What compliance requirements must an Even Hotels franchisee adhere to regarding data security and privacy?

Even Hotels Franchise · 2025 FDD

Answer from 2025 FDD Document

  • (5) Data Privacy Laws. Licensee will: (i) comply with all applicable Data Privacy Laws; (ii) comply with all of IHG's requirements regarding data protection contained in the Standards or otherwise; (iii) refrain from any action or inaction that could cause IHG or its Affiliates to breach any of the Data Protection Laws; (iv) do and execute, or arrange to be done and executed, each act, document and thing necessary or desirable to keep IHG in compliance with any of the Data Protection Laws; (v) reimburse IHG for any and all costs incurred in connection with the breach by Licensee of such Data Privacy Laws or Brand Standards; (vi) immediately report to IHG the theft or loss of Personal Data or Guest Data; and (vii) permit IHG and its Affiliates to use any data or other information each of them gathers concerning Licensee, its Affiliates and/or the Hotel in connection with the establishment and operation of Brand System Hotels by IHG and its Affiliates. Licensee will implement commercially reasonable physical, administrative, and technical security controls for its processing of IHG Personal Data that are appropriate to the context and the risk of the Personal Data being processed.

  • 7.2 Licensee shall be responsible for ensuring adequate security and backup procedures to avoid unauthorized access to, use of, or inadvertent loss of data and shall, in its discretion, determine appropriate security, which shall be no less than the standard of care in the industry. Without limiting Licensee's obligations set forth in subparts 7.1.1, 7.1.2 and 7.1.3 above, Licensee will comply with any additional security and data protection practice requirements that IHG will provide to Licensee in writing, which may be updated from time to time (the "Security Practices"). IHG may, in its sole discretion, amend the Security Practices at any time without prior notice (each, a "Security Practices Update"). A Security Practices Update may include additional terms and conditions, including the additional obligations of Licensee. Licensee will comply with any Security Practices Update within thirty (30) days following the date of the Security Practices Update and will comply with any changes to applicable laws, contractual obligations, and industry requirements (including PCI DSS and any successor standard) within the time period provided by such law or industry requirement.

Licensee represents, warrants, and covenants that any Licensee Personal Data transferred to IHG or its Affiliates for the purposes of this License has been collected, retained, used, and transmitted in compliance with applicable Data Privacy Laws.

During and after the License Term, Licensee shall have a non-exclusive, royalty-free license to use any Guest Data stored in the Hotel's property management system only for purposes of operating the Hotel; provided, that: (i) Licensee shall have no right to use the IHG Marketing Data except for the purpose of operating the Loyalty Program during the License Term, and Licensee must remove, or IHG and its Affiliates shall have the right, at Licensee's cost, to remove all IHG Marketing Data from the Hotel's property management system and other Hotel records upon expiration or termination of this License; (ii) Licensee shall retain, use and transmit (and procure that any agent or representative of Licensee that manages the Hotel after the termination of this License retain, use and transmit) such Guest Data only (a) in accordance with all Data Privacy Laws, and (b) to the extent permitted pursuant to any consents obtained from the relevant guests, employees or other individuals (the parties acknowledging that IHG provides no warranty or guaranty regarding any such consents); (iii) Licensee shall not sell or transfer the IHG Personal Data including, but not limited, to any Affiliate or other hotel of Licensee and will not combine IHG Personal Data with the Personal Data of any other hotel brand, company or operator; and (iv) Licensee may not use IHG Personal Data for any marketing purpose.

With respect to IHG Marketing Data, Licensee will act as IHG's processor and is prohibited from (x) "selling" or "sharing" it (as defined by Data Privacy Laws), (y) processing it for any purposes other than as expressly permitted by IHG, including any commercial purposes, or outside of

HotelKey will not retain, use, or disclose Personal Data outside of its direct business relationship with the Controllers or "sell" or "share" (as defined by the Privacy Laws) the Personal Data.

HotelKey will implement commercially reasonable physical, administrative, and technical security controls for its processing of Processed Data that are appropriate to the context and the risk of the Personal Data being processed that are designed to prevent the unlawful access or disclosure, unauthorized processing of, or accidental loss, destruction, damage, or alteration of the Personal Data.

Hotel will ensure all Designated Users comply with industry best practices to implement secure passwords, regularly change such passwords, and protect the security and privacy of their user logins and the PMS Data.

Hotel shall be solely responsible for any and all Claims and Losses (as each such term is defined below) relating to an unauthorized third party access to the PMS Solution and/or PMS Data that results or arises out of breach of the foregoing.

Source: Item 23 — RECEIPTS (FDD pages 99–438)

What This Means (2025 FDD)

According to Even Hotels' 2025 Franchise Disclosure Document, franchisees must adhere to several data security and privacy compliance requirements. Licensees must comply with all applicable Data Privacy Laws and IHG's data protection requirements outlined in the Standards. They must also avoid any actions that could cause IHG or its affiliates to breach Data Protection Laws and must take necessary actions to ensure IHG remains compliant. Franchisees are responsible for reimbursing IHG for any costs incurred due to breaches of Data Privacy Laws or Brand Standards. They must also immediately report any theft or loss of Personal Data or Guest Data to IHG. Furthermore, Even Hotels franchisees must allow IHG and its Affiliates to use any data gathered concerning the franchisee, its affiliates, and/or the Hotel in connection with the establishment and operation of Brand System Hotels. Licensees are required to implement commercially reasonable physical, administrative, and technical security controls for processing IHG Personal Data, appropriate to the context and risk involved.

Even Hotels franchisees must ensure adequate security and backup procedures are in place to prevent unauthorized access, use, or inadvertent loss of data. The level of security should meet or exceed the industry standard of care. Franchisees must comply with all applicable laws, including Data Privacy Laws, contractual obligations, and requirements of the credit card processing industry, such as PCI DSS. They must also adhere to all Standards and IHG policies, requirements, and requests concerning access to any Curated Solution, network connectivity, and transmission of data and reports to IHG and its Affiliates. IHG may provide additional security and data protection practice requirements in writing, which may be updated periodically, and franchisees must comply with these updates within thirty days.

Additionally, Even Hotels requires that any Licensee Personal Data transferred to IHG or its Affiliates is collected, retained, used, and transmitted in compliance with applicable Data Privacy Laws. Licensees are granted a non-exclusive, royalty-free license to use Guest Data stored in the Hotel's property management system for operating the Hotel, provided they comply with all Data Privacy Laws and any consents obtained from guests or employees. Licensees are prohibited from selling or transferring IHG Personal Data, combining it with data from other hotel brands, or using it for marketing purposes. For IHG Marketing Data, franchisees act as IHG's processor and are prohibited from selling or sharing it or processing it for any purposes other than those expressly permitted by IHG.

HotelKey, a third-party provider, also has specific obligations. HotelKey will not retain, use, or disclose Personal Data outside of its direct business relationship with the Controllers or "sell" or "share" the Personal Data. It must implement commercially reasonable security controls to prevent unlawful access or disclosure, unauthorized processing, or accidental loss of Personal Data. HotelKey cannot combine Personal Data with data from other entities and must allow the Hotel to take steps to ensure its processing of Personal Data aligns with obligations under Privacy Laws. The Hotel must ensure all Designated Users comply with industry best practices for secure passwords and protect the security and privacy of their user logins and PMS Data. The Hotel is solely responsible for any Claims and Losses relating to unauthorized third-party access to the PMS Solution and/or PMS Data resulting from a breach of these security measures.

Disclaimer: This information is extracted from the 2025 Franchise Disclosure Document and is provided for research purposes only. It does not constitute legal or financial advice. Consult with a franchise attorney before making any investment decisions.