Personal Data Protection

WHEREAS, Applicable Data Protection Law requires that Walmart and Contractors enter into a written agreement containing terms and conditions for Processing Walmart Personal Data;

WHEREAS, this Addendum sets out additional terms, requirements, and conditions on which the Contractor will Process Walmart Personal Data.

NOW, THEREFORE, in consideration of the mutual covenants and agreements hereinafter set forth and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the parties hereto agree as follows:

1. DEFINITIONS. The following definitions and rules of interpretation apply in this Addendum. Capitalized terms used and not defined in this Addendum have the respective meanings assigned to them in the Agreement.

   "Applicable Data Protection Law" means any applicable law(s) and/or regulations relating to Personal Data or collection, use, storage, disclosure, transfer, or other Processing of Personal Data of or by any government, or any authority, department, or agency thereof, or self-regulatory organization.

   "Contracted Business Purposes" means (a) short-term, transient use, provided that the Data Subject’s Personal Data is not disclosed to another third party (as defined in Applicable Data Protection Law if defined and otherwise having the ordinary meaning) and is not used to build a profile about the Data Subject or otherwise alter the Data Subject’s experience outside the current interaction; and (b) performing services on behalf of the Client, including providing analytic services, providing storage, or providing similar services on behalf of the Client.

"Personal Data" means, in addition to any definition provided for "personal data" or for any similar term (e.g., "personal information" or "personally identifiable information") by Applicable Data Protection Law, all Direct Identifiers as well as any data relating to an identified or reasonably identifiable individual, household, or a device. Personal Data does not include any De-identified Data.

"Process" means collecting, retaining, using, disclosing, retrieving, destroying, erasing, or otherwise processing Walmart Personal Data. The terms "Processed" and "Processing" have a correlative meaning.

"Sell" has the meaning of "sell," "sale of personal data," or similar term, as set forth in the Applicable Data Protection Law. The terms "Sale" and "Selling" have correlative meanings.

"Share" has the meaning of "share" set forth in the Applicable Data Protection Law, or if not defined, means the sharing of Personal Data for cross-contextual behavioral advertising or targeted marketing. The term "Sharing" has a correlative meaning.

"Usage Data" means Service usage data collected and processed by Walmart in connection with the provision of the Services, including without limitation data used to identify the source and destination of a communication, activity logs, and data used to optimize and maintain performance of the Services, and to investigate and prevent system abuse.

"Walmart Personal Data" means Personal Data that the Contractor Processes and that it receives from or on behalf of Walmart or that is otherwise made available to the Contractor by Walmart or Client.

2. CONTRACTOR’S REPRESENTATIONS, WARRANTIES, COVENANTS, AND ACKNOWLEDGEMENTS.

   2.1. Limited Disclosure; Processing Only for Contracted Business Purposes. Each party agrees and acknowledges that the other party is disclosing or making available certain Personal Data (in the case of Walmart, any Personal Data included in the Walmart Data, such as information about Walmart buyers; in the case of Contractor, solely Personal Data related to Authorized Users and their accounts) solely for the limited and specified Contracted Business Purposes for which a party provides or permits access to the other party for Personal Data or as otherwise permitted under Applicable Data Protection Law. Except for Usage Data, which is considered Walmart’s Personal Data and for which Walmart is and shall remain a Controller, each party is a Processor of the other party with respect to the Personal Data of the other party.

   2.2. Personal Data Obligations. Each party shall: (a) only Process such Personal Data for the Contracted Business Purposes or as otherwise expressly permitted under Applicable Data Protection Law; (b) Process the Personal Data of the other party in accordance with the requirements of Applicable Data Protection Law such that the party provides the same or greater level of protection for such Personal Data as required of the other party by Applicable Data Protection Law; (c) promptly comply with any request or instruction of a party requiring the other party to provide, modify, transfer, or delete the Personal Data of the other party (to the extent required under Applicable Data Protection Law and not subject to an applicable exception under Applicable Data Protection Law), or to stop, mitigate, or remedy any unauthorized Processing; (d) reasonably cooperate and assist the other party with meeting the other party’s compliance obligations under Applicable Data Protection Law and responding to inquiries related to either party’s compliance with Applicable Data Protection Law, including responding to verifiable consumer requests, taking into account the nature of the party’s Processing and the information available to the party; (e) limit the Processing of Personal Data of the other party to activities reasonably necessary and proportionate to achieve the Contracted Business Purposes or another compatible operational purpose, and not further Process such Personal Data in a manner incompatible with such purposes; (f) provide all notices including a privacy notice that are required by Applicable Data Protection Law in a manner and form that is compliant with all requirements of Applicable Data Protection Law; (g) notify the other party immediately if it receives any complaint, notice, or communication that directly or indirectly relates either party’s compliance with Applicable Data Protection Law, including, without limitation, any verifiable consumer request under Applicable Data Protection Law about an individual that is the subject of the other party’s Personal Data received by the party. Subject to the terms and conditions of this Addendum, the parties may use the Personal Data of the other party to retain a subcontractor, where the subcontractor meets the requirements under Applicable Data Protection Law.

   2.3. Prohibitions on use of Personal Data. Each party shall not: (a) Sell or Share the Personal Data or otherwise Process or make the Personal Data of the other party available for the party’s own commercial purposes or in a way that does not comply with Applicable Data Protection Law and this Addendum; (b) Process the Personal Data outside of the direct business relationship between the parties, unless otherwise expressly permitted by Applicable Data Protection Law; or (c) combine the Personal Data of the other party with other Personal Data it receives from, or on behalf of, a third party or that it collects from its own interaction with an individual who is the subject of the Personal Data except as otherwise permitted under Applicable Data Protection Law.

   2.4. Aggregate and De-Identified Personal Data. If Applicable Data Protection Law permits, the parties may aggregate, de-identify, or anonymize Personal Data, so it is no longer Personal Data, and may use such aggregated, de-identified, or anonymized data for its own research and development purposes. The parties will not attempt to or actually re-identify any previously aggregated, de-identified, or anonymized data and will contractually prohibit downstream data recipients from attempting to or actually re-identifying such data.

3. VERIFICATION OF CONTRACTOR’S COMPLIANCE. Upon Walmart’s written request, to confirm Contractor’s compliance with this Addendum and Applicable Data Protection Law, Contractor grants Walmart or, upon Walmart’s election, a third party on Walmart’s behalf, permission to perform an assessment, audit, examination, or review of all controls in Contractor’s physical and/or technical environment in relation to all Walmart Personal Data being Processed and/or services being provided to Walmart pursuant to this Addendum. Contractor shall fully cooperate with such assessment by providing access to knowledgeable personnel, physical premises, documentation, infrastructure, and application software that processes, stores, or transports Walmart Personal Data for Walmart pursuant to this Addendum. In addition, upon Walmart’s written request, Contractor shall provide Walmart with the results of any audit performed by or on behalf of Contractor that assesses the Contractor’s information security program or compliance with Applicable Data Protection Law as relevant to Contractor’s Processing of Walmart Personal Data.

4. COMPLIANCE WITH APPLICABLE DATA PROTECTION LAW. Contractor represents, warrants, and covenants that it is and shall remain in full compliance with all applicable requirements of Applicable Data Protection Law when Processing Walmart Personal Data. Contractor represents and warrants that it has no reason to believe any Applicable Data Protection Law requirements or restrictions prevent it from Processing Walmart Personal Data or otherwise performing in full compliance with this Addendum and Applicable Data Protection Law. If Contractor determines that Applicable Data Protection Law or other circumstance prevents the Contractor from fulfilling all or part of its obligations under this Addendum, Contractor shall notify Walmart and the parties shall suspend the Processing of Walmart Personal Data until that Processing complies with Applicable Data Protection Law and this Addendum. If the parties are unable to bring the Processing of Walmart Personal Data into compliance with Applicable Data Protection Law and this Addendum within a reasonable period, they may terminate the Agreement and this Addendum upon written notice to the other party.