Transition Services Agreement dated May 22, 2019
TRANSITION SERVICES AGREEMENT
by and between
V.F. CORPORATION
and
KONTOOR BRANDS, INC.
Dated as of May 22, 2019
TABLE OF CONTENTS
Section 1.01. Certain Definitions
Section 2.01. Services
Section 2.02. Standard for Service
Section 2.03. Consents
Section 2.04. Subcontracted Services
Section 2.05. Management of Services
Section 2.06. Ownership
Section 3.01. Service Charges
Section 3.02. Invoices
Section 3.03. Payment
Section 3.04. Invoice Disputes
Section 3.05. No Set-off Rights
Section 4.01. Title to Intellectual Property.
Section 5.01. Cooperation for Statutory and Tax Filings
TERM AND TERMINATION
Section 6.01. Transition Period
Section 6.02. Termination.
LIMITATION OF LIABILITY; INDEMNITY
Section 7.01. Limitation of Liability
Section 7.02. Indemnification
Section 7.03. Obligation to Correct
Section 7.04. Exclusive Remedy
Section 8.01. Access to Records and Properties
Section 8.02. Systems
Section 8.03. Cyber Events
Section 9.01. Notice
Section 9.02. Force Majeure
Section 9.03. Confidentiality
Section 9.04. No Partnership, Joint-Venture Or Agency Created.
Section 9.05. Successors and Assigns
Section 9.06. Counterparts; Effectiveness
Section 9.07. Interpretation; Incorporation of Terms by Reference
Section 9.08. Governing Law
Section 9.09. Jurisdictions
Section 9.10. WAIVER OF JURY TRIAL
Section 9.11. Specific Performance
Section 9.12. Performance
Section 9.13. Amendments; No Waivers
TRANSITION SERVICES AGREEMENT
TRANSITION SERVICES AGREEMENT dated as of May 22, 2019 (as the same may be amended from time to time in accordance with its terms and together with the schedules and exhibits hereto, this "Agreement"), by and between V.F. Corporation, a Pennsylvania corporation ("VF"), and Kontoor Brands, Inc., a North Carolina corporation ("Kontoor Brands").
R E C I T A L S
WHEREAS, on or about the date hereof the parties hereto have entered into that certain Separation and Distribution Agreement (as amended, modified or supplemented from time to time, the "Separation and Distribution Agreement"), pursuant to which VF has agreed to distribute the Jeanswear Business to the holders of the VF Common Stock as of the Record Date;
WHEREAS, pursuant to the Separation and Distribution Agreement and in connection with the transactions contemplated thereby, VF and Kontoor Brands have agreed to enter into this Agreement in order to provide for the provision both (i) from VF and the VF Group to Kontoor Brands and the Kontoor Brands Group and (ii) from Kontoor Brands and the Kontoor Brands Group to VF and the VF Group of certain transitional services in order to facilitate the orderly transition of the Jeanswear Business from VF and the members of the VF Group to Kontoor Brands and the members of the Kontoor Brands Group, upon the terms and subject to the conditions hereinafter set forth; and
WHEREAS, the party, or applicable member of its Group, providing an applicable Service (as defined below) hereunder, as set forth in the Services Schedules (as defined below) is referred to as "Provider" and the party, or an applicable member of its Group, receiving an applicable Service hereunder, as set forth in the Services Schedules, is referred to as "Recipient".
NOW, THEREFORE, in consideration of the foregoing recitals and the mutual covenants, conditions, and agreements hereinafter expressed, the parties hereto agree as follows:
Section 1.01. Certain Definitions. (a) The following terms, as used herein, have the following meanings; provided that capitalized terms used but not otherwise defined in this Section 1.01 shall have the respective meanings ascribed to such terms in the Separation and Distribution Agreement:
"Accounting Referee" means a nationally recognized independent accounting firm that is jointly retained by the parties.
"Cyber Event" means any actual unauthorized, accidental or unlawful access, use, exfiltration, theft, disablement, destruction, loss, alteration, disclosure, transmission of any Systems or any information or data (including any personally identifiable information) stored therein or transmitted thereby.
"Damages" means all liabilities, costs, damages, losses, claims, demands, charges, suits, penalties, Taxes and expense (including reasonable attorneys' and other professionals' fees and disbursements) and whether or not pursuant to a Third Party Claim.
"Incident Response Management Services" means the Services as described under the heading "Information Security - Incident Response Management" in the Services Schedules.
"Prime Rate" shall mean the prime rate published in the eastern edition of The Wall Street Journal or a comparable newspaper if The Wall Street Journal shall cease publishing the prime rate.
"Services" shall mean the services set forth on the Services Schedules to be provided, or caused to be provided, by Provider to Recipient pursuant to this Agreement.
(b) Each of the following terms is defined in the Section set forth opposite such term:
Force Majeure Event
Other Service Implications
Separation and Distribution Agreement
Section 2.01. Services. During the Transition Period (as defined below) (or, with respect to a particular Service, such shorter period as may be specified in the Services Schedules with respect to any such Service), VF shall provide (or cause to be provided by an Affiliate or a Subcontractor in accordance with Section 2.04) to Kontoor Brands or the applicable member of its Group the services described on Schedule A-1 attached hereto and Kontoor Brands shall provide (or cause to be provided by an Affiliate or a Subcontractor in accordance with Section 2.04) to VF or the applicable member of its Group the services described on Schedule A-2 attached hereto (together with Schedule A-1, the Services Schedules). The Services (or any portion thereof) shall be provided for the period of time specified in the Services Schedules; provided that, unless otherwise specified in the Service Schedules, the term of any or all the Services (or any portion thereof) may be earlier terminated by Recipient by providing thirty (30) days prior written notice to Provider (Termination Notice); provided further that if it is technically infeasible or commercially impracticable to terminate one Service without terminating one or more other Services, Recipient shall be required to concurrently terminate all such Services for which separate termination would be technically infeasible or commercially impractical. Following receipt of a Termination Notice, Provider will provide Recipient with written notice (Provider Notice) that termination of any applicable Service will require the termination or partial termination of, or otherwise affect the performance of any other Services as a result of the technical infeasibility or commercially impracticality to terminate only the Service requested to be terminated (Other Service Implications), which notice shall set forth a reasonably detailed overview of any Other Service Implications. 
Recipient may withdraw its Termination Notice by delivering a withdrawal notice within five (5) Business Days following the receipt of such Provider Notice from Provider. If Recipient does not withdraw the Termination Notice within such period, such Termination Notice will be final and irrevocable (including as to any Other Service Implications) and Recipient shall no longer be entitled to receive the Service from Provider. Upon the effective date of termination of any Service pursuant to this Section 2.01, (i) the Provider of the terminated Service will have no further obligation to provide the terminated Service and (ii) the relevant Recipient will have no obligation to pay any future Service Charges relating to any such Service other than (A) the applicable portion of the Service Charge for the remainder of the calendar month in which such termination is effective, (B) Service Charges and any other fees, costs and expenses owed and payable in accordance with the terms of this Agreement in respect of Services provided prior to the effective date of termination and (C) any third party costs and expenses incurred by the Provider or any of its Affiliates in respect of such Services between the time of such termination and the time the provision of such Service would have terminated absent such early termination to the extent Provider cannot avoid the incurrence of such costs or expenses using commercially reasonable efforts, which in each case shall be, from time to time, invoiced and paid as provided in Article III. Upon the effective date of termination of any Service pursuant to this Section 2.01, the relevant Provider shall reduce for the next monthly billing period the amount of the Service Charge for the category of Services in which the terminated Service was included (such reduction to reflect the elimination of all costs incurred in connection with the terminated Service to the extent the same are not required to provide other Services to Recipient), and, upon request of Recipient, Provider shall provide Recipient with documentation and/or information regarding the calculation of the amount of the reduction. In connection with termination of any Service, the provisions of this Agreement not relating solely to such terminated Service shall survive any such termination.
Upon thirty (30) days advance written notice prior to the expiration of any Service, Recipient may request an extension of such Service by submitting to the relevant Provider an extension request in the form attached hereto as Schedule B. Any such extension shall be effective only by the mutual written agreement of Provider and Recipient to the terms applicable to such Service during any such extension period. For the avoidance of doubt, (x) Provider is not obligated to extend any Service and Services shall only be extended on terms mutually agreed to by Provider and Recipient and (y) in no event shall any extension provide for an extension of any Service for a period that would exceed, in the aggregate, twenty-four (24) months from the Distribution Date.
Section 2.02. Standard for Service. (a) Except as otherwise provided in this Agreement or the Services Schedules, Provider agrees to use its commercially reasonable efforts to perform each Service such that the nature, quality, standard of care, skill, level of priority and the service level at which such Service is performed is not materially less than the nature, quality, standard of care, level of priority and service level at which substantially the same service was provided to the Recipient and the members of its Group, as applicable, during the twelve (12) month period immediately prior to the date hereof (or, if not so previously provided, then substantially the same as that applicable to similar services provided by Provider).
(b) It is understood and agreed that Provider may from time to time modify, change or enhance the manner, nature, quality and/or standard of care of any Service provided to Recipient or the members of its Group to the extent Provider is making a similar change in the performance of services similar to such Services for Provider or the members of its Group or to the extent that such change is in connection with the relocation of Provider's employees; provided that any such modification, change or enhancement will not reasonably be expected to have a material adverse effect on the provision of such Service in accordance with the standards set forth in Section 2.02(a).
(c) The Services shall only be made available by the applicable Provider for, and the applicable Recipient shall only be entitled to utilize the Services for, the benefit of the operation of its respective Business.
Section 2.03. Consents. The parties hereto shall cooperate and use commercially reasonable efforts to obtain any consents, permits or licenses from any third party that may be required in connection with the provision of the Services hereunder; provided that (i) Provider shall not be required to provide any Service hereunder to the extent the provision of such Service is prevented by the failure, after the exercise of commercially reasonable efforts, to obtain any such consent, permit or license and (ii) Provider shall not be required to pay any such third party any amounts to obtain any such consents, permits or licenses.
Section 2.04. Subcontracted Services. Provider may, directly or through one or more Affiliates, hire or engage one or more subcontractors or other third parties (each, a "Subcontractor"), or cause one or more of its Affiliates, to perform any or all of Provider's obligations to provide Services under this Agreement; provided, that Provider shall remain ultimately responsible for ensuring that the obligations set forth in this Agreement are satisfied with respect to any Service provided by any Subcontractor or Affiliate.
Section 2.05. Management of Services. Management of, and control over, the provision of the Services provided hereunder (including the determination or designation at any time of the equipment, employees and other resources of Provider, its Affiliates or any Subcontractor engaged in accordance with Section 2.04 to be used in connection with the provision of such Services as set forth herein) shall reside solely with Provider; provided that (i) the Services shall, at all times, be provided in accordance with the standards and requirements set forth herein and in the Services Schedules, and (ii) the Services shall, at all times, be administered by the parties, the members of each of their respective Groups and each of their respective employees, officers, directors and agents in accordance with the governance model set forth on Schedule C (the Governance Model). Without limiting the generality of the foregoing, except as provided in the Services Schedules or the Governance Model, all labor matters relating to any employees of Provider, its Affiliates and any Subcontractor shall be within the exclusive control of such entity, and Recipient shall not have any rights with respect to such matters. Except as provided in the Services Schedules or Section 3.01, Provider shall be solely responsible for the payment of all salary and benefits and all applicable Taxes and premiums and remittances with respect to employees of Provider used to provide any Services hereunder. Except as expressly provided in the Services Schedules, Provider shall be an independent contractor in connection with the performance of Services hereunder for any and all purposes (including federal or state tax purposes), and the Persons performing Services in connection herewith shall not be deemed to be employees or agents of Recipient.
Section 2.06. Ownership. All procedures, methods, systems, strategies, tools, equipment, facilities and other resources owned by Provider, its Affiliates, or any Subcontractor and used by them in connection with the provision of Services (for the avoidance of doubt, excluding any such items being the property of Recipient that are provided by Recipient to Provider to facilitate Provider's provision of the Services to Recipient) hereunder shall remain the property of Provider, its Affiliates or such Subcontractor and shall at all times be under the sole direction and control of Provider, its Affiliates or such Subcontractor.
Section 2.07. Local Agreements. With respect to Services delivered in a particular country and to the extent required by applicable Law or local practice, the parties may cause the members of their respective Groups providing such Service to enter into one or more local services agreements for the purpose of implementing this Agreement in that country or with respect to any particular Service to be performed in such country; provided that to the extent that there shall be a conflict between the provisions of this Agreement and the provisions of any such agreement, this Agreement shall control with respect to all matters.
Section 3.01. Service Charges. Recipient shall pay to Provider in respect of such Services the fee that is set forth on the Services Schedule for such Services (or category of Services, as applicable) (each such fee constituting a Service Charge). During the term of this Agreement, the amount of a Service Charge for any Service (or category of Services, as applicable) shall not increase, except (i) to the extent such costs and amounts increase for other business units of Provider using the same service at the same location, (ii) changes in actual compensation and benefits costs or (iii) as reasonably required by VF in order to preserve the Intended Tax Treatment (as defined in the Tax Matters Agreement) of the Distribution in accordance with Applicable Law. For the avoidance of doubt, out-of-pocket costs paid to any third party provider that is providing goods or services used by Provider in providing the Services (e.g., license costs for software) and any Taxes (including any value added, excise, sales, use and similar Taxes) imposed under Applicable Law on or on account of the provision of Services (but not on any income of Provider received in connection with the provision of such Services) will be an incremental cost to Recipient in addition to the Service Charges and will be charged to Recipient at the actual third party cost or amount of Taxes so imposed.
Section 3.02. Invoices. In accordance with the Services Schedules, Provider shall deliver invoices to Recipient in the local, functional currency of such Provider and Recipient on a monthly basis on the 15th day of each month with respect to Services provided in the previous month; provided that no invoices shall be delivered pursuant to this Section 3.02 in respect of the period between Distribution Date and the end of the calendar month in which the Distribution Date occurs (the Stub Month), and any amounts to be invoiced by an applicable Provider in respect of the Stub Month shall be included in the invoice to be delivered by such Provider in respect of Services provided in the full calendar month immediately following the Distribution Date. Each invoice shall set forth a description of the Services to which it relates and reference to the applicable section of the Services Schedules.
Section 3.03. Payment. Subject to Section 3.04, Recipient shall pay the amount of an invoice by wire transfer to Provider within thirty (30) days of the date of receipt of such invoice (the Payment Date) to the account specified by Provider; provided that in the event for any applicable invoicing period, multiple payments in the same currency are required to be paid or received pursuant to this Section 3.03 between a member of the VF Group (whether as Provider or Recipient), on the one hand, and a member of the Kontoor Brands Group (whether as Provider or Recipient), on the other hand, then for purposes of making such payments pursuant to this Section 3.03, such amounts shall be netted and one payment between such parties will be made on a net basis. If the Recipient fails to pay the undisputed portion of any amount payable (including pursuant to Section 3.04) by the applicable Payment Date, the Provider may require the Recipient to pay to the Provider, in addition to the amount due, interest at an interest rate of the Prime Rate, compounded monthly, accruing from the applicable Payment Date through and including the date of actual payment.
Section 3.04. Invoice Disputes. If Recipient delivers written notice of a good faith dispute of any invoiced amount provided on an invoice within fifteen (15) days of receipt thereof (the Invoice Objection), Recipient and Provider shall attempt in good faith to resolve such dispute within thirty (30) days after the delivery of such Invoice Objection. If Recipient and Provider are able to resolve such dispute within such thirty (30) day period, the Payment Date for the amount Recipient and Provider agreed shall be ten (10) days after such resolution. If Recipient and Provider are unable to resolve all such disputes within such thirty (30) day period, the matters remaining in dispute shall be submitted to the Accounting Referee to resolve any remaining disputed items as soon as practicable, but in no event later than sixty (60) days after its retention. The resolution of disputed items by the Accounting Referee shall be final and binding. The cost of such Accounting Referees review and report shall be borne by Provider and Recipient in inverse proportion as they may prevail on the matters resolved by the Accounting Referee, which proportionate allocation shall be calculated on an aggregate basis based on the relevant dollar values of the amounts in dispute and shall be determined by the Accounting Referee at the time the determination of such Accounting Referee is rendered on the merits of the matters submitted. The Payment Date for any amounts the Accounting Referee determines are owed shall be ten (10) days after the Accounting Referee renders its decision.
Section 3.05. No Set-off Rights. Subject to the foregoing Recipient shall pay the full amount of the Service Charges and shall not set-off, counterclaim or otherwise withhold any amount owed to Provider under this Agreement on account of any obligation owed by Provider to Recipient.
Section 4.01. Title to Intellectual Property.
(a) This Agreement and the performance of the Services hereunder will not affect or result in the transfer of any rights, title and interest in or to, or the ownership of, any Intellectual Property of Provider or any other member of its Group and neither party will gain, by virtue of this Agreement or the provision of Services hereunder, by implication or otherwise, any rights, title, interest, license or ownership in, to or under any Intellectual Property owned by the other party or any other member of such other party's Group. For the avoidance of doubt, to the extent Provider uses any Intellectual Property in connection with providing a Service hereunder, such Intellectual Property, and any derivative works or modifications thereof or improvements thereto (collectively, "Improvements"), shall remain, as between the parties, the sole and exclusive property of Provider. To the extent ownership of any such Intellectual Property and Improvements does not vest in Provider, Recipient hereby assigns to Provider all of its right, title and interest in and to such Intellectual Property and Improvements.
Section 5.01. Cooperation for Statutory and Tax Filings. Recipient undertakes and agrees to cooperate in accordance with the standard for Services described in Section 2.02 to enable Provider to complete in a timely manner any and all statutory and Tax filings required to be filed by Provider that include any information related to their respective Business, as applicable. Recipient will provide and, as applicable, cause its employees and its Affiliates and their employees to provide, all such reasonable cooperation to Provider, the members of its Group and their respective representatives with respect to such filings as is reasonably requested including preparing or causing to be prepared (to the extent consistent with past practices) and furnishing or causing to be furnished records, information, work papers, reports and other documents as requested by Provider, its Affiliates or their respective representatives and causing Transferred Employees who possess relevant knowledge to make themselves available for consultation with respect to the foregoing; provided, that notwithstanding anything to the contrary in this Section 5.01, Recipient will only be obligated to cause any Person to cooperate with Provider pursuant to this Section 5.01 if and for so long as Recipient is capable of directing the actions of such Person. This Section 5.01 shall not be construed to require VF or any member of its Group to make available any Tax Return (as defined in the Tax Matters Agreement) to Kontoor Brands or any member of its Group unless the provision of such Tax Return is expressly contemplated by the Tax Matters Agreement.
TERM AND TERMINATION
Section 6.01. Transition Period. The term of this Agreement (the Transition Period) shall commence on the date hereof and continue with respect to each of the Services for the term set forth on the Services Schedule, unless earlier terminated pursuant to this Article VI or, with respect to any given Service or Services, pursuant to Section 2.01.
Section 6.02. Termination.
(a) Notwithstanding Section 6.01, each party reserves the right to immediately terminate this Agreement by written notice to the other in the event that:
(i) the other party breaches or is in default of any material obligation under this Agreement and such breach or default remains uncured for thirty (30) days after receipt of written notice from the non-breaching party;
(ii) the other party shall (A) apply for or consent to the appointment of a receiver, trustee or liquidator, (B) admit in writing a general inability to pay debts as they mature, (C) make a general assignment for the benefit of creditors, or (D) file a voluntary petition or have filed against it a petition (which is not dismissed within sixty (60) days) for an order of relief under the federal bankruptcy code, as the same may be amended, so as to take advantage of any insolvency laws or to file an answer admitting the general obligations of an insolvency petition; or
(iii) the other party shall have been prevented from exercising normal managerial control over all or any substantial part of its property by reason of the entry of any order, judgment or decree by any court or governmental agency of competent jurisdiction approving a petition seeking the reorganization of such party, or appointment of a receiver, trustee, liquidator or the like of such party or a substantial part of its assets.
(b) This Agreement may be terminated upon the mutual written consent of the parties hereto.
(c) Upon the effective date of termination of this Agreement pursuant to this Article VI, neither party will have any further obligations to provide Services or pay any future Service Charges relating to any Services; provided that Recipient shall remain obligated to the relevant Provider for the Service Charges and any other fees, costs and expenses owed and payable in accordance with the terms of this Agreement in respect of Services provided prior to the effective date of termination.
(d) Except as provided for in Section 2.01, any termination of this Agreement with respect to any one or more Services pursuant to Section 2.01 shall not terminate this Agreement with respect to any other Service then being provided pursuant to this Agreement.
(e) Survival. The parties hereby acknowledge and agree that the obligations of each party set forth in Section 2.01, Section 2.06, Section 5.01, Section 6.02(c), Section 6.02(e), Article VII and Article IX hereof shall survive any termination of this Agreement.
LIMITATION OF LIABILITY; INDEMNITY
Section 7.01. Limitation of Liability. (a) Provider may rely conclusively on, and will have no liability to Recipient for acting pursuant to and in accordance with, any notice or request which Recipient or those acting on its behalf provides to Provider in connection with the performance of the Services.
(b) NOTWITHSTANDING ANYTHING TO THE CONTRARY IN THIS AGREEMENT, NO PARTY HERETO SHALL BE LIABLE FOR (I) ANY SPECIAL, INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, INDIRECT OR OTHER SIMILAR DAMAGES OR DAMAGES FOR LOST PROFITS OR DIMINUTION IN VALUE) EXCEPT TO THE EXTENT THAT THE OTHER PARTY IS REQUIRED TO PAY ANY SUCH AMOUNTS TO A THIRD PARTY, IN EACH CASE ARISING FROM ANY CLAIM RELATING TO THIS AGREEMENT OR ANY OF THE SERVICES PROVIDED HEREUNDER (INCLUDING DELIVERABLES ASSOCIATED THEREWITH), INCLUDING PERFORMANCE OR FAILURE TO PERFORM UNDER THIS AGREEMENT, OR (II) THE FURNISHING, PERFORMANCE, OR USE OF ANY GOODS OR SERVICES SOLD OR PERFORMED PURSUANT HERETO, WHETHER BASED UPON AN ACTION OR CLAIM IN CONTRACT, TORT (INCLUDING NEGLIGENCE OR STRICT LIABILITY), BREACH OF WARRANTY, OR OTHERWISE, IN EACH CASE, EXCEPT IN THE CASE OF GROSS NEGLIGENCE OR INTENTIONAL MISCONDUCT OF SUCH PARTY. FURTHER, THE LIABILITY OF PROVIDER TO RECIPIENT FOR ANY LOSS OR DAMAGE ARISING IN CONNECTION WITH PROVIDING THE SERVICES HEREUNDER SHALL NOT EXCEED THE TOTAL AMOUNT BILLED OR BILLABLE TO RECIPIENT UNDER THIS AGREEMENT FOR THE SERVICE THAT IS THE SUBJECT OF THE DISPUTE.
(c) EACH PARTY ACKNOWLEDGES AND AGREES THAT, EXCEPT AS OTHERWISE PROVIDED IN THIS AGREEMENT, ALL SERVICES ARE PROVIDED ON AN AS IS, WHERE IS BASIS AND WITH ALL FAULTS AND THAT PROVIDER MAKES NO REPRESENTATIONS OR WARRANTIES, WHETHER EXPRESS, IMPLIED OR STATUTORY, WITH RESPECT TO THE SERVICES TO BE PROVIDED HEREUNDER, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT WHICH ARE SPECIFICALLY DISCLAIMED.
Section 7.02. Indemnification. (a) Except to the extent otherwise provided in this Agreement, Recipient shall indemnify, defend and hold harmless Provider and its Affiliates and all of their respective directors, officers, employees, agents, successors and assigns against, any Damages which any such Person may sustain or incur arising out of, related to or resulting from the performance of the Services by Provider or any of the members of its Group, including by reason of any claim, demand, suit or recovery by any third party, except to the extent such Damages arise out of or result from Provider's or any of its Affiliates' or Subcontractors' gross negligence or intentional misconduct.
(b) Except to the extent otherwise provided in this Agreement, Provider shall indemnify, defend and hold harmless Recipient and its Affiliates and all of their respective directors, officers, employees, agents, successors and assigns against, any Damages which any such Person may sustain or incur arising out of, related to or resulting from Provider's or any of its Affiliates' or Subcontractors' provision of any Services to Recipient or any of the members of its Group, including by reason of any claim, demand, suit or recovery by any third party, solely to the extent such Damages are caused by the gross negligence or intentional misconduct of Provider or its Affiliates or Subcontractors.
(c) Section 5.04 of the Separation and Distribution Agreement is hereby incorporated into this Agreement by this reference, mutatis mutandis, in relation to claims of indemnification made by Provider under Section 7.02(a) hereof.
Section 7.03. Obligation to Correct. In the event of any breach of this Agreement by Provider with respect to any material error or defect in the provision of any individual Service, Provider shall, at Recipient's request, correct such error or defect or re-perform such Service in a timely manner as promptly as practical after Recipient's request at the expense of Provider.
Section 7.04. Exclusive Remedy. The provisions of this Article VII shall be the sole and exclusive remedies of the Provider, Recipient or any of their Affiliates and all of their respective directors, officers, employees, agents, successors and assigns, as applicable, for any Damages, whether arising from statute, principle of strict liability, tort, contract or any other theory of liability at law or in equity under this Agreement.
ACCESS AND DATA PROTECTION
Section 8.01. Access to Records and Properties. Recipient shall, during normal business hours and with reasonable prior notice, in such a manner as to not interfere unreasonably with the conduct of the Kontoor Brands Business or the VF Business, as applicable, provide Provider (a) with access to or copies of information (including, if necessary, its books and records) and (b) physical access to computer and communications systems, servers, software and other information technology equipment ("Systems") in order to maintain or service such system servers, software and equipment, in each case solely for the purposes of Provider's provision of the Services and solely to the extent necessary for Provider to provide the Services.
Section 8.02. Systems. The parties will reasonably cooperate to ensure that only those persons who are specifically authorized to have access to the Systems of Provider, Recipient or any of the members of their respective Group gain such access, and such persons shall access such Systems only for the limited purpose of supporting the provision of the Services and shall abide by any and all access policies, procedures, rules and restrictions applicable to such Systems, including with respect to data security and applicable security, privacy and antitrust laws, that are provided to such person in advance of such access or from time to time thereafter. The parties will take all reasonable steps to prevent the unauthorized or unlawful access, use, damage, disablement, destruction, alteration, disruption, impairment or loss of such Systems and any information contained therein.
The parties acknowledge and agree that certain data protection matters resulting from the processing of personal data relating to performance of the Services shall be addressed and governed by a Data Processing Agreement, substantially in the form attached as Exhibit A hereto, to be entered into by the parties, in accordance with applicable privacy laws.
Section 8.03. Cyber Events. In the event that either party (or any member of its Group) becomes aware of an actual or suspected Cyber Event of any of the Systems used by or on behalf of either party (or any member of either party's Group) that is reasonably likely to relate to or otherwise affect any Service (including any data processing activities provided as part of any Service), then (a) such party shall immediately notify the other party, (b) to the extent that VF or any member of its Group is providing Incident Response Management Services to the Kontoor Brands Group, VF shall, as promptly as practicable, initiate the response to such Cyber Event in accordance with its applicable incident response policies and procedures and the applicable Services Schedule, and (c) to the extent that VF and the other members of its Group are no longer providing Incident Response Management Services to the Kontoor Brands Group, the representatives of each party shall, as promptly as practicable, meet, confer (including by sharing all relevant information relating to such Cyber Event) and determine which party shall lead the response to such Cyber Event (such party, the Responding Party), which response shall be carried out in accordance with the Responding Party's applicable incident response policies and procedures. The parties acknowledge and agree that, in the event of any such Cyber Event, time shall be of the essence, and accordingly, in the case of the foregoing clause (c), the determination of the Responding Party shall be made by VF in its sole discretion (after considering in good faith any comments from Kontoor Brands with respect thereto).
Section 9.01. Notice. Except with respect to routine communications in accordance with the terms of the Governance Model, any notice, instruction, direction or demand under the terms of this Agreement required to be in writing shall be duly given upon delivery, if delivered by hand, facsimile transmission, mail, or e-mail transmission to the following addresses:
If to VF to:
105 Corporate Center Blvd.
Greensboro, North Carolina 27408
Attn: General Counsel's Office
with a copy to:
Davis Polk & Wardwell LLP
450 Lexington Avenue
New York, New York 10017
Attn: Marc O. Williams
If to Kontoor Brands to:
Kontoor Brands, Inc.
400 N. Elm Street,
Greensboro, North Carolina 27401
Attn: General Counsel's Office
with a copy to:
Davis Polk & Wardwell LLP
450 Lexington Avenue
New York, New York 10017
Attn: Marc O. Williams
or such other address or facsimile number as such party may hereafter specify for the purpose by notice to the other party hereto. All such notices, requests and other communications shall be deemed received on the date of receipt by the recipient thereof if received prior to 5:00 p.m. in the place of receipt and such day is a Business Day in the place of receipt. Otherwise, any such notice, request or communication shall be deemed not to have been received until the next succeeding Business Day in the place of receipt.
Section 9.02. Force Majeure. Provider shall not (and no Person acting on Provider's behalf shall) be responsible for a delay in or non-performance with respect to the delivery of any Service if the performance of such Service becomes impossible or impracticable, including, as a result of an act of god or public enemy, war, terrorism, government acts or regulations, fire, flood, embargo, quarantine, epidemic, unusually severe weather or other cause similar to the foregoing (a Force Majeure Event); provided, however, that Provider notifies the Recipient as soon as reasonably practicable, in writing, upon learning of the occurrence of the Force Majeure Event. Subject to compliance with this Section 9.02, Provider's obligations hereunder with respect to such Service shall be postponed for such time as its performance is suspended or delayed on account of the Force Majeure Event, and upon the cessation of the Force Majeure Event, Provider will use its commercially reasonable efforts to resume its performance hereunder.
Section 9.03. Confidentiality. Each party acknowledges that it or a member of its Group may have in its possession, and, in connection with this Agreement, may receive, Confidential Information of the other party or any member of its Group (including information in the possession of such other party relating to its clients or customers). Each party shall hold and shall cause its Representatives and the members of its Group and their Representatives to hold in strict confidence and not to use, except as permitted by this Agreement all such Confidential Information concerning the other Group unless (a) such party or any of the members of its Group or its or their Representatives is compelled to disclose such Confidential Information by judicial or administrative process or by other requirements of Applicable Law or (b) such Confidential Information can be shown to have been (i) in the public domain through no fault of such party or any of the members of its Group or its or their Representatives, (ii) lawfully acquired after the Distribution Date on a non-confidential basis from other sources not known by such party to be under any legal obligation to keep such information confidential or (iii) developed by such party or any of the members of its Group or its or their Representatives without the use of any Confidential Information of the other Group. Notwithstanding the foregoing, such party or member of its Group or its or their Representatives may disclose such Confidential Information to the members of its Group and its or their Representatives so long as such Persons are informed by such party of the confidential nature of such Confidential Information and are directed by such party to treat such information confidentially. 
The obligation of each party and the members of its Group and its and their Representatives to hold any such Confidential Information in confidence shall be satisfied if they exercise the same level of care with respect to such Confidential Information as they would with respect to their own proprietary information. If such party or any of a member of its Group or any of its or their Representatives becomes legally compelled to disclose any documents or information subject to this Section 9.03, such party will promptly notify the other party and, upon request, use commercially reasonable efforts to cooperate with the other party's efforts to seek a protective order or other remedy. If no such protective order or other remedy is obtained or if the other party waives in writing such party's compliance with this Section 9.03, such party or the member of its Group or its or their Representatives may furnish only that portion of the information which it concludes, after consultation with counsel, is legally required to be disclosed and will exercise its commercially reasonable efforts to obtain reliable assurance that confidential treatment will be accorded such information. Each party agrees to be responsible for any breach of this Section 9.03 by it, the members of its Group and its and their Representatives.
Section 9.04. No Partnership, Joint-Venture Or Agency Created. The relationship of Provider and Recipient shall be that of independent contractors only. Nothing in this Agreement shall be construed as making one party a partner, joint-venturer, agent or legal representative of the other or otherwise as having the power or authority to bind the other in any manner.
Section 9.05. Successors and Assigns. The provisions of this Agreement shall be binding upon and inure to the benefit of the parties hereto and their respective successors and permitted assigns; provided that neither party may assign, delegate or otherwise transfer any of its rights or obligations under this Agreement without the consent of the other party hereto. If any party or any of its successors or permitted assigns (i) shall consolidate with or merge into any other Person and shall not be the continuing or surviving corporation or entity of such consolidation or merger or (ii) shall transfer all or substantially all of its properties and assets to any Person, then, and in each such case, proper provisions shall be made so that the successors and assigns of such party shall assume all of the obligations of such party under this Agreement.
Section 9.06. Counterparts; Effectiveness. This Agreement may be signed in any number of counterparts, each of which shall be an original, with the same effect as if the signatures thereto and hereto were upon the same instrument. This Agreement shall become effective when each party hereto shall have received a counterpart hereof signed by the other party hereto. Until and unless each party has received a counterpart hereof signed by the other party hereto, this Agreement shall have no effect and no party shall have any right or obligation hereunder (whether by virtue of any other oral or written agreement or other communication).
Section 9.07. Interpretation; Incorporation of Terms by Reference. This Agreement is an Ancillary Agreement as such term is defined in the Separation and Distribution Agreement and shall be interpreted in accordance with the terms of the Separation and Distribution Agreement in all respects, provided that in the event of any conflict or inconsistency between the terms of this Agreement and the terms of the Separation and Distribution Agreement in respect of the subject matter of this Agreement, the terms of this Agreement shall control in all respects. The captions herein are included for convenience of reference only and shall be ignored in the construction or interpretation hereof.
Section 9.08. Governing Law. This Agreement shall be governed by and construed in accordance with the laws of the State of New York, without regard to the conflicts of law rules of such state.
Section 9.09. Jurisdictions. The parties hereto agree that any suit, action or proceeding seeking to enforce any provision of, or based on any matter arising out of or in connection with, this Agreement or the transactions contemplated hereby shall be brought in the United States District Court for the Southern District of New York or in any New York State court sitting in New York City, so long as one of such courts shall have subject matter jurisdiction over such suit, action or proceeding, and that any cause of action arising out of this Agreement shall be deemed to have arisen from the transaction of business in the State of New York, and each of the parties hereby irrevocably consents to the exclusive jurisdiction of such courts (and of the appropriate appellate courts therefrom) in any such suit, action or proceeding and irrevocably waives, to the fullest extent permitted by law, any objection that it may now or hereafter have to the laying of the venue of any such suit, action or proceeding in any such court or that any such suit, action or proceeding brought in any such court has been brought in an inconvenient forum. Process in any such suit, action or proceeding may be served on any party anywhere in the world, whether within or outside of the jurisdiction of any such court. Without limiting the foregoing, each party agrees that service of process on such party as provided in Section 9.01 shall be deemed effective service of process on such party.
Section 9.10. WAIVER OF JURY TRIAL. EACH OF THE PARTIES HERETO HEREBY IRREVOCABLY WAIVES ANY AND ALL RIGHT TO TRIAL BY JURY IN ANY LEGAL PROCEEDING ARISING OUT OF OR RELATED TO THIS AGREEMENT OR THE TRANSACTIONS CONTEMPLATED HEREBY.
Section 9.11. Specific Performance. Each party to this Agreement acknowledges and agrees that damages for a breach or threatened breach of any of the provisions of this Agreement would be inadequate and irreparable harm would occur. In recognition of this fact, each party agrees that, if there is a breach or threatened breach, in addition to any damages, the other nonbreaching party to this Agreement, without posting any bond, shall be entitled to seek and obtain equitable relief in the form of specific performance, temporary restraining order, temporary or permanent injunction, attachment, or any other equitable remedy which may then be available to obligate the breaching party (i) to perform its obligations under this Agreement or (ii) if the breaching party is unable, for whatever reason, to perform those obligations, to take any other actions as are necessary, advisable or appropriate to give the other party to this Agreement the economic effect which comes as close as possible to the performance of those obligations (including, but not limited to, transferring, or granting liens on, the assets of the breaching party to secure the performance by the breaching party of those obligations).
Section 9.12. Performance. Each party shall cause to be performed all actions, agreements and obligations set forth herein to be performed by any member of such party's Group.
Section 9.13. Amendments; No Waivers. (a) Any provision of this Agreement may be amended or waived if, and only if, such amendment or waiver is in writing and is signed, in the case of an amendment, by VF and Kontoor Brands, or in the case of a waiver, by the party against whom the waiver is to be effective.
(b) No failure or delay by any party in exercising any right, power or privilege hereunder shall operate as a waiver thereof nor shall any single or partial exercise thereof preclude any other or further exercise thereof or the exercise of any other right, power or privilege. The rights and remedies herein provided shall be cumulative and not exclusive of any rights or remedies provided by Applicable Law.
* * * * *
IN WITNESS WHEREOF, each of the parties has caused this Agreement to be duly executed as of the day and year first above written.
By: /s/ Joe Alkire
Name: Joe Alkire
Title: Vice President, Corporate Development, Treasury, Investor Relations
KONTOOR BRANDS, INC.
By: /s/ Rustin Welton
Name: Rustin E. Welton
Title: VP & CFO
Data Processing Agreement
This Data Processing Agreement (DPA) is entered into by and between
LeeWrangler International Sagl, having its principal place of business at Via Vite 3 6855 Stabio (Switzerland); in its own interest and also acting as principal entity for the EMEA region, on behalf of all Limited Risk Distributors companies and other affiliate companies belonging to the Kontoor Brands Group in the EMEA region (all together, the Controller);
VF International Sagl having its principal place of business at Via Laveggio 5 6855 Stabio (Switzerland), in its own interest and also acting as principal entity for the EMEA region, on behalf of all Limited Risk Distributors companies and other affiliate companies belonging to the VF Group in the EMEA region (all together, the Processor);
(each a Party and collectively the Parties).
Whereas, the Processor parent company VF Corporation, has separated into two independent publicly traded entities in the U.S.A.: VF Corporation and Kontoor Brands, Inc. (the Controller's parent company), which will hold VF's jeans (LEE and WRANGLER brands) business (the Transaction). The Controller hereunder is the Kontoor Brands Group's principal entity for the EMEA region.
Whereas, in the context of the Transaction VF Corporation and Kontoor Brands Inc. have entered into a transitional services agreement (the Services Agreement) in order to facilitate the orderly transition of the Jeanswear Business from VF and the members of the VF Group to the Kontoor Brands Group.
Whereas, under the Services Agreement concluded, Processor agreed to provide the Controller with the services as further specified in Appendix 1 of this DPA (the Services);
Whereas, in rendering the Services, the Processor may from time to time be provided with, or have access to, information of the Controller which may qualify as personal data within the meaning of the Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR) and the Swiss Federal Act on Data Protection of June 19, 1992 (FADP) as well as other applicable data protection laws and provisions; and
Whereas, the Parties agree that the sets of data transfers covered by this DPA qualify as commissioned data processing as per Art. 28 of the GDPR with Processor qualifying as processor within the meaning of the GDPR and that they would like to use this DPA as the required contractual processing agreement.
NOW, THEREFORE, in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the Controller to the Processor of the Personal Data specified in Appendix 1, the Parties have entered into this DPA as follows:
For the purposes of this DPA, the terminology and definitions as used by the GDPR shall apply. In addition, the terms defined throughout the DPA and below shall apply:
Data Subject shall mean the natural or legal person whose data is processed.
Member State shall be understood as referring to a country that is a member of the European Union (EU) or the European Economic Area (EEA).
Personal Data shall mean any information relating to an identified or identifiable natural or legal person (Data Subject, as defined above).
Personality Profile shall mean a collection of data that permits an assessment of essential characteristics of the personality of a natural person.
Security Breach shall mean a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed which affects the Personal Data of the Controller covered by this DPA.
Sub-processor shall mean any further processor, located within or outside the EU/EEA, that is engaged by Processor as a sub-contractor for the performance of the Services or parts of the Services on behalf of the Controller provided that such Sub-processor has access to the Personal Data of Controller exclusively for purposes of carrying out the subcontracted Services on behalf of the Controller.
2. General responsibilities of the Parties
2.1 Responsibilities of the Controller
2.1.1 The Controller is responsible to confirm that the processing activities relating to the Personal Data, as specified in the Services Agreement and this DPA, are lawful, fair and transparent in relation to the Data Subjects, as set out in Appendix 1. The Controller is responsible to confirm that Data Subjects are informed of the collection of special categories of personal data or Personality Profiles, whereas Data Subjects must be notified of the Controller, the purpose of the processing and the categories of data recipients (article 14 FADP).
2.1.2 The Controller is responsible to confirm before processing is carried out that the technical and organizational measures of the Processor, as set out in Appendix 2, are appropriate and sufficient to protect the rights of the Data Subject.
2.1.3 The Controller is responsible to comply with any notification and/or registration obligation set forth by the FADP prior to a transfer of Personal Data.
2.2 Obligations of the Processor
2.2.1 The Processor agrees and warrants that it will process the Personal Data only on behalf of the Controller and in compliance with its instructions and this DPA. If it cannot provide such compliance for whatever reasons, it agrees to inform promptly the Controller of its inability to comply, in which case, the Controller is entitled to suspend the transfer of data and/or terminate the Service Agreement and this DPA.
2.2.3 The Processor is obliged to implement the technical and organizational measures as specified in Appendix 2 before processing the Personal Data on behalf of the Controller. The Processor may amend the technical and organizational measures from time to time provided that the amended technical and organizational measures are not less protective than those set out in Appendix 2.
2.2.4 The Processor agrees and warrants that it will deal promptly and properly with all inquiries from the Controller relating to its processing of the Personal Data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred.
2.2.5 The Processor shall be obliged to ensure that persons authorized to process the Personal Data on behalf of the Controller, in particular employees of Processor and any Sub-processors, including their employees, process such Personal Data in compliance with the Controller's instructions.
2.2.6 The Processor is obliged to provide to the Controller the respective information on records of processing activities relating to the services under this DPA, to the extent necessary for the Controller to comply with its obligation to maintain records of processing.
2.2.7 If so required by the Controller, the Processor shall provide required assistance to the Controller in ensuring the Controller's compliance relating to data protection impact assessments and prior consultation with the supervisory authorities, taking into account the nature of the processing and the information available to the Processor.
2.2.8 Whether the Processor has appointed a DPO (if required by applicable data protection law) and/or a representative (if the Processor is established outside the Union), is obliged to provide the DPO (and/or representative) contact details to the Controller.
2.2.9 The Processor is obliged - at the choice of the Controller - to delete or return to the Controller all Personal Data which are processed by the Processor on behalf of the Controller under this DPA after the end of the provision of the Services, and delete any existing copies. Where the Processor is to delete the Personal Data, it shall certify to the Controller that it has done so, unless EU or Member State law requires the Processor to retain such Personal Data. In that case, the Processor warrants that it will guarantee the confidentiality of the Personal Data transferred and will not actively process the Personal Data transferred anymore.
2.2.10 The Processor shall not disclose or transfer any Personal Data processed on behalf of the Controller to any third party, without previously informing the Controller and obtaining the Controller's prior written consent, unless it is legally required or permitted to do so under applicable law.
2.2.11 The Processor, and any Sub-processor appointed according to Section 8 of this DPA, cooperates with the Controller and with the Supervisory Authority, upon request, in the provision of documents, in the performance of obligations and/or in any further tasks, when such tasks are requested directly or indirectly by a Supervisory Authority.
2.3 The Parties are required to comply with those obligations under the GDPR, the FADP and under any other applicable data protection laws that apply to the Controller in its role as data controller or to the Processor in its role as data processor.
3.1 As required by Section 2.2.1 of this DPA, the Processor is obliged to process the Personal Data only on behalf of the Controller and in accordance with Controller's instructions and the Services Agreement (including this DPA), including with regard to transfers of Personal Data to a third country or an international organization, unless the Processor is required to do so by EU or EU Member State law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement under EU or EU Member State law before processing the Personal Data beyond the Controller's instructions, unless that law prohibits such information on important grounds of public interest, in which case the information to Controller shall specify the legal requirement under such EU or EU Member State law.
3.2 The Controller may give specifications to such instructions provided in this DPA and the Services Agreement as well as further instructions. Any further instructions that go beyond the instructions contained in this DPA or the Services Agreement shall be within the subject matter of the Services Agreement and this DPA. Otherwise, the further instruction requires a change request pursuant to the Services Agreement.
3.3 Instructions shall be given in writing, unless the urgency or other specific circumstances require another (e.g. oral, electronic) form. Instructions in another form than in writing or in electronic form shall be documented in appropriate form.
3.4 The Processor shall, in addition to other notification obligations provided in this DPA, notify the Controller, without undue delay, if it holds that an instruction violates applicable data protection laws (Challenged Instruction). Upon providing such notification, the Processor is not obliged to follow the Challenged Instruction. If the Controller confirms the Challenged Instruction upon the Processor's information and acknowledges its liability for the Challenged Instruction, the Processor will implement such Challenged Instruction, unless the Challenged Instruction relates to (i) the implementation of technical and organizational measures, (ii) the rights of the Data Subjects, or (iii) the engagement of Sub-processors. In case of (i) to (iii), the Controller may contact a competent supervisory authority for a legal assessment of the Challenged Instruction. If the supervisory authority declares the Challenged Instruction as lawful, the Processor shall follow the Challenged Instruction.
4. Monitoring, audits, and inspections by the Controller
4.1 In order to assist the Controller with its legal obligation to diligently choose a service provider, the Processor shall monitor, by appropriate means, its own compliance and the compliance of its employees and Sub-processors with the respective data protection obligations of the Processor laid down in Art. 28 of the GDPR and in this DPA in connection with the services. The Processor is obliged to make available to the Controller any information necessary to demonstrate compliance with such obligations. To document such self-monitoring activities, the Processor will provide to the Controller periodic (at least annual) and, if available, occasion-based reports (also on demand of the Controller) regarding such controls (Audit Report). The Audit Reports shall be limited to information and data processing systems that are relevant to the Services but shall at least include confirmation of proper instruction to the employees and Sub-processors, compliance with the technical and organizational measures, confirmation of commitment to data secrecy, any occurred data breaches and/or security incidents, and the required and/or recommended improvements. The Controller shall have the right to request such audit reports at any time in order to control the Processor's compliance with its data protection obligations.
4.2 Controller may request inspections conducted by the Controller or another auditor mandated by the Controller (On-Site Audit). Such On-Site Audit is subject to the following conditions: (i) On-Site Audits are limited to processing facilities and personnel of the Processor involved in the processing activities covered by this DPA; (ii) On-Site Audits occur no more than once annually or as required by applicable data protection law or by a competent supervisory authority or immediately subsequent to a material Security Breach that affected the Personal Data processed by the Processor under this DPA; (iii) may be performed during regular business hours, without substantially disrupting the Processor's business operations and in accordance with the Processor's security policies, and after a reasonable prior notice; and (iv) the Controller shall bear any costs arising out of or in connection with the On-Site Audit at the Controller and the Processor, unless such On-Site Audit identified that the Processor is not in compliance with its obligations in Art. 28 of the GDPR, in this DPA or in any applicable data protection law in which case the Processor shall bear any such costs. The Controller may create an audit report summarizing the findings and observations of the On-Site Audit (On-Site Audit Report). On-Site Audit Reports as well as Audit Reports are confidential information of the Processor and the Controller will not disclose them to third parties except for the Controller's legal counsel and consultants, the Controller's data protection officer, the Controller's employees, and the other affiliates of the Controller or if the Controller is required to disclose the information under applicable data protection law or upon a request from a competent supervisory authority or if the Processor consented to the disclosure.
5. Data secrecy
5.1 The Processor shall be obliged to ensure that persons authorized to process the Personal Data on behalf of the Controller, in particular employees of Processor and any Sub-processors, including their employees, have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality relating to the Personal Data and processing activities covered by this DPA. Upon request, Processor will demonstrate compliance with this obligation.
6. Notification obligation and Security Breach
6.1 In addition to other notification obligations provided in this DPA, the Processor shall notify Controller without undue delay about: (i) any legally binding request for disclosure of the Personal Data by a law enforcement authority, unless otherwise prohibited (such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation), or any orders by courts and competent regulators/authorities relating to the processing of Personal Data under this DPA; (ii) any complaints or requests received directly from a Data Subject (e.g., regarding access, rectification, erasure, restriction of processing, data portability, objection to processing of data, automated decision-making) without responding to that request unless the Processor has been otherwise authorized to do so or otherwise required by applicable law; and (iii) any Security Breach as defined herein or by applicable data protection law relating to the Services provided by the Processor.
In any case, the Processor shall communicate to the Controller within max of 4 hours that the Security Breach has occurred. Within the further max 20 hours the Processor shall collect and provide to the Controller the following detailed information:
the type of breach
the nature, sensitivity, and volume of Personal Data impacted
ease of identification of individuals
severity of consequences for individuals (ex. physical harm, psychological distress, humiliation or damage to reputation)
the list of Data Subjects affected by the Security Breach (when available) including the contact information
the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned
likely consequences for the Controller of the Personal Data breach suffered by the Processor and/or by Sub-processors
measures taken or to be taken to address the Personal Data breach, to mitigate the effects and to minimize any damage resulting from the Security Breach.
The Processor shall assist the Controller with the Controller's obligation under applicable data protection law to inform the Data Subjects and the supervisory authorities, as applicable, by providing relevant information taking into account the nature of the processing and the information available to the Processor.
6.2 The Processor will indemnify and hold the Controller harmless of any claims, damages, liabilities, assessments, losses, costs, administrative fines and other expenses (including, without limitation, reasonable attorneys' fees and legal expenses) arising out of or resulting from any claim, allegation, demand, suit, action, order or any other proceeding by a third party (including supervisory authorities) which the Controller suffers due to a Security Breach caused by the Processor, Processor's employees, directors, managers, agents or other staff members or by Processor's Sub-processors.
7. Response to Data Subject requests
7.1 The Processor shall assist the Controller, especially through appropriate technical and organizational measures, insofar as this is possible, with the fulfilment of the Controller's obligation to respond to requests for exercising the Data Subjects' rights.
7.2 In addition to the assistance specified above, the Controller may request and require additional assistance from the Processor in order to comply with the rights exercised by the Data Subjects. The Controller is obliged to determine whether or not a Data Subject has a right to exercise any such Data Subject rights and to give specifications to the Processor to what extent the assistance is required.
8.1 The Processor shall not engage any Sub-processor without previously informing the Controller and obtaining the Controller's prior written consent. Provided that Processor obtains such prior specific authorization, Processor's engagement of Sub-processors is subject to the following conditions:
The Processor shall choose such Sub-processor diligently with special attention to its good standing and experience with the provision of the subcontracted Services and the suitability of its technical and organizational measures. The Processor shall enter into a written contract with any Sub-processor and such contract shall (i) impose upon the Sub-processor the same obligations as imposed by this DPA upon the Processor, to the extent applicable to the subcontracted Services, (ii) describe the subcontracted Services, and (iii) describe the technical and organizational measures the Sub-processor has to implement pursuant to Appendix 2 of this DPA, as applicable to the subcontracted Services. The Processor must promptly send the Controller a copy of the contract between the Processor and the Sub-processor.
The Processor shall throughout the term of this DPA, at no charge to the Controller, actively monitor, regularly audit and, where applicable, take steps to enforce the compliance by each Sub-processor with its obligations, report promptly to the Controller any detected or reported non-compliance by the Sub-processor and all actions taken to remedy any non-compliance. If at any time a Sub-processor fails to remedy any non-compliance within a reasonable time after notice requiring remedy, the Controller may revoke the approval for such Sub-processor. Where the Sub-processor fails to fulfil its data protection obligations, the Processor shall remain fully liable to the Controller for the performance of the Sub-processor's obligations.
The Processor is required to inform the Controller at the latest 30 days before a Sub-processor (who must be engaged in compliance with this DPA) is granted access to the Personal Data covered by this DPA, thereby giving the Controller the opportunity to object to such Sub-processor.
If the Controller has a legitimate reason, the Controller can revoke the approval of any Sub-processor at any time. In this case, Section 8(c) of this DPA shall apply mutatis mutandis.
In case any Sub-processor is located outside the EU/EEA in a country that is not recognized as providing an adequate level of data protection, the Processor will (i) ensure that the Controller and the Sub-processor enter into a direct data processing agreement based on the Standard Contractual Clauses for the Transfer of Personal Data to Processors Established In Third Countries pursuant to Commission Decision 2010/87/EU of 5 February 2010, or (ii) provide the Controller with information on the Sub-processor's certification under the Privacy Shield program and regularly, at least annually, re-confirm that the Sub-processor's certification under the Privacy Shield program is still valid, or (iii) provide the Controller with other information and relevant documentation on the mechanism for international data transfers pursuant to Art. 46 of the GDPR that is used to lawfully disclose the Controller's Personal Data to the Sub-processor.
8.2 The Controller hereby expressly approves the Sub-processors engaged by the Processor for providing the Services before and up to the date of signing of this DPA.
9. Local law compliance
9.1 The Parties have the right to ask for changes to any part of this DPA to the extent required to satisfy any interpretations, guidance or orders issued by competent Union or Member State authorities, the competent Swiss authorities, national implementation provisions, or other legal developments concerning the GDPR and FADP requirements for the commissioning of data processors in general or other requirements for the commissioning of data processors. The Parties will agree on the necessary changes in good faith effort taking their obligation to carry out this contractual relationship in compliance with applicable data protection law into account.
10. Effectiveness, term and termination
10.1 This DPA shall be effective from March 31st, 2019 and shall have the same term as the Services Agreement. Save as otherwise agreed herein, termination rights and requirements shall be the same as set forth in the Services Agreement.
11. Document hierarchy
11.1 In the event of contradictions or inconsistencies between the provisions of this DPA and the Services Agreement and/or other agreements between the Parties, the provisions of this DPA shall prevail with regard to the Parties' data protection obligations. In case of doubt as to whether clauses in such other agreements relate to the Parties' data protection obligations, this DPA shall prevail.
12. Other provisions
12.1 Each Party is liable for its obligations set out in this DPA and in applicable data protection law. Any liability arising out of or in connection with a violation of the obligations of this DPA or under applicable data protection law, shall follow, and be governed by, the liability provisions set forth in, or otherwise applicable to, the Services Agreement, unless otherwise provided within this DPA. If the liability is governed by the liability provisions set forth in, or otherwise applicable to, the Services Agreement, for the purpose of calculating liability caps and/or determining the application of other limitations on liability, the liability occurring under this DPA shall be deemed to occur under the relevant Services Agreement.
12.2 The Processor will defend, indemnify, and hold harmless the Controller and the officers, directors, employees, successors, and agents of the Controller (collectively, indemnified parties) from all claims, damages, liabilities, assessments, losses, costs, administrative fines and other expenses (including, without limitation, reasonable attorneys' fees and legal expenses) arising out of or resulting from any claim, allegation, demand, suit, action, order or any other proceeding by a third party (including supervisory authorities) that arises out of or relates to the violation of the Processor's obligations under this DPA.
12.3 This DPA shall be governed by the laws of Switzerland, except as otherwise stipulated by applicable data protection law. The place of jurisdiction for all disputes regarding this DPA shall be as determined by the Services Agreement, except as otherwise stipulated by applicable data protection law.
12.4 Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties' intentions as closely as possible or - should this not be possible - (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein. The foregoing shall also apply if this DPA contains any omission.
[Signatures on next page]
Signature for Controller
Signature for Processor