HITACHI DIGITAL SERVICES - CUSTOMER DATA PROTECTION ADDENDUM

This Customer Data Protection Addendum ("Addendum") supplements the Hitachi Digital Services ‘As a Service’ Terms and Conditions and/or Hitachi Digital Services Trial Services Agreement – Energy Data Insights (as it may apply), available at https://www.47lining.com/paas/docs/express-for-edi/express-for-edi-docs-audience@latest/express-for-edi-docs/commercial-terms/eula/ , as updated from time to time between You and Hitachi governing Your use of the Services (the “Master Agreement”) when applicable Data Protection Laws apply to Your use of the Services in regard of processing Personal Data. This Addendum is an agreement between You and the entity you represent (“Customer”, “you” or “your”) and the applicable Hitachi Digital Services entity contracting entity under the Master Agreement (“Hitachi”). Unless otherwise defined in this Addendum or the Master Agreement, all capitalized terms used in this Addendum will have the meanings given to them in this Section 1 of this Addendum.

Without prejudice to the terms of the Master Agreement, the Parties agree that the supply of Services that are the subject of the Master Agreement do not include or contemplate the processing of Personal Data on Your behalf by Hitachi. Notwithstanding the foregoing, if Hitachi is required to process Personal Data on Your behalf under the Master Agreement, the Parties will comply with this Addendum with respect to any such Processing of the Personal Data identified in Schedule 1 (“Data Processing Particulars”), attached hereto. Except as expressly modified by this Addendum, the terms of the Master Agreement remain in full force and effect.

DEFINITIONS

Unless expressly defined in this Addendum, all capitalized terms will have the same meaning as in the Master Agreement. In this Addendum, the following terms will have the following meanings:

Contract Model Clauses: meaning EU Standard Contractual Clauses approved by the EUROPEAN COMMISSION IMPLEMENTING DECISION (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.

Your Personal Data: Personal Data Processed by Hitachi or a Subprocessor on Your behalf pursuant to the Master Agreement.

Data Controller: the Party who determines the purposes and means of the Processing of Personal Data.

Data Protection Laws: the data protection laws and regulations in force in each jurisdiction where Your Personal Data is Processed by Hitachi, which may include, without limitation, applicable laws from beyond such jurisdiction, which in context apply to the relevant Processing of Your Personal Data.

Data Subject: an identified or identifiable natural person, or as the equivalent term is defined by applicable Data Protection Laws, and which is listed in Schedule 1 (“The Categories of Data Subjects”).

Personal Data: personal information about a Data Subject that You provide to Hitachi to Process or otherwise use under the Master Agreement.

Process(ed)/(ing): any operation or set of operations which is performed on Your Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment, combination, restriction, erasure or destruction.

Processor: Hitachi or a Subprocessor (as relevant).

Purpose: fulfillment of the Parties’ obligations in the Master Agreement.

Security Breach: any accidental or unauthorized access, destruction, disclosure, modification, or transfer of Personal Data.

Services: the work to be provided by or on behalf of Hitachi to You pursuant to the Master Agreement.

Subprocessor: any third party (which may include, without limitation, an affiliate of Hitachi) appointed by or on behalf of Hitachi to Process Your Personal Data on Your behalf for the Purpose.
TERM

The terms of this Addendum will remain in effect from the Effective Date until the sooner of: (i) termination of the Master Agreement; or (ii) the termination of this Addendum in accordance with its terms (the “Term”). Further, the terms of this Addendum will only apply to Personal Data for which Schedule 1 has been completed and during the period of Processing activities as required for each transaction made under the Master Agreement.
PROCESSING OF CUSTOMER PERSONAL DATA
1. Parties’ Roles. The Parties agree that with respect to Your Personal Data, You are the Data Controller, Hitachi is a Processor, and Hitachi may engage Subprocessors pursuant to Section 4 of this Addendum. You hereby instruct Hitachi (and authorize Hitachi to instruct each Subprocessor) to Process Your Personal Data and to transfer Your Personal Data to any country or territory as reasonably necessary for the provision of the Services.
2. Hitachi’s Obligations. To the extent Hitachi is a Processor (or equivalent local term) under applicable Data Protection Laws, Hitachi will:
  1. comply with Data Protection Laws to the extent applicable to Your Personal Data;
  2. Process Your Personal Data for the Purpose and in accordance with Your written instructions, which include the terms of the Master Agreement and this Addendum;
  3. comply with applicable and binding decisions of data protection authorities, arbitrators, or courts relating to the Processing of Your Personal Data;
  4. comply with Your reasonable and legally permissible instructions with respect to the Processing of Your Personal Data; and
  5. to the extent reasonable and permissible, provide You with notice where Hitachi is required to disclose Your Personal Data pursuant to applicable law.
  6. To the extent the California Consumer Privacy Act of 2018, codified at Cal. Civ. Code §1798.100 et seq. is applicable, Hitachi shall not: (i) Sell Personal Data; (ii) retain, use, or disclose Personal Data for any purpose, whether commercial or not, other than performing its obligations under the Master Agreement; or (iii) retain, use, or disclose Personal Data outside of the direct business relationship between Hitachi and You.
3. Your Obligations. You will:
  1. be, and always remain, the Data Controller for any Personal Data provided to Hitachi under the Master Agreement;
  2. comply with all of Your obligations under Data Protection Laws, including collection of valid consent where necessary;
  3. be responsible for any unauthorized access, acquisition, use, disclosure, modification or destruction to Personal Data caused by Your acts or omissions and those of Your affiliates, end users, or their respective personnel, agents or other representatives when using or receiving the Services. You will only use or provide Hitachi with Personal Data that You have the legal right to collect, process, use, and transfer, and only to the extent that is necessary or required for the Purpose; and
  4. ensure that the Processing of Your Personal Data pursuant to Your instructions and/or this Addendum will not cause Hitachi, its Affiliates or its Subprocessors to breach any applicable law. ```
SUBPROCESSORS
1. You authorize Hitachi to appoint Subprocessors as outlined in this Section 4.
2. Hitachi may continue to use those Subprocessors already engaged by Hitachi as of the Effective Date, subject in each case to Hitachi meeting the obligations set out in this Section 4 as soon as is reasonably practicable.
3. Hitachi will give You prior written notice of the appointment of any new Subprocessor, including all necessary details of the Processing to be undertaken by the Subprocessor. If, within seven (7) days of the date of that notice, You notify Hitachi in writing of any objections (on reasonable grounds) to the proposed appointment, Hitachi will not appoint (or disclose Your Personal Data to) that proposed Subprocessor until reasonable steps have been taken to address the objections raised by You. If the Parties cannot reach agreement on a new Subprocessor within thirty (30) days from the date of that notice Hitachi may, upon written notice to You, terminate the relevant Services without incurring any liability for so doing. In such event, You will pay Hitachi for the relevant Services performed, up to and including the effective date of termination, plus any early end-sum(s) that become due under the Master Agreement.
4. With respect to each new Subprocessor, before the Subprocessor first Processes Your Personal Data, Hitachi will:
  1. Require that the Subprocessor is capable of providing the level of protection for Your Personal Data required by the Data Protection Laws and this Addendum;
  2. Ensure that the arrangement is governed by a written contract including terms which offer at least the same level of protection for Your Personal Data as those set out in this Addendum and meet applicable requirements under Data Protection Laws.
5. Hitachi will execute contracts with its Subprocessors that are no less protective than the terms of this Addendum and in any event, Hitachi will be responsible to ensure that that each Subprocessor performs in compliance with the requirements set forth in this Addendum.
SECURITY

Taking into account the state of the art, costs of implementation, nature, scope, context and purposes of Processing, as well as the rights and freedoms of natural persons, Hitachi will, in relation to Your Personal Data, implement appropriate technical and organizational measures to ensure an appropriate level of security, including any measures required by Data Protection Laws.
DATA SUBJECT RIGHTS

Taking into account the nature of the Processing, should a data subject contacts Hitachi with regard to correction or deletion of its personal data, Hitachi will use commercially reasonable efforts to forward such requests to You.
SECURITY BREACH
1. Hitachi will promptly notify You upon Hitachi becoming aware of a Security Breach affecting Your Personal Data, and will provide You with sufficient information, to the extent known to Hitachi, to allow You to meet any obligations under Data Protection Laws to report or inform impacted individuals and/or any relevant data authority of the Security Breach.
2. Hitachi will provide reasonable cooperation to You and take commercially reasonable steps to assist in the investigation, mitigation and remediation of such Security Breach.
DELETION OR RETURN OF COMPANY PERSONAL DATA

Upon expiration of the Term, Hitachi will delete or destroy, and will instruct any Subprocessors to delete or destroy, Your Personal Data in accordance with the Master Agreement or, where agreed in advance with You, Hitachi will return Your Personal Data to You. Notwithstanding the foregoing, Hitachi will retain copies of Your Personal Data where required by relevant Data Protection laws and may also do so in accordance with its legally compliant internal data retention policies where permitted by relevant Data Protection Laws.
MAINTENANCE OF RECORDS

Hitachi will, during the Term and for not less than twelve (12) months thereafter, maintain complete and accurate records and information that Hitachi reasonably deems necessary to demonstrate its compliance with this Addendum and, upon at least 30 days’ advance written notice, will provide You with documentation in order to verify Hitachi’s compliance with its obligations under this Addendum. You will request and Hitachi will provide such documentation no more than once per year unless You reasonably suspect that Hitachi is in material breach of its obligations hereunder.
DATA TRANSFERS

If the Processing of Your Personal Data involves a data transfer across national borders, Hitachi will take measures to ensure such transfer is compliant with Data Protection Laws. Such measures may include entering into Contract Model Clauses where appropriate, and in such cases, Schedule 1 to this Addendum will serve as Annex 1 to the Contract Model Clauses.
LIABILITY

To the extent permitted under applicable law, Hitachi’s total liability under this Addendum for any and all claims arising hereunder will be subject to the limitations set forth in the Master Agreement.
GENERAL TERMS
1. Unless otherwise required by law, this Addendum will be governed and construed in accordance with the laws of the jurisdiction identified in the Master Agreement.
2. In the event of a conflict between the terms of this Addendum and any other terms agreed upon by the Parties with respect to the subject matter hereof, including the Master Agreement, the terms of this Addendum will prevail to the extent of the conflict.
3. Any amendment of this Addendum will only be valid and enforceable when made in writing and signed by authorized representatives of both Parties.
4. Should any provision of this Addendum be invalid or unenforceable under applicable law, then the remainder of this Addendum will remain valid and in full force and effect. The invalid or unenforceable provision will be either (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

IN WITNESS WHEREOF, this Addendum is entered into and becomes a binding part of the Master Agreement as of the Effective Date.

HITACHI			CUSTOMER
	By			By
	Name			Name
	Title			Title
	Date			Date

SCHEDULE 1 TO CUSTOMER DATA PROTECTION ADDENDUM

DATA PROCESSING PARTICULARS

The Subject Matter and Duration of the Processing

The subject matter and duration of the Processing are set out in the Master Agreement and this Addendum and as follows: [INSERT DESCRIPTION AND DURATION AS NEEDED].

The Nature and Purpose of the Processing

[INSERT DESCRIPTION]

Categories of Personal Data Processed