What is the Circle K franchisee's responsibility regarding data privacy and security policies established by the franchisor?

Circle K Franchise · 2025 FDD

Answer from 2025 FDD Document

FRANCHISE RELATIONSHIP IS EXCLUSIVELY WITH FRANCHISEE. NOTHING IN THIS AGREEMENT MAY BE CONSTRUED AS CREATING ANY FRANCHISE OR FRANCHISE RELATIONSHIP WITH THE KEY INDIVIDUAL OR ANY OWNER OF A CORPORATE/ENTITY FRANCHISEE.

9.6 Customer Data.

  • (a) Franchisor owns all Customer Information (as defined below) and may use the Customer Information as it deems appropriate (subject to applicable law), including disclosing it to vendors. Franchisee may only use Customer Information for the purpose of operating the Store to the extent permitted under this Agreement, including the Business Systems Manuals, during the term hereof and subject to such restrictions as Franchisor may from time to time impose and in compliance with all data privacy, security and other applicable laws. "Customer Information" means any contact information (including name, address, phone and fax numbers, and e-mail addresses), sales and payment history, and all other information about any customer, including any personal information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household. As used in this Agreement, the term "customer" refers to any person or entity (i) included on any marketing or customer lists that Franchisee develops or uses; (ii) who has purchased or purchases products or services at the Store; or (iii) whom Franchisee has solicited to purchase any products or services at the Store. Franchisor may use the Customer Information as it deems appropriate, including sharing it with its Affiliates.

  • (b) Without limiting the foregoing, Franchisee agrees to comply with applicable law in connection with its collection, storage, disclosure and its use and Franchisor's use of such Customer Information, including complying with all laws and regulations relating to data protection, privacy and security, including data breach response requirements ("Privacy Laws"), as well as data privacy and security policies, procedures and other requirements Franchisor may periodically establish. Some laws require Franchisee to obtain consent to collect, store, disclose, and use (collectively "process") personal information. Franchisee is responsible for obtaining appropriate Customer consent to ensure Franchisee and Franchisor may process Customer Information as outlined in this Agreement. Franchisee must notify Franchisor immediately of any suspected data breach at or in connection with the Store. Franchisee must fully cooperate with Franchisor and its counsel in determining the most effective way to meet Franchisor's standards and policies pertaining to Privacy Laws within the bounds of applicable law. Franchisee is responsible for any financial losses it incurs or remedial actions that it must take as a result of breach of security or unauthorized access to Customer Information in Franchisee's control or possession.

  • (c) If any federal or state Privacy Law, including the California Consumer Privacy Act, as revised by the California Consumer Privacy Rights Act, Cal. Civ. Code § 1798.100, et seq. (collectively, "CCPA") and any related regulations, applies to the operation of the Store, whenever and to the extent Franchisee operates as a "Service Provider" or "Contractor" under the CCPA, a data processor, or in a similar capacity under any federal or state Privacy Law, Franchisee represents and warrants that:

    • (1) Except for the purpose of operating the Store and in accordance with the Business Systems Manuals, Franchisee will not retain, use, combine or disclose any Customer Information;

    • (2) Franchisee will not sell, share, make available or otherwise disclose any Customer Information to any third party for valuable consideration or for the purpose of performing cross-context behavioral advertising;

    • (3) Franchisee will not retain, use, or disclose Customer Information outside of the direct business relationship between Franchisee and Franchisor;

    • (4) Franchisee will delete any Customer Information upon Franchisor's request unless Franchisee can prove that such request is subject to an exception under applicable law;

    • (5) If Franchisee receives a Customer Information data request (e.g. a request to delete Customer Information) directly from a consumer (e.g., a California resident under the CCPA or CPRA, or a resident of another jurisdiction under other applicable Privacy Law), Franchisee shall inform Franchisor of that request within one business day and cooperate with Franchisor to ensure that the consumer receives an appropriate and timely acknowledgement and response;

    • (6) Franchisee will implement reasonable security procedures and practices appropriate to the Customer Information it collects, retains, uses or discloses, in order to protect it from unauthorized or illegal access, including following minimum requirements that may be set forth in the Business Systems Manuals;

    • (7) Franchisee will cooperate with Franchisor if Franchisor seeks to ensure that Franchisee has collected, retained, used, or disclosed Customer Information consistent with Privacy Laws and this Agreement, including but not limited to providing Franchisor with requested compliance documents, or allowing Franchisor to assess, audit, or test Franchisee's privacy and security controls at least annually;

    • (8) Franchisee will cooperate with Franchisor to stop or remediate any unauthorized use of Customer Information, including verifying that Franchisee no longer retains or processes any personal information that a consumer has asked Franchisee or Franchisor to delete under applicable Privacy Laws; and

    • (9) Franchisee will notify Franchisor immediately if Franchisee determines it cannot meet its obligations under Privacy Laws or this Agreement regarding its collection, retention, use, or disclosure of Customer Information.

  • (d) Franchisee certifies that it understands the restrictions in Paragraphs (1) – (9) of section 9.6(c) and will comply with them. Franchisee also acknowledges and agrees that Franchisor may modify these restrictions from time to time by written notice to Franchisee, by issuing updates to Franchisor's standards and policies pertaining to Privacy Laws, including by adding other similar restrictions that may be required under other state or federal Privacy Laws, and Franchisee agrees to comply with the same. Franchisee also agrees to execute any addenda that Franchisor may determine are required to conform this Agreement to new or changed Privacy Laws.

To the extent that Franchisee engages a third party to collect, use, sell, share, store, disclose, analyze, delete, modify, or to otherwise perform any processing of Customer Information for the purpose of operating the Store (a "Subprocessor"), Franchisee will notify Franchisor of such engagement, which shall be governed by a written contract that includes the same restrictions as in Paragraphs (1) – (9) of section 9.6(c) and imposes reasonable confidentiality obligations and privacy and security controls on the Subprocessor.

Source: Item 22 — CONTRACTS (FDD page 100)

What This Means (2025 FDD)

According to Circle K's 2025 Franchise Disclosure Document, franchisees have several responsibilities regarding data privacy and security. Circle K owns all Customer Information and may use it as deemed appropriate, subject to applicable law. Franchisees may only use Customer Information for operating the store as permitted in the Franchise Agreement and Business Systems Manuals. This use is subject to restrictions imposed by Circle K and must comply with all data privacy, security, and other applicable laws. Franchisees must obtain appropriate customer consent to ensure that both the franchisee and Circle K can process Customer Information as outlined in the agreement. Franchisees must also immediately notify Circle K of any suspected data breach at the store. They must fully cooperate with Circle K and its counsel to meet Circle K's standards and policies pertaining to Privacy Laws within the bounds of applicable law.

Circle K franchisees must comply with all laws and regulations relating to data protection, privacy, and security, including data breach response requirements, as well as data privacy and security policies, procedures, and other requirements that Circle K may periodically establish. Franchisees must also cooperate with Circle K if Circle K seeks to ensure that franchisees have collected, retained, used, or disclosed Customer Information consistent with Privacy Laws and the agreement. This includes providing requested compliance documents or allowing Circle K to assess, audit, or test the franchisee's privacy and security controls at least annually. Franchisees must cooperate with Circle K to stop or remediate any unauthorized use of Customer Information, including verifying that the franchisee no longer retains or processes any personal information that a consumer has asked to be deleted under applicable Privacy Laws.

Furthermore, the Circle K franchisee is responsible for any financial losses incurred or remedial actions that must be taken due to a security breach or unauthorized access to Customer Information in the franchisee's control or possession. If any federal or state Privacy Law applies to the store's operation, the franchisee must adhere to specific restrictions. These include not retaining, using, combining, or disclosing any Customer Information except for operating the store and in accordance with the Business Systems Manuals. The franchisee must not sell, share, make available, or otherwise disclose any Customer Information to any third party for valuable consideration or for cross-context behavioral advertising. The franchisee must also implement reasonable security procedures and practices to protect Customer Information from unauthorized or illegal access, including following minimum requirements in the Business Systems Manuals. The franchisee must notify Circle K immediately if they determine they cannot meet their obligations under Privacy Laws or the agreement regarding the collection, retention, use, or disclosure of Customer Information.

These stipulations mean that a Circle K franchisee must invest in and maintain robust data security measures, train employees on privacy policies, and stay updated on changing privacy laws. Failure to comply can result in financial losses, legal repercussions, and damage to the Circle K brand's reputation. Prospective franchisees should carefully review the Business Systems Manuals and seek legal counsel to fully understand their obligations under these data privacy and security policies.

Disclaimer: This information is extracted from the 2025 Franchise Disclosure Document and is provided for research purposes only. It does not constitute legal or financial advice. Consult with a franchise attorney before making any investment decisions.