What policies must a Camp Margaritaville franchisee develop and maintain regarding Guest Profile Data?

• (xv) policies and procedures regarding the collection, storage, use, processing and transfer of personal data (which includes information that identifies or is capable of identifying an individual), payment card data, or other financial data and information, including any data privacy or data security compliance programs, any payment card industry data security standards, together with any related audit or certification requirements, and all other applicable data protection and privacy laws and regulations;

• (xiii) delivering to Franchisor or otherwise providing Franchisor access to the Guest Profile Data as described in Section 4.05;

• (xiv) record retention policies and programs;

• (b) Data and Consumer Protection Laws.

Franchisee represents, warrants and covenants that it is familiar with the requirements of, and that it has been, is and will continue at all times to be, in compliance with all consumer protection, data protection, privacy and cybersecurity laws that may be applicable to the Resort, the Camp Margaritaville System, Franchisor or Franchisee, including but not limited to the Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) ("GDPR"), the California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act of 2020) ("CCPA"), the Virginia Consumer Data Protection Act ("CDPA"), the Colorado Privacy Act ("CPA"), the Utah Consumer Privacy Act ("UCPA"), the Connecticut Personal Data Privacy and Online Monitoring Act ("CPDPA"), the Telephone Consumer Protection Act of 1991 ("TCPA"), the Controlling the Assault of Non-Solicited Pornography and Marketing Act (the "CAN-SPAM Act"), the Telemarketing Sales Rule ("TSR") and the Junk Fax Prevention Act, any regulations related thereto, and similar federal, state and local privacy-related and telemarketing-related laws, rules, regulations and ordinances ("Data Protection Laws").

Franchisee grants Franchisor the right to take reasonable and appropriate steps to ensure all Guest Profile Data is being processed in accordance with Data Protection Laws.

Franchisee must promptly inform Franchisor if Franchisee determines that it can no longer meet its obligations under Data Protection Laws.

• (d) Information Practices Complaints.

Franchisee shall promptly notify Franchisor of any complaint relating to the processing of Guest Profile Data, including allegations that the processing infringes on an individual's rights.

Franchisee shall cooperate with Franchisor and provide all documents and information reasonably requested in order for Franchisor to assess and, if determined by Franchisor that a response is needed, to respond to the complaint.

• (e) Protection of Data.

Franchisee shall and shall cause Franchisee Agents to implement, maintain and enforce reasonable administrative, electronic, technical, physical, logical, and other security measures and safeguards consistent with (a) industry frameworks and guidelines (e.g., the NIST Cybersecurity Framework or CIS Controls); (b) any applicable Franchisor policies (c) the information security policies of Franchisee; and (d) Applicable Laws in order to: (i) prevent unauthorized access, use or disclosure of the Guest Profile Data and Confidential Information of Franchisor (including during storage, transmission and disposal); (ii) protect against any anticipated threats or hazards to the security or integrity of the Guest Profile D

Source: Item 23 — RECEIPTS (FDD pages 72–406)