For Even Hotels, what is HotelKey's role regarding Hotel Personal Data?

al data, personal information, or personally identifying information (as such terms are defined in the applicable Privacy Laws), processed pursuant to or in connection with this Agreement.

• 1.2.8. "PMS Personal Data" means that Personal Data in the PMS Data that is processed by the PMS Solution.
• 1.2.9. "Privacy Laws" means to the extent applicable (a) the EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council ("GDPR") and laws implementing or supplementing the GDPR in each Member State of the European Economic Area from time to time; (b) the GDPR as transposed into United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019, together with other data protection or privacy legislation in force from time to time in the United Kingdom; (c) all applicable United States federal or state privacy and data protection laws; (d) the Canada Personal Information Protection and Electronic Documents Act; and (e) any other analogous federal, national, state, provincial, or emirate privacy legislation in force from time to time, including where applicable, statues, regulations, rules, decisions, guidelines, guidance notes and codes of practice issued from time to time by courts, any supervisory authority, and other applicable authorities.
• 1.2.10. "Processor" and "Subprocessor" have the same meaning as in applicable Privacy Laws.

2.0 Role of the Parties

2.1. The Parties acknowledge and agree that Hotel is an independent Controller of the Hotel Personal Data and sole Controller of the Excluded Personal Data. IHG is an independent Controller of the

• IHG Personal Data to the fullest extent permitted by the Privacy Laws; IHG is the sole Controller of the IHG Marketing Data. IHG and Hotel will be responsible for its compliance with the Privacy Laws with respect to its Personal Data.
• 2.2. If IHG or Hotel receives a request from an individual or authorized representative relating to the processing of Personal Data by another Party, the recipient will direct the individual/representative to submit their request directly to the respective Controller.
• 2.3. HotelKey is the Processor of Hotel where it is processing the PMS Personal Data to provide Hotel with the PMS Solution and Subprocessor of Hotel with respect to IHG Marketing Data.
• 2.4. IHG may provide certain additional services to Hotel in relation to the PMS. To the extent such services involve processing of Personal Data, IHG shall Process such Personal Data as Processor of Hotel under the terms of the relevant Hotel Franchise Agreement or Hotel Management Agreement or any additional terms agreed between IHG and Hotel.
• 2.5. HotelKey may act as Processor for IHG. The relationship between HotelKey and IHG is as set out in a separate agreement between HotelKey and IHG.

3.0 Processor

• 3.1. The provisions in this Section 3.0 apply to HotelKey as the Processor of the Hotel Personal Data and, where applicable, Subprocessor for the Hotel of the IHG Marketing Data to the extent this is included in the PMS Solution.
• 3.2. HotelKey will process Personal Data on behalf of Hotel for the purposes described in the Agreement, as set forth on Attachment 2-A, or as otherwise instructed. HotelKey will not retain, use, or disclose the Personal Data from the Controller for any commercial purpose other than (a) for the limited and specific purposes of providing the services under the Agreement; (b) using the Personal Data for the operational purposes permitted by the Privacy Laws; and (c) using the Personal Data to comply with its legal obligations. HotelKey will not retain, use, or disclose Personal Data outside of its direct business relationship with the Controllers or "sell" or "share" (as defined by the Privacy Laws) the Personal Data. If HotelKey is required by applicable Law to disclose the Personal Data to any entity other than a Party to this Agreement, HotelKey shall to the extent permitted by applicable Law inform Hotel and IHG of that legal requirement before the relevant disclosure of that Personal Data.
• 3.3. HotelKey will implement commercially reasonable physical, administrative, and technical security controls for its processing of Processed Data that are appropriate to the context and the risk of the Personal Data being processed that are designed to prevent the unlawful access or disclosure, unauthorized processing of, or accidental loss, destruction, damage, or alteration of the Personal Data.
• 3.4. HotelKey agrees not to combine Personal Data with other personal data that it receives from another entity or that it collects itself.
• 3.5. HotelKey grants to Hotel the right, upon prior written notice, to (a) take reasonable and appropriate steps to ensure that HotelKey's processing of Personal Data is consistent with Controllers' respective obligations under the Privacy Laws and (b) reasonably request that HotelKey stop and remediate any unauthorized use of Personal Data. If the information and steps requested under this clause is addressed in a SOC, ISO, NIST, PCI DSS or similar audit report issued by a qualified third party auditor within the prior 12 months and HotelKey provides such report with confirmation that there have been no material changes in the controls audited, then Hotel agrees to access such audit report in lieu of requesting further information or requesting additional steps to be taken under this clause.
• 3.6. Hotel specifically authorizes HotelKey to use the Subprocessors listed in Attachment 2-A. If HotelKey wishes to make changes to the list of Subprocessors, HotelKey shall notify Hotel in advance of the proposed change and thereby give Hotel an opportunity to object to the change.

Source: Item 23 — RECEIPTS (FDD pages 99–438)