Services”), then the terms and conditions set forth in this Schedule shall be incorporated into the agreement(s) between Service Provider and Client for such Services (the “Agreement”).

  1. Certification of Compliance. The Parties agree to comply in all material respects with applicable Data Protection Laws.
  2. Exemptions. The Parties acknowledge that the Data Protection Laws contain relevant exemptions for certain data subject to the Fair Credit Reporting Act (FCRA), the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and the Driver’s Privacy Protection Act (DPPA). Additionally, the Parties acknowledge that the Data Protection Laws have relevant exemptions for publicly available information, data that is deidentified or aggregate consumer data, or data that is maintained in a manner that is not personal information or personal data under the Data Protection Laws, as applicable (“Personal Information”). For clarity, by way of example under the CCPA, Personal Information does not include, (a) lawfully obtained, truthful information that is a matter of public concern; (b) publicly available information, which is lawfully made available from federal, state and local government records; or (c) a business has reasonable basis to believe is lawfully made available to the general public by the consumer or from widely distributed media. The Parties acknowledge that, to the extent that PBI Processes or may Process data within these categories, such data is exempt from Data Protection Laws and the obligations thereunder. In addition to the foregoing, Personal Information is not required to be deleted if an exception applies pursuant to the applicable Data Protection Laws. For purposes of this Schedule, “Process” means any processing or other access to or operation or set of operations performed on Personal Information, and “Process,” “Processes,” and “Processed” shall have corresponding meanings.
  3. Restrictions. PBI is prohibited from retaining, using, or disclosing Personal Information provided to PBI by Client for any purpose other than for the specific purposes set forth in the Agreement, or as otherwise permitted by law, including retaining, using, or disclosing Personal Information provided to PBI by Client for a commercial purpose other than as specified in the Agreement.
  4. Consumer Requests. If and to the extent PBI has possession of Personal Information from Client, PBI will reasonably cooperate with Client by providing copies of or access to Personal Information in PBI’s possession necessary for Client to respond to consumers under Data Protection Laws. PBI shall notify Client within a reasonable amount of time if PBI receives a consumer request under a Data Protection Law related to an individual’s Personal Information (where PBI is able to verify such Personal Information is associated with Client). For clarity, PBI is a not a system of record for Client data. Client is responsible for its own compliance obligations related to consumer requests in accordance with applicable Data Protection Laws. PBI is entitled to rely upon and act in accordance with any instructions, guidelines, or information provided to PBI by Client related to the consumer requests and will incur no liability to Client in doing so.
  5. Deletion Requests from Client. When Client has received a verifiable consumer request to delete a consumer’s Personal Information and has directed PBI to do the same in its capacity as a Service Provider, PBI will delete that Personal Information, absent an exception. For clarity, PBI is a not a system of record for Client data.
  6. Miscellaneous. Terms used but not defined herein shall have the meaning set forth in the Agreement or the applicable Data Protection Laws. Nothing in this Schedule limits or restricts the Parties’ rights and obligations under the Agreement in relation to the protection of Personal Information or permits the processing of Personal Information in a manner which is prohibited by the Agreement. To the extent there is a conflict between this Schedule and the Agreement, this Schedule shall govern.

Last Updated: 1/10/2024