Cardholder Data. (a) As among the Parties hereto, the Cardholder Data shall be the property of and exclusively owned by Bank. (b) The Program Privacy Policy applicable to the Cardholder Data is attached as Schedule 6.2 hereto. Any modifications to the Program Privacy Policy shall be approved by the Management Committee, provided that the Program Privacy Policy shall comply with Applicable Law at all times. (c) Bank shall not use, or permit to be used, the Cardholder Data, except as provided in this Section 6.2. Bank may use the Cardholder Data in compliance with Applicable Law and the Program Privacy Policy solely (i) for purposes of soliciting or marketing (in each case, solely as directed by the NMG Companies or the Management Committee) or servicing customers listed in the Cardholder Data for NMG Credit Cards, Approved Ancillary Products, and any other products and services approved by the Management Committee, (ii) as otherwise necessary to carry out its obligations or exercise its rights hereunder, or (iii) as required by Applicable Law. Bank has no rights to use the Cardholder Data for marketing purposes except as expressly provided herein. (d) Bank shall not disclose, or permit to be disclosed, the Cardholder Data, except as provided in this Section 6.2. Bank shall not, directly or indirectly, sell or otherwise transfer any right in or to the Cardholder Data other than to NMG or any of its Affiliates. Bank may disclose the Cardholder Data in compliance with Applicable Law and the Program Privacy Policy solely: (i) to its authorized subcontractors in connection with a permitted use of such Cardholder Data under this Section 6.2, provided that each such authorized subcontractor agrees in a written agreement satisfactory to NMG and Bank to maintain all such Cardholder Data as strictly confidential and not to use or disclose such information to any Person other than Bank or an NMG Company, except as required by Applicable Law or any Governmental Authority (after giving Bank and the NMG Companies prior notice and an opportunity to defend against such disclosure); provided, further, that each such authorized subcontractor maintains, and agrees in writing to maintain, an information security program that is designed to meet all requirements of Applicable Law, including, at a minimum, maintenance of an information security program that is designed to: (w) ensure the security and confidentiality of the Cardholder Data; (x) protect against any anticipated threats or hazards to the security or integrity of the Cardholder Data; (y) protect against unauthorized access to or use of the Cardholder Data; and (z) ensure the proper disposal of Cardholder Data; and provided, further, that each such authorized subcontractor agrees to notify promptly Bank and the NMG Companies of any unauthorized disclosure, use, or disposal of, or access to, Cardholder Data and to cooperate with Bank and the NMG Companies in any investigation thereof and remedial action with respect thereto; (ii) to its Affiliates, and its and such Affiliates’ employees, attorneys and accountants with a need to know such Cardholder Data in connection with a permitted use of such Cardholder Data under this Section 6.2; provided that (A) any such Person is bound by terms substantially similar to this Section 6.2 as a condition of employment or of access to Cardholder Data or by professional obligations imposing comparable terms; and (B) Bank shall be responsible for the compliance by each such Person with the terms of this Section 6.2; (iii) to any Governmental Authority with authority over Bank (A) in connection with an examination of Bank; or (B) pursuant to a specific requirement to provide such Cardholder Data by such Governmental Authority or pursuant to compulsory legal process; provided that Bank seeks the full protection of confidential treatment for any disclosed Cardholder Data to the extent available under Applicable Law governing such disclosure, and with respect to clause (B), to the extent permitted by Applicable Law, Bank (1) provides at least ten (10) Business Days’ prior notice of such proposed disclosure to NMG if reasonably possible under the circumstances, and (2) seeks to redact the Cardholder Data to the fullest extent possible under Applicable Law governing such disclosure; or (iv) to the extent permitted in the Risk Management Policies and Operating Procedures, to any consumer reporting agency in accordance with the federal Fair Credit Reporting Act. (e) To the extent Bank has access to the following information in accordance with the provisions of this Agreement and subject to Applicable Law and the Program Privacy Policy, Bank shall transmit to the NMG Companies at such times as may be requested by NMG and in formats agreed to by the Parties in advance from time to time: (i) for any customer who has applied for an NMG Credit Card, regardless of the marketing channel of such application: (A) the customer’s name, address, email address, telephone number, social security number and all other information supplied on the application or prescreened response submitted by the customer; (B) an indication of whether or not the customer has been approved for an NMG Credit Card; and (C) if the customer has been approved for an NMG Credit Card or Non-Card Payment Plan, the NMG Credit Card or Non-Card Payment Plan issued (or to be issued) to such customer; (ii) for each Cardholder, joint-Cardholder and authorized buyer, (1) such person’s name, address, email address, telephone number, social security number and Account number; (2) any reported change to any of the foregoing information; (3) transaction and experience data; and (4) any such other Cardholder Data as the NMG Companies may reasonably request; (iii) the Cardholder’s name and account number for any Account that is delinquent; (iv) the Cardholder’s name and account number for any Account that has been closed; and (v) the Cardholder Data for all categories of information available on the NMG Companies’ credit Systems as of the date hereof. Notwithstanding the foregoing, no Party hereto shall be required to provide any information on a personally identifiable basis if the provision of such personally identifiable information would cause such Party to be considered a “consumer reporting agency” for purposes of the Fair Credit Reporting Act. (f) Bank shall cooperate with the NMG Companies to provide NMG and its Affiliates with the maximum ability permissible under Applicable Law and the Program Privacy Policy to receive, use and disclose the Cardholder Data, including, as necessary or appropriate, through use of consents or opt-out provisions, in each case as directed by the NMG Companies. Without limiting the foregoing, NMG and each of its Affiliates may receive, use and disclose the Cardholder Data in compliance with Applicable Law and the Program Privacy Policy (i) for purposes of promoting the Program or promoting NMG Goods and Services, (ii) as otherwise necessary to carry out its obligations under this Agreement, and (iii) as otherwise permitted by Applicable Law. (g) The NMG Companies may use the Cardholder Data in compliance with Applicable Law and the Program Privacy Policy. Each of the NMG Companies may disclose the Cardholder Data in compliance with Applicable Law and the Program Privacy Policy solely: (i) to its existing subcontractors as of the Effective Date and to authorized subcontractors that enter into agreements with an NMG Company after the Effective Date (“Future Subcontractors”) in connection with a permitted use of such Cardholder Data under this Section 6.2, provided that each such existing subcontractor and Future Subcontractor agrees in a written agreement satisfactory to NMG and Bank to maintain all such Cardholder Data as strictly confidential in perpetuity and not to use or disclose such information to any Person other than an NMG Company or Bank, except as required by Applicable Law or any Governmental Authority (after giving the NMG Companies prior notice and an opportunity to defend against such disclosure); provided, further, that each such existing subcontractor and Future Subcontractor maintains, and agrees in writing to maintain, an information security program that is designed to meet all requirements of Applicable Law, including, at a minimum, maintenance of an information security program that is designed to: (w) ensure the security and confidentiality of the Cardholder Data; (x) protect against any anticipated threats or hazards to the security or integrity of the Cardholder Data; (y) protect against unauthorized access to or use of the Cardholder Data; and (z) ensure the proper disposal of Cardholder Data; and provided, further, that each such existing subcontractor and Future Subcontractor agrees to notify promptly Bank and the NMG Companies of any unauthorized disclosure, use, or disposal of, or access to, Cardholder Data and to cooperate with Bank and the NMG Companies in any investigation thereof and remedial action with respect thereto; (ii) to its Affiliates, and its and such Affiliates’ employees, attorneys and accountants with a need to know such Cardholder Data in connection with a permitted use of such Cardholder Data under this Section 6.2; provided that (A) any such Person is bound by terms substantially similar to this Section 6.2 as a condition of employment or of access to Cardholder Data or by professional obligations imposing comparable terms; and (B) the NMG Companies shall be responsible for the compliance by each such Person with the terms of this Section 6.2; or (iii) to any Governmental Authority with authority over such NMG Company (A) in connection with an examination of such NMG Company; or (B) pursuant to a specific requirement to provide such Cardholder Data by such Governmental Authority or pursuant to compulsory legal process; provided that such NMG Company seeks the full protection of confidential treatment for any disclosed Cardholder Data to the extent available under Applicable Law governing such disclosure, and with respect to clause (B), to the extent permitted by Applicable Law, such NMG Company (1) provides at least ten (10) Business Days’ prior notice of such proposed disclosure to Bank if reasonably possible under the circumstances, and (2) seeks to redact the Cardholder Data to the fullest extent possible under Applicable Law governing such disclosure. (h) With respect to the sharing, use and disclosure of the Cardholder Data following the termination of this Agreement: (i) the rights and obligations of the Parties under this Section 6.2 shall continue through any Termination Period; (ii) if NMG exercises its rights under Section 17.2, Bank shall transfer its right, title and interest in the Cardholder Data to NMG or its Nominated Purchaser as part of such transaction, and Bank’s right to use and disclose the Cardholder Data shall terminate upon the termination of the Termination Period; and (iii) if NMG provides notice that it shall not exercise its rights under Section 17.2, NMG and its Affiliates’ right to use and disclose the Cardholder Data hereunder shall terminate upon the termination of the Termination Period.
Appears in 1 contract
Sources: Credit Card Program Agreement (Neiman Marcus, Inc.)
Cardholder Data. (a) As Subject to the provisions of Section 6.1(a) and Section 6.3(a) hereof, as among the Parties hereto, the Cardholder Data shall be the property of and exclusively owned by Bank.
(b) The Program Privacy Policy applicable to the Cardholder Data is attached as Schedule 6.2 hereto. Any modifications to the Program Privacy Policy shall be approved by the Management Operating Committee, ; provided that the Program Privacy Policy shall comply with Applicable Law at all times; provided, further, that the Privacy Policy shall provide Belk and its Affiliates with the maximum availability and use of Cardholder Data, including the ability for Belk and its Affiliates to provide Cardholder Data to their vendors and Licensees.
(c) Bank shall not use, or permit to be used, the Cardholder Data, except as provided in this Section 6.2. Bank may use the Cardholder Data in compliance with Applicable Law and the Program Privacy Policy solely (i) for purposes of soliciting or marketing (in each case, solely as directed by the NMG Companies Belk or the Management Operating Committee) or servicing customers listed in the Cardholder Data for NMG Belk Credit Cards, Approved Ancillary Products, and any other products and services approved by the Management Operating Committee, (ii) as otherwise necessary to carry out its obligations or exercise its rights hereunder, or (iii) as required by Applicable Law. Bank has no rights to use the Cardholder Data for marketing purposes except as expressly provided herein.
(d) Bank shall not disclose, or permit to be disclosed, the Cardholder Data, except as provided in this Section 6.2. Bank shall not, directly or indirectly, sell or otherwise transfer any right in or to the Cardholder Data other than to NMG Belk or any one of its Affiliates. Bank may disclose the Cardholder Data in compliance with Applicable Law and the Program Privacy Policy solely:
(i) to its authorized subcontractors in connection with a permitted use of such Cardholder Data under this Section 6.2, provided that each such authorized subcontractor agrees in a written agreement reasonably satisfactory to NMG and Bank to maintain all such Cardholder Data as strictly confidential and not to use or disclose such information to any Person other than Bank or an NMG CompanyBelk, except as required by Applicable Law or any Governmental Authority (after giving Bank and the NMG Companies Belk prior notice and an opportunity to defend against such disclosure); provided, further, that each such authorized subcontractor maintains, and agrees in writing to maintain, an information security program that is designed to meet all requirements of Applicable Law, including, at a minimum, maintenance of an information security program that is designed to: (wA) ensure the security and confidentiality of the Cardholder Data; (xB) protect against any anticipated threats or hazards to the security or integrity of the Cardholder Data; (yC) protect against unauthorized access to or use of the Cardholder Data; and (zD) ensure the proper disposal of Cardholder Data; and provided, further, that each such authorized subcontractor or Bank agrees to notify promptly Bank and the NMG Companies Belk of any unauthorized disclosure, use, or disposal of, or access to, Cardholder Data and to cooperate with Bank and the NMG Companies Belk in any investigation thereof and remedial action with respect thereto;
(ii) to its Affiliates, and its and such Affiliates’ ' employees, attorneys and accountants with a need to know such Cardholder Data in connection with a permitted use of such Cardholder Data under this Section 6.2; provided that (A) any such Person is bound by terms substantially similar to this Section 6.2 as a condition of employment or of access to Cardholder Data or by professional obligations imposing comparable terms; and (B) Bank shall be responsible for the compliance by each such Person with the terms of this Section 6.2;
(iii) to any Governmental Authority with authority over Bank (A) in connection with an examination of Bank; or (B) pursuant to a specific requirement to provide such Cardholder Data by such Governmental Authority or pursuant to compulsory legal process; provided that Bank seeks the full protection of confidential treatment for any disclosed Cardholder Data to the extent available under Applicable Law governing such disclosure, and with respect to clause (B), to the extent permitted by Applicable Law, Bank (1) provides at least ten (10) Business Days’ ' prior notice of such proposed disclosure to NMG Belk if reasonably possible under the circumstances, and (2) seeks to redact the Cardholder Data to the fullest extent possible under Applicable Law governing such disclosure; or
(iv) to the extent permitted in the Risk Management Policies and Operating Procedures, to any consumer reporting agency in accordance with the federal Fair Credit Reporting Act.
(e) To the extent Bank has access to the following information in accordance with the provisions of this Agreement and subject to Applicable Law and the Program Privacy Policy, Bank shall transmit to the NMG Companies at such times as may be requested by NMG Belk on a daily basis and in formats agreed to by the Parties in advance from time to time:
(i) for any customer who has applied for an NMG a Belk Credit Card, regardless of the marketing channel of such application: (A) the customer’s 's name, address, email address, telephone number, social security number and all other information supplied on the application or prescreened response submitted by the customer; (B) an indication of whether or not the customer has been approved for an NMG a Belk Credit Card; and (C) if the customer has been approved for an NMG a Belk Credit Card, the Belk Credit Card or Non-Card Payment Plan, the NMG Credit Card or Non-Card Payment Plan issued (or to be issued) to such customer;
(ii) for each Cardholder, joint-Cardholder and authorized buyer, (1A) such person’s 's name, address, email address, telephone number, social security number and Account number; (2) any reported change to any of the foregoing information; (3) transaction and experience data; and (4) any such other Cardholder Data as the NMG Companies may reasonably requestNumber;
(iii) the Cardholder’s name and account number for any Account that is delinquent;
(iv) the Cardholder’s name and account number for any Account that has been closed; and
(v) the Cardholder Data for all categories of information available on the NMG Companies’ credit Systems as of the date hereof. Notwithstanding the foregoing, no Party hereto shall be required to provide any information on a personally identifiable basis if the provision of such personally identifiable information would cause such Party to be considered a “consumer reporting agency” for purposes of the Fair Credit Reporting Act.
(f) Bank shall cooperate with the NMG Companies to provide NMG and its Affiliates with the maximum ability permissible under Applicable Law and the Program Privacy Policy to receive, use and disclose the Cardholder Data, including, as necessary or appropriate, through use of consents or opt-out provisions, in each case as directed by the NMG Companies. Without limiting the foregoing, NMG and each of its Affiliates may receive, use and disclose the Cardholder Data in compliance with Applicable Law and the Program Privacy Policy (i) for purposes of promoting the Program or promoting NMG Goods and Services, (ii) as otherwise necessary to carry out its obligations under this Agreement, and (iii) as otherwise permitted by Applicable Law.
(g) The NMG Companies may use the Cardholder Data in compliance with Applicable Law and the Program Privacy Policy. Each of the NMG Companies may disclose the Cardholder Data in compliance with Applicable Law and the Program Privacy Policy solely:
(i) to its existing subcontractors as of the Effective Date and to authorized subcontractors that enter into agreements with an NMG Company after the Effective Date (“Future Subcontractors”) in connection with a permitted use of such Cardholder Data under this Section 6.2, provided that each such existing subcontractor and Future Subcontractor agrees in a written agreement satisfactory to NMG and Bank to maintain all such Cardholder Data as strictly confidential in perpetuity and not to use or disclose such information to any Person other than an NMG Company or Bank, except as required by Applicable Law or any Governmental Authority (after giving the NMG Companies prior notice and an opportunity to defend against such disclosure); provided, further, that each such existing subcontractor and Future Subcontractor maintains, and agrees in writing to maintain, an information security program that is designed to meet all requirements of Applicable Law, including, at a minimum, maintenance of an information security program that is designed to: (w) ensure the security and confidentiality of the Cardholder Data; (x) protect against any anticipated threats or hazards to the security or integrity of the Cardholder Data; (y) protect against unauthorized access to or use of the Cardholder Data; and (z) ensure the proper disposal of Cardholder Data; and provided, further, that each such existing subcontractor and Future Subcontractor agrees to notify promptly Bank and the NMG Companies of any unauthorized disclosure, use, or disposal of, or access to, Cardholder Data and to cooperate with Bank and the NMG Companies in any investigation thereof and remedial action with respect thereto;
(ii) to its Affiliates, and its and such Affiliates’ employees, attorneys and accountants with a need to know such Cardholder Data in connection with a permitted use of such Cardholder Data under this Section 6.2; provided that (A) any such Person is bound by terms substantially similar to this Section 6.2 as a condition of employment or of access to Cardholder Data or by professional obligations imposing comparable terms; and (B) the NMG Companies shall be responsible for the compliance by each such Person with the terms of this Section 6.2; or
(iii) to any Governmental Authority with authority over such NMG Company (A) in connection with an examination of such NMG Company; or (B) pursuant to a specific requirement to provide such Cardholder Data by such Governmental Authority or pursuant to compulsory legal process; provided that such NMG Company seeks the full protection of confidential treatment for any disclosed Cardholder Data to the extent available under Applicable Law governing such disclosure, and with respect to clause (B), to the extent permitted by Applicable Law, such NMG Company (1) provides at least ten (10) Business Days’ prior notice of such proposed disclosure to Bank if reasonably possible under the circumstances, and (2) seeks to redact the Cardholder Data to the fullest extent possible under Applicable Law governing such disclosure.
(h) With respect to the sharing, use and disclosure of the Cardholder Data following the termination of this Agreement:
(i) the rights and obligations of the Parties under this Section 6.2 shall continue through any Termination Period;
(ii) if NMG exercises its rights under Section 17.2, Bank shall transfer its right, title and interest in the Cardholder Data to NMG or its Nominated Purchaser as part of such transaction, and Bank’s right to use and disclose the Cardholder Data shall terminate upon the termination of the Termination Period; and
(iii) if NMG provides notice that it shall not exercise its rights under Section 17.2, NMG and its Affiliates’ right to use and disclose the Cardholder Data hereunder shall terminate upon the termination of the Termination Period.
Appears in 1 contract
Cardholder Data. (a) As among the Parties heretobetween Bank and Company, the Cardholder Data shall be the property of Bank; provided, however, that if any particular Cardholder Data shall also constitute Shopper Data, Company shall be permitted to use such Shopper Data in accordance with the provisions of this Agreement applicable to Shopper Data and exclusively owned by Bankwithout regard to any additional restrictions that may be applicable to Cardholder Data, and that Shopper Data shall be the property of Company in accordance with Section 6.3. For avoidance of doubt, some data can constitute both Cardholder Data and Shopper Data for purposes of this Agreement, in which case Bank shall have a property interest and use rights in such data as Cardholder Data under Section 6.2 and Company shall have a property interest and use rights in that same data as Shopper Data under Section 6.3. In addition, in its capacity as servicer, Company shall maintain all Cardholder Data and shall provide Bank with full access to Cardholder Data; provided that such access shall be through reports and data feeds consistent with Company’s data security policies but shall not include access to Company’s Systems beyond the ability to view data to the extent provided pursuant to Section 4.10 and Section 4.18(d).
(b) The initial Program Privacy Policy Notice applicable to the Cardholder Data is attached as Schedule 6.2 hereto6.2(b), which shall be separate and distinct from the privacy notice(s) that Bank maintains for its other portfolios. Bank shall cooperate with Company to provide Company the maximum ability permissible under Applicable Law and the Program Privacy Notice to obtain, use and disclose Shopper Data and Cardholder Data, including through the sharing of such data as permitted pursuant the Program Privacy Notice and through the use of disclosures, consents, opt-in provisions or opt-out provisions. Any modifications to the Program Privacy Policy Notice shall be approved by the Management Committeeboth parties, provided that the Program Privacy Policy shall comply with (i) modifications required by a change in Applicable Law at all timesfollowing the Effective Date shall be approved and incorporated in accordance with the provisions of Section 4.8 and (ii) Bank shall not unreasonably object to any modifications thereto permissible by Applicable Law that shall broaden Company’s ability to receive and use Cardholder Data obtained from Bank.
(c) Bank shall not use, or permit to be used, may use the Cardholder Data, except as provided in this Section 6.2. Bank may use Data and any other information derived from the Cardholder Data in compliance with Applicable Law and the Program Privacy Policy solely (i) for purposes of soliciting or marketing (in each caseNotice, solely as directed by the NMG Companies or the Management Committeeset forth in clause (c) or servicing customers listed in the Cardholder Data for NMG Credit Cards, Approved Ancillary Products, and any other products and services approved by the Management Committee, (ii) as otherwise necessary to carry out its obligations or exercise its rights hereunder, or (iii) as required by Applicable Law. Bank has no rights to use the Cardholder Data for marketing purposes except as expressly provided hereinof Schedule 6.2.
(d) Bank shall disclose, or permit to be disclosed, the Cardholder Data in compliance with Applicable Law, the Program Privacy Notice and the Credit Card Agreement, solely as set forth in clause (d) of Schedule 6.2.
(e) Bank shall not, directly or indirectly, sell, or otherwise transfer any right in or to the Cardholder Data, except (i) with respect to any written off Cardholder Indebtedness in compliance with clause (d)(ii) above, (ii) to any potential third-party purchaser to the extent permitted hereunder, and (iii) to a Person in connection with a securitization transaction related to the Accounts to the extent permitted hereunder, provided that, such Person shall be bound by a confidentiality agreement affording protections substantially similar to the confidentiality and use provisions of this Agreement with such modifications as may be customary for confidentiality agreements in connection with such securitizations (and any material modifications shall be submitted to Company for approval, which approval shall not be unreasonably delayed, conditioned or withheld).
(f) Bank shall provide to Company the information set forth in clause (f) of Schedule 6.2 in accordance with the terms thereof.
(g) Company shall not use, or permit to be used, Cardholder Data, except as provided in this Section 6.2(g) and subject to the other provisions and procedures of this Agreement, unless such information shall also constitute Shopper Data, as provided in Section 6.3. Company may use the Cardholder Data and any other information derived from the Cardholder Data in compliance with Applicable Law and the Program Privacy Notice (i) for purposes of promoting the Program, including promoting Nordstrom Goods and/or Services available for purchase on an Account at or through any Company Channel, (ii) in connection with or for the purpose of promoting the Loyalty Program, (iii) for analytics and reporting related to the Program, (iv) for all commercially reasonable purposes in the same manner as Company uses Shopper Data, (v) to exercise its rights or carry out its obligations under this Agreement, and (vi) for any other purpose to the maximum extent permitted by Applicable Law and the Program Privacy Notice. Company shall disclose, or permit to be disclosed, the Cardholder Data, except as provided in this Section 6.2. Bank shall not, directly or indirectly, sell or otherwise transfer any right in or to the Cardholder Data other than to NMG or any of its Affiliates. Bank may disclose the Cardholder Data only in compliance with Applicable Law and Law, the Program Privacy Policy Notice and the Credit Card Agreement, solely:
(i) to its authorized subcontractors in connection with a permitted use of such Cardholder Data under this Section 6.2, provided that each such authorized subcontractor agrees in a written agreement satisfactory to NMG and Bank to maintain all such Cardholder Data as strictly confidential and not to use or disclose such information to any Person other than Bank or an NMG Company, except as required by Applicable Law or any Governmental Authority (after giving Bank and the NMG Companies prior notice and an opportunity to defend against such disclosure); provided, further, that each such authorized subcontractor maintainsAffiliates, and agrees in writing to maintainemployees, an information security program that is designed to meet all requirements agents, attorneys, auditors, accountants and other advisors of Applicable Law, including, at a minimum, maintenance of an information security program that is designed to: (w) ensure the security and confidentiality of the Cardholder Data; (x) protect against any anticipated threats Company or hazards to the security or integrity of the Cardholder Data; (y) protect against unauthorized access to or use of the Cardholder Data; and (z) ensure the proper disposal of Cardholder Data; and provided, further, that each such authorized subcontractor agrees to notify promptly Bank and the NMG Companies of any unauthorized disclosure, use, or disposal of, or access to, Cardholder Data and to cooperate with Bank and the NMG Companies in any investigation thereof and remedial action with respect thereto;
(ii) to its Affiliates, and its and such Affiliates’ employees, attorneys and accountants with a need to know such Cardholder Data in connection with a permitted use of such Cardholder Data under this Section 6.2 and to its service providers and subcontractors in connection with a permitted use of such Cardholder Data under this Section 6.2; provided that (A) any each such Person is bound by terms substantially similar subject to this Section 6.2 as a condition an obligation to maintain the confidential status of employment or of access to Cardholder Data or by professional obligations imposing comparable terms; and at least as restrictive as that set forth herein, (B) Bank each such Person is subject to an obligation to maintain an information security program that is designed to meet all requirements of Applicable Law, and, at a minimum, all requirements set forth in Section 6.1(c), and (C) Company shall be responsible for the compliance by of each such Person with the terms of this Section 6.2Section;
(iiiii) to any Governmental Authority with asserting authority over Bank Company (A) in connection with an examination of BankCompany; or (B) pursuant to a specific requirement to provide for such Cardholder Data by such Governmental Authority or pursuant to compulsory legal process; provided provided, however, that Bank seeks Company shall seek the full protection of confidential treatment for any such disclosed Cardholder Data to the extent available under Applicable Law governing such disclosure, and with respect to clause (B), Company shall provide reasonable advance notice to Bank to the extent permitted by Applicable Law, Bank (1) provides at least ten (10) Business Days’ prior notice of such proposed disclosure to NMG if reasonably possible practicable under the circumstances, and (2) seeks to redact the Cardholder Data to the fullest extent possible under Applicable Law governing such disclosure; or
(iv) to the extent permitted in the Risk Management Policies and Operating Procedures, to any consumer reporting agency in accordance with the federal Fair Credit Reporting Act.
(e) To the extent Bank has access to the following information in accordance with the provisions of this Agreement and subject to Applicable Law and the Program Privacy Policy, Bank shall transmit to the NMG Companies at such times as may be requested by NMG and in formats agreed to by the Parties in advance from time to time:
(i) for any customer who has applied for an NMG Credit Card, regardless of the marketing channel of such application: (A) the customer’s name, address, email address, telephone number, social security number and all other information supplied on the application or prescreened response submitted by the customer; (B) an indication of whether or not the customer has been approved for an NMG Credit Card; and (C) if the customer has been approved for an NMG Credit Card or Non-Card Payment Plan, the NMG Credit Card or Non-Card Payment Plan issued (or to be issued) to such customer;
(ii) for each Cardholder, joint-Cardholder and authorized buyer, (1) such person’s name, address, email address, telephone number, social security number and Account number; (2) any reported change to any of the foregoing information; (3) transaction and experience data; and (4) any such other Cardholder Data as the NMG Companies may reasonably request;
(iii) the Cardholder’s name and account number for any Account that is delinquent;
(iv) the Cardholder’s name and account number for any Account that has been closed; and
(v) the Cardholder Data for all categories of information available on the NMG Companies’ credit Systems as of the date hereof. Notwithstanding the foregoing, no Party hereto shall be required to provide any information on a personally identifiable basis if the provision of such personally identifiable information would cause such Party to be considered a “consumer reporting agency” for purposes of the Fair Credit Reporting Act.
(f) Bank shall cooperate with the NMG Companies to provide NMG and its Affiliates with the maximum ability permissible under Applicable Law and the Program Privacy Policy to receive, use and disclose the Cardholder Data, including, as necessary or appropriate, through use of consents or opt-out provisions, in each case as directed by the NMG Companies. Without limiting the foregoing, NMG and each of its Affiliates may receive, use and disclose the Cardholder Data in compliance with Applicable Law and the Program Privacy Policy (i) for purposes of promoting the Program or promoting NMG Goods and Services, (ii) as otherwise necessary to carry out its obligations under this Agreement, and (iii) as otherwise permitted by Applicable Law.
(g) The NMG Companies may use the Cardholder Data in compliance with Applicable Law and the Program Privacy Policy. Each of the NMG Companies may disclose the Cardholder Data in compliance with Applicable Law Notice (and the Program Privacy Policy solely:
(i) to its existing subcontractors as of the Effective Date and to authorized subcontractors that enter into agreements with an NMG Company after the Effective Date (“Future Subcontractors”) in connection with a permitted use of such Cardholder Data under this Section 6.2, provided that each such existing subcontractor and Future Subcontractor agrees in a written agreement satisfactory to NMG and Bank to maintain all such Cardholder Data as strictly confidential in perpetuity and not to use or disclose such information subject to any Person other than an NMG Company or Bankapplicable provisions of this Agreement, except as required by Applicable Law or any Governmental Authority (after giving the NMG Companies prior notice including ARTICLE V, Section 3.5 and an opportunity to defend against such disclosureSection 4.8); provided, further, that each such existing subcontractor and Future Subcontractor maintains, and agrees in writing to maintain, an information security program that is designed to meet all requirements of Applicable Law, including, at a minimum, maintenance of an information security program that is designed to: (w) ensure the security and confidentiality of the Cardholder Data; (x) protect against any anticipated threats or hazards to the security or integrity of the Cardholder Data; (y) protect against unauthorized access to or use of the Cardholder Data; and (z) ensure the proper disposal of Cardholder Data; and provided, further, that each such existing subcontractor and Future Subcontractor agrees to notify promptly Bank and the NMG Companies of any unauthorized disclosure, use, or disposal of, or access to, Cardholder Data and to cooperate with Bank and the NMG Companies in any investigation thereof and remedial action with respect thereto;
(ii) to its Affiliates, and its and such Affiliates’ employees, attorneys and accountants with a need to know such Cardholder Data in connection with a permitted use of such Cardholder Data under this Section 6.2; provided that (A) Company shall not disclose or permit to be disclosed any such Person is bound by terms substantially similar to this Section 6.2 as a condition of employment or of access to Cardholder Data (or by professional obligations imposing comparable terms; and (Binformation derived therefrom) to a prospective Nominated Purchaser, except under the NMG Companies shall be responsible for the compliance by each such Person circumstances or in accordance with the terms of this procedures set forth in Section 6.2; or
(iii) to any Governmental Authority with authority over such NMG Company (A) in connection with an examination of such NMG Company; or (B) pursuant to a specific requirement to provide such Cardholder Data by such Governmental Authority or pursuant to compulsory legal process; provided that such NMG Company seeks the full protection of confidential treatment for any disclosed Cardholder Data to the extent available under Applicable Law governing such disclosure, and with respect to clause (B15.2(f), to the extent permitted by Applicable Law, such NMG Company (1) provides at least ten (10) Business Days’ prior notice of such proposed disclosure to Bank if reasonably possible under the circumstances, and (2) seeks to redact the Cardholder Data to the fullest extent possible under Applicable Law governing such disclosure.
(h) With respect to the sharing, use and disclosure of the Cardholder Data following the expiration or termination of this Agreement, the following shall apply:
(i) the rights and obligations of the Parties parties under this Section 6.2 shall continue through the Termination Date and, to the extent necessary to exercise the parties’ respective rights and obligations, during any Termination Interim Servicing Period;
(ii) if NMG Company exercises its rights Purchase Option under Section 17.2, 15.2 Bank shall transfer its right, title and interest in the Cardholder Data to NMG Company or its Nominated Purchaser as part of such transactiontransaction and remove all the Cardholder Data from any list of Persons used by Bank or a third party in connection with solicitation of Credit Cards, debit cards, or other products bearing a Bank Licensed ▇▇▇▇, and (subject to Bank’s documentation retention policy (which shall in all events prohibit all use and disclosure of the Cardholder Data except as required to comply with Applicable Law) or other obligations under Applicable Law) Bank’s right to use and disclose the Cardholder Data shall terminate upon the termination of on the Termination PeriodDate. Notwithstanding the foregoing, nothing in this Section 6.2(h)(ii) shall obligate Bank or any third party to remove data from any marketing list information about any Person that Bank obtained independently from (and without any use of or reference to) this Program or restrict Bank’s use of such independently obtained information; and
(iii) if NMG provides notice that it shall Company does not exercise its rights Purchase Option under Section 17.215.2, NMG and its Affiliates’ Company’s right to use and disclose the Cardholder Data hereunder (but not Shopper Data, including Program Generated Shopper Data) shall terminate upon the termination except as required to comply with Applicable Law as of the Termination PeriodDate or the end of any Interim Servicing Period and promptly thereafter Company shall return or destroy in a commercially reasonable and technically feasible manner such Cardholder Data (but not Shopper Data, including Program Generated Shopper Data) and shall certify such return or destruction to Bank upon request.
(i) The parties shall reasonably cooperate to use, disclose and share Non-Personally Identifiable Information regarding the Program, as mutually agreed upon from time to time to, among other things, monitor Program performance, comply with funding requirements (e.g. rating agency and master trust filing requirements) and support planning and financial reporting processes.
(j) Nothing in this Section 6.2 shall restrict Company’s use of Shopper Data.
Appears in 1 contract
Cardholder Data. (a) As among the Parties heretobetween Bank and Company, the Cardholder Data shall be the property of and exclusively owned by Bank. In its capacity as servicer, Company shall maintain all Cardholder Data and shall provide Bank with full access to Cardholder Data.
(b) The Program Privacy Policy initial privacy notice applicable to the Cardholder Data is attached as Schedule 6.2 hereto6.2(b), which shall be separate from the privacy notice(s) that Bank maintains for its other portfolios. Bank shall cooperate with Company to provide Company the maximum ability permissible under Applicable Law and Network Rules to use and disclose Cardholder Data, including, as necessary or appropriate, through the Program Privacy Notice and/or the use of disclosures, consents, opt-in provisions or opt-out provisions. Any modifications to the Program Privacy Policy Notice shall be approved by the Management Committeeboth parties, provided that the Program Privacy Policy Notice at all times shall (i) comply with Applicable Law at all timesand (ii) provide Company access to and the right to use Cardholder Data to the fullest extent permitted by Applicable Law and Network Rules, including for its business purposes.
(c) Bank shall not use, or permit to be used, the Cardholder Data, except as provided in this Section 6.2. Bank may use the Cardholder Data and any other information derived from the Cardholder Data in compliance with Applicable Law Law, the Network Rules and the Program Privacy Policy solely Notice, solely: (i) as necessary to exercise its rights or carry out its obligations hereunder; (ii) for purposes of soliciting promoting the Program or marketing (in each case, solely as directed by the NMG Companies promoting Goods and/or Services available for purchase on an Account at or the Management Committee) or servicing customers listed in the Cardholder Data for NMG Credit Cards, Approved Ancillary Products, and through any other products and services approved by the Management Committee, (ii) as otherwise necessary to carry out its obligations or exercise its rights hereunder, or Company Channel; (iii) for purposes of performing analysis and modeling, provided, however, that Cardholder Data used for analysis and modeling other than with respect to the Program shall be Non-Personally Identifiable Information, shall be aggregated with data from other portfolios, and shall not be used in connection with or for the benefit of any co-branded or private label credit program that is or may be offered by Bank on behalf of or in association with any Competing Retailer; or (iv) as required by necessary or appropriate for purposes of compliance with Applicable Law, regulatory examination, internal auditing functions, risk assessment or management functions, Network Rules or as otherwise set forth in 12 CFR 40.15(a)(1)-(7). Bank has no rights to shall not use the Cardholder Data for marketing or any other purposes except as expressly provided herein. Notwithstanding the foregoing, each party acknowledges that Bank may independently gather information from individuals independent of the Program, including from Persons who may or may not also be Cardholders, and that Bank and its Affiliates may have rights to use and disclose such information independent of whether such information also constitutes Cardholder Data or Company Guest Data under this Agreement; provided, however, except as expressly permitted pursuant to this Agreement, Bank and its Affiliates may not, in any event, take into account that a Person is a Cardholder or intentionally target for solicitation such customers through the use of the Cardholder Data. Bank shall not commingle Cardholder Data into any Bank marketing database except as provided in this Section 6.2(c).
(d) Bank shall not disclose, or permit to be disclosed, the Cardholder Data, except as provided in this Section 6.2. Bank shall not, directly or indirectly, sell or otherwise transfer any right in or to the Cardholder Data other than to NMG or any of its Affiliates. Bank may disclose the Cardholder Data in compliance with Applicable Law and Law, the Network Rules, the Program Privacy Policy Notice and the Credit Card Agreement, solely:
(i) to its authorized subcontractors (including Company in its capacity as servicer) in connection with a permitted use of such Cardholder Data under this Section 6.2, ; provided that (A) each such authorized subcontractor agrees in a written agreement satisfactory is subject to NMG and Bank an obligation to maintain all such the confidential status of Cardholder Data at least as strictly confidential restrictive as that set forth herein, and not to use or disclose (B) Bank shall be responsible for the compliance of each such information to any Person subcontractor (other than Bank or an NMG Company, except Company in its capacity as required by Applicable Law servicer or any Governmental Authority (after giving Bank and subcontractor of Company in such capacity) with the NMG Companies prior notice and an opportunity to defend against such disclosure); provided, further, that each such authorized subcontractor maintains, and agrees in writing to maintain, an information security program that is designed to meet all requirements terms of Applicable Law, including, at a minimum, maintenance of an information security program that is designed to: (w) ensure the security and confidentiality of the Cardholder Data; (x) protect against any anticipated threats or hazards to the security or integrity of the Cardholder Data; (y) protect against unauthorized access to or use of the Cardholder Data; and (z) ensure the proper disposal of Cardholder Data; and provided, further, that each such authorized subcontractor agrees to notify promptly Bank and the NMG Companies of any unauthorized disclosure, use, or disposal of, or access to, Cardholder Data and to cooperate with Bank and the NMG Companies in any investigation thereof and remedial action with respect thereto;this Section.
(ii) to its Affiliates, and its and such Affiliates’ to employees, attorneys agents, attorneys, auditors and accountants of Bank and its Affiliates, with a need to know such Cardholder Data in connection with a permitted use of such Cardholder Data under this Section 6.2Section; provided that (A) any each such Person is bound by terms substantially similar subject to this Section 6.2 as a condition an obligation to maintain the confidential status of employment or of access to Cardholder Data or by professional obligations imposing comparable terms; at least as restrictive as that set forth herein, and (B) Bank shall be responsible for the compliance by of each such Person with the terms of this Section 6.2Section;
(iii) to a potential third-party purchaser with respect to any written off Cardholder Indebtedness or otherwise to the extent permitted under this Agreement, or to a trustee in connection with a securitization transaction to the extent permitted under this Agreement; or
(iv) to any Governmental Authority with asserting authority over Bank or any of its Affiliates (A) in connection with an examination of BankBank or any such Affiliate; or (B) pursuant to a specific requirement to provide such Cardholder Data by such Governmental Authority or pursuant to compulsory legal process, provided, however, that Bank shall seek the full protection of confidential treatment for any disclosed Cardholder Data to the extent available under Applicable Law governing such disclosure and with respect to clause (B) Bank shall provide reasonable advance notice to Company to the extent reasonably practicable under the circumstances.
(e) Bank shall not, directly or indirectly, sell, or otherwise transfer any right in or to the Cardholder Data, except
(i) with respect to any written off Cardholder Indebtedness, (ii) to any potential third-party purchaser to the extent permitted hereunder, and (iii) to a trustee in connection with a securitization transaction related to the Accounts to the extent permitted hereunder, provided that, such trustee shall be bound by a confidentiality agreement affording protections substantially similar to the confidentiality and use provisions of this Agreement with such modifications as may be customary for confidentiality agreements in connection with such securitizations (and any material modifications shall be submitted for approval of Company, which approval shall not be unreasonably delayed, conditioned or withheld).
(f) Subject to Applicable Law, Bank shall provide the information below to Company on a daily basis:
(i) [*]
(ii) [*]
(iii) [*]
(iv) [*] To the extent that Company, as servicer for Bank, has access to the information Bank is obligated to provide under this Section 6.2(f), the parties acknowledge and agree that Bank shall be deemed to have fulfilled its obligation hereunder.
(g) Company shall not use, or permit to be used, Cardholder Data, except as provided in this Section 6.2(g) and subject to the other provisions and procedures of this Agreement, including ARTICLE V and Section 3.5. Company may use the Cardholder Data and any other information derived from the Cardholder Data in compliance with Applicable Law, the Network Rules and the Program Privacy Notice (i) for purposes of promoting the Program or promoting Goods and/or Services available for purchase on an Account at or through any Company Channel, (ii) for all commercially reasonable purposes in the same manner as Company uses Company Guest Data, (iii) as otherwise necessary to carry out its obligations under this Agreement, and (iv) as otherwise permitted by Applicable Law, the Network Rules and the Program Privacy Notice. Company shall maintain protocols regarding Cardholder Data intended to ensure that (i) Cardholder Data is logically isolated (and accordingly always separately identifiable) from Company’s other data and (ii) the use and disclosure of Cardholder Data is limited as provided by Applicable Law and this Agreement.
(h) Company shall not disclose, or permit to be disclosed, the Cardholder Data, except as provided in this Section 6.2(h). Company may disclose the Cardholder Data in compliance with Applicable Law, the Network Rules, the Program Privacy Notice and the Credit Card Agreement, solely:
(i) to its subcontractors in connection with a permitted use of such Cardholder Data under this Section 6.2; provided that Bank (A) each such subcontractor is subject to an obligation to maintain the confidential status of Cardholder Data at least as restrictive as that set forth herein, and (B) Company shall be responsible for the compliance of each such subcontractor with the terms of this Section;
(ii) to its Affiliates, and to employees, agents, attorneys, auditors and accountants of Company or its Affiliates, with a need to know such Cardholder Data in connection with a permitted use of such Cardholder Data under this Section; provided that (A) each such Person is subject to an obligation to maintain the confidential status of Cardholder Data at least as restrictive as that set forth herein, and (B) Company shall be responsible for the compliance of each such Person with the terms of this Section;
(iii) to any Governmental Authority asserting authority over Company (A) in connection with an examination of Company; or (B) pursuant to a specific requirement to provide for such Cardholder Data by such Governmental Authority or pursuant to compulsory legal process; provided, however, that Company seeks the full protection of confidential treatment for any such disclosed Cardholder Data to the extent available under Applicable Law governing such disclosure, and with respect to clause (B), Company shall provide reasonable advance notice to Bank to the extent permitted by Applicable Law, Bank (1) provides at least ten (10) Business Days’ prior notice of such proposed disclosure to NMG if reasonably possible practicable under the circumstances, and (2) seeks to redact the Cardholder Data to the fullest extent possible under Applicable Law governing such disclosure; or
(iv) to the extent permitted in the Risk Management Policies and Operating Procedures, to any consumer reporting agency in accordance with the federal Fair Credit Reporting Act.
(e) To the extent Bank has access to the following information in accordance with the provisions of this Agreement and subject to Applicable Law and the Program Privacy Policy, Bank shall transmit to the NMG Companies at such times as may be requested by NMG and in formats agreed to by the Parties in advance from time to time:
(i) for any customer who has applied for an NMG Credit Card, regardless of the marketing channel of such application: (A) the customer’s name, address, email address, telephone number, social security number and all other information supplied on the application or prescreened response submitted by the customer; (B) an indication of whether or not the customer has been approved for an NMG Credit Card; and (C) if the customer has been approved for an NMG Credit Card or Non-Card Payment Plan, the NMG Credit Card or Non-Card Payment Plan issued (or to be issued) to such customer;
(ii) for each Cardholder, joint-Cardholder and authorized buyer, (1) such person’s name, address, email address, telephone number, social security number and Account number; (2) any reported change to any of the foregoing information; (3) transaction and experience data; and (4) any such other Cardholder Data as the NMG Companies may reasonably request;
(iii) the Cardholder’s name and account number for any Account that is delinquent;
(iv) the Cardholder’s name and account number for any Account that has been closed; and
(v) the Cardholder Data for all categories of information available on the NMG Companies’ credit Systems as of the date hereof. Notwithstanding the foregoing, no Party hereto shall be required to provide any information on a personally identifiable basis if the provision of such personally identifiable information would cause such Party to be considered a “consumer reporting agency” for purposes of the Fair Credit Reporting Act.
(f) Bank shall cooperate with the NMG Companies to provide NMG and its Affiliates with the maximum ability permissible under Applicable Law and the Program Privacy Policy to receive, use and disclose the Cardholder Data, including, as necessary or appropriate, through use of consents or opt-out provisions, in each case as directed by the NMG Companies. Without limiting the foregoing, NMG and each of its Affiliates may receive, use and disclose the Cardholder Data in compliance with Applicable Law and the Program Privacy Policy (i) for purposes of promoting the Program or promoting NMG Goods and Services, (ii) as otherwise necessary to carry out its obligations under this Agreement, and (iii) as otherwise permitted by Applicable Law, the Program Privacy Notice and the Network Rules (and subject to any other applicable provisions of this Agreement, including ARTICLE V and Section 3.5); provided that, for the avoidance of doubt, the parties agree that Company shall not disclose, or permit to be disclosed, any Cardholder Data (or information derived therefrom) to a prospective Nominated Purchaser except at the time, under the circumstances and in accordance with the procedures set forth in Section 15.2(h).
(gi) The NMG Companies may With respect to use the and disclosure of Cardholder Data in compliance with Applicable Law and following expiration or termination of this Agreement, the Program Privacy Policy. Each of the NMG Companies may disclose the Cardholder Data in compliance with Applicable Law and the Program Privacy Policy solelyfollowing shall apply:
(i) to its existing subcontractors as of the Effective Date and to authorized subcontractors that enter into agreements with an NMG Company after the Effective Date (“Future Subcontractors”) in connection with a permitted use of such Cardholder Data under this Section 6.2, provided that each such existing subcontractor and Future Subcontractor agrees in a written agreement satisfactory to NMG and Bank to maintain all such Cardholder Data as strictly confidential in perpetuity and not to use or disclose such information to any Person other than an NMG Company or Bank, except as required by Applicable Law or any Governmental Authority (after giving the NMG Companies prior notice and an opportunity to defend against such disclosure); provided, further, that each such existing subcontractor and Future Subcontractor maintains, and agrees in writing to maintain, an information security program that is designed to meet all requirements of Applicable Law, including, at a minimum, maintenance of an information security program that is designed to: (w) ensure the security and confidentiality of the Cardholder Data; (x) protect against any anticipated threats or hazards to the security or integrity of the Cardholder Data; (y) protect against unauthorized access to or use of the Cardholder Data; and (z) ensure the proper disposal of Cardholder Data; and provided, further, that each such existing subcontractor and Future Subcontractor agrees to notify promptly Bank and the NMG Companies of any unauthorized disclosure, use, or disposal of, or access to, Cardholder Data and to cooperate with Bank and the NMG Companies in any investigation thereof and remedial action with respect thereto;
(ii) to its Affiliates, and its and such Affiliates’ employees, attorneys and accountants with a need to know such Cardholder Data in connection with a permitted use of such Cardholder Data under this Section 6.2; provided that (A) any such Person is bound by terms substantially similar to this Section 6.2 as a condition of employment or of access to Cardholder Data or by professional obligations imposing comparable terms; and (B) the NMG Companies shall be responsible for the compliance by each such Person with the terms of this Section 6.2; or
(iii) to any Governmental Authority with authority over such NMG Company (A) in connection with an examination of such NMG Company; or (B) pursuant to a specific requirement to provide such Cardholder Data by such Governmental Authority or pursuant to compulsory legal process; provided that such NMG Company seeks the full protection of confidential treatment for any disclosed Cardholder Data to the extent available under Applicable Law governing such disclosure, and with respect to clause (B), to the extent permitted by Applicable Law, such NMG Company (1) provides at least ten (10) Business Days’ prior notice of such proposed disclosure to Bank if reasonably possible under the circumstances, and (2) seeks to redact the Cardholder Data to the fullest extent possible under Applicable Law governing such disclosure.
(h) With respect to the sharing, use and disclosure of the Cardholder Data following the termination of this Agreement:
(i) the The rights and obligations of the Parties parties under this Section 6.2 shall continue through any the Termination Date and, if applicable, the end of the Interim Servicing Period;.
(ii) if NMG If Company exercises its rights under Section 17.215.2, Bank shall transfer its right, title and interest in the Cardholder Data to NMG Company or its Nominated Purchaser as part of such transaction, and (subject to Bank’s documentation retention or other obligations under Applicable Law) Bank’s right to use and disclose the Cardholder Data shall terminate upon the termination of on the Termination Period; andDate.
(iii) if NMG provides notice that it shall If Company does not exercise its rights Purchase Option under Section 17.215.2, NMG and its Affiliates’ Company’s right to use and disclose the Cardholder Data hereunder shall terminate only to the extent required by Applicable Law.
(j) The parties shall reasonably cooperate to use, disclose and share Non-Personally Identifiable Information regarding the Program, as mutually agreed upon the termination from time to time to, among other things, monitor Program performance, comply with funding requirements (e.g. rating agency and master trust filing requirements) and support planning and financial reporting processes.
(k) Nothing in this Section 6.2 shall restrict Company’s use of the Termination PeriodCompany Guest Data. Section 6.3.
Appears in 1 contract
Sources: Credit Card Program Agreement
Cardholder Data. (a) As among the Parties hereto, the Cardholder Data shall be the property of and exclusively owned by Bank.
(b) The Program Privacy Policy applicable to the Cardholder Data is attached as Schedule 6.2 hereto. Any modifications to the Program Privacy Policy shall be approved by the Management Committee, provided that the Program Privacy Policy shall comply with Applicable Law at all times.
(c) Bank shall not use, or permit to be used, the Cardholder Data, except as provided in this Section 6.2. Bank may use the Cardholder Data in compliance with Applicable Law and the Program Privacy Policy solely (i) for purposes of soliciting or marketing (in each case, solely as directed by the NMG Companies Pier 1 or the Management Committee) or servicing customers listed in the Cardholder Data for NMG Pier 1 Credit Cards, Approved Ancillary Products, and any other products and services approved by the Management Committee, (ii) as otherwise necessary to carry out its obligations or exercise its rights hereunder, or (iii) as required by Applicable Law. Bank has no rights to use the Cardholder Data for marketing purposes except as expressly provided herein.
(d) Bank shall not disclose, or permit to be disclosed, the Cardholder Data, except as provided in this Section 6.2. Bank shall not, directly or indirectly, sell or otherwise transfer any right in or to the Cardholder Data other than to NMG Pier 1 or any of its Affiliates, or to its Nominated Purchaser or a successor of Bank by merger or acquisition. Bank may disclose the Cardholder Data in compliance with Applicable Law and the Program Privacy Policy solely:
(i) to its authorized subcontractors in connection with a permitted use of such Cardholder Data under this Section 6.2, provided that each such authorized subcontractor agrees in a written agreement satisfactory to NMG Pier 1 and Bank to maintain all such Cardholder Data as strictly confidential and not to use or disclose such information to any Person other than Bank or an NMG CompanyPier 1, except as required by Applicable Law or any Governmental Authority (after giving Bank and the NMG Companies Pier 1 prior notice and an opportunity to defend against such disclosure); provided, further, that each such authorized subcontractor maintains, and agrees in writing to maintain, an information security program that is designed to meet all requirements of Applicable Law, including, at a minimum, maintenance of an information security program that is designed to: (w) ensure the security and confidentiality of the Cardholder Data; (x) protect against any anticipated threats or hazards to the security or integrity of the Cardholder Data; (y) protect against unauthorized access to or use of the Cardholder Data; and (z) ensure the proper disposal of Cardholder Data; and provided, further, that each such authorized subcontractor agrees to notify promptly Bank and the NMG Companies Pier 1 of any unauthorized disclosure, use, or disposal of, or access to, Cardholder Data and to cooperate with Bank and the NMG Companies Pier 1 in any investigation thereof and remedial action with respect thereto;
(ii) to its Affiliates, and its and such Affiliates’ employees, attorneys and accountants with a need to know such Cardholder Data in connection with a permitted use of such Cardholder Data under this Section 6.2; provided that (A) any such Person is bound by terms substantially similar to this Section 6.2 as a condition of employment or of access to Cardholder Data or by professional obligations imposing comparable terms; and (B) Bank shall be responsible for the compliance by each such Person with the terms of this Section 6.2;
(iii) to any Governmental Authority with authority over Bank (A) in connection with an examination of Bank; or (B) pursuant to a specific requirement to provide such Cardholder Data by such Governmental Authority or pursuant to compulsory legal process; provided that Bank seeks the full protection of confidential treatment for any disclosed Cardholder Data to the fullest extent available under Applicable Law governing such disclosure, and with respect to clause (B), to the extent permitted by Applicable Law, Bank (1) provides at least ten (10) Business Days’ prior notice of such proposed disclosure to NMG Pier 1 if reasonably possible under the circumstances, and (2) seeks to redact the Cardholder Data to the fullest extent possible under Applicable Law governing such disclosure; or
(iv) to the extent permitted in the Risk Management Policies and Operating Procedures, to any consumer reporting agency in accordance with the federal Fair Credit Reporting Act.
(e) To the extent Bank has access shall cooperate with Pier 1 to the following information in accordance provide Pier 1 and its Affiliates with the provisions of this Agreement and subject to maximum ability permissible under Applicable Law and the Program Privacy PolicyPolicy to receive, Bank shall transmit to use and disclose the NMG Companies at such times Cardholder Data, including, as necessary or appropriate, through use of consents or opt-out provisions, in each case as directed by Pier 1. Without limiting the foregoing, Pier 1 and its Affiliates may be requested by NMG receive, use and disclose the Cardholder Data in formats agreed to by compliance with Applicable Law and the Parties in advance from time to time:
Program Privacy Policy (i) for any customer who has applied for an NMG Credit Cardpurposes of promoting the Program or promoting Pier 1 Goods and Services, regardless of the marketing channel of such application: (A) the customer’s name, address, email address, telephone number, social security number and all other information supplied on the application or prescreened response submitted by the customer; (B) an indication of whether or not the customer has been approved for an NMG Credit Card; and (C) if the customer has been approved for an NMG Credit Card or Non-Card Payment Plan, the NMG Credit Card or Non-Card Payment Plan issued (or to be issued) to such customer;
(ii) for each Cardholderas otherwise necessary to carry out its obligations under this Agreement, joint-Cardholder and authorized buyer, (1) such person’s name, address, email address, telephone number, social security number and Account number; (2) any reported change to any of the foregoing information; (3) transaction and experience data; and (4) any such other Cardholder Data as the NMG Companies may reasonably request;
(iii) the Cardholder’s name and account number for any Account that is delinquent;
(iv) the Cardholder’s name and account number for any Account that has been closed; and
(v) the Cardholder Data for all categories of information available on the NMG Companies’ credit Systems as of the date hereofotherwise permitted by Applicable Law. Notwithstanding the foregoing, no Party hereto shall be required to provide any information on a personally identifiable basis if the provision of such personally identifiable information would cause such Party to be considered a “consumer reporting agency” for purposes of the Fair Credit Reporting Act.
(f) Bank shall cooperate with the NMG Companies to provide NMG and its Affiliates with the maximum ability permissible under Applicable Law and the Program Privacy Policy to receive, use and disclose the Cardholder Data, including, as necessary or appropriate, through use of consents or opt-out provisions, in each case as directed by the NMG Companies. Without limiting the foregoing, NMG and each of its Affiliates may receive, use and disclose the Cardholder Data in compliance with Applicable Law and the Program Privacy Policy (i) for purposes of promoting the Program or promoting NMG Goods and Services, (ii) as otherwise necessary to carry out its obligations under this Agreement, and (iii) as otherwise permitted by Applicable Law.
(g) The NMG Companies may use the Cardholder Data in compliance with Applicable Law and the Program Privacy Policy. Each of the NMG Companies may disclose the Cardholder Data in compliance with Applicable Law and the Program Privacy Policy solely:
(i) to its existing subcontractors as of the Effective Date and to authorized subcontractors that enter into agreements with an NMG Company after the Effective Date (“Future Subcontractors”) in connection with a permitted use of such Cardholder Data under this Section 6.2, provided that each such existing subcontractor and Future Subcontractor agrees in a written agreement satisfactory to NMG and Bank to maintain all such Cardholder Data as strictly confidential in perpetuity and not to use or disclose such information to any Person other than an NMG Company or Bank, except as required by Applicable Law or any Governmental Authority (after giving the NMG Companies prior notice and an opportunity to defend against such disclosure); provided, further, that each such existing subcontractor and Future Subcontractor maintains, and agrees in writing to maintain, an information security program that is designed to meet all requirements of Applicable Law, including, at a minimum, maintenance of an information security program that is designed to: (w) ensure the security and confidentiality of the Cardholder Data; (x) protect against any anticipated threats or hazards to the security or integrity of the Cardholder Data; (y) protect against unauthorized access to or use of the Cardholder Data; and (z) ensure the proper disposal of Cardholder Data; and provided, further, that each such existing subcontractor and Future Subcontractor agrees to notify promptly Bank and the NMG Companies of any unauthorized disclosure, use, or disposal of, or access to, Cardholder Data and to cooperate with Bank and the NMG Companies in any investigation thereof and remedial action with respect thereto;
(ii) to its Affiliates, and its and such Affiliates’ employees, attorneys and accountants with a need to know such Cardholder Data in connection with a permitted use of such Cardholder Data under this Section 6.2; provided that (A) any such Person is bound by terms substantially similar to this Section 6.2 as a condition of employment or of access to Cardholder Data or by professional obligations imposing comparable terms; and (B) the NMG Companies shall be responsible for the compliance by each such Person with the terms of this Section 6.2; or
(iii) to any Governmental Authority with authority over such NMG Company (A) in connection with an examination of such NMG Company; or (B) pursuant to a specific requirement to provide such Cardholder Data by such Governmental Authority or pursuant to compulsory legal process; provided that such NMG Company seeks the full protection of confidential treatment for any disclosed Cardholder Data to the extent available under Applicable Law governing such disclosure, and with respect to clause (B), to the extent permitted by Applicable Law, such NMG Company (1) provides at least ten (10) Business Days’ prior notice of such proposed disclosure to Bank if reasonably possible under the circumstances, and (2) seeks to redact the Cardholder Data to the fullest extent possible under Applicable Law governing such disclosure.
(h) With respect to the sharing, use and disclosure of the Cardholder Data following the termination of this Agreement:
(i) the rights and obligations of the Parties under this Section 6.2 shall continue through any Termination Period;; and
(ii) if NMG Pier 1 exercises its rights under Section 17.216.2, Bank shall transfer its right, title and interest in the Cardholder Data to NMG Pier 1 or its Nominated Purchaser as part of such transaction, and Bank’s right to use and disclose the Cardholder Data shall terminate upon the termination of the Termination Period; and
(iii) if NMG provides notice that it shall not exercise its rights under Section 17.2, NMG and its Affiliates’ right to use and disclose the Cardholder Data hereunder shall terminate upon the termination of the Termination Period.
Appears in 1 contract
Sources: Credit Card Program Agreement (Pier 1 Imports Inc/De)
Cardholder Data. (a) As among the Parties hereto, the Cardholder Data shall be the property of and exclusively owned by Bank.
(b) The Program Privacy Policy applicable to the Cardholder Data is attached as Schedule 6.2 hereto. Any modifications to the Program Privacy Policy shall be approved by the Management Committee, provided that the Program Privacy Policy shall comply with Applicable Law at all times.
(c) Bank shall not use, or permit to be used, the Cardholder Data, except as provided in this Section 6.2. Bank may use the Cardholder Data in compliance with Applicable Law and the Program Privacy Policy solely (i) for purposes of soliciting or marketing (in each case, solely as directed by the NMG Companies Pier 1 or the Management Committee) or servicing customers listed in the Cardholder Data for NMG Pier 1 Credit Cards, Approved Ancillary Products, and any other products and services approved by the Management Committee, (ii) as otherwise necessary to carry out its obligations or exercise its rights hereunder, or (iii) as required by Applicable Law. Bank has no rights to use the Cardholder Data for marketing purposes except as expressly provided herein.
(d) Bank shall not disclose, or permit to be disclosed, the Cardholder Data, except as provided in this Section 6.2. Bank shall not, directly or indirectly, sell or otherwise transfer any right in or to the Cardholder Data other than to NMG Pier 1 or any of its Affiliates, or to its Nominated Purchaser or a successor of Bank by merger or acquisition. Bank may disclose the Cardholder Data in compliance with Applicable Law and the Program Privacy Policy solely:
(i) to its authorized subcontractors in connection with a permitted use of such Cardholder Data under this Section 6.2, provided that each such authorized subcontractor agrees in a written agreement satisfactory to NMG Pier 1 and Bank to maintain all such Cardholder Data as strictly confidential and not to use or disclose such information to any Person other than Bank or an NMG CompanyPier 1, except as required by Applicable Law or any Governmental Authority (after giving Bank and the NMG Companies Pier 1 prior notice and an opportunity to defend against such disclosure); provided, further, that each such authorized subcontractor maintains, and agrees in writing to maintain, an information security program that is designed to meet all requirements of Applicable Law, including, at a minimum, maintenance of an information security program that is designed to: (w) ensure the security and confidentiality of the Cardholder Data; (x) protect against any anticipated threats or hazards to the security or integrity of the Cardholder Data; (y) protect against unauthorized access to or use of the Cardholder Data; and (z) ensure the proper disposal of Cardholder Data; and provided, further, that each such authorized subcontractor agrees to notify promptly Bank and the NMG Companies Pier 1 of any unauthorized disclosure, use, or disposal of, or access to, Cardholder Data and to cooperate with Bank and the NMG Companies Pier 1 in any investigation thereof and remedial action with respect thereto;
(ii) to its Affiliates, and its and such Affiliates’ ' employees, attorneys and accountants with a need to know such Cardholder Data in connection with a permitted use of such Cardholder Data under this Section 6.2; provided that (A) any such Person is bound by terms substantially similar to this Section 6.2 as a condition of employment or of access to Cardholder Data or by professional obligations imposing comparable terms; and (B) Bank shall be responsible for the compliance by each such Person with the terms of this Section 6.2;
(iii) to any Governmental Authority with authority over Bank (A) in connection with an examination of Bank; or (B) pursuant to a specific requirement to provide such Cardholder Data by such Governmental Authority or pursuant to compulsory legal process; provided that Bank seeks the full protection of confidential treatment for any disclosed Cardholder Data to the fullest extent available under Applicable Law governing such disclosure, and with respect to clause (B), to the extent permitted by Applicable Law, Bank (1) provides at least ten (10) Business Days’ ' prior notice of such proposed disclosure to NMG Pier 1 if reasonably possible under the circumstances, and (2) seeks to redact the Cardholder Data to the fullest extent possible under Applicable Law governing such disclosure; or
(iv) to the extent permitted in the Risk Management Policies and Operating Procedures, to any consumer reporting agency in accordance with the federal Fair Credit Reporting Act.
(e) To the extent Bank has access to the following information in accordance with the provisions of this Agreement and subject to Applicable Law and the Program Privacy Policy, Bank shall transmit to the NMG Companies at such times as may be requested by NMG and in formats agreed to by the Parties in advance from time to time:
(i) for any customer who has applied for an NMG Credit Card, regardless of the marketing channel of such application: (A) the customer’s name, address, email address, telephone number, social security number and all other information supplied on the application or prescreened response submitted by the customer; (B) an indication of whether or not the customer has been approved for an NMG Credit Card; and (C) if the customer has been approved for an NMG Credit Card or Non-Card Payment Plan, the NMG Credit Card or Non-Card Payment Plan issued (or to be issued) to such customer;
(ii) for each Cardholder, joint-Cardholder and authorized buyer, (1) such person’s name, address, email address, telephone number, social security number and Account number; (2) any reported change to any of the foregoing information; (3) transaction and experience data; and (4) any such other Cardholder Data as the NMG Companies may reasonably request;
(iii) the Cardholder’s name and account number for any Account that is delinquent;
(iv) the Cardholder’s name and account number for any Account that has been closed; and
(v) the Cardholder Data for all categories of information available on the NMG Companies’ credit Systems as of the date hereof. Notwithstanding the foregoing, no Party hereto shall be required to provide any information on a personally identifiable basis if the provision of such personally identifiable information would cause such Party to be considered a “consumer reporting agency” for purposes of the Fair Credit Reporting Act.
(f) Bank shall cooperate with the NMG Companies Pier 1 to provide NMG Pier 1 and its Affiliates with the maximum ability permissible under Applicable Law and the Program Privacy Policy to receive, use and disclose the Cardholder Data, including, as necessary or appropriate, through use of consents or opt-out provisions, in each case as directed by the NMG CompaniesPier 1. Without limiting the foregoing, NMG Pier 1 and each of its Affiliates may receive, use and disclose the Cardholder Data in compliance with Applicable Law and the Program Privacy Policy (i) for purposes of promoting the Program or promoting NMG Pier 1 Goods and Services, (ii) as otherwise necessary to carry out its obligations under this Agreement, and (iii) as otherwise permitted by Applicable Law. Notwithstanding the foregoing, no Party hereto shall be required to provide any information on a personally identifiable basis if the provision of such personally identifiable information would cause such Party to be considered a "consumer reporting agency" for purposes of the Fair Credit Reporting Act.
(gf) The NMG Companies may use the Cardholder Data in compliance with Applicable Law and the Program Privacy Policy. Each of the NMG Companies may disclose the Cardholder Data in compliance with Applicable Law and the Program Privacy Policy solely:
(i) to its existing subcontractors as of the Effective Date and to authorized subcontractors that enter into agreements with an NMG Company after the Effective Date (“Future Subcontractors”) in connection with If Pier 1 or a permitted use of such Cardholder Data under this Section 6.2, provided that each such existing subcontractor and Future Subcontractor agrees in a written agreement satisfactory to NMG and Bank to maintain all such Cardholder Data as strictly confidential in perpetuity and not to use or disclose such information to any Person other than an NMG Company or Bank, except as required by Applicable Law or any Governmental Authority (after giving the NMG Companies prior notice and an opportunity to defend against such disclosure); provided, further, that each such existing subcontractor and Future Subcontractor maintains, and agrees in writing to maintain, an information security program that is designed to meet all requirements of Applicable Law, including, at a minimum, maintenance of an information security program that is designed to: (w) ensure the security and confidentiality of the Cardholder Data; (x) protect against any anticipated threats or hazards to the security or integrity of the Cardholder Data; (y) protect against unauthorized access to or use of the Cardholder Data; and (z) ensure the proper disposal of Cardholder Data; and provided, further, that each such existing subcontractor and Future Subcontractor agrees to notify promptly Bank and the NMG Companies of any unauthorized disclosure, use, or disposal of, or access to, Cardholder Data and to cooperate with Bank and the NMG Companies in any investigation thereof and remedial action with respect thereto;
(ii) to its Affiliates, and its and such Affiliates’ employees, attorneys and accountants with a need to know such Cardholder Data in connection with a permitted use of such Cardholder Data under this Section 6.2; provided that (A) any such Person is bound by terms substantially similar to this Section 6.2 as a condition of employment or of access to Cardholder Data or by professional obligations imposing comparable terms; and (B) the NMG Companies shall be responsible for the compliance by each such Person with the terms of this Section 6.2; or
(iii) to any Governmental Authority with authority over such NMG Company (A) in connection with an examination of such NMG Company; or (B) pursuant to a specific requirement to provide such Cardholder Data by such Governmental Authority or pursuant to compulsory legal process; provided that such NMG Company seeks the full protection of confidential treatment for any disclosed Cardholder Data to the extent available under Applicable Law governing such disclosure, and with respect to clause (B), to the extent permitted by Applicable Law, such NMG Company (1) provides at least ten (10) Business Days’ prior notice of such proposed disclosure to Bank if reasonably possible under the circumstances, and (2) seeks to redact the Cardholder Data to the fullest extent possible under Applicable Law governing such disclosure.
(h) With respect to the sharing, use and disclosure of the Cardholder Data following the termination of this Agreement:
(i) the rights and obligations of the Parties under this Section 6.2 shall continue through any Termination Period;
(ii) if NMG Nominated Purchaser exercises its rights under Section 17.216.2, Bank shall transfer its right, title and interest in the Cardholder Data to NMG Pier 1 or its Nominated Purchaser as part of such transaction, and Bank’s 's right to use and disclose the Cardholder Data shall terminate upon the termination of the Termination Period; and
(iii) if NMG provides notice that it shall not exercise its rights under Section 17.2, NMG and its Affiliates’ right to use and disclose the Cardholder Data hereunder shall terminate upon the termination of the Termination Periodthis Agreement.
Appears in 1 contract
Sources: Credit Card Program Agreement (Pier 1 Imports Inc/De)
Cardholder Data. (a) As among the Parties hereto, the Cardholder Data shall be the property of and exclusively owned by CEBA Bank.
(b) The Program Privacy Policy applicable privacy notice provided to Cardholders pursuant to the Cardholder Data is attached as Schedule 6.2 hereto. Any modifications to ▇▇▇▇▇-▇▇▇▇▇-▇▇▇▇▇▇ Act constituting part of the Program Privacy Policy shall be approved by in the Management Committee, provided that form attached hereto as Schedule 6.2(b). Any changes to such privacy notice or to the Program Privacy Policy described therein shall comply be made only in accordance with Applicable Law at all timesArticle III.
(c) Bank shall not use, or permit to be used, the Cardholder Data, except as provided in this Section 6.2. Bank may use the Cardholder Data in compliance with Applicable Law and the Program Privacy Policy solely (i) for purposes of soliciting soliciting, marketing or marketing servicing (in each case, solely as directed by the NMG FDS Companies or the Management Operating Committee) or servicing customers listed in the Cardholder Data for NMG FDS Credit Cards, Approved Ancillary Products, and any other products and services approved by the Management Operating Committee, (ii) as otherwise necessary to carry out its obligations or exercise its rights hereunderhereunder (including its rights to use such information as contemplated by Section 16.4), or (iii) as required by Applicable Law. Bank has no rights to use the Cardholder Data for marketing purposes except as expressly provided herein.
(d) Bank shall not disclose, or permit to be disclosed, the Cardholder Data, except as provided in this Section 6.2. Bank shall not, directly or indirectly, sell or otherwise transfer any right in or to the Cardholder Data other than to NMG FDS or any of its AffiliatesAffiliates or to a Nominated Purchaser pursuant to Section 16.2. Bank may disclose the Cardholder Data in compliance with Applicable Law and the Program Privacy Policy solely:
(i) to its authorized subcontractors in connection with a permitted use of such Cardholder Data under this Section 6.2, provided that each such authorized subcontractor agrees in a written agreement satisfactory to NMG and Bank writing to maintain all such Cardholder Data as strictly confidential in perpetuity and not to use or disclose such information to any Person other than Bank or an NMG FDS Company, except as required by Applicable Law or any Governmental Authority (after giving Bank and the NMG FDS Companies prior notice and an opportunity to defend against such disclosure); provided, further, that each such authorized subcontractor maintains, and agrees in writing to maintain, an information security program that is designed to meet all requirements the objectives of Applicable Lawthe Guidelines, including, at a minimum, maintenance of an information security program that is designed to: (w) ensure the security and confidentiality of the Cardholder Data; (x) protect against any anticipated threats or hazards to the security or integrity of the Cardholder Data; (y) protect against unauthorized access to or modification, destruction, disclosure or use of the Cardholder Data; and (z) ensure the proper disposal of Cardholder Data; and provided, further, that each such authorized subcontractor agrees to notify promptly Bank and the NMG FDS Companies of any unauthorized disclosure, use, or disposal of, or access to, Cardholder Data and to cooperate with Bank and the NMG FDS Companies in any investigation thereof and remedial action with respect thereto;
(ii) to its Affiliates, and its and such Affiliates’ ' employees, attorneys and accountants with a need to know such Cardholder Data in connection with a permitted use of such Cardholder Data under this Section 6.2; provided that (A) any such Person is bound by terms substantially similar to this Section 6.2 as a condition of employment or of access to Cardholder Data or by professional obligations imposing comparable terms; and (B) Bank shall be responsible for the compliance by each such Person with the terms of this Section 6.2;; or
(iii) to any Governmental Authority with authority over Bank (A) in connection with an examination of Bank; or (B) pursuant to a specific requirement to provide such Cardholder Data by such Governmental Authority or pursuant to compulsory legal process; provided that Bank seeks the full protection of confidential treatment for any disclosed Cardholder Data to the extent available under Applicable Law governing such disclosure, and with respect to clause (B), to the extent permitted by Applicable Law, Bank (1) provides at least ten (10) Business Days’ ' prior notice of such proposed disclosure to NMG FDS if reasonably possible under the circumstances, and (2) seeks to redact the Cardholder Data to the fullest extent possible under Applicable Law governing such disclosure; or
(iv) to the extent permitted in the Risk Management Policies and Operating Procedures, to any consumer reporting agency in accordance with the federal Fair Credit Reporting Act.
(e) To the extent Bank has access to the following information in accordance with the provisions of this Agreement and subject Subject to Applicable Law and the Program Privacy Policy, Bank shall transmit to the NMG FDS Companies at such times as may be requested on a real-time basis throughout each day by NMG and a secure data feed into FDS Systems designated by FDS from time to time, in formats agreed to by the Parties in advance from time to time:
(i) for any customer who has applied for an NMG FDS Credit Card, regardless of the marketing channel of such application: (A) the customer’s 's name, address, email address, telephone number, social security number and all other information supplied on the application or prescreened response submitted by the customer; (B) an indication of whether or not the customer has been approved for an NMG FDS Credit Card; and (C) if the customer has been approved for an NMG FDS Credit Card, the FDS Credit Card or Non-Card Payment Plan, the NMG Credit Card or Non-Card Payment Plan issued (or to be issued) to such customercustomer (i.e., specify the type of FDS Credit Card and the FDS Licensed ▇▇▇▇ to be used on such FDS Credit Card);
(ii) for each Cardholder, joint-Cardholder and authorized buyer, (1A) such person’s 's name, address, email address, telephone number, social security number and Account number; (2B) any reported change to any of the foregoing information; (3C) transaction and experience data; and (4D) any such other Cardholder Data as the NMG FDS Companies may reasonably request;
(iii) the Cardholder’s 's name and account number for any Account that is delinquent;
(iv) the Cardholder’s 's name and account number for any Account that has been closed; and
(v) the Cardholder Data for all categories of information available on the NMG FDS Companies’ ' credit Systems as of the date hereof. Notwithstanding the foregoing, no Party hereto shall be required to provide any information on a personally identifiable basis if the provision of such personally identifiable information would cause such Party to be considered a “consumer reporting agency” for purposes of the Fair Credit Reporting Act.
(f) Subject to Applicable Law and the Program Privacy Policy, Bank shall transmit by a secure data feed into FedCustomer (or other FDS Systems designated by FDS from time to time), in a format agreed to by the Parties, on an as billed basis, all information contained in the Billing Statements and all other Cardholder Data for all categories of information available on FedCustomer as of the date hereof (including, for each Cardholder, joint-Cardholder and authorized buyer, name, address, email address, telephone number, information as to creditworthiness and changes to any of the foregoing information).
(g) Bank shall reasonably cooperate with the NMG FDS Companies to provide NMG FDS and its Affiliates with the maximum ability permissible under Applicable Law and the Program Privacy Policy to receive, use and disclose the Cardholder Data, including, as reasonably necessary or appropriate, through use of consents consents, opt-in provisions or opt-out provisions, in each case as directed by the NMG FDS Companies. Without limiting the foregoing, NMG FDS and each of its Affiliates may receive, use and disclose the Cardholder Data in compliance with Applicable Law and the Program Privacy Policy (i) for purposes of promoting the Program or promoting NMG FDS Goods and Services, (ii) as otherwise necessary to carry out its obligations under this Agreement, and (iii) as otherwise permitted by Applicable Law.
(gh) The NMG FDS Companies may use the Cardholder Data in compliance with Applicable Law and the Program Privacy Policy. Each of the NMG FDS Companies may disclose the Cardholder Data in compliance with Applicable Law and the Program Privacy Policy solely:
(i) to its existing subcontractors as of the Effective Date and to authorized subcontractors that enter into agreements with an NMG FDS Company after the Effective Date (“"Future Subcontractors”") in connection with a permitted use of such Cardholder Data under this Section 6.2, provided that each such existing subcontractor and Future Subcontractor agrees in a written agreement satisfactory to NMG and Bank writing to maintain all such Cardholder Data as strictly confidential in perpetuity and not to use or disclose such information to any Person other than an NMG FDS Company or Bank, except as required by Applicable Law or any Governmental Authority (after giving the NMG FDS Companies prior notice and an opportunity to defend against such disclosure); provided, further, that each such existing subcontractor and Future Subcontractor maintains, and agrees in writing to maintain, an information security program that is designed to meet all requirements the objectives of Applicable Lawthe Guidelines, including, at a minimum, maintenance of an information security program that is designed to: (w) ensure the security and confidentiality of the Cardholder Data; (x) protect against any anticipated threats or hazards to the security or integrity of the Cardholder Data; (y) protect against unauthorized access to or modification, destruction, disclosure or use of the Cardholder Data; and (z) ensure the proper disposal of Cardholder Data; and provided, further, that each such existing subcontractor and Future Subcontractor agrees to notify promptly Bank and the NMG FDS Companies of any unauthorized disclosure, use, or disposal of, or access to, Cardholder Data and to cooperate with Bank and the NMG FDS Companies in any investigation thereof and remedial action with respect thereto;
(ii) to its Affiliates, and its and such Affiliates’ ' employees, attorneys and accountants with a need to know such Cardholder Data in connection with a permitted use of such Cardholder Data under this Section 6.2; provided that (A) any such Person is bound by terms substantially similar to this Section 6.2 as a condition of employment or of access to Cardholder Data or by professional obligations imposing comparable terms; and (B) the NMG FDS Companies shall be responsible for the compliance by each such Person with the terms of this Section 6.2; or
(iii) to any Governmental Authority with authority over such NMG FDS Company (A) in connection with an examination of such NMG FDS Company; or (B) pursuant to a specific requirement to provide such Cardholder Data by such Governmental Authority or pursuant to compulsory legal process; provided that such NMG FDS Company seeks the full protection of confidential treatment for any disclosed Cardholder Data to the extent available under Applicable Law governing such disclosure, and with respect to clause (B), to the extent permitted by Applicable Law, such NMG FDS Company (1) provides at least ten (10) Business Days’ ' prior notice of such proposed disclosure to Bank if reasonably possible under the circumstances, and (2) seeks to redact the Cardholder Data to the fullest extent possible under Applicable Law governing such disclosure.
(hi) With respect to the sharing, use and disclosure of the Cardholder Data following the termination of this Agreement:
(i) the rights and obligations of the Parties under this Section 6.2 shall continue through any Termination Period;
(ii) if NMG FDS exercises its rights under Section 17.216.2, Bank shall transfer its right, title and interest in the Cardholder Data to NMG FDS or its Nominated Purchaser as part of such transaction, and Bank’s 's right to use and disclose the Cardholder Data shall terminate upon the termination of the Termination Period; and
(iii) if NMG FDS provides notice that it shall not exercise its rights under Section 17.216.2, NMG FDS and its Affiliates’ ' right to use and disclose the Cardholder Data hereunder shall terminate upon the termination of the Termination Period.
Appears in 1 contract
Sources: Credit Card Program Agreement (Federated Department Stores Inc /De/)
Cardholder Data. (a) As among the Parties heretobetween Bank and Bon-Ton, subject to Section 2.16, the Cardholder Data shall be the property of and exclusively owned by Bank.
(b) The Program Privacy Policy applicable to . Bon-Ton acknowledges and agrees that it has no proprietary interest in the Cardholder Data is attached as Schedule 6.2 heretoData. Any modifications to the Program Privacy Policy shall be approved by the Management Committee, provided that the Program Privacy Policy shall comply with Applicable Law at all times.
(c) Bank shall not use, or permit to be used, the Cardholder Data, except as provided in this Section 6.2. Bank may use the Cardholder Data in compliance with this Agreement, Applicable Law and the privacy policy adopted by Bon-Ton and Bank for the Program ("Program Privacy Policy solely (i) for purposes of soliciting or marketing (in each case, solely as directed by the NMG Companies or the Management Committee) or servicing customers listed in the Cardholder Data for NMG Credit Cards, Approved Ancillary Products, and any other products and services approved by the Management Committee, (ii) as otherwise necessary to carry out its obligations or exercise its rights hereunder, or (iii) as required by Applicable LawPolicy"). Bank has no rights to use the Cardholder Data for marketing purposes except as expressly provided herein.
(db) Bank shall not disclose, or permit to be disclosed, the Cardholder Data, except as provided in this Section 6.2. Bank shall not, directly or indirectly, sell or otherwise transfer any right in or to the Cardholder Data other than to NMG or any of its AffiliatesData. Bank may disclose the Cardholder Data in compliance with Applicable Law and the Program Privacy Policy solely:
(i) to its authorized subcontractors in connection with a permitted use of such Cardholder Data under this Section 6.2Data, provided that each such authorized subcontractor agrees in a written agreement satisfactory to NMG and Bank to maintain all such Cardholder Data as strictly confidential and not to use or disclose such information to any Person other than Bank or an NMG Company, except as required by Applicable Law or any Governmental Authority (after giving Bank and the NMG Companies prior notice and an opportunity to defend against such disclosure); provided, further, that each such authorized subcontractor maintains, and agrees in writing to maintain, an information security program that is designed to meet all requirements of Applicable Law, including, at a minimum, maintenance of an information security program that is designed to: (w) ensure the security and confidentiality of the Cardholder Data; (x) protect against any anticipated threats or hazards to the security or integrity of the Cardholder Data; (y) protect against unauthorized access to or use of the Cardholder Data; and (z) ensure the proper disposal of Cardholder Data; and provided, further, that each such authorized subcontractor agrees to notify promptly Bank and the NMG Companies of any unauthorized disclosure, usebe bound by this Section 2.15, or disposal of, or access to, Cardholder Data and to cooperate a comparable contractual commitment with Bank and the NMG Companies in any investigation thereof and remedial action with respect theretosame effect;
(ii) to its Affiliates, Affiliates and its and such Affiliates’ ' employees, agents, attorneys and accountants with a need to know such Cardholder Data in connection with a permitted use of such Cardholder Data under this Section 6.2Section; provided that (A) any such Person is bound by terms substantially similar to this Section 6.2 as a condition of employment or of access to Cardholder Data or by professional obligations imposing comparable terms; and (B) Bank shall be responsible for the compliance by of each such Person with the terms of this Section 6.2;Section; or
(iii) to any Governmental Authority governmental authority with authority over Bank (A) in connection with an examination of Bank; or (B) pursuant to a specific requirement to provide such Cardholder Data by such Governmental Authority or pursuant to compulsory legal process; provided that Bank seeks the full protection of confidential treatment for any disclosed Cardholder Data to the fullest extent available under Applicable Law governing such disclosure, and with respect to clause (B), to the extent permitted by Applicable Law, Bank (1) provides at least ten (10) Business Days’ prior notice of such proposed disclosure to NMG if reasonably possible under the circumstances, and (2) seeks to redact the Cardholder Data to the fullest extent possible under Applicable Law governing such disclosure; or
(iv) to the extent permitted in the Risk Management Policies and Operating Procedures, to any consumer reporting agency in accordance with the federal Fair Credit Reporting Act.
(ec) To the extent Bank has access to the following information in accordance with the provisions of this Agreement and subject Subject to Applicable Law and the Program Privacy Policy, Bank shall transmit report to the NMG Companies at Bon-Ton on a Monthly basis, or such times shorter period as may be requested by NMG and reflected on Schedule 2.7(g) in formats a format agreed to by the Parties parties in advance from time to timeadvance:
(i) for any customer who has applied for an NMG Credit a Card, regardless of the marketing channel of such application: (A) , the customer’s 's name, address, email addressaddress (if applicable), telephone number, social security number and all other commercially reasonable information supplied on the application or prescreened response submitted by the customer; (B) an indication of whether or not the customer has been approved for an NMG Credit Card; and (C) if the customer has been approved for an NMG Credit Card or Non-Card Payment Plan, the NMG Credit Card or Non-Card Payment Plan issued (or to be issued) to such customer;and
(ii) for each any Cardholder, joint-Cardholder and authorized buyer, (1) such person’s the Cardholder's name, address, email address, telephone number, social security number and Account number; (2) any reported change to any of the foregoing information; (3) transaction and experience data; and (4) any such other Cardholder Data as the NMG Companies may reasonably request;
(iii) the Cardholder’s name and account number for any Account that is delinquent;
(iv) the Cardholder’s name and account number for any Account that has been closed; and
(v) the Cardholder Data for all categories of information available on the NMG Companies’ credit Systems as of the date hereof. Notwithstanding the foregoing, no Party hereto shall be required to provide any information on a personally identifiable basis if the provision of such personally identifiable information would cause such Party to be considered a “consumer reporting agency” for purposes of the Fair Credit Reporting Act.
(f) Bank shall cooperate with the NMG Companies to provide NMG and its Affiliates with the maximum ability permissible under Applicable Law and the Program Privacy Policy to receive, use and disclose the Cardholder Data, including, as necessary or appropriate, through use of consents or opt-out provisions, in each case as directed by the NMG Companies. Without limiting the foregoing, NMG and each of its Affiliates may receive, use and disclose the Cardholder Data in compliance with Applicable Law and the Program Privacy Policy (i) for purposes of promoting the Program or promoting NMG Goods and Services, (ii) as otherwise necessary to carry out its obligations under this Agreement, and (iii) as otherwise permitted by Applicable Law.
(g) The NMG Companies may use the Cardholder Data in compliance with Applicable Law and the Program Privacy Policy. Each of the NMG Companies may disclose the Cardholder Data in compliance with Applicable Law and the Program Privacy Policy solely:
(i) to its existing subcontractors as of the Effective Date and to authorized subcontractors that enter into agreements with an NMG Company after the Effective Date (“Future Subcontractors”) in connection with a permitted use of such Cardholder Data under this Section 6.2, provided that each such existing subcontractor and Future Subcontractor agrees in a written agreement satisfactory to NMG and Bank to maintain all such Cardholder Data as strictly confidential in perpetuity and not to use or disclose such information to any Person other than an NMG Company or Bank, except as required by Applicable Law or any Governmental Authority (after giving the NMG Companies prior notice and an opportunity to defend against such disclosure); provided, further, that each such existing subcontractor and Future Subcontractor maintains, and agrees in writing to maintain, an information security program that is designed to meet all requirements of Applicable Law, including, at a minimum, maintenance of an information security program that is designed to: (w) ensure the security and confidentiality of the Cardholder Data; (x) protect against any anticipated threats or hazards to the security or integrity of the Cardholder Data; (y) protect against unauthorized access to or use of the Cardholder Data; and (z) ensure the proper disposal of Cardholder Data; and provided, further, that each such existing subcontractor and Future Subcontractor agrees to notify promptly Bank and the NMG Companies of any unauthorized disclosure, use, or disposal of, or access to, Cardholder Data and to cooperate with Bank and the NMG Companies in any investigation thereof and remedial action with respect thereto;
(ii) to its Affiliates, and its and such Affiliates’ employees, attorneys and accountants with a need to know such Cardholder Data in connection with a permitted use of such Cardholder Data under this Section 6.2; provided that (A) any such Person is bound by terms substantially similar to this Section 6.2 as a condition of employment or of access to Cardholder Data or by professional obligations imposing comparable terms; and (B) the NMG Companies shall be responsible for the compliance by each such Person with the terms of this Section 6.2; or
(iii) to any Governmental Authority with authority over such NMG Company (A) in connection with an examination of such NMG Company; or (B) pursuant to a specific requirement to provide such Cardholder Data by such Governmental Authority or pursuant to compulsory legal process; provided that such NMG Company seeks the full protection of confidential treatment for any disclosed Cardholder Data to the extent available under Applicable Law governing such disclosure, and with respect to clause (B), to the extent permitted by Applicable Law, such NMG Company (1) provides at least ten (10) Business Days’ prior notice of such proposed disclosure to Bank if reasonably possible under the circumstances, and (2) seeks to redact the Cardholder Data to the fullest extent possible under Applicable Law governing such disclosure.
(h) With respect to the sharing, use and disclosure of the Cardholder Data following the termination of this Agreement:
(i) the rights and obligations of the Parties under this Section 6.2 shall continue through any Termination Period;
(ii) if NMG exercises its rights under Section 17.2, Bank shall transfer its right, title and interest in the Cardholder Data to NMG or its Nominated Purchaser as part of such transaction, and Bank’s right to use and disclose the Cardholder Data shall terminate upon the termination of the Termination Period; and
(iii) if NMG provides notice that it shall not exercise its rights under Section 17.2, NMG and its Affiliates’ right to use and disclose the Cardholder Data hereunder shall terminate upon the termination of the Termination Period.
Appears in 1 contract
Cardholder Data. (a) As among between the Parties hereto, the Cardholder Data shall be the property of and exclusively owned by the Bank.
(b) The Program Privacy Policy applicable to the Cardholder Data is attached as Schedule 6.2 6.2(b) hereto. Any modifications to the Program Privacy Policy shall be approved by the Management Committeeboth Parties, provided that without limiting the Bank’s obligations pursuant to Section 4.6(b), the Bank shall have the sole right to effect such changes to the Program Privacy Policy to ensure that the Program Privacy Policy shall comply with Applicable Law at all times.
(c) Bank shall not use, or permit to be used, the Cardholder Data, except as provided in this Section 6.2. The Bank may use the Cardholder Data in compliance with Applicable Law and the Program Privacy Policy solely (i) for purposes of soliciting or and marketing (in each case, solely as directed by compliance with the NMG Companies or the Management Committee) or servicing provisions of this Agreement customers listed in the Cardholder Data for NMG Company Credit Cards, Approved Ancillary Products, and any other mutually agreed products and services approved as agreed by the Management CommitteeParties pursuant to the terms hereof, (ii) as otherwise necessary to carry out its obligations or exercise its rights hereunder, or (iii) as required by Applicable Law, regulatory examinations and internal auditing, internal risk assessment and internal management functions or (iv) for purposes of performing analysis and modeling, provided, however, that Cardholder Data used for analysis and modeling other than with respect to the Program shall be non-personally identifiable information, shall be aggregated with data from other portfolios, and shall not be used in connection with or for the benefit of any credit program that is or may be offered by the Bank on behalf of or in association with any Scheduled Retailer. The Bank has no rights to to, and shall not, in any event, use the Cardholder Data for marketing or any other purposes except as expressly provided herein. Without limiting the foregoing, each Party acknowledges that the Bank may gather information from Persons Active.15844721.1 independent of the Program and without use of any information obtained in connection with or as a result of this Agreement or its relationship with the Company, including from Persons who may or may not also be Cardholders. The Bank and its Affiliates have the rights to use and disclose such information independent of whether such information constitutes Cardholder Data or Shopper Data under this Agreement.
(d) Bank shall not disclose, or permit to be disclosed, the Cardholder Data, except as provided in this Section 6.2. The Bank shall not, directly or indirectly, sell disclose, sell, transfer, or otherwise transfer any right in rent (or permit others to do same), the Cardholder Data other than to NMG or any of its Affiliates. Data, except that the Bank may disclose the Cardholder Data may, in compliance with Applicable Law and the Program Privacy Policy Policy, disclose Cardholder Data solely:
(i) to its Service Providers authorized subcontractors in accordance with this Agreement solely on a “need to know” basis in connection with a permitted use of such the Cardholder Data under this pursuant to Section 6.26.2(c), provided that each such authorized subcontractor Service Provider agrees in a written agreement satisfactory that obligates the Service Provider to NMG adhere to requirements at least as restrictive as those set forth herein with regard to the confidentiality and Bank to maintain all such Cardholder Data as strictly confidential and not to use or disclose such information to any Person other than Bank or an NMG Company, except as required by Applicable Law or any Governmental Authority (after giving Bank and the NMG Companies prior notice and an opportunity to defend against such disclosure); provided, further, that each such authorized subcontractor maintainsof, and agrees in writing to maintain, an information security program that is designed to meet all requirements of Applicable Law, including, at a minimum, maintenance of an information security program that is designed to: (w) ensure protecting the security and confidentiality of the Cardholder Data; (x) protect against any anticipated threats or hazards to the security or integrity of the Cardholder Data; (y) protect against unauthorized access to or use of of, the Cardholder Data; and (z) ensure the proper disposal of Cardholder Data; and provided, further, that Bank shall be responsible for the compliance by each such authorized subcontractor agrees to notify promptly Bank and Person with the NMG Companies terms of any unauthorized disclosure, use, or disposal of, or access to, Cardholder Data and to cooperate with Bank and the NMG Companies in any investigation thereof and remedial action with respect theretothis Section 6.2;
(ii) to its Affiliates, Affiliates and its and such Affiliates’ employees, attorneys and accountants with their Representatives solely on a “need to know such Cardholder Data know” basis in connection with a permitted use of such the Cardholder Data under this pursuant to Section 6.26.2(c); provided that (A) any such Person is bound by terms substantially similar to this Section 6.2 as a condition the Bank communicates the confidential nature of employment or of access to the Cardholder Data to such Persons, such Persons are bound (by agreement or by their professional obligations imposing comparable terms; responsibilities) to maintain the confidentiality of the Cardholder Data in accordance with the provisions of this Agreement, and (B) the Bank shall be responsible for the compliance by each such Person with the terms of this Section 6.2;
(iii) to any Governmental Authority with authority over the Bank or its Affiliates or their respective Service Providers (A) in connection with an examination of Bankthe Bank or its Affiliates or their respective Service Providers; or (B) pursuant to a specific requirement to provide such Cardholder Data by such Governmental Authority or pursuant to compulsory legal process; provided that the Bank seeks the full protection of confidential treatment for any disclosed Cardholder Data to the extent available under Applicable Law governing such disclosure, and with respect to clause (B), to the extent permitted by Applicable Law, the Bank (1) provides at least ten (10) Business Days’ prior notice of such proposed disclosure to NMG the Company if reasonably possible under the circumstances, and (2) seeks to redact the Cardholder Data to the fullest extent possible under Applicable Law governing such disclosure; or;
(iv) to the extent permitted provided for in the Risk Management Policies and Operating Procedures, to any consumer reporting agency in accordance with the federal Fair Credit Reporting Act; or
(v) to a potential third-party purchaser with respect to any Cardholder Indebtedness that is eligible for sale pursuant to this Agreement, or to a trustee in connection with a securitization transaction to the extent permitted under this Agreement.
(e) To The Bank shall not, directly or indirectly, sell, or otherwise transfer any right in or to the Cardholder Data, except to the extent Bank has access necessary in connection with a sale of Active.15844721.1 Cardholder Indebtedness or Accounts otherwise permitted hereunder; provided that the transferee thereof enters into a confidentiality agreement affording protections substantially similar to the following information in accordance with the confidentiality and use provisions of this Agreement with such modifications as are customary in connection with the intent and subject permitted purposes of the transfer.
(f) Subject to Applicable Law and the Program Privacy Policy, the Bank shall provide the Company with reasonable access, through the Bank’s data analysts, to the Cardholder Data obtained by the Bank in connection with the Program, which includes the items listed below and any other items mutually agreed by the Parties. In addition, subject to Applicable Law, and as reasonably requested by the Company, the Bank shall provide the Company with an updated copy of the master file or such elements thereof as may be requested by the Company. Subject to Applicable Law and the Program Privacy Policy, the Bank shall transmit to the NMG Companies at such times as may be requested Company on a real-time basis throughout each day by NMG and a secure data feed into Company Systems designated by the Company from time to time, in formats agreed to by the Parties in advance from time to timetime the information obtained by the Bank in connection with the Program:
(i) for any customer who has applied for an NMG a Company Credit Card, regardless of the marketing channel of such applicationApplication: (A) the customer’s name, address, email address, telephone numbernumber (including cellular), social security number and all other information supplied on the application Application or prescreened response submitted by the customer (excluding the customer’s social security number and credit bureau scores); (B) an indication of whether or not the customer has been approved for an NMG a Company Credit Card; and (C) if the customer has been approved for an NMG a Company Credit Card, the Company Credit Card or Non-Card Payment Plan, the NMG Credit Card or Non-Card Payment Plan issued (or to be issued) to such customer;
(ii) for each Cardholder, Cardholder and joint-Cardholder and for each authorized buyeruser (to the extent the Bank has access thereto and is permitted to share such information), (1A) such person’s name, address, email address, telephone number, number (including cellular) and Account number (excluding the customer’s social security number and Account numbercredit bureau scores); (2B) any reported change to any of the foregoing information; (3C) transaction and experience data; and (4D) any such other Cardholder Data as the NMG Companies Parties may reasonably requestmutually agree;
(iii) the Cardholder’s name and account number for any Account that is delinquent;
(iv) the Cardholder’s name and account number for any Account that has been closed; and
(v) the Cardholder Data for all categories of information made available on to the NMG Companies’ credit Systems Company by GE as of the date hereof (as identified by the Company and GE prior to the date hereof); and
(iv) analytical output that the Bank has derived or may derive from the Bank’s database that might enhance the Company’s understanding of its customers and that the Company reasonably believes could be used to improve the marketing of the Company or the Program. Notwithstanding the foregoing, no Party hereto shall be required to provide any information on a personally identifiable basis if the provision of such personally identifiable information would cause such Party to be considered a “consumer reporting agency” for purposes of the Fair Credit Reporting Act.. Active.15844721.1
(fg) The Bank shall cooperate with the NMG Companies Company to provide NMG the Company and its Affiliates with the maximum ability permissible under Applicable Law and the Program Privacy Policy to receive, receive and use and disclose the Cardholder Data, including, as necessary or appropriate, through use of consents consents, opt-in provisions or opt-out provisions, in each case as directed requested by the NMG CompaniesCompany for purposes permitted hereunder. Without limiting the foregoing, NMG the Company and each of its Affiliates may receive, receive and use and disclose the Cardholder Data in compliance with Applicable Law and the Program Privacy Policy solely:
(i) for purposes of promoting the Program or promoting NMG Goods and Services, and
(ii) as otherwise necessary to carry out its obligations under this Agreement, and (iii) as otherwise permitted by Applicable Law.
(gh) The NMG Companies may use Company shall not, directly or indirectly, disclose, sell, transfer or rent (or permit others to do the same) Cardholder Data in compliance with Applicable Law and to any third party without the Program Privacy Policy. Each prior written permission of the NMG Companies Bank, except as provided in this Section 6.2(h). The Company may disclose the Cardholder Data in compliance with Applicable Law and the Program Privacy Policy solely:
(i) to its existing subcontractors as of the Effective Date and Service Providers authorized in accordance with this Agreement solely on a “need to authorized subcontractors that enter into agreements with an NMG Company after the Effective Date (“Future Subcontractors”) know” basis in connection with a permitted use of such the Cardholder Data under this pursuant to Section 6.26.2(g), provided that each such existing subcontractor and Future Subcontractor Service Provider agrees in a written agreement satisfactory that obligates the Service Provider to NMG adhere to requirements at least as restrictive as those set forth herein with regard to the confidentiality and Bank to maintain all such Cardholder Data as strictly confidential in perpetuity and not to use or disclose such information to any Person other than an NMG Company or Bank, except as required by Applicable Law or any Governmental Authority (after giving the NMG Companies prior notice and an opportunity to defend against such disclosure); provided, further, that each such existing subcontractor and Future Subcontractor maintainsof, and agrees in writing to maintain, an information security program that is designed to meet all requirements of Applicable Law, including, at a minimum, maintenance of an information security program that is designed to: (w) ensure protecting the security and confidentiality of the Cardholder Data; (x) protect against any anticipated threats or hazards to the security or integrity of the Cardholder Data; (y) protect against unauthorized access to or use of of, the Cardholder Data; and (z) ensure the proper disposal Company shall be responsible for the compliance of Cardholder Data; and provided, further, that each such existing subcontractor and Future Subcontractor agrees to notify promptly Bank and Service Provider with the NMG Companies terms of any unauthorized disclosure, use, or disposal of, or access to, Cardholder Data and to cooperate with Bank and the NMG Companies in any investigation thereof and remedial action with respect thereto;this Section 6.2
(ii) to its Affiliates, Affiliates and its and such Affiliates’ employees, attorneys and accountants with their Representatives solely on a “need to know such Cardholder Data know” basis in connection with a permitted use of such the Cardholder Data under this pursuant to Section 6.26.2(g); provided that (A) any such Person is bound by terms substantially similar to this Section 6.2 as a condition the Company communicates the confidential nature of employment or of access to the Cardholder Data to such Persons, such Persons are bound (by agreement or by their professional obligations imposing comparable terms; responsibilities) to maintain the confidentiality of the Cardholder Data in accordance with the provisions of this Agreement, and (B) the NMG Companies Company shall be responsible for the compliance by each such Person with the terms of this Section 6.2; or;
(iii) to any Governmental Authority with authority over such NMG the Company or its Affiliates (A) in connection with an examination of such NMG Companythe Company or its Affiliates; or (B) pursuant to a specific requirement to provide such Cardholder Data by such Governmental Authority or pursuant to compulsory legal process; provided that such NMG the Company seeks the full protection of confidential treatment for any disclosed Cardholder Data to the extent available under Applicable Law governing such disclosure, and with respect to clause (B), to the extent permitted by Applicable Law, such NMG the Company (1) provides at least ten (10) Business Days’ prior notice of such proposed disclosure to the Bank if reasonably possible under the circumstances, and (2) seeks to redact the Cardholder Data to the fullest extent possible under Applicable Law governing such disclosure; or
(iv) to a prospective Nominated Purchaser at the time, under the circumstances Active.15844721.1 and in accordance with the procedures set forth in Section 17.2(e).
(hi) With respect to the sharing, use and disclosure of the Cardholder Data following the termination of this Agreement:
(i) the rights and obligations of the Parties under this Section 6.2 shall continue through any Termination PeriodPeriod and, if applicable, any interim servicing period pursuant to Section 17.2(h);
(ii) if NMG the Company exercises its purchase rights under Section 17.2, the Bank shall transfer its right, title and interest in the Cardholder Data to NMG the Company or its Nominated Purchaser as part of such transaction, and the Bank’s right to use and disclose the Cardholder Data shall terminate upon the termination of the Termination Period, except for such use and disclosure as is necessary to comply with Applicable Law and except for such internal use as may be necessary to comply with the Bank’s disaster recovery requirements or normal audit requirements. Promptly following the Termination Period, the Bank shall return or destroy all Cardholder Data and shall certify such return or destruction to the Company upon request; provided, however, that, if the Bank is obligated to retain any Cardholder Data pursuant to requirements of Applicable Law or the Bank’s disaster recovery plan or record retention or audit requirements, the Bank shall maintain the strict confidentiality and security of such Cardholder Data and shall not use such Cardholder Data for any other purpose; and
(iii) if NMG the Company provides notice that it shall not exercise its purchase rights under Section 17.217.2 or otherwise fails to exercise such purchase rights, NMG and its Affiliates’ the Company’s right to use and disclose the Cardholder Data hereunder shall terminate upon (it being understood that nothing herein shall restrict the termination Company’s right to use and disclose the Shopper Data following the Termination Date; provided, however the Company may not deliver any marketing or promotions to any Shopper on the basis that such Shopper is or was also a Cardholder), and the restrictions hereunder on the Bank’s use and disclosure of Cardholder Data shall terminate, except that in no event may the Bank disclose Cardholder Data to any retailer or use Cardholder Data in any way for the benefit of any Scheduled Retailer, or in any manner inconsistent with the limitations on the Bank’s rights pursuant to Section 17.3. The foregoing provisions shall in no way be construed as to extend the Bank’s rights to use the Company Licensed Marks, the Company’s name or any Intellectual Property of the Termination PeriodCompany, all of which rights shall be expressly limited as set forth in Article X and shall terminate as set forth in Section 17.3(c).
Appears in 1 contract
Cardholder Data. (a) As among the Parties heretobetween Bank and Company, the Cardholder Data shall be the property of and exclusively owned by Bank. In its capacity as servicer, Company shall maintain all Cardholder Data and shall provide Bank with full access to Cardholder Data.
(b) The Program Privacy Policy initial privacy notice applicable to the Cardholder Data is attached as Schedule 6.2 hereto6.2(b), which shall be separate from the privacy notice(s) that Bank maintains for its other portfolios. Bank shall cooperate with Company to provide Company the maximum ability permissible under Applicable Law and Network Rules to use and disclose Cardholder Data, including, as necessary or appropriate, through the Program Privacy Notice and/or the use of disclosures, consents, opt-in provisions or opt-out provisions. Any modifications to the Program Privacy Policy Notice shall be approved by the Management Committeeboth parties, provided that the Program Privacy Policy Notice at all times shall (i) comply with Applicable Law at all timesand (ii) provide Company access to and the right to use Cardholder Data to the fullest extent permitted by Applicable Law and Network Rules, including for its business purposes.
(c) Bank shall not use, or permit to be used, the Cardholder Data, except as provided in this Section 6.2. Bank may use the Cardholder Data and any other information derived from the Cardholder Data in compliance with Applicable Law Law, the Network Rules and the Program Privacy Policy solely Notice, solely: (i) as necessary to exercise its rights or carry out its obligations hereunder; (ii) for purposes of soliciting promoting the Program or marketing (in each case, solely as directed by the NMG Companies promoting Goods and/or Services available for purchase on an Account at or the Management Committee) or servicing customers listed in the Cardholder Data for NMG Credit Cards, Approved Ancillary Products, and through any other products and services approved by the Management Committee, (ii) as otherwise necessary to carry out its obligations or exercise its rights hereunder, or Company Channel; (iii) for purposes of performing analysis and modeling, provided, however, that Cardholder Data used for analysis and modeling other than with respect to the Program shall be Non-Personally Identifiable Information, shall be aggregated with data from other portfolios, and shall not be used in connection with or for the benefit of any co-branded or private label credit program that is or may be offered by Bank on behalf of or in association with any Competing Retailer; or (iv) as required by necessary or appropriate for purposes of compliance with Applicable Law, regulatory examination, internal auditing functions, risk assessment or management functions, Network Rules or as otherwise set forth in 12 CFR 40.15(a)(1)-(7). Bank has no rights to shall not use the Cardholder Data for marketing or any other purposes except as expressly provided herein. Notwithstanding the foregoing, each party acknowledges that Bank may independently gather information from individuals independent of the Program, including from Persons who may or may not also be Cardholders, and that Bank and its Affiliates may have rights to use and disclose such information independent of whether such information also constitutes Cardholder Data or Company Guest Data under this Agreement; provided, however, except as expressly permitted pursuant to this Agreement, Bank and its Affiliates may not, in any event, take into account that a Person is a Cardholder or intentionally target for solicitation such customers through the use of the Cardholder Data. Bank shall not commingle Cardholder Data into any Bank marketing database except as provided in this Section 6.2(c).
(d) Bank shall not disclose, or permit to be disclosed, the Cardholder Data, except as provided in this Section 6.2. Bank shall not, directly or indirectly, sell or otherwise transfer any right in or to the Cardholder Data other than to NMG or any of its Affiliates. Bank may disclose the Cardholder Data in compliance with Applicable Law and Law, the Network Rules, the Program Privacy Policy Notice and the Credit Card Agreement, solely:
(i) to its authorized subcontractors (including Company in its capacity as servicer) in connection with a permitted use of such Cardholder Data under this Section 6.2, ; provided that (A) each such authorized subcontractor agrees in a written agreement satisfactory is subject to NMG and Bank an obligation to maintain all such the confidential status of Cardholder Data at least as strictly confidential restrictive as that set forth herein, and not to use or disclose (B) Bank shall be responsible for the compliance of each such information to any Person subcontractor (other than Bank or an NMG Company, except Company in its capacity as required by Applicable Law servicer or any Governmental Authority (after giving Bank and subcontractor of Company in such capacity) with the NMG Companies prior notice and an opportunity to defend against such disclosure); provided, further, that each such authorized subcontractor maintains, and agrees in writing to maintain, an information security program that is designed to meet all requirements terms of Applicable Law, including, at a minimum, maintenance of an information security program that is designed to: (w) ensure the security and confidentiality of the Cardholder Data; (x) protect against any anticipated threats or hazards to the security or integrity of the Cardholder Data; (y) protect against unauthorized access to or use of the Cardholder Data; and (z) ensure the proper disposal of Cardholder Data; and provided, further, that each such authorized subcontractor agrees to notify promptly Bank and the NMG Companies of any unauthorized disclosure, use, or disposal of, or access to, Cardholder Data and to cooperate with Bank and the NMG Companies in any investigation thereof and remedial action with respect thereto;this Section.
(ii) to its Affiliates, and its and such Affiliates’ to employees, attorneys agents, attorneys, auditors and accountants of Bank and its Affiliates, with a need to know such Cardholder Data in connection with a permitted use of such Cardholder Data under this Section 6.2Section; provided that (A) any each such Person is bound by terms substantially similar subject to this Section 6.2 as a condition an obligation to maintain the confidential status of employment or of access to Cardholder Data or by professional obligations imposing comparable terms; at least as restrictive as that set forth herein, and (B) Bank shall be responsible for the compliance by of each such Person with the terms of this Section 6.2Section;
(iii) to a potential third-party purchaser with respect to any written off Cardholder Indebtedness or otherwise to the extent permitted under this Agreement, or to a trustee in connection with a securitization transaction to the extent permitted under this Agreement; or
(iv) to any Governmental Authority with asserting authority over Bank or any of its Affiliates (A) in connection with an examination of BankBank or any such Affiliate; or (B) pursuant to a specific requirement to provide such Cardholder Data by such Governmental Authority or pursuant to compulsory legal process, provided, however, that Bank shall seek the full protection of confidential treatment for any disclosed Cardholder Data to the extent available under Applicable Law governing such disclosure and with respect to clause (B) Bank shall provide reasonable advance notice to Company to the extent reasonably practicable under the circumstances.
(e) Bank shall not, directly or indirectly, sell, or otherwise transfer any right in or to the Cardholder Data, except (i) with respect to any written off Cardholder Indebtedness, (ii) to any potential third-party purchaser to the extent permitted hereunder, and (iii) to a trustee in connection with a securitization transaction related to the Accounts to the extent permitted hereunder, provided that, such trustee shall be bound by a confidentiality agreement affording protections substantially similar to the confidentiality and use provisions of this Agreement with such modifications as may be customary for confidentiality agreements in connection with such securitizations (and any material modifications shall be submitted for approval of Company, which approval shall not be unreasonably delayed, conditioned or withheld).
(f) Subject to Applicable Law, Bank shall provide the information below to Company on a daily basis:
(i) [*]
(ii) [*]
(iii) [*]
(iv) [*] To the extent that Company, as servicer for Bank, has access to the information Bank is obligated to provide under this Section 6.2(f), the parties acknowledge and agree that Bank shall be deemed to have fulfilled its obligation hereunder.
(g) Company shall not use, or permit to be used, Cardholder Data, except as provided in this Section 6.2(g) and subject to the other provisions and procedures of this Agreement, including ARTICLE V and Section 3.5. Company may use the Cardholder Data and any other information derived from the Cardholder Data in compliance with Applicable Law, the Network Rules and the Program Privacy Notice (i) for purposes of promoting the Program or promoting Goods and/or Services available for purchase on an Account at or through any Company Channel, (ii) for all commercially reasonable purposes in the same manner as Company uses Company Guest Data, (iii) as otherwise necessary to carry out its obligations under this Agreement, and (iv) as otherwise permitted by Applicable Law, the Network Rules and the Program Privacy Notice. Company shall maintain protocols regarding Cardholder Data intended to ensure that (i) Cardholder Data is logically isolated (and accordingly always separately identifiable) from Company’s other data and (ii) the use and disclosure of Cardholder Data is limited as provided by Applicable Law and this Agreement.
(h) Company shall not disclose, or permit to be disclosed, the Cardholder Data, except as provided in this Section 6.2(h). Company may disclose the Cardholder Data in compliance with Applicable Law, the Network Rules, the Program Privacy Notice and the Credit Card Agreement, solely:
(i) to its subcontractors in connection with a permitted use of such Cardholder Data under this Section 6.2; provided that Bank (A) each such subcontractor is subject to an obligation to maintain the confidential status of Cardholder Data at least as restrictive as that set forth herein, and (B) Company shall be responsible for the compliance of each such subcontractor with the terms of this Section;
(ii) to its Affiliates, and to employees, agents, attorneys, auditors and accountants of Company or its Affiliates, with a need to know such Cardholder Data in connection with a permitted use of such Cardholder Data under this Section; provided that (A) each such Person is subject to an obligation to maintain the confidential status of Cardholder Data at least as restrictive as that set forth herein, and (B) Company shall be responsible for the compliance of each such Person with the terms of this Section;
(iii) to any Governmental Authority asserting authority over Company (A) in connection with an examination of Company; or (B) pursuant to a specific requirement to provide for such Cardholder Data by such Governmental Authority or pursuant to compulsory legal process; provided, however, that Company seeks the full protection of confidential treatment for any such disclosed Cardholder Data to the extent available under Applicable Law governing such disclosure, and with respect to clause (B), Company shall provide reasonable advance notice to Bank to the extent permitted by Applicable Law, Bank (1) provides at least ten (10) Business Days’ prior notice of such proposed disclosure to NMG if reasonably possible practicable under the circumstances, and (2) seeks to redact the Cardholder Data to the fullest extent possible under Applicable Law governing such disclosure; or
(iv) to the extent permitted in the Risk Management Policies and Operating Procedures, to any consumer reporting agency in accordance with the federal Fair Credit Reporting Act.
(e) To the extent Bank has access to the following information in accordance with the provisions of this Agreement and subject to Applicable Law and the Program Privacy Policy, Bank shall transmit to the NMG Companies at such times as may be requested by NMG and in formats agreed to by the Parties in advance from time to time:
(i) for any customer who has applied for an NMG Credit Card, regardless of the marketing channel of such application: (A) the customer’s name, address, email address, telephone number, social security number and all other information supplied on the application or prescreened response submitted by the customer; (B) an indication of whether or not the customer has been approved for an NMG Credit Card; and (C) if the customer has been approved for an NMG Credit Card or Non-Card Payment Plan, the NMG Credit Card or Non-Card Payment Plan issued (or to be issued) to such customer;
(ii) for each Cardholder, joint-Cardholder and authorized buyer, (1) such person’s name, address, email address, telephone number, social security number and Account number; (2) any reported change to any of the foregoing information; (3) transaction and experience data; and (4) any such other Cardholder Data as the NMG Companies may reasonably request;
(iii) the Cardholder’s name and account number for any Account that is delinquent;
(iv) the Cardholder’s name and account number for any Account that has been closed; and
(v) the Cardholder Data for all categories of information available on the NMG Companies’ credit Systems as of the date hereof. Notwithstanding the foregoing, no Party hereto shall be required to provide any information on a personally identifiable basis if the provision of such personally identifiable information would cause such Party to be considered a “consumer reporting agency” for purposes of the Fair Credit Reporting Act.
(f) Bank shall cooperate with the NMG Companies to provide NMG and its Affiliates with the maximum ability permissible under Applicable Law and the Program Privacy Policy to receive, use and disclose the Cardholder Data, including, as necessary or appropriate, through use of consents or opt-out provisions, in each case as directed by the NMG Companies. Without limiting the foregoing, NMG and each of its Affiliates may receive, use and disclose the Cardholder Data in compliance with Applicable Law and the Program Privacy Policy (i) for purposes of promoting the Program or promoting NMG Goods and Services, (ii) as otherwise necessary to carry out its obligations under this Agreement, and (iii) as otherwise permitted by Applicable Law, the Program Privacy Notice and the Network Rules (and subject to any other applicable provisions of this Agreement, including ARTICLE V and Section 3.5); provided that, for the avoidance of doubt, the parties agree that Company shall not disclose, or permit to be disclosed, any Cardholder Data (or information derived therefrom) to a prospective Nominated Purchaser except at the time, under the circumstances and in accordance with the procedures set forth in Section 15.2(h).
(gi) The NMG Companies may With respect to use the and disclosure of Cardholder Data in compliance with Applicable Law and following expiration or termination of this Agreement, the Program Privacy Policy. Each of the NMG Companies may disclose the Cardholder Data in compliance with Applicable Law and the Program Privacy Policy solelyfollowing shall apply:
(i) to its existing subcontractors as of the Effective Date and to authorized subcontractors that enter into agreements with an NMG Company after the Effective Date (“Future Subcontractors”) in connection with a permitted use of such Cardholder Data under this Section 6.2, provided that each such existing subcontractor and Future Subcontractor agrees in a written agreement satisfactory to NMG and Bank to maintain all such Cardholder Data as strictly confidential in perpetuity and not to use or disclose such information to any Person other than an NMG Company or Bank, except as required by Applicable Law or any Governmental Authority (after giving the NMG Companies prior notice and an opportunity to defend against such disclosure); provided, further, that each such existing subcontractor and Future Subcontractor maintains, and agrees in writing to maintain, an information security program that is designed to meet all requirements of Applicable Law, including, at a minimum, maintenance of an information security program that is designed to: (w) ensure the security and confidentiality of the Cardholder Data; (x) protect against any anticipated threats or hazards to the security or integrity of the Cardholder Data; (y) protect against unauthorized access to or use of the Cardholder Data; and (z) ensure the proper disposal of Cardholder Data; and provided, further, that each such existing subcontractor and Future Subcontractor agrees to notify promptly Bank and the NMG Companies of any unauthorized disclosure, use, or disposal of, or access to, Cardholder Data and to cooperate with Bank and the NMG Companies in any investigation thereof and remedial action with respect thereto;
(ii) to its Affiliates, and its and such Affiliates’ employees, attorneys and accountants with a need to know such Cardholder Data in connection with a permitted use of such Cardholder Data under this Section 6.2; provided that (A) any such Person is bound by terms substantially similar to this Section 6.2 as a condition of employment or of access to Cardholder Data or by professional obligations imposing comparable terms; and (B) the NMG Companies shall be responsible for the compliance by each such Person with the terms of this Section 6.2; or
(iii) to any Governmental Authority with authority over such NMG Company (A) in connection with an examination of such NMG Company; or (B) pursuant to a specific requirement to provide such Cardholder Data by such Governmental Authority or pursuant to compulsory legal process; provided that such NMG Company seeks the full protection of confidential treatment for any disclosed Cardholder Data to the extent available under Applicable Law governing such disclosure, and with respect to clause (B), to the extent permitted by Applicable Law, such NMG Company (1) provides at least ten (10) Business Days’ prior notice of such proposed disclosure to Bank if reasonably possible under the circumstances, and (2) seeks to redact the Cardholder Data to the fullest extent possible under Applicable Law governing such disclosure.
(h) With respect to the sharing, use and disclosure of the Cardholder Data following the termination of this Agreement:
(i) the The rights and obligations of the Parties parties under this Section 6.2 shall continue through any the Termination Date and, if applicable, the end of the Interim Servicing Period;.
(ii) if NMG If Company exercises its rights under Section 17.215.2, Bank shall transfer its right, title and interest in the Cardholder Data to NMG Company or its Nominated Purchaser as part of such transaction, and (subject to Bank’s documentation retention or other obligations under Applicable Law) Bank’s right to use and disclose the Cardholder Data shall terminate upon the termination of on the Termination Period; andDate.
(iii) if NMG provides notice that it shall If Company does not exercise its rights Purchase Option under Section 17.215.2, NMG and its Affiliates’ Company’s right to use and disclose the Cardholder Data hereunder shall terminate only to the extent required by Applicable Law.
(j) The parties shall reasonably cooperate to use, disclose and share Non-Personally Identifiable Information regarding the Program, as mutually agreed upon the termination from time to time to, among other things, monitor Program performance, comply with funding requirements (e.g. rating agency and master trust filing requirements) and support planning and financial reporting processes.
(k) Nothing in this Section 6.2 shall restrict Company’s use of the Termination PeriodCompany Guest Data.
Appears in 1 contract
Cardholder Data. (a) As among the Parties heretobetween Bank and Dillard's, the Cardholder Data shall be the property of and exclusively owned by Bank. Dillard's acknowledges and agrees that it has no proprietary interest in the Cardholder Data.
(b) The Program Privacy Policy Bank's privacy policy applicable to the Cardholder Data is attached as Schedule 6.2 heretothe Program Privacy Policy. Any modifications to the Program Privacy Policy shall be approved by the Management Marketing Committee, provided that the Program Privacy Policy shall comply with Applicable Law at all times.
(c) Bank shall not use, or permit to be used, the Cardholder Data, except as provided in this Section 6.24.11. Bank may use the Cardholder Data in compliance with Applicable Law and the Program Privacy Policy solely (i) for purposes of soliciting or marketing (in each case, solely as directed by the NMG Companies or the Management Committee) or servicing customers listed in the Cardholder Data for NMG Private Label Credit Cards, Approved Ancillary ProductsEnhancement Products listed in Schedule 4.11, and any other products and services approved by the Management Marketing Committee, (ii) as otherwise necessary to carry out its obligations or exercise its rights hereunder, or (iii) as required by Applicable Law. Bank has no rights to use the Cardholder Data for marketing purposes except as expressly provided herein.
(d) Bank shall not disclose, or permit to be disclosed, the Cardholder Data, except as provided in this Section 6.24.11. Bank shall not, directly or indirectly, sell or otherwise transfer any right in or to the Cardholder Data other than to NMG or any of its AffiliatesData. Bank may disclose the Cardholder Data in compliance with Applicable Law and the Program Privacy Policy solely:
(i) to its authorized subcontractors in connection with a permitted use of such Cardholder Data under this Section 6.24.11, provided that each such authorized subcontractor agrees in a written agreement satisfactory to NMG and Bank to maintain all such Cardholder Data as strictly confidential and not to use or disclose such information to any Person other than Bank or an NMG Company, except as required by Applicable Law or any Governmental Authority (after giving Bank and the NMG Companies prior notice and an opportunity to defend against such disclosure); provided, further, that each such authorized subcontractor maintains, and agrees in writing to maintain, an information security program that is designed to meet all requirements of Applicable Law, including, at a minimum, maintenance of an information security program that is designed to: (w) ensure the security and confidentiality of the Cardholder Data; (x) protect against any anticipated threats or hazards to the security or integrity of the Cardholder Data; (y) protect against unauthorized access to or use of the Cardholder Data; and (z) ensure the proper disposal of Cardholder Data; and provided, further, that each such authorized subcontractor agrees to notify promptly Bank and the NMG Companies of any unauthorized disclosure, usebe bound by this Section 4.11, or disposal of, or access to, Cardholder Data and to cooperate a comparable contractual commitment with Bank and the NMG Companies in any investigation thereof and remedial action with respect theretosame effect;
(ii) to its Affiliates, Affiliates and its and such Affiliates’ ' employees, agents, attorneys and accountants with a need to know such Cardholder Data in connection with a permitted use of such Cardholder Data under this Section 6.2Section; provided that (A) any such Person is bound by terms substantially similar to this Section 6.2 as a condition of employment or of access to Cardholder Data or by professional obligations imposing comparable terms; and (B) Bank shall be responsible for the compliance by of each such Person with the terms of this Section 6.2;Section; or
(iii) to any Governmental Authority with authority over Bank (A) in connection with an examination of Bank; or (B) pursuant to a specific requirement to provide such Cardholder Data by such Governmental Authority or pursuant to compulsory legal process; provided that Bank seeks the full protection of confidential treatment for any disclosed Cardholder Data to the extent available under Applicable Law governing such disclosure, and with respect to clause (B), to the extent permitted by Applicable Law, Bank (1) provides at least ten (10) 10 Business Days’ ' prior notice of such proposed disclosure to NMG Dillard's if reasonably possible under the circumstances, circumstances and (2) seeks to redact the Cardholder Data to the fullest extent possible under Applicable Law governing such disclosure; or
(iv) to the extent permitted in the Risk Management Policies and Operating Procedures, to any consumer reporting agency in accordance with the federal Fair Credit Reporting Act.
(e) To the extent Bank has access to the following information in accordance with the provisions of this Agreement and subject Subject to Applicable Law and the Program Privacy Policy, Bank shall transmit report to the NMG Companies at such times as may be requested by NMG and Dillard's on a weekly basis, in formats a format agreed to by the Parties parties in advance from time to time:advance,
(i) for any customer who has applied for an NMG a Credit Card, had the opportunity to make an opt out choice, was not approved for a Credit Card and did not opt out, regardless of the marketing channel of such application: (A) , the customer’s 's name, address, email address, telephone number, social security number and all other commercially reasonable information supplied on the application or prescreened response submitted by the customer; (B) an indication of whether or not the customer has been approved for an NMG Credit Card; and (C) if the customer has been approved for an NMG Credit Card or Non-Card Payment Plan, the NMG Credit Card or Non-Card Payment Plan issued (or to be issued) to such customer;.
(ii) for each any Cardholder, joint-Cardholder and authorized buyer, (1) such person’s the Cardholder's name, address, email address, telephone number, social security number and Account number; (2) any reported change to any of the foregoing information; (3) transaction and experience data; and (4) any such other Cardholder Data as the NMG Companies may reasonably request;
(iii) the Cardholder’s name and account number for any Account that is delinquent;
(iv) the Cardholder’s name and account number for any Account that has been closed; and
(v) the Cardholder Data for all categories of information available on the NMG Companies’ credit Systems as of the date hereof. Notwithstanding the foregoing, no Party hereto shall be required to provide any information on a personally identifiable basis if the provision of such personally identifiable information would cause such Party to be considered a “consumer reporting agency” for purposes of the Fair Credit Reporting Act.
(f) Bank shall cooperate with the NMG Companies to provide NMG and its Affiliates with the maximum ability permissible under Applicable Law and the Program Privacy Policy to receive, use and disclose the Cardholder Data, including, as necessary or appropriate, through use of consents or opt-out provisions, in each case as directed by the NMG Companies. Without limiting the foregoing, NMG and each of its Affiliates may receive, use and disclose the Cardholder Data in compliance with Applicable Law and the Program Privacy Policy (i) for purposes of promoting the Program or promoting NMG Goods and Services, (ii) as otherwise necessary to carry out its obligations under this Agreement, and (iii) as otherwise permitted by Applicable Law.
(g) The NMG Companies may use the Cardholder Data in compliance with Applicable Law and the Program Privacy Policy. Each of the NMG Companies may disclose the Cardholder Data in compliance with Applicable Law and the Program Privacy Policy solely:
(i) to its existing subcontractors as of the Effective Date and to authorized subcontractors that enter into agreements with an NMG Company after the Effective Date (“Future Subcontractors”) in connection with a permitted use of such Cardholder Data under this Section 6.2, provided that each such existing subcontractor and Future Subcontractor agrees in a written agreement satisfactory to NMG and Bank to maintain all such Cardholder Data as strictly confidential in perpetuity and not to use or disclose such information to any Person other than an NMG Company or Bank, except as required by Applicable Law or any Governmental Authority (after giving the NMG Companies prior notice and an opportunity to defend against such disclosure); provided, further, that each such existing subcontractor and Future Subcontractor maintains, and agrees in writing to maintain, an information security program that is designed to meet all requirements of Applicable Law, including, at a minimum, maintenance of an information security program that is designed to: (w) ensure the security and confidentiality of the Cardholder Data; (x) protect against any anticipated threats or hazards to the security or integrity of the Cardholder Data; (y) protect against unauthorized access to or use of the Cardholder Data; and (z) ensure the proper disposal of Cardholder Data; and provided, further, that each such existing subcontractor and Future Subcontractor agrees to notify promptly Bank and the NMG Companies of any unauthorized disclosure, use, or disposal of, or access to, Cardholder Data and to cooperate with Bank and the NMG Companies in any investigation thereof and remedial action with respect thereto;
(ii) to its Affiliates, and its and such Affiliates’ employees, attorneys and accountants with a need to know such Cardholder Data in connection with a permitted use of such Cardholder Data under this Section 6.2; provided that (A) any such Person is bound by terms substantially similar to this Section 6.2 as a condition of employment or of access to Cardholder Data or by professional obligations imposing comparable terms; and (B) the NMG Companies shall be responsible for the compliance by each such Person with the terms of this Section 6.2; or
(iii) to any Governmental Authority with authority over such NMG Company (A) in connection with an examination of such NMG Company; or (B) pursuant to a specific requirement to provide such Cardholder Data by such Governmental Authority or pursuant to compulsory legal process; provided that such NMG Company seeks the full protection of confidential treatment for any disclosed Cardholder Data to the extent available under Applicable Law governing such disclosure, and with respect to clause (B), to the extent permitted by Applicable Law, such NMG Company (1) provides at least ten (10) Business Days’ prior notice of such proposed disclosure to Bank if reasonably possible under the circumstances, and (2) seeks to redact the Cardholder Data to the fullest extent possible under Applicable Law governing such disclosure.
(h) With respect to the sharing, use and disclosure of the Cardholder Data following the termination of this Agreement:
(i) the rights and obligations of the Parties under this Section 6.2 shall continue through any Termination Period;
(ii) if NMG exercises its rights under Section 17.2, Bank shall transfer its right, title and interest in the Cardholder Data to NMG or its Nominated Purchaser as part of such transaction, and Bank’s right to use and disclose the Cardholder Data shall terminate upon the termination of the Termination Period; and
(iii) if NMG provides notice that it shall not exercise its rights under Section 17.2, NMG and its Affiliates’ right to use and disclose the Cardholder Data hereunder shall terminate upon the termination of the Termination Period.
Appears in 1 contract
Sources: Private Label Credit Card Program Agreement (Dillards Inc)
Cardholder Data. (a) As among the Parties heretobetween Bank and Company, the Cardholder Data shall be the property of and exclusively owned by Bank. In its capacity as servicer, Company shall maintain all Cardholder Data and shall provide Bank with full access to Cardholder Data.
(b) The Program Privacy Policy initial privacy notice applicable to the Cardholder Data is attached as Schedule 6.2 hereto6.2(b), which shall be separate from the privacy notice(s) that Bank maintains for its other portfolios. Bank shall cooperate with Company to provide Company the maximum ability permissible under Applicable Law and Network Rules to use and disclose Cardholder Data, including, as necessary or appropriate, through the Program Privacy Notice and/or the use of disclosures, consents, opt-in provisions or opt-out provisions. Any modifications to the Program Privacy Policy Notice shall be approved by the Management Committeeboth parties, provided that the Program Privacy Policy Notice at all times shall (i) comply with Applicable Law at all timesand (ii) provide Company access to and the right to use Cardholder Data to the fullest extent permitted by Applicable Law and Network Rules, including for its business purposes.
(c) Bank shall not use, or permit to be used, the Cardholder Data, except as provided in this Section 6.2. Bank may use the Cardholder Data and any other information derived from the Cardholder Data in compliance with Applicable Law Law, the Network Rules and the Program Privacy Policy solely Notice, solely: (i) as necessary to exercise its rights or carry out its obligations hereunder; (ii) for purposes of soliciting promoting the Program or marketing (in each case, solely as directed by the NMG Companies promoting Goods and/or Services available for purchase on an Account at or the Management Committee) or servicing customers listed in the Cardholder Data for NMG Credit Cards, Approved Ancillary Products, and through any other products and services approved by the Management Committee, (ii) as otherwise necessary to carry out its obligations or exercise its rights hereunder, or Company Channel; (iii) for purposes of performing analysis and modeling, provided, however, that Cardholder Data used for analysis and modeling other than with respect to the Program shall be Non-Personally Identifiable Information, shall be aggregated with data from other portfolios, and shall not be used in connection with or for the benefit of any co-branded or private label credit program that is or may be offered by Bank on behalf of or in association with any Competing Retailer; or (iv) as required by necessary or appropriate for purposes of compliance with Applicable Law, regulatory examination, internal auditing functions, risk assessment or management functions, Network Rules or as otherwise set forth in 12 CFR 40.15(a)(1)-(7). Bank has no rights to shall not use the Cardholder Data for marketing or any other purposes except as expressly provided herein. Notwithstanding the foregoing, each party acknowledges that Bank may independently gather information from individuals independent of the Program, including from Persons who may or may not also be Cardholders, and that Bank and its Affiliates may have rights to use and disclose such information independent of whether such information also constitutes Cardholder Data or Company Guest Data under this Agreement; provided, however, except as expressly permitted pursuant to this Agreement, Bank and its Affiliates may not, in any event, take into account that a Person is a Cardholder or intentionally target for solicitation such customers through the use of the Cardholder Data. Bank shall not commingle Cardholder Data into any Bank marketing database except as provided in this Section 6.2(c).
(d) Bank shall not disclose, or permit to be disclosed, the Cardholder Data, except as provided in this Section 6.2. Bank shall not, directly or indirectly, sell or otherwise transfer any right in or to the Cardholder Data other than to NMG or any of its Affiliates. Bank may disclose the Cardholder Data in compliance with Applicable Law and Law, the Network Rules, the Program Privacy Policy Notice and the Credit Card Agreement, solely:
(i) to its authorized subcontractors (including Company in its capacity as servicer) in connection with a permitted use of such Cardholder Data under this Section 6.2, ; provided that (A) each such authorized subcontractor agrees in a written agreement satisfactory is subject to NMG and Bank an obligation to maintain all such the confidential status of Cardholder Data at least as strictly confidential restrictive as that set forth herein, and not to use or disclose (B) Bank shall be responsible for the compliance of each such information to any Person subcontractor (other than Bank or an NMG Company, except Company in its capacity as required by Applicable Law servicer or any Governmental Authority (after giving Bank and subcontractor of Company in such capacity) with the NMG Companies prior notice and an opportunity to defend against such disclosure); provided, further, that each such authorized subcontractor maintains, and agrees in writing to maintain, an information security program that is designed to meet all requirements terms of Applicable Law, including, at a minimum, maintenance of an information security program that is designed to: (w) ensure the security and confidentiality of the Cardholder Data; (x) protect against any anticipated threats or hazards to the security or integrity of the Cardholder Data; (y) protect against unauthorized access to or use of the Cardholder Data; and (z) ensure the proper disposal of Cardholder Data; and provided, further, that each such authorized subcontractor agrees to notify promptly Bank and the NMG Companies of any unauthorized disclosure, use, or disposal of, or access to, Cardholder Data and to cooperate with Bank and the NMG Companies in any investigation thereof and remedial action with respect thereto;this Section.
(ii) to its Affiliates, and its and such Affiliates’ to employees, attorneys agents, attorneys, auditors and accountants of Bank and its Affiliates, with a need to know such Cardholder Data in connection with a permitted use of such Cardholder Data under this Section 6.2Section; provided that (A) any each such Person is bound by terms substantially similar subject to this Section 6.2 as a condition an obligation to maintain the confidential status of employment or of access to Cardholder Data or by professional obligations imposing comparable terms; at least as restrictive as that set forth herein, and (B) Bank shall be responsible for the compliance by of each such Person with the terms of this Section 6.2Section;
(iii) to a potential third-party purchaser with respect to any written off Cardholder Indebtedness or otherwise to the extent permitted under this Agreement, or to a trustee in connection with a securitization transaction to the extent permitted under this Agreement; or
(iv) to any Governmental Authority with asserting authority over Bank or any of its Affiliates (A) in connection with an examination of BankBank or any such Affiliate; or (B) pursuant to a specific requirement to provide such Cardholder Data by such Governmental Authority or pursuant to compulsory legal process, provided, however, that Bank shall seek the full protection of confidential treatment for any disclosed Cardholder Data to the extent available under Applicable Law governing such disclosure and with respect to clause (B) Bank shall provide reasonable advance notice to Company to the extent reasonably practicable under the circumstances.
(e) Bank shall not, directly or indirectly, sell, or otherwise transfer any right in or to the Cardholder Data, except (i) with respect to any written off Cardholder Indebtedness, (ii) to any potential third-party purchaser to the extent permitted hereunder, and (iii) to a trustee in connection with a securitization transaction related to the Accounts to the extent permitted hereunder, provided that, such trustee shall be bound by a confidentiality agreement affording protections substantially similar to the confidentiality and use provisions of this Agreement with such modifications as may be customary for confidentiality agreements in connection with such securitizations (and any material modifications shall be submitted for approval of Company, which approval shall not be unreasonably delayed, conditioned or withheld).
(f) Subject to Applicable Law, Bank shall provide the information below to Company on a daily basis:
(i) [***]
(ii) [***] 57
(iii) [***]
(iv) [***] To the extent that Company, as servicer for Bank, has access to the information Bank is obligated to provide under this Section 6.2(f), the parties acknowledge and agree that Bank shall be deemed to have fulfilled its obligation hereunder.
(g) Company shall not use, or permit to be used, Cardholder Data, except as provided in this Section 6.2(g) and subject to the other provisions and procedures of this Agreement, including ARTICLE V and Section 3.5. Company may use the Cardholder Data and any other information derived from the Cardholder Data in compliance with Applicable Law, the Network Rules and the Program Privacy Notice (i) for purposes of promoting the Program or promoting Goods and/or Services available for purchase on an Account at or through any Company Channel, (ii) for all commercially reasonable purposes in the same manner as Company uses Company Guest Data, (iii) as otherwise necessary to carry out its obligations under this Agreement, and (iv) as otherwise permitted by Applicable Law, the Network Rules and the Program Privacy Notice. Company shall maintain protocols regarding Cardholder Data intended to ensure that (i) Cardholder Data is logically isolated (and accordingly always separately identifiable) from Company’s other data and (ii) the use and disclosure of Cardholder Data is limited as provided by Applicable Law and this Agreement.
(h) Company shall not disclose, or permit to be disclosed, the Cardholder Data, except as provided in this Section 6.2(h). Company may disclose the Cardholder Data in compliance with Applicable Law, the Network Rules, the Program Privacy Notice and the Credit Card Agreement, solely:
(i) to its subcontractors in connection with a permitted use of such Cardholder Data under this Section 6.2; provided that Bank (A) each such subcontractor is subject to an obligation to maintain the confidential status of Cardholder Data at least as restrictive as that set forth herein, and (B) Company shall be responsible for the compliance of each such subcontractor with the terms of this Section;
(ii) to its Affiliates, and to employees, agents, attorneys, auditors and accountants of Company or its Affiliates, with a need to know such Cardholder Data in connection with a permitted use of such Cardholder Data under this Section; provided that (A) each such Person is subject to an obligation to maintain the confidential status of Cardholder Data at least as restrictive as that set forth herein, and (B) Company shall be responsible for the compliance of each such Person with the terms of this Section;
(iii) to any Governmental Authority asserting authority over Company (A) in connection with an examination of Company; or (B) pursuant to a specific requirement to provide for such Cardholder Data by such Governmental Authority or pursuant to compulsory legal process; provided, however, that Company seeks the full protection of confidential treatment for any such disclosed Cardholder Data to the extent available under Applicable Law governing such disclosure, and with respect to clause (B), Company shall provide reasonable advance notice to Bank to the extent permitted by Applicable Law, Bank (1) provides at least ten (10) Business Days’ prior notice of such proposed disclosure to NMG if reasonably possible practicable under the circumstances, and (2) seeks to redact the Cardholder Data to the fullest extent possible under Applicable Law governing such disclosure; or
(iv) to the extent permitted in the Risk Management Policies and Operating Procedures, to any consumer reporting agency in accordance with the federal Fair Credit Reporting Act.
(e) To the extent Bank has access to the following information in accordance with the provisions of this Agreement and subject to Applicable Law and the Program Privacy Policy, Bank shall transmit to the NMG Companies at such times as may be requested by NMG and in formats agreed to by the Parties in advance from time to time:
(i) for any customer who has applied for an NMG Credit Card, regardless of the marketing channel of such application: (A) the customer’s name, address, email address, telephone number, social security number and all other information supplied on the application or prescreened response submitted by the customer; (B) an indication of whether or not the customer has been approved for an NMG Credit Card; and (C) if the customer has been approved for an NMG Credit Card or Non-Card Payment Plan, the NMG Credit Card or Non-Card Payment Plan issued (or to be issued) to such customer;
(ii) for each Cardholder, joint-Cardholder and authorized buyer, (1) such person’s name, address, email address, telephone number, social security number and Account number; (2) any reported change to any of the foregoing information; (3) transaction and experience data; and (4) any such other Cardholder Data as the NMG Companies may reasonably request;
(iii) the Cardholder’s name and account number for any Account that is delinquent;
(iv) the Cardholder’s name and account number for any Account that has been closed; and
(v) the Cardholder Data for all categories of information available on the NMG Companies’ credit Systems as of the date hereof. Notwithstanding the foregoing, no Party hereto shall be required to provide any information on a personally identifiable basis if the provision of such personally identifiable information would cause such Party to be considered a “consumer reporting agency” for purposes of the Fair Credit Reporting Act.
(f) Bank shall cooperate with the NMG Companies to provide NMG and its Affiliates with the maximum ability permissible under Applicable Law and the Program Privacy Policy to receive, use and disclose the Cardholder Data, including, as necessary or appropriate, through use of consents or opt-out provisions, in each case as directed by the NMG Companies. Without limiting the foregoing, NMG and each of its Affiliates may receive, use and disclose the Cardholder Data in compliance with Applicable Law and the Program Privacy Policy (i) for purposes of promoting the Program or promoting NMG Goods and Services, (ii) as otherwise necessary to carry out its obligations under this Agreement, and (iii) as otherwise permitted by Applicable Law, the Program Privacy Notice and the Network Rules (and subject to any other applicable provisions of this Agreement, including ARTICLE V and Section 3.5); provided that, for the avoidance of doubt, the parties agree that Company shall not disclose, or permit to be disclosed, any Cardholder Data (or information derived therefrom) to a prospective Nominated Purchaser except at the time, under the circumstances and in accordance with the procedures set forth in Section 15.2(h).
(gi) The NMG Companies may With respect to use the and disclosure of Cardholder Data in compliance with Applicable Law and following expiration or termination of this Agreement, the Program Privacy Policy. Each of the NMG Companies may disclose the Cardholder Data in compliance with Applicable Law and the Program Privacy Policy solelyfollowing shall apply:
(i) to its existing subcontractors as of the Effective Date and to authorized subcontractors that enter into agreements with an NMG Company after the Effective Date (“Future Subcontractors”) in connection with a permitted use of such Cardholder Data under this Section 6.2, provided that each such existing subcontractor and Future Subcontractor agrees in a written agreement satisfactory to NMG and Bank to maintain all such Cardholder Data as strictly confidential in perpetuity and not to use or disclose such information to any Person other than an NMG Company or Bank, except as required by Applicable Law or any Governmental Authority (after giving the NMG Companies prior notice and an opportunity to defend against such disclosure); provided, further, that each such existing subcontractor and Future Subcontractor maintains, and agrees in writing to maintain, an information security program that is designed to meet all requirements of Applicable Law, including, at a minimum, maintenance of an information security program that is designed to: (w) ensure the security and confidentiality of the Cardholder Data; (x) protect against any anticipated threats or hazards to the security or integrity of the Cardholder Data; (y) protect against unauthorized access to or use of the Cardholder Data; and (z) ensure the proper disposal of Cardholder Data; and provided, further, that each such existing subcontractor and Future Subcontractor agrees to notify promptly Bank and the NMG Companies of any unauthorized disclosure, use, or disposal of, or access to, Cardholder Data and to cooperate with Bank and the NMG Companies in any investigation thereof and remedial action with respect thereto;
(ii) to its Affiliates, and its and such Affiliates’ employees, attorneys and accountants with a need to know such Cardholder Data in connection with a permitted use of such Cardholder Data under this Section 6.2; provided that (A) any such Person is bound by terms substantially similar to this Section 6.2 as a condition of employment or of access to Cardholder Data or by professional obligations imposing comparable terms; and (B) the NMG Companies shall be responsible for the compliance by each such Person with the terms of this Section 6.2; or
(iii) to any Governmental Authority with authority over such NMG Company (A) in connection with an examination of such NMG Company; or (B) pursuant to a specific requirement to provide such Cardholder Data by such Governmental Authority or pursuant to compulsory legal process; provided that such NMG Company seeks the full protection of confidential treatment for any disclosed Cardholder Data to the extent available under Applicable Law governing such disclosure, and with respect to clause (B), to the extent permitted by Applicable Law, such NMG Company (1) provides at least ten (10) Business Days’ prior notice of such proposed disclosure to Bank if reasonably possible under the circumstances, and (2) seeks to redact the Cardholder Data to the fullest extent possible under Applicable Law governing such disclosure.
(h) With respect to the sharing, use and disclosure of the Cardholder Data following the termination of this Agreement:
(i) the The rights and obligations of the Parties parties under this Section 6.2 shall continue through any the Termination Date and, if applicable, the end of the Interim Servicing Period;.
(ii) if NMG If Company exercises its rights under Section 17.215.2, Bank shall transfer its right, title and interest in the Cardholder Data to NMG Company or its Nominated Purchaser as part of such transaction, and (subject to Bank’s documentation retention or other obligations under Applicable Law) Bank’s right to use and disclose the Cardholder Data shall terminate upon the termination of on the Termination Period; andDate.
(iii) if NMG provides notice that it shall If Company does not exercise its rights Purchase Option under Section 17.215.2, NMG and its Affiliates’ Company’s right to use and disclose the Cardholder Data hereunder shall terminate only to the extent required by Applicable Law.
(j) The parties shall reasonably cooperate to use, disclose and share Non-Personally Identifiable Information regarding the Program, as mutually agreed upon the termination from time to time to, among other things, monitor Program performance, comply with funding requirements (e.g. rating agency and master trust filing requirements) and support planning and financial reporting processes.
(k) Nothing in this Section 6.2 shall restrict Company’s use of the Termination PeriodCompany Guest Data.
Appears in 1 contract
Cardholder Data. (a) As among the Parties hereto, the Cardholder Data shall be the property of and exclusively owned by the Bank.
(b) The Program Privacy Policy applicable to the Cardholder Data is attached as Schedule 6.2 6.2(b) hereto. Any modifications to the Program Privacy Policy shall be approved by the Management Committee, provided that the Program Privacy Policy Operating Committee in accordance with Section 3.2 and shall comply with Applicable Law at all times.
(c) Bank shall not use, or permit to be used, the Cardholder Data, except as provided in this Section 6.2. The Bank may use the Cardholder Data in compliance with Applicable Law and the Program Privacy Policy solely (i) for purposes of soliciting soliciting, marketing or marketing servicing (in each case, solely as directed by the NMG Companies Company or the Management Operating Committee) or servicing customers listed in the Cardholder Data for NMG Company Credit Cards, Approved Ancillary Products, and any other products and services approved by the Management Operating Committee, (ii) as otherwise necessary to carry out its obligations or exercise its rights hereunder, or (iii) as required by Applicable Law, or (iv) for purposes of performing analysis and modeling, provided, however, that Cardholder Data used for analysis and modeling other than with respect to the Program shall be non-personally identifiable information, shall be aggregated with data from other portfolios, and shall not be used in connection with or for the benefit of any co-branded or private label credit program that is or may be offered by Bank on behalf of or in association with any retailer. The Bank has no rights to to, and shall not, in any event,use the Cardholder Data for marketing or any other purposes except as expressly provided hereinin this Section 6.2(c).
(d) Bank shall not disclose, or permit to be disclosed, the Cardholder Data, except as provided in this Section 6.2. The Bank shall not, directly or indirectly, sell disclose, sell, transfer, or otherwise transfer any right in rent (or permit others to do same), the Cardholder Data other than to NMG or any of its Affiliates. Bank may disclose the Cardholder Data Data, except in compliance with Applicable Law and the Program Privacy Policy solely:
(i) to its Service Providers authorized subcontractors in accordance with this Agreement solely on a “need to know” basis in connection with a permitted use of such the Cardholder Data under this pursuant to Section 6.26.2(c), provided that each such authorized subcontractor Service Provider agrees in a written agreement satisfactory to NMG and Bank to (a) maintain all such Cardholder Data as strictly confidential and not to use or disclose such information to any Person other than the Bank or an NMG the Company, except as required by Applicable Law or any Governmental Authority (after giving the Bank and the NMG Companies Company prior notice and an opportunity to defend against such disclosure); provided, further, that each such authorized subcontractor maintains, and agrees in writing to maintain, (b) maintain an information security program that is designed to meet all requirements of Applicable Law, including, at a minimum, maintenance of an information security program that is designed to: (w) ensure the security and confidentiality of the Cardholder Data; (x) protect against any anticipated threats or hazards to the security or integrity of the Cardholder Data; (y) protect against unauthorized access to or use of the Cardholder Data; and (z) ensure the proper disposal of Cardholder Data; and provided, further, that each such authorized subcontractor agrees to notify promptly Bank and the NMG Companies of any unauthorized disclosure, use, or disposal of, or access to, Cardholder Data and to cooperate with Bank and the NMG Companies all requirements set forth in any investigation thereof and remedial action with respect theretoSection 6.1(b);
(ii) to its Affiliates, Affiliates and its and such Affiliates’ employees, attorneys and accountants with their Representatives on a “need to know such Cardholder Data know” basis in connection with a permitted use of such the Cardholder Data under this pursuant to Section 6.26.2(c); provided that (A) any such Person is bound by terms substantially similar to this Section 6.2 as a condition the Bank communicates the confidential nature of employment or of access to the Cardholder Data to such Persons, such Persons are bound (by agreement or by their professional obligations imposing comparable terms; responsibilities) to maintain the confidentiality of the Cardholder Data in accordance with the provisions of this Agreement, and (B) the Bank shall be responsible for the compliance by each such Person with the terms of this Section 6.2;; 001549-0001-13793-Active.14250169.10
(iii) to any Governmental Authority with authority over the Bank (A) in connection with an examination of the Bank; or (B) pursuant to a specific requirement to provide such Cardholder Data by such Governmental Authority or pursuant to compulsory legal process; provided that the Bank seeks the full protection of confidential treatment for any disclosed Cardholder Data to the extent available under Applicable Law governing such disclosure, and with respect to clause (B), to the extent permitted by Applicable Law, the Bank (1) provides at least ten (10) Business Days’ ' prior notice of such proposed disclosure to NMG the Company if reasonably possible under the circumstances, and (2) seeks to redact the Cardholder Data to the fullest extent possible under Applicable Law governing such disclosure; or
(iv) to the extent permitted in the Risk Management Policies and Operating Procedures, to any consumer reporting agency in accordance with the federal Fair Credit Reporting Act.
(e) To Subject to Applicable Law and the extent Privacy Policy, the Bank has access shall provide the Company with reasonable access, through the Bank's data analysts, to all Cardholder Data obtained by the following information Bank in accordance connection with the provisions Program, which includes at least the items listed below. In addition, subject to Applicable Law, and as reasonably requested by Company, the Bank shall provide Company with an updated copy of this Agreement and subject the master file or such elements thereof as may be requested by Company. Subject to Applicable Law and the Program Privacy Policy, the Bank shall transmit to the NMG Companies at such times as may be requested Company on a real-time basis throughout each day by NMG and a secure data feed into Company Systems designated by the Company from time to time, in formats agreed to by the Parties in advance from time to time:
(i) for any customer who has applied for an NMG a Company Credit Card, regardless of the marketing channel of such application: (A) the customer’s 's name, address, email address, telephone number, social security number and all other information supplied on the application or prescreened response submitted by the customer; and (B) an indication of whether or not the customer has been approved for an NMG Credit Card; and (C) if the customer has been approved for an NMG a Company Credit Card, the Company Credit Card or Non-Card Payment Plan, the NMG Credit Card or Non-Card Payment Plan Account identification number issued (or to be issued) to such customer;
(ii) for each Cardholder, joint-Cardholder and authorized buyer, (1) such person’s 's name, address, email address, telephone number, social security number and Account identification number; (2) any reported change to any of the foregoing information; (3) transaction and experience data; and (4) any such other Cardholder Data as the NMG Companies Company may reasonably request;
(iii) the Cardholder’s 's name and account number for any Account that is delinquent;
(iv) the Cardholder’s name and account identification number for any Account that has been closed; and;
(viv) the Cardholder Data for all categories of information available on to the NMG Companies’ credit Systems Company as of the date hereofhereof prior to giving effect to this Agreement; and
(v) analytical output that the Bank or any of its Affiliates has derived or may derive from their databases that might enhance the Company's understanding of its customers and that the Company reasonably believes could be used to improve the marketing of the Company or the Program. Notwithstanding the foregoing, no Party hereto shall be required to provide any information on a personally identifiable basis if the provision of such personally identifiable information would cause such Party to be considered a “consumer reporting agency” for purposes of the Fair Credit Reporting Act.
(f) The Bank shall cooperate with the NMG Companies Company to provide NMG the Company and its Affiliates with the maximum ability permissible under Applicable Law and the Program Privacy Policy to receive, use and disclose the Cardholder Data, including, as necessary or appropriate, through use of consents consents, opt-in provisions or opt-out provisions, in each case as directed by the NMG CompaniesCompany. Without limiting the foregoing, NMG the Company and each of its Affiliates may receive, use and disclose the Cardholder Data in compliance with Applicable Law and the Program Privacy Policy (i) for purposes of promoting the Program or promoting NMG Goods and Services, (ii) for all commercially reasonable purposes in the same manner as Shopper Data, (iii) as otherwise necessary to carry out its obligations under this Agreement, and (iiiiv) as otherwise permitted by Applicable Law.. 001549-0001-13793-Active.14250169.10
(g) The NMG Companies may use the Cardholder Data in compliance with Applicable Law and the Program Privacy Policy. Each of the NMG Companies Company may disclose the Cardholder Data in compliance with Applicable Law and the Program Privacy Policy solely:
(i) to its existing subcontractors as of the Effective Date and Service Providers authorized in accordance with this Agreement solely on a “need to authorized subcontractors that enter into agreements with an NMG Company after the Effective Date (“Future Subcontractors”) know” basis in connection with a permitted use of such the Cardholder Data under this pursuant to Section 6.26.2(f), provided that each such existing subcontractor and Future Subcontractor Service Provider agrees in a written agreement reasonably satisfactory to NMG and Bank the Company to (a) maintain all such Cardholder Data as strictly confidential in perpetuity and not to use or disclose such information to any Person other than an NMG Company the Bank or Bankthe Company, except as required by Applicable Law or any Governmental Authority (after giving the NMG Companies Bank and the Company prior notice and an opportunity to defend against such disclosure); provided, further, that each such existing subcontractor and Future Subcontractor maintains, and agrees in writing to maintain, (b) maintain an information security program that is designed to meet all requirements of Applicable Law, including, at a minimum, maintenance of an information security program that is designed to: (w) ensure the security and confidentiality of the Cardholder Data; (x) protect against any anticipated threats or hazards to the security or integrity of the Cardholder Data; (y) protect against unauthorized access to or use of the Cardholder Dataall requirements set forth in Section 6.1(b); and (zc) ensure the proper disposal of Cardholder Data; and provided, further, that each such existing subcontractor and Future Subcontractor agrees to notify promptly the Bank and the NMG Companies Company of any unauthorized disclosure, use, or disposal of, or access to, Cardholder Data and to cooperate with the Bank and the NMG Companies Company in any investigation thereof and remedial action with respect thereto;; and provided, further, that the Company shall be responsible for the compliance of each such Service Provider with the terms of this Section 6.2
(ii) to its Affiliates, Affiliates and its and such Affiliates’ employees, attorneys and accountants with their Representatives on a “need to know such Cardholder Data know” basis in connection with a permitted use of such the Cardholder Data under this pursuant to Section 6.26.2(f); provided that (A) any such Person is bound by terms substantially similar to this Section 6.2 as a condition the Company communicates the confidential nature of employment or of access to the Cardholder Data to such Persons, such Persons are bound (by agreement or by their professional obligations imposing comparable terms; responsibilities) to maintain the confidentiality of the Cardholder Data in accordance with the provisions of this Agreement, and (B) the NMG Companies Company shall be responsible for the compliance by each such Person with the terms of this Section 6.2; or;
(iii) to any Governmental Authority with authority over such NMG the Company (A) in connection with an examination of such NMG the Company; or (B) pursuant to a specific requirement to provide such Cardholder Data by such Governmental Authority or pursuant to compulsory legal process; provided that such NMG the Company seeks the full protection of confidential treatment for any disclosed Cardholder Data to the extent available under Applicable Law governing such disclosure, and with respect to clause (B), to the extent permitted by Applicable Law, such NMG the Company (1) provides at least ten (10) Business Days’ ' prior notice of such proposed disclosure to the Bank if reasonably possible under the circumstances, and (2) seeks to redact the Cardholder Data to the fullest extent possible under Applicable Law governing such disclosure; or
(iv) as otherwise permitted by Applicable Law and the Privacy Policy.
(h) With respect to the sharing, use and disclosure of the Cardholder Data following the termination of this Agreement:
(i) the rights and obligations of the Parties under this Section 6.2 shall continue through any Termination PeriodPeriod and, if applicable, any interim servicing period pursuant to Section 17.2(h);
(ii) if NMG the Company exercises its purchase rights under Section 17.2, the Bank shall transfer its right, title and interest in the Cardholder Data to NMG the Company or its Nominated Purchaser as part of such transaction, and the Bank’s 's right to use and disclose the Cardholder Data shall terminate upon the termination of the Termination Period and, promptly following such termination of the Termination Period, the Bank shall return or destroy all Cardholder Data and shall certify such return or destruction to the Company upon request; provided, however, that, if the Bank is obligated to retain any Cardholder Data pursuant to requirements of Applicable Law or the Bank's disaster recovery plan, the Bank shall maintain the strict confidentiality and security of such Cardholder Data and shall not use such Cardholder Data for any other purpose; and
(iii) if NMG the Company provides notice that it shall not exercise its purchase rights under Section 17.2, NMG and its Affiliates’ the Company's right to use and disclose the Cardholder Data hereunder shall terminate upon only to the termination extent required by Applicable Law, and the restrictions hereunder on the Bank's use and disclosure of Cardholder Data shall terminate, except that in no event may the Bank disclose Cardholder Data to any retailer or use Cardholder Data in any way for the benefit of any retailer or retail credit card program or in any manner inconsistent with the limitations on the 001549-0001-13793-Active.14250169.10 Bank's rights to dispose of the Termination PeriodProgram Assets pursuant to Section 17.4. The foregoing provisions shall in no way be construed as to extend the Bank's rights to use the Company Licensed Marks, the Company's name or any intellectual property of the Company, all of which rights shall be expressly limited as set forth in Article X and shall terminate as set forth in Section 17.4(c).
Appears in 1 contract
Sources: Credit Card Program Agreement (Coldwater Creek Inc)
Cardholder Data. (a) As among the Parties hereto, the Cardholder Data shall be the property of and exclusively owned by Bank.
(b) The Program Privacy Policy applicable to the Cardholder Data is attached as Schedule 6.2 hereto. Any modifications to the Program Privacy Policy shall be approved by the Management Committee, provided that the Program Privacy Policy shall comply with Applicable Law at all times.
(c) Bank shall not use, or permit to be used, the Cardholder Data, except as provided in this Section 6.2. Bank may use the Cardholder Data in compliance with Applicable Law and the Program Privacy Policy solely (i) for purposes of soliciting or marketing (in each case, solely as directed by the NMG Companies or the Management Committee) or servicing customers listed in the Cardholder Data for NMG Credit Cards, Approved Ancillary Products, and any other products and services approved by the Management Committee, (ii) as otherwise necessary to carry out its obligations or exercise its rights hereunder, or (iii) as required by Applicable Law. Bank has no rights to use the Cardholder Data for marketing purposes except as expressly provided herein.
(d) Bank shall not disclose, or permit to be disclosed, the Cardholder Data, except as provided in this Section 6.2. Bank shall not, directly or indirectly, sell or otherwise transfer any right in or to the Cardholder Data other than to NMG or any of its Affiliates. Bank may disclose the Cardholder Data in compliance with Applicable Law and the Program Privacy Policy solely:
(i) to its authorized subcontractors in connection with a permitted use of such Cardholder Data under this Section 6.2, provided that each such authorized subcontractor agrees in a written agreement satisfactory to NMG and Bank to maintain all such Cardholder Data as strictly confidential and not to use or disclose such information to any Person other than Bank or an NMG Company, except as required by Applicable Law or any Governmental Authority (after giving Bank and the NMG Companies prior notice and an opportunity to defend against such disclosure); provided, further, that each such authorized subcontractor maintains, and agrees in writing to maintain, an information security program that is designed to meet all requirements of Applicable Law, including, at a minimum, maintenance of an information security program that is designed to: (w) ensure the security and confidentiality of the Cardholder Data; (x) protect against any anticipated threats or hazards to the security or integrity of the Cardholder Data; (y) protect against unauthorized access to or use of the Cardholder Data; and (z) ensure the proper disposal of Cardholder Data; and provided, further, that each such authorized subcontractor agrees to notify promptly Bank and the NMG Companies of any unauthorized disclosure, use, or disposal of, or access to, Cardholder Data and to cooperate with Bank and the NMG Companies in any investigation thereof and remedial action with respect thereto;
(ii) to its Affiliates, and its and such Affiliates’ employees, attorneys and accountants with a need to know such Cardholder Data in connection with a permitted use of such Cardholder Data under this Section 6.2; provided that (A) any such Person is bound by terms substantially similar to this Section 6.2 as a condition of employment or of access to Cardholder Data or by professional obligations imposing comparable terms; and (B) Bank shall be responsible for the compliance by each such Person with the terms of this Section 6.2;
(iii) to any Governmental Authority with authority over Bank (A) in connection with an examination of Bank; or (B) pursuant to a specific requirement to provide such Cardholder Data by such Governmental Authority or pursuant to compulsory legal process; provided that Bank seeks the full protection of confidential treatment for any disclosed Cardholder Data to the extent available under Applicable Law governing such disclosure, and with respect to clause (B), to the extent permitted by Applicable Law, Bank (1) provides at least ten (10) Business Days’ prior notice of such proposed disclosure to NMG if reasonably possible under the circumstances, and (2) seeks to redact the Cardholder Data to the fullest extent possible under Applicable Law governing such disclosure; or
(iv) to the extent permitted in the Risk Management Policies and Operating Procedures, to any consumer reporting agency in accordance with the federal Fair Credit Reporting Act.
(e) To the extent Bank has access to the following information in accordance with the provisions of this Agreement and subject to Applicable Law and the Program Privacy Policy, Bank shall transmit to the NMG Companies at such times as may be requested by NMG and in formats agreed to by the Parties in advance from time to time:
(i) for any customer who has applied for an NMG Credit Card, regardless of the marketing channel of such application: (A) the customer’s name, address, email address, telephone number, social security number and all other information supplied on the application or prescreened response submitted by the customer; (B) an indication of whether or not the customer has been approved for an NMG Credit Card; and (C) if the customer has been approved for an NMG Credit Card or Non-Card Payment Plan, the NMG Credit Card or Non-Card Payment Plan issued (or to be issued) to such customer;
(ii) for each Cardholder, joint-Cardholder and authorized buyer, (1) such person’s name, address, email address, telephone number, social security number and Account number; (2) any reported change to any of the foregoing information; (3) transaction and experience data; and (4) any such other Cardholder Data as the NMG Companies may reasonably request;
(iii) the Cardholder’s name and account number for any Account that is delinquent;
(iv) the Cardholder’s name and account number for any Account that has been closed; and
(v) the Cardholder Data for all categories of information available on the NMG Companies’ credit Systems as of the date hereof. Notwithstanding the foregoing, no Party hereto shall be required to provide any information on a personally identifiable basis if the provision of such personally identifiable information would cause such Party to be considered a “consumer reporting agency” for purposes of the Fair Credit Reporting Act.
(f) Bank shall cooperate with the NMG Companies to provide NMG and its Affiliates with the maximum ability permissible under Applicable Law and the Program Privacy Policy to receive, use and disclose the Cardholder Data, including, as necessary or appropriate, through use of consents or opt-out provisions, in each case as directed by the NMG Companies. Without limiting the foregoing, NMG and each of its Affiliates may receive, use and disclose the Cardholder Data in compliance with Applicable Law and the Program Privacy Policy (i) for purposes of promoting the Program or promoting NMG Goods and Services, (ii) as otherwise necessary to carry out its obligations under this Agreement, and (iii) as otherwise permitted by Applicable Law.
(g) The NMG Companies may use the Cardholder Data in compliance with Applicable Law and the Program Privacy Policy. Each of the NMG Companies may disclose the Cardholder Data in compliance with Applicable Law and the Program Privacy Policy solely:
(i) to its existing subcontractors as of the Effective Date and to authorized subcontractors that enter into agreements with an NMG Company after the Effective Date (“Future Subcontractors”) in connection with a permitted use of such Cardholder Data under this Section 6.2, provided that each such existing subcontractor and Future Subcontractor agrees in a written agreement satisfactory to NMG and Bank to maintain all such Cardholder Data as strictly confidential in perpetuity and not to use or disclose such information to any Person other than an NMG Company or Bank, except as required by Applicable Law or any Governmental Authority (after giving the NMG Companies prior notice and an opportunity to defend against such disclosure); provided, further, that each such existing subcontractor and Future Subcontractor maintains, and agrees in writing to maintain, an information security program that is designed to meet all requirements of Applicable Law, including, at a minimum, maintenance of an information security program that is designed to: (w) ensure the security and confidentiality of the Cardholder Data; (x) protect against any anticipated threats or hazards to the security or integrity of the Cardholder Data; (y) protect against unauthorized access to or use of the Cardholder Data; and (z) ensure the proper disposal of Cardholder Data; and provided, further, that each such existing subcontractor and Future Subcontractor agrees to notify promptly Bank and the NMG Companies of any unauthorized disclosure, use, or disposal of, or access to, Cardholder Data and to cooperate with Bank and the NMG Companies in any investigation thereof and remedial action with respect thereto;
(ii) to its Affiliates, and its and such Affiliates’ employees, attorneys and accountants with a need to know such Cardholder Data in connection with a permitted use of such Cardholder Data under this Section 6.2; provided that (A) any such Person is bound by terms substantially similar to this Section 6.2 as a condition of employment or of access to Cardholder Data or by professional obligations imposing comparable terms; and (B) the NMG Companies shall be responsible for the compliance by each such Person with the terms of this Section 6.2; or
(iii) to any Governmental Authority with authority over such NMG Company (A) in connection with an examination of such NMG Company; or (B) pursuant to a specific requirement to provide such Cardholder Data by such Governmental Authority or pursuant to compulsory legal process; provided that such NMG Company seeks the full protection of confidential treatment for any disclosed Cardholder Data to the extent available under Applicable Law governing such disclosure, and with respect to clause (B), to the extent permitted by Applicable Law, such NMG Company (1) provides at least ten (10) Business Days’ prior notice of such proposed disclosure to Bank if reasonably possible under the circumstances, and (2) seeks to redact the Cardholder Data to the fullest extent possible under Applicable Law governing such disclosure.
(h) With respect to the sharing, use and disclosure of the Cardholder Data following the termination of this Agreement:
(i) the rights and obligations of the Parties under this Section 6.2 shall continue through any Termination Period;
(ii) if NMG exercises its rights under Section 17.2, Bank shall transfer its right, title and interest in the Cardholder Data to NMG or its Nominated Purchaser as part of such transaction, and Bank’s right to use and disclose the Cardholder Data shall terminate upon the termination of the Termination Period; and
(iii) if NMG provides notice that it shall not exercise its rights under Section 17.2, NMG and its Affiliates’ right to use and disclose the Cardholder Data hereunder shall terminate upon the termination of the Termination Period.
Appears in 1 contract
Sources: Credit Card Program Agreement (Neiman Marcus Group Inc)
Cardholder Data. (a) As among the Parties heretobetween Bank and Company, the Cardholder Data shall be the property of Bank; provided, however, that if any particular Cardholder Data shall also constitute Shopper Data, Company shall be permitted to use such Shopper Data in accordance with the provisions of this Agreement applicable to Shopper Data and exclusively owned by Bank.
without regard to any additional restrictions that may be applicable to Cardholder Data, and that Shopper Data shall be the property of Company in accordance with Section 6.3. For avoidance of doubt, some data can constitute both Cardholder Data and Shopper Data for purposes of this Agreement, in which case Bank shall have a property interest and use rights in such data as Cardholder Data under Section 6.2 and Company shall have a property interest and use rights in that same data as Shopper Data under Section 6.3. In addition, in its capacity as servicer, Company shall maintain all Cardholder Data and shall provide Bank with full access to Cardholder Data; provided that such access shall be through reports and data feeds consistent with Company’s data security policies but shall not include access to Company’s Systems beyond the ability to view data to the extent provided pursuant to Section 4.10 and Section 4.18(d). (b) The initial Program Privacy Policy Notice applicable to the Cardholder Data is attached as Schedule 6.2 hereto. Any modifications to the Program Privacy Policy 6.2(b), which shall be approved by separate and distinct from the Management Committee, provided that the Program Privacy Policy shall comply with Applicable Law at all times.
(cprivacy notice(s) Bank shall not use, or permit to be used, the Cardholder Data, except as provided in this Section 6.2. Bank may use the Cardholder Data in compliance with Applicable Law and the Program Privacy Policy solely (i) for purposes of soliciting or marketing (in each case, solely as directed by the NMG Companies or the Management Committee) or servicing customers listed in the Cardholder Data for NMG Credit Cards, Approved Ancillary Products, and any other products and services approved by the Management Committee, (ii) as otherwise necessary to carry out its obligations or exercise its rights hereunder, or (iii) as required by Applicable Law. Bank has no rights to use the Cardholder Data for marketing purposes except as expressly provided herein.
(d) Bank shall not disclose, or permit to be disclosed, the Cardholder Data, except as provided in this Section 6.2. Bank shall not, directly or indirectly, sell or otherwise transfer any right in or to the Cardholder Data other than to NMG or any of its Affiliates. Bank may disclose the Cardholder Data in compliance with Applicable Law and the Program Privacy Policy solely:
(i) to its authorized subcontractors in connection with a permitted use of such Cardholder Data under this Section 6.2, provided that each such authorized subcontractor agrees in a written agreement satisfactory to NMG and Bank to maintain all such Cardholder Data as strictly confidential and not to use or disclose such information to any Person other than Bank or an NMG Company, except as required by Applicable Law or any Governmental Authority (after giving Bank and the NMG Companies prior notice and an opportunity to defend against such disclosure); provided, further, that each such authorized subcontractor maintains, and agrees in writing to maintain, an information security program that is designed to meet all requirements of Applicable Law, including, at a minimum, maintenance of an information security program that is designed to: (w) ensure the security and confidentiality of the Cardholder Data; (x) protect against any anticipated threats or hazards to the security or integrity of the Cardholder Data; (y) protect against unauthorized access to or use of the Cardholder Data; and (z) ensure the proper disposal of Cardholder Data; and provided, further, that each such authorized subcontractor agrees to notify promptly Bank and the NMG Companies of any unauthorized disclosure, use, or disposal of, or access to, Cardholder Data and to cooperate with Bank and the NMG Companies in any investigation thereof and remedial action with respect thereto;
(ii) to its Affiliates, and its and such Affiliates’ employees, attorneys and accountants with a need to know such Cardholder Data in connection with a permitted use of such Cardholder Data under this Section 6.2; provided that (A) any such Person is bound by terms substantially similar to this Section 6.2 as a condition of employment or of access to Cardholder Data or by professional obligations imposing comparable terms; and (B) Bank shall be responsible for the compliance by each such Person with the terms of this Section 6.2;
(iii) to any Governmental Authority with authority over Bank (A) in connection with an examination of Bank; or (B) pursuant to a specific requirement to provide such Cardholder Data by such Governmental Authority or pursuant to compulsory legal process; provided that Bank seeks the full protection of confidential treatment * 48 maintains for any disclosed Cardholder Data to the extent available under Applicable Law governing such disclosure, and with respect to clause (B), to the extent permitted by Applicable Law, Bank (1) provides at least ten (10) Business Days’ prior notice of such proposed disclosure to NMG if reasonably possible under the circumstances, and (2) seeks to redact the Cardholder Data to the fullest extent possible under Applicable Law governing such disclosure; or
(iv) to the extent permitted in the Risk Management Policies and Operating Procedures, to any consumer reporting agency in accordance with the federal Fair Credit Reporting Act.
(e) To the extent Bank has access to the following information in accordance with the provisions of this Agreement and subject to Applicable Law and the Program Privacy Policy, Bank shall transmit to the NMG Companies at such times as may be requested by NMG and in formats agreed to by the Parties in advance from time to time:
(i) for any customer who has applied for an NMG Credit Card, regardless of the marketing channel of such application: (A) the customer’s name, address, email address, telephone number, social security number and all its other information supplied on the application or prescreened response submitted by the customer; (B) an indication of whether or not the customer has been approved for an NMG Credit Card; and (C) if the customer has been approved for an NMG Credit Card or Non-Card Payment Plan, the NMG Credit Card or Non-Card Payment Plan issued (or to be issued) to such customer;
(ii) for each Cardholder, joint-Cardholder and authorized buyer, (1) such person’s name, address, email address, telephone number, social security number and Account number; (2) any reported change to any of the foregoing information; (3) transaction and experience data; and (4) any such other Cardholder Data as the NMG Companies may reasonably request;
(iii) the Cardholder’s name and account number for any Account that is delinquent;
(iv) the Cardholder’s name and account number for any Account that has been closed; and
(v) the Cardholder Data for all categories of information available on the NMG Companies’ credit Systems as of the date hereofportfolios. Notwithstanding the foregoing, no Party hereto shall be required to provide any information on a personally identifiable basis if the provision of such personally identifiable information would cause such Party to be considered a “consumer reporting agency” for purposes of the Fair Credit Reporting Act.
(f) Bank shall cooperate with the NMG Companies Company to provide NMG and its Affiliates with Company the maximum ability permissible under Applicable Law and the Program Privacy Policy Notice to receiveobtain, use and disclose the Shopper Data and Cardholder Data, including, including through the sharing of such data as necessary or appropriate, permitted pursuant the Program Privacy Notice and through the use of consents disclosures, consents, opt-in provisions or opt-out provisions, in each case as directed by the NMG Companies. Without limiting the foregoing, NMG and each of its Affiliates may receive, use and disclose the Cardholder Data in compliance with Applicable Law and Any modifications to the Program Privacy Policy Notice shall be approved by both parties, provided that (i) for purposes modifications required by a change in Applicable Law following the Effective Date shall be approved and incorporated in accordance with the provisions of promoting the Program or promoting NMG Goods Section 4.8 and Services, (ii) as otherwise necessary to carry out its obligations under this Agreement, and (iii) as otherwise permitted by Applicable Law.
(g) The NMG Companies may use the Cardholder Data in compliance with Applicable Law and the Program Privacy Policy. Each of the NMG Companies may disclose the Cardholder Data in compliance with Applicable Law and the Program Privacy Policy solely:
(i) to its existing subcontractors as of the Effective Date and to authorized subcontractors that enter into agreements with an NMG Company after the Effective Date (“Future Subcontractors”) in connection with a permitted use of such Cardholder Data under this Section 6.2, provided that each such existing subcontractor and Future Subcontractor agrees in a written agreement satisfactory to NMG and Bank to maintain all such Cardholder Data as strictly confidential in perpetuity and shall not to use or disclose such information unreasonably object to any Person other than an NMG Company or Bank, except as required modifications thereto permissible by Applicable Law or any Governmental Authority (after giving the NMG Companies prior notice that shall broaden Company’s ability to receive and an opportunity to defend against such disclosure); provided, further, that each such existing subcontractor and Future Subcontractor maintains, and agrees in writing to maintain, an information security program that is designed to meet all requirements of Applicable Law, including, at a minimum, maintenance of an information security program that is designed to: (w) ensure the security and confidentiality of the Cardholder Data; (x) protect against any anticipated threats or hazards to the security or integrity of the Cardholder Data; (y) protect against unauthorized access to or use of the Cardholder Data; and (z) ensure the proper disposal of Cardholder Data; and provided, further, that each such existing subcontractor and Future Subcontractor agrees to notify promptly Bank and the NMG Companies of any unauthorized disclosure, use, or disposal of, or access to, Cardholder Data and to cooperate with Bank and the NMG Companies in any investigation thereof and remedial action with respect thereto;
(ii) to its Affiliates, and its and such Affiliates’ employees, attorneys and accountants with a need to know such Cardholder Data in connection with a permitted use of such Cardholder Data under this Section 6.2; provided that (A) any such Person is bound by terms substantially similar to this Section 6.2 as a condition of employment or of access to Cardholder Data or by professional obligations imposing comparable terms; and (B) the NMG Companies shall be responsible for the compliance by each such Person with the terms of this Section 6.2; or
(iii) to any Governmental Authority with authority over such NMG Company (A) in connection with an examination of such NMG Company; or (B) pursuant to a specific requirement to provide such Cardholder Data by such Governmental Authority or pursuant to compulsory legal process; provided that such NMG Company seeks the full protection of confidential treatment for any disclosed Cardholder Data to the extent available under Applicable Law governing such disclosure, and with respect to clause (B), to the extent permitted by Applicable Law, such NMG Company (1) provides at least ten (10) Business Days’ prior notice of such proposed disclosure to Bank if reasonably possible under the circumstances, and (2) seeks to redact the Cardholder Data to the fullest extent possible under Applicable Law governing such disclosureobtained from Bank.
(h) With respect to the sharing, use and disclosure of the Cardholder Data following the termination of this Agreement:
(i) the rights and obligations of the Parties under this Section 6.2 shall continue through any Termination Period;
(ii) if NMG exercises its rights under Section 17.2, Bank shall transfer its right, title and interest in the Cardholder Data to NMG or its Nominated Purchaser as part of such transaction, and Bank’s right to use and disclose the Cardholder Data shall terminate upon the termination of the Termination Period; and
(iii) if NMG provides notice that it shall not exercise its rights under Section 17.2, NMG and its Affiliates’ right to use and disclose the Cardholder Data hereunder shall terminate upon the termination of the Termination Period.
Appears in 1 contract
Sources: Credit Card Program Agreement
Cardholder Data. (a) As among the Parties heretoWithout limiting Sun Country’s rights under Section 16.2, the as between Bank and Sun Country, Cardholder Data shall be the property of and exclusively owned by Bank. Bank shall maintain all Cardholder Data, including the Program master file.
(b) The Parties acknowledge and agree that it is their intention to establish and maintain a Program Privacy Policy applicable that provides Sun Country the maximum access to, and rights to the use and disclose, Cardholder Data that is attached as Schedule 6.2 heretopermitted by Applicable Law. Any modifications to Bank shall ensure that (i) the Program Privacy Policy shall be approved by the Management Committee, provided that the Program Privacy Policy shall comply complies with Applicable Law at all times, including following any such modifications and (ii) the Program Privacy Policy shall at all times provide Sun Country the maximum access to, and rights to use and disclose, Cardholder Data not prohibited by Applicable Law, including following any such modifications.
(c) Bank shall not use, or permit to be used, the Cardholder Data, except as provided in this Section 6.2. Bank may use the Cardholder Data solely in compliance with Applicable Law and the Program Privacy Policy solely Policy: (i) for purposes of soliciting or marketing (in each case, solely as directed by the NMG Companies or the Management Committee) or servicing customers listed in the Cardholder Data for NMG Credit Cards, Approved Ancillary Products, to exercise Bank’s rights and any other products and services approved by the Management Committee, (ii) as otherwise necessary to carry out its obligations or exercise its rights hereunder; (ii) to develop strategies and models for marketing, fraud, collections and risk-management; or (iii) as required by Applicable Law. for internal Bank has no rights to use the Cardholder Data for marketing purposes except as expressly provided hereinanalytics and related reporting; [*].
(d) Other than to Sun Country as provided herein, Bank shall not disclose, or permit to be disclosed, the Cardholder Data, except as provided in this Section 6.2. Without limiting the provisions of Section 16.2, Bank shall not, directly or indirectly, sell or otherwise transfer any right in or to the Cardholder Data other than to NMG or any of its AffiliatesData. Bank may disclose the Cardholder Data in compliance with Applicable Law and Law, the Program Privacy Policy Policy, and the Credit Card Agreement, solely:
(i) to its authorized subcontractors in connection with a permitted use of such Cardholder Data under this Section 6.2, ; provided that (A) each such authorized subcontractor agrees in a written agreement satisfactory to NMG and Bank to maintain all such Cardholder Data as strictly confidential and not to use or disclose such information to any Person other than Bank or an NMG Company, except as required by Applicable Law or any Governmental Authority (after giving Bank and the NMG Companies prior notice and an opportunity to defend against such disclosure); provided, further, that each such authorized subcontractor maintains, and agrees in writing to maintain, an information security program that is designed to meet all requirements of Applicable Law, including, at a minimum, maintenance of an information security program that is designed to: (w) ensure the security and confidentiality of the Cardholder Data; (x) protect against any anticipated threats or hazards to the security or integrity of the Cardholder Data; (y) protect against unauthorized access to or use of the Cardholder Data; and (z) ensure the proper disposal of Cardholder Data; and provided, further, that each such authorized subcontractor agrees to notify promptly Bank and the NMG Companies of any unauthorized disclosure, usebe bound by this Section 6.2, or disposal ofa comparable contractual commitment with the same effect, or access to, Cardholder Data and to cooperate (B) Bank shall be responsible for the compliance of each such subcontractor with Bank and the NMG Companies in any investigation thereof and remedial action with respect theretoterms of this Section;
(ii) to its Affiliates, Affiliates and Bank’s and its and such Affiliates’ employees, agents, attorneys and accountants with a need to know such Cardholder Data in connection with a permitted use of such Cardholder Data under this Section 6.2Section; provided that (A) any such Person is bound by terms substantially similar to this Section 6.2 as a condition of employment or of access to such Cardholder Data or by professional obligations imposing comparable terms; and (B) Bank shall be responsible for the compliance by of each such Person with the terms of this Section 6.2;; or
(iii) to any Governmental Authority with authority over Bank Bank: (A) in connection with an examination of Bank; or (B) pursuant to a specific requirement to provide such Cardholder Data by such Governmental Authority or pursuant to compulsory legal process; provided that Bank seeks the full protection of confidential treatment for any disclosed Cardholder Data to the extent available under Applicable Law governing such disclosure, and with respect to clause (B), to the extent permitted by Applicable Law, Bank (1) provides at least ten (10) Business Days’ prior notice of such proposed disclosure to NMG Sun Country if reasonably possible under the circumstances, and (2) seeks to redact the such Cardholder Data to the fullest extent possible under Applicable Law governing such disclosure; or
, and (iv3) Bank does not oppose any action by Sun Country to object or intervene in any legal proceeding in which production of Cardholder Data is compelled so long as Sun Country’s interests are not contrary to the extent permitted interests of Bank in the Risk Management Policies and Operating Proceduresconnection with such Governmental Authority inquiry, to any consumer reporting agency in accordance with the federal Fair Credit Reporting Actas reasonably determined by Bank.
(e) To the extent Bank has access to the following information in accordance with the provisions of this Agreement and subject Subject to Applicable Law and the Program Privacy Policy, Bank shall transmit to provide Sun Country at no cost with the NMG Companies at such times as may be requested by NMG information set forth on Schedule 6.2(e) and in formats agreed to by accordance with the Parties in advance from time to time:
(i) for any customer who has applied for an NMG Credit Card, regardless of the marketing channel of such application: (A) the customer’s name, address, email address, telephone number, social security number and all other information supplied on the application or prescreened response submitted by the customer; (B) an indication of whether or not the customer has been approved for an NMG Credit Card; and (C) if the customer has been approved for an NMG Credit Card or Non-Card Payment Plan, the NMG Credit Card or Non-Card Payment Plan issued (or to be issued) to such customer;
(ii) for each Cardholder, joint-Cardholder and authorized buyer, (1) such person’s name, address, email address, telephone number, social security number and Account number; (2) any reported change to any of the foregoing information; (3) transaction and experience data; and (4) any such other Cardholder Data as the NMG Companies may reasonably request;
(iii) the Cardholder’s name and account number for any Account that is delinquent;
(iv) the Cardholder’s name and account number for any Account that has been closed; and
(v) the Cardholder Data for all categories of information available on the NMG Companies’ credit Systems as of the date hereoffrequency set forth therein. Notwithstanding the foregoing, the Parties acknowledge that it is their intent that Sun Country not receive information that subjects Sun Country to any Payment Card Industry Data Security Standards applicable to a financial institution. In addition, Bank shall provide to Sun Country at no Party hereto cost such additional Cardholder Data as Sun Country may reasonably request, subject to [*] Indicates portions omitted pursuant to a request for confidential treatment filed separately with the Commission. Bank approval which will not be unreasonably withheld or delayed. With respect to all such Cardholder Data Bank provides to Sun Country, Bank shall be required also provide Sun Country with details sufficient to provide any information on inform Sun Country as to whether (i) Cardholders reside in states subject to Regulation P, and whether such Cardholders had a personally identifiable basis if the provision of reasonable opportunity to opt-out under Regulation P but have not opted-out, (ii) Cardholders reside in states providing opt-out, and whether such personally identifiable information would cause Cardholders had a reasonable opportunity to opt-out but have not opted-out, and (iii) Cardholders reside in states requiring opt-in and whether such Party to be considered a “consumer reporting agency” for purposes of the Fair Credit Reporting ActCardholders have provided such opt-ins as further set forth in Schedule 6.2(e).
(f) Bank shall cooperate with the NMG Companies use commercially reasonable efforts to provide NMG and its Affiliates with Sun Country the maximum ability permissible under Applicable Law to use and disclose Cardholder Data (including Cardholder information and purchasing data as mutually agreed to by the Parties but in no event less than portfolio aggregate information that includes spend in the top 25 MCCs) for any purpose permitted by Applicable Law, including through the Program Privacy Policy to receive, use and disclose and/or the Cardholder Data, including, as necessary or appropriate, through use of consents consents, opt-in provisions, or opt-out provisions.
(g) Sun Country may, in each case as directed by the NMG Companies. Without limiting the foregoing, NMG and each of may permit its Affiliates may receiveto, use and disclose the Cardholder Data in compliance with Applicable Law and the Program Privacy Policy Law: (i) for purposes of promoting the Program or promoting NMG Goods goods and Servicesservices sold by or through Sun Country, (ii) as otherwise necessary to exercise its rights and carry out its obligations under this Agreement, ; and (iii) as otherwise permitted required by Applicable Law.
(gh) The NMG Companies may use the Cardholder Data in compliance with Applicable Law and the Program Privacy Policy. Each of the NMG Companies Sun Country may disclose the Cardholder Data in compliance with Applicable Law and the Program Privacy Policy solely:
(i) to its existing subcontractors as of the Effective Date and to authorized subcontractors that enter into agreements with an NMG Company after the Effective Date (“Future Subcontractors”) in connection with a permitted use of such Cardholder Data under this Section 6.2, ; provided that that: (A) each such existing subcontractor agrees to be bound by this Section 6.2, or a comparable contractual commitment with the same effect, and Future Subcontractor agrees in a written agreement satisfactory to NMG and Bank to maintain all such Cardholder Data as strictly confidential in perpetuity and not to use or disclose such information to any Person other than an NMG Company or Bank, except as required by Applicable Law or any Governmental Authority (after giving B) Sun Country shall be responsible for the NMG Companies prior notice and an opportunity to defend against such disclosure); provided, further, that compliance of each such existing subcontractor and Future Subcontractor maintains, and agrees in writing to maintain, an information security program that is designed to meet all requirements with the terms of Applicable Law, including, at a minimum, maintenance of an information security program that is designed to: (w) ensure the security and confidentiality of the Cardholder Data; (x) protect against any anticipated threats or hazards to the security or integrity of the Cardholder Data; (y) protect against unauthorized access to or use of the Cardholder Data; and (z) ensure the proper disposal of Cardholder Data; and provided, further, that each such existing subcontractor and Future Subcontractor agrees to notify promptly Bank and the NMG Companies of any unauthorized disclosure, use, or disposal of, or access to, Cardholder Data and to cooperate with Bank and the NMG Companies in any investigation thereof and remedial action with respect theretothis Section 6.2;
(ii) to its Affiliates, Affiliates and Sun Country’s and its and such Affiliates’ employees, agents, attorneys and accountants with a need to know such Cardholder Data in connection with a permitted use of such Cardholder Data under this Section 6.2Section; provided that that: (A) any such Person is bound by terms substantially similar to this Section 6.2 as a condition of employment or of access to such Cardholder Data or by professional obligations imposing comparable terms; and (B) the NMG Companies Sun Country shall be responsible for the compliance by of each such Person with the terms of this Section 6.2; or;
(iii) to any Governmental Authority with authority over such NMG Company Sun Country: (A) in connection with an examination of such NMG CompanySun Country; or (B) pursuant to a specific requirement to provide such Cardholder Data by such Governmental Authority or pursuant to compulsory legal process; provided that such NMG Company Sun Country seeks the full protection of confidential treatment for any such disclosed Cardholder Data to the extent available under Applicable Law governing such disclosure, and with respect to clause (B), to the extent permitted by Applicable Law, such NMG Company Sun Country (1) provides at least ten (10) Business Days’ prior notice of such proposed disclosure to Bank if reasonably possible under the circumstances, and (2) seeks to redact the such Cardholder Data to the fullest extent possible under Applicable Law governing such disclosure, and (3) Sun Country does not oppose any action by Bank to object or intervene in any legal proceeding in which production of Cardholder Data is compelled so long as Bank’s interests are not contrary to the interests of Sun Country in connection with such Governmental Authority inquiry, as reasonably determined by Sun Country.
(hi) With respect to the sharing, use and disclosure of the Cardholder Data following the termination of this Agreement:
(i) the rights and obligations of the Parties under this Section 6.2 shall continue through any Termination Period;
(ii) if NMG If Sun Country exercises its rights Purchase Option under Section 17.216.2, Bank shall transfer its right, title title, and interest in the Cardholder Data to NMG Sun Country or its Nominated Purchaser Purchasers as part of such purchase transaction, and Bank’s right to use and disclose the Cardholder Data shall terminate as of the Program Purchase Date, except as necessary to perform Bank’s obligations pursuant to Section 16.2(i) and to comply with requirements of Applicable Law or a Governmental Authority. [*] Indicates portions omitted pursuant to a request for confidential treatment filed separately with the Commission.
(ii) If Sun Country does not exercise its Purchase Option under Section 16.2 or the Nominated Purchasers and Bank do not consummate the purchase transaction in connection with Sun Country’s exercise of its Purchase Option, upon the termination of the Termination Period; and
(iii) if NMG provides notice that it this Agreement, Sun Country shall not exercise its rights under Section 17.2, NMG and its Affiliates’ right to use and disclose the any Cardholder Data hereunder shall terminate upon in the twelve (12) months following the termination of the Termination Periodthis Agreement to solicit Cardholders for a Credit Card.
Appears in 1 contract
Sources: Credit Card Program Agreement (Sun Country Airlines Holdings, Inc.)
Cardholder Data. (a) As among the Parties hereto, the Cardholder Data shall be the property of and exclusively owned by CEBA Bank.
(b) The Program Privacy Policy applicable privacy notice provided to Cardholders pursuant to the Cardholder Data is attached as Schedule 6.2 hereto. Any modifications to ▇▇▇▇▇-▇▇▇▇▇-▇▇▇▇▇▇ Act constituting part of the Program Privacy Policy shall be approved by in the Management Committee, provided that form attached hereto as Schedule 6.2(b). Any changes to such privacy notice or to the Program Privacy Policy described therein shall comply be made only in accordance with Applicable Law at all timesArticle III.
(c) Bank shall not use, or permit to be used, the Cardholder Data, except as provided in this Section 6.2. Bank may use the Cardholder Data in compliance with Applicable Law and the Program Privacy Policy solely (i) for purposes of soliciting soliciting, marketing or marketing servicing (in each case, solely as directed by the NMG FDS Companies or the Management Operating Committee) or servicing customers listed in the Cardholder Data for NMG FDS Credit Cards, Approved Ancillary Products, and any other products and services approved by the Management Operating Committee, (ii) as otherwise necessary to carry out its obligations or exercise its rights hereunderhereunder (including its rights to use such information as contemplated by Section 16.4), or (iii) as required by Applicable Law. Bank has no rights to use the Cardholder Data for marketing purposes except as expressly provided herein.
(d) Bank shall not disclose, or permit to be disclosed, the Cardholder Data, except as provided in this Section 6.2. Bank shall not, directly or indirectly, sell or otherwise transfer any right in or to the Cardholder Data other than to NMG FDS or any of its AffiliatesAffiliates or to a Nominated Purchaser pursuant to Section 16.2. Bank may disclose the Cardholder Data in compliance with Applicable Law and the Program Privacy Policy solely:
(i) to its authorized subcontractors in connection with a permitted use of such Cardholder Data under this Section 6.2, provided that each such authorized subcontractor agrees in a written agreement satisfactory to NMG and Bank writing to maintain all such Cardholder Data as strictly confidential in perpetuity and not to use or disclose such information to any Person other than Bank or an NMG FDS Company, except as required by Applicable Law or any Governmental Authority (after giving Bank and the NMG FDS Companies prior notice and an opportunity to defend against such disclosure); provided, further, that each such authorized subcontractor maintains, and agrees in writing to maintain, an information security program that is designed to meet all requirements the objectives of Applicable Lawthe Guidelines, including, at a minimum, maintenance of an information security program that is designed to: (w) ensure the security and confidentiality of the Cardholder Data; (x) protect against any anticipated threats or hazards to the security or integrity of the Cardholder Data; (y) protect against unauthorized access to or modification, destruction, disclosure or use of the Cardholder Data; and (z) ensure the proper disposal of Cardholder Data; and provided, further, that each such authorized subcontractor agrees to notify promptly Bank and the NMG FDS Companies of any unauthorized disclosure, use, or disposal of, or access to, Cardholder Data and to cooperate with Bank and the NMG FDS Companies in any investigation thereof and remedial action with respect thereto;
(ii) to its Affiliates, and its and such Affiliates’ employees, attorneys and accountants with a need to know such Cardholder Data in connection with a permitted use of such Cardholder Data under this Section 6.2; provided that (A) any such Person is bound by terms substantially similar to this Section 6.2 as a condition of employment or of access to Cardholder Data or by professional obligations imposing comparable terms; and (B) Bank shall be responsible for the compliance by each such Person with the terms of this Section 6.2;; or
(iii) to any Governmental Authority with authority over Bank (A) in connection with an examination of Bank; or (B) pursuant to a specific requirement to provide such Cardholder Data by such Governmental Authority or pursuant to compulsory legal process; provided that Bank seeks the full protection of confidential treatment for any disclosed Cardholder Data to the extent available under Applicable Law governing such disclosure, and with respect to clause (B), to the extent permitted by Applicable Law, Bank (1) provides at least ten (10) Business Days’ prior notice of such proposed disclosure to NMG FDS if reasonably possible under the circumstances, and (2) seeks to redact the Cardholder Data to the fullest extent possible under Applicable Law governing such disclosure; or
(iv) to the extent permitted in the Risk Management Policies and Operating Procedures, to any consumer reporting agency in accordance with the federal Fair Credit Reporting Act.
(e) To the extent Bank has access to the following information in accordance with the provisions of this Agreement and subject Subject to Applicable Law and the Program Privacy Policy, Bank shall transmit to the NMG FDS Companies at such times as may be requested on a real-time basis throughout each day by NMG and a secure data feed into FDS Systems designated by FDS from time to time, in formats agreed to by the Parties in advance from time to time:
(i) for any customer who has applied for an NMG FDS Credit Card, regardless of the marketing channel of such application: (A) the customer’s name, address, email address, telephone number, social security number and all other information supplied on the application or prescreened response submitted by the customer; (B) an indication of whether or not the customer has been approved for an NMG FDS Credit Card; and (C) if the customer has been approved for an NMG FDS Credit Card, the FDS Credit Card or Non-Card Payment Plan, the NMG Credit Card or Non-Card Payment Plan issued (or to be issued) to such customercustomer (i.e., specify the type of FDS Credit Card and the FDS Licensed ▇▇▇▇ to be used on such FDS Credit Card);
(ii) for each Cardholder, joint-Cardholder and authorized buyer, (1A) such person’s name, address, email address, telephone number, social security number and Account number; (2B) any reported change to any of the foregoing information; (3C) transaction and experience data; and (4D) any such other Cardholder Data as the NMG FDS Companies may reasonably request;
(iii) the Cardholder’s name and account number for any Account that is delinquent;
(iv) the Cardholder’s name and account number for any Account that has been closed; and
(v) the Cardholder Data for all categories of information available on the NMG FDS Companies’ credit Systems as of the date hereof. Notwithstanding the foregoing, no Party hereto shall be required to provide any information on a personally identifiable basis if the provision of such personally identifiable information would cause such Party to be considered a “consumer reporting agency” for purposes of the Fair Credit Reporting Act.
(f) Subject to Applicable Law and the Program Privacy Policy, Bank shall transmit by a secure data feed into FedCustomer (or other FDS Systems designated by FDS from time to time), in a format agreed to by the Parties, on an as billed basis, all information contained in the Billing Statements and all other Cardholder Data for all categories of information available on FedCustomer as of the date hereof (including, for each Cardholder, joint-Cardholder and authorized buyer, name, address, email address, telephone number, information as to creditworthiness and changes to any of the foregoing information).
(g) Bank shall reasonably cooperate with the NMG FDS Companies to provide NMG FDS and its Affiliates with the maximum ability permissible under Applicable Law and the Program Privacy Policy to receive, use and disclose the Cardholder Data, including, as reasonably necessary or appropriate, through use of consents consents, opt-in provisions or opt-out provisions, in each case as directed by the NMG FDS Companies. Without limiting the foregoing, NMG FDS and each of its Affiliates may receive, use and disclose the Cardholder Data in compliance with Applicable Law and the Program Privacy Policy (i) for purposes of promoting the Program or promoting NMG FDS Goods and Services, (ii) as otherwise necessary to carry out its obligations under this Agreement, and (iii) as otherwise permitted by Applicable Law.
(gh) The NMG FDS Companies may use the Cardholder Data in compliance with Applicable Law and the Program Privacy Policy. Each of the NMG FDS Companies may disclose the Cardholder Data in compliance with Applicable Law and the Program Privacy Policy solely:
(i) to its existing subcontractors as of the Effective Date and to authorized subcontractors that enter into agreements with an NMG FDS Company after the Effective Date (“Future Subcontractors”) in connection with a permitted use of such Cardholder Data under this Section 6.2, provided that each such existing subcontractor and Future Subcontractor agrees in a written agreement satisfactory to NMG and Bank writing to maintain all such Cardholder Data as strictly confidential in perpetuity and not to use or disclose such information to any Person other than an NMG FDS Company or Bank, except as required by Applicable Law or any Governmental Authority (after giving the NMG FDS Companies prior notice and an opportunity to defend against such disclosure); provided, further, that each such existing subcontractor and Future Subcontractor maintains, and agrees in writing to maintain, an information security program that is designed to meet all requirements the objectives of Applicable Lawthe Guidelines, including, at a minimum, maintenance of an information security program that is designed to: (w) ensure the security and confidentiality of the Cardholder Data; (x) protect against any anticipated threats or hazards to the security or integrity of the Cardholder Data; (y) protect against unauthorized access to or modification, destruction, disclosure or use of the Cardholder Data; and (z) ensure the proper disposal of Cardholder Data; and provided, further, that each such existing subcontractor and Future Subcontractor agrees to notify promptly Bank and the NMG FDS Companies of any unauthorized disclosure, use, or disposal of, or access to, Cardholder Data and to cooperate with Bank and the NMG FDS Companies in any investigation thereof and remedial action with respect thereto;
(ii) to its Affiliates, and its and such Affiliates’ employees, attorneys and accountants with a need to know such Cardholder Data in connection with a permitted use of such Cardholder Data under this Section 6.2; provided that (A) any such Person is bound by terms substantially similar to this Section 6.2 as a condition of employment or of access to Cardholder Data or by professional obligations imposing comparable terms; and (B) the NMG FDS Companies shall be responsible for the compliance by each such Person with the terms of this Section 6.2; or
(iii) to any Governmental Authority with authority over such NMG FDS Company (A) in connection with an examination of such NMG FDS Company; or (B) pursuant to a specific requirement to provide such Cardholder Data by such Governmental Authority or pursuant to compulsory legal process; provided that such NMG FDS Company seeks the full protection of confidential treatment for any disclosed Cardholder Data to the extent available under Applicable Law governing such disclosure, and with respect to clause (B), to the extent permitted by Applicable Law, such NMG FDS Company (1) provides at least ten (10) Business Days’ prior notice of such proposed disclosure to Bank if reasonably possible under the circumstances, and (2) seeks to redact the Cardholder Data to the fullest extent possible under Applicable Law governing such disclosure.
(hi) With respect to the sharing, use and disclosure of the Cardholder Data following the termination of this Agreement:
(i) the rights and obligations of the Parties under this Section 6.2 shall continue through any Termination Period;
(ii) if NMG FDS exercises its rights under Section 17.216.2, Bank shall transfer its right, title and interest in the Cardholder Data to NMG FDS or its Nominated Purchaser as part of such transaction, and Bank’s right to use and disclose the Cardholder Data shall terminate upon the termination of the Termination Period; and
(iii) if NMG FDS provides notice that it shall not exercise its rights under Section 17.216.2, NMG FDS and its Affiliates’ right to use and disclose the Cardholder Data hereunder shall terminate upon the termination of the Termination Period.
Appears in 1 contract