Data Protection Addendum

  1. BACKGROUND

1.1 Telit’s provision of the Services to Customer involves processing ‘personal data’ or ‘personal information’, as defined under applicable data protection and privacy laws. This Data Protection Addendum (the “Addendum”) seeks to regulate Telit’s processing of such data, and is incorporated by reference into the Cloud and Connectivity Services Terms and Conditions, including any of its constituent parts, referenced documents and mutually agreed Subsequent Orders made under it (the “Agreement”).

1.2 The Addendum consists of three parts:

(a) EU Data Security and Privacy Provisions, which apply to the extent specified in Section 2 below.

(b) California Privacy Provisions, which apply to the extent specified in Section 3 below.

(c) General Data Security and Privacy Provisions, which apply to the extent specified in Section 4 below.

1.3 In this Addendum, capitalized terms shall have the same meaning as set out in the Agreement, unless otherwise defined within any of the parts comprising this Addendum.

1.4 In addition, for purposes of Annexes A and B, the following words shall have the following meanings:

(a)    “Data Protection Laws” shall mean the GDPR, its implementing legislation and all applicable laws and regulations relating to Personal Data and privacy that are enacted from time to time in any relevant jurisdiction, including (where applicable) relevant guidance and codes of practice issued by any competent authority.

(b)    “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 as applied, modified, added to, limited, widened, substituted, replaced or repealed by law or regulation (and references to any Article or provision of the Regulation shall be interpreted accordingly).

(c)    “Personal Data” shall mean any information relating to an identified or identifiable individual; an identifiable individual is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity (including Special Categories of Personal Data defined below and as listed in Article 9(1) of GDPR).

(d)    “Personal Data Breach” shall mean accidental, unauthorized, or unlawful destruction, loss, alteration, or disclosure of, or access to, Personal Data.

(e)    "Privacy Notice" shall mean Telit's EU Privacy Policy as such appears on its website at: https://www.telit.com/eu-privacy-policy/.

(f)    “Special Categories of Personal Data” shall mean Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, data concerning health or sex life and data consisting of information as to the commission or alleged commission of any offense or any proceedings for any offense or alleged offense or the disposal of such proceedings or the sentence of any court in such proceedings.

(g)    "Units" shall mean those modules (and the associated SIM Cards or Virtual Sims therein) used by the Customer or its End Users to receive the Services.

(h)    “Virtual SIM” shall mean such software and firmware incorporated into modules enabling communication without the necessity of a physical SIM Card.

 

To the extent applicable, the terms capitalized herein that are not otherwise defined shall have such meaning attributed to them by the GDPR.

  2. EU DATA SECURITY AND PRIVACY

2.1 Subject to Section 2.3 below, where the Telit entity or Customer entity that enters into this agreement is a Controller or a Processor established in the EU, Annexes A and B shall apply to the Processing of Personal Data, regardless of whether the Processing takes place in the Union or not.

2.2 Subject to Section 2.3 below, Annexes A and B also apply to the Processing of personal data of Data Subjects who are in the EU by a Controller or Processor not established in the Union, where the Processing activities are related to either the offering of goods or services to those Data Subjects or to the monitoring of their behavior as far as their behavior takes place within the EU.

2.3 To the extent that the conditions set out in Section 2.1 and 2.2 above are met, then depending on the Services ordered by the Customer the Annexes shall apply as follows:

(a) where the Customer orders Connectivity Services – Annex A shall apply.

(b) where the Customer orders Platform Services and Products and/or Professional Services – Annex B shall apply.

Accordingly, if the Customer orders Connectivity as well as Cloud and/or Professional services, both Annex A and B shall apply.

  3. CALIFORNIA PRIVACY

3.1 To the extent that the Services involve processing personal information governed by the California Consumer Privacy Act of 2018 (CCPA) (Cal. Civ. Code §1798.100 et seq.).

3.2 Definitions. In Annex C, the following terms shall have the meaning attributed to them under the CCPA (Cal. Civ. Code §1798.140): ‘consumer’, ‘personal information’, ‘processing’, ‘selling’, ‘service provider’. Additionally, the term “Unit” shall have such meaning as specified in Section 1.4(g) above.

  4. GENERAL DATA SECURITY AND PRIVACY

To the extent that the Services involve processing personal information that is not covered by Annexes A, B, or C, then the provisions of Annex D shall apply.

 

ANNEX A: EU Connectivity

  1. DATA SECURITY AND PRIVACY

1.1 Telit may Process Personal Data related to the use and provision of the Services (the "Processed Data").

1.2 The Processed Data may include, but is not limited to, metrics, telemetry, traffic data sent from or received by the Units, the telephone number associated therewith, logs of calls sent from or received by the Units, text messages sent from or received by the Units, mobile network measurements related to the Units, Unit activity times and Unit location. The Processed Data further includes the content (“Content”) of transmissions made as part of the Services.

1.3 Processed Data is subject to the GDPR. Processed Data may be accessed, collected and obtained through third party providers (e.g. MNOs) and underlying platforms (e.g. CDP) (the "Third Party Providers").

1.4 Customer grants Telit a right to register with, engage and communicate with such Third Party Providers in Customer's name and on Customer's behalf and the Customer agrees to secure rights in the Processed Data (including all relevant consents) necessary for Telit to provide the Services. 

1.5 Telit may transfer, store and Process the Processed Data outside of the European Economic Area or outside the country in which the end-users of the Units are located and/or outside the country in which the Processed Data is collected (including in the USA, Italy, Israel or Ireland), and in jurisdictions which do not provide the same level of data protection as does the jurisdiction in which the Customer is incorporated or conducts business. 

1.6 Telit Processes the Processed Data for the following purposes:

  1. to provide the Services;

  2. conduct administrative and technical activities necessary to maintain and provide the Services and to improve and customize the Services;

  3. to bill and collect fees;

  4. enforce the Agreement;

  5. take any action in any case of dispute, or legal proceeding of any kind involving Customer, End Users, or other third parties, with respect to the Services;

  6. to prevent:

     1. fraud;

     2. misappropriation;

     3. infringements; and

     4. identity theft and other illegal activities and misuse of the Services.

1.7 If Telit is required, or reasonably believes it is required, by law, to share or disclose Processed Data, or if such sharing or disclosure is required pursuant to a subpoena, order, or decree, issued by a competent judicial or administrative authority, provided that, to the extent legally permitted, Telit will endeavor to give the Customer prompt notice of the requirement prior to such disclosure, to allow Customer, at Customer’s cost and expense, to intervene and protect its interests in the Processed Data.

1.8 Subject to applicable law, Telit may:

  1. retain the Processed Data for as long as Telit, in its discretion, deems necessary for its business or other legitimate purposes, and

  2. delete the Processed Data from systems under its possession or control, if Telit, in its discretion, determines that it no longer requires the Processed Data for its business or other legitimate purposes.

1.9 The Customer agrees that, other than expressly set out in the Agreement, Telit has no obligation to continue to hold, export or return the Processed Data and/or has no liability whatsoever for deletion of the Processed Data pursuant to this Addendum. 

  2. TELIT AS A DATA CONTROLLER

2.1 To the extent Telit acts as a Data Controller in respect of the Units (e.g., for billing and collecting fees, Customer usage data and Customer account data), the following terms in this Section 2 shall apply.

2.2 The Customer must notify Telit immediately if it becomes aware of or suspects an incident that may involve a Personal Data Breach.

2.3 The Customer and Telit each acknowledge that they have their respective obligations to relevant government authorities and, to individuals whose Personal Data they Process, to comply with applicable Data Protection Laws. The Customer and Telit each act as a Controller in their own right, in regard to their respective Processing of Personal Data.

2.4 Telit’s EU Privacy Notice describes Telit’s Processing activities as Controller of the Personal Data relating to Customer, individuals connected to Customer, and other business contacts, in accordance with GDPR requirements. In fulfilling Telit’s duties to relevant government authorities and to individuals whose Personal Data Telit Processes under applicable Data Protection Laws, Telit will Process Personal Data that Customer shares with Telit, or that Telit obtains from other sources on Customer’s behalf, only for the relevant purposes that are set out in Telit’s EU Privacy Notice or any supplemental notice that Telit may provide to Customer. For more detail, please refer to Telit’s EU Privacy Notice.

2.5 If Customer discloses or transfers Personal Data to Telit concerning individuals connected to Customer or otherwise relevant to the provision of the Services (including to Customer), it shall be Customer’s responsibility as the Controller of that data to transfer or otherwise disclose such Personal Data in compliance with GDPR requirements including (without limitation) by:

  1. transferring the Personal Data to Telit only as necessary for Telit to provide the Services;

  2. having a lawful basis for disclosing the Personal Data to Telit;

  3. providing all the information required to be provided by the GDPR, in the applicable circumstances (the "Required Information"), to the relevant individuals concerning the transfer of their Personal Data to Telit (including a link to the EU Privacy Notice published on Telit’s website: https://www.telit.com/eu-privacy-policy/); and

  4. assuming the primary responsibility for responding to Data Subject access requests in relation to Personal Data that Customer has shared with Telit.

2.6 Telit will cooperate with Customer, upon request and where reasonably possible, to ensure that the Required Information is made accessible to the relevant individuals, including End Users. Telit agrees to meet its own obligations to provide information directly to the individuals concerned, such as any customised privacy notice that Telit may issue to address a specific matter if required by particular circumstances. However, Customer acknowledges that in most cases, it would be impossible, or would require disproportionate effort for Telit to provide notice directly to all such individual third parties when Customer shares their Personal Data with Telit. Customer may also have obligations under the GDPR and Customer will reasonably cooperate with Telit with respect to any Personal Data that is shared between Telit and Customer in order to facilitate compliance with the relevant provisions of the GDPR.

  3. TELIT AS A DATA PROCESSOR

3.1 To the extent that Telit acts as a Data Processor in relation to the Content which is Personal Data, the following terms in this Section 3 shall apply.

3.2 Telit will act only on documented instructions from the Customer in relation to the Processing of Personal Data (including those set out in the Agreement) unless Processing is required by Data Protection Laws to which Telit is subject, in which case Telit shall to the extent permitted by such Data Protection Laws inform the Customer of that legal requirement before the relevant Processing of that data.

3.3 Telit shall ensure that all persons authorized to Process Personal Data in relation to the Services have committed themselves to confidentiality in respect of the data.

3.4 Telit shall assist the Customer, as far as is possible, in fulfilling the Customer’s obligation to respond to the requests of Data Subjects seeking to exercise their rights under the GDPR, in so far as such requests relate to the provision of the Services.

3.5 To ensure the security of the Personal Data that Telit Processes on the Customer’s behalf, and to safeguard the rights of Data Subjects, Telit has put in place and will maintain technical and organizational measures appropriate to the risks associated with the Services.

3.6 On receiving a written request, Telit shall assist the Customer in meeting the Customer’s GDPR obligations in relation to the following:

(a) the security of the Processing of Personal Data in relation to the Services;

(b) the notification of Personal Data breaches where required; and

(c) the conduct of data protection impact assessments, where necessary.

3.7 Upon termination of the Services and the Customer’s request, Telit shall either delete or return all Personal Data to the Customer, unless Telit is legally obliged to keep such data.

3.8 Upon Customer’s written request, Telit shall provide the Customer with information necessary to demonstrate Telit’s compliance with the obligations set out in this Section 3, and shall allow for and contribute to audits, including inspections, conducted by the Customer in relation to the Processing activities connected to the provision of the Services. The Customer’s right to audit will be limited to once in any twelve-month period and limited in time and scope to a maximum of two (2) business days and in the scope reasonably agreed in advance between the parties. Reasonable advance notice of at least sixty (60) days is required, unless a Data Protection Law requires earlier audit. Telit will use current certifications or other audit reports to minimise unnecessary and repetitive audits. The parties will each bear their own expenses of audit. If an audit determines that Telit has breached its obligations under the Agreement, Telit will promptly remedy the breach at its own cost.

3.9 Telit will promptly inform the Customer if Telit becomes aware of any Personal Data Breach that is confirmed or suspected with reasonable certainty involving Personal Data of the Customer.

3.10 Telit shall immediately inform the Customer if an instruction relating to this Section 3 would, in Telit’s opinion, infringe the GDPR or other Data Protection Laws of the EU or an EU Member State having jurisdiction over the Services.

3.11 Telit shall not engage any sub-Processors to assist in providing the Services, unless Telit has entered into a written contract with the sub-Processor that obligates the sub-Processor to comply with all relevant obligations applicable to it under this Addendum.

3.12 A list of Telit’s existing sub-Processors, their roles, and the location of the Processing carried out by them is available online at https://www.telit.com/sub-processor-vendors/. Customer can sign-register online to receive advance notifications of changes to the list of sub-Processors. By entering into the Agreement, the Customer agrees that Telit may use these sub-Processors (as shall be updated from time to time) for the purposes of providing the Services.

3.13 Where Telit's use of a sub-Processor involves the transfer of Personal Data to countries outside of the EEA for which the EU Commission has not made an 'adequacy' decision for the purposes of cross-border data transfers pursuant to Article 45 of the GDPR, then Telit, acting on behalf of the Customer as the "data exporter", shall enter with the sub-Processor into appropriate standard data protection clauses pursuant to Articles 46(2)(c) and 46(5) of the GDPR. To this end, Customer authorizes Telit to enter into such standard data protection clauses on behalf of the Customer.

  4. Liability

4.1 Telit shall only be liable for Processing where Telit has not complied with its obligations under this Annex A of the Addendum or where Telit has acted outside or contrary to lawful and agreed written instructions from the Customer.

ANNEX B: EU Platform Services and Products and Professional Services

  1. DATA SECURITY AND PRIVACY

1.1 Telit may Process Personal Data related to the use and provision of the Services (the "Processed Data").

1.2 The Processed Data may include, but is not limited to, metrics, telemetry, traffic data sent from or received by the Units, logs of calls sent from or received by the Units, text messages sent from or received by the Units, other logs of the Platform Services and Products, mobile network measurements related to the Units, Unit activity times, Unit location and data stored on the Units.

1.3 Processed Data is subject to the GDPR. Processed Data may be collected and obtained through third party providers (e.g. MNOs) and underlying platforms (e.g. CDP) (the "Third Party Providers").

1.4 Customer grants Telit a right to register with, engage and communicate with such Third Party Providers in Customer's name and on Customer's behalf and the Customer agrees to secure rights in the Processed Data (including all relevant consents) necessary for Telit to provide the Services. 

1.5 If the Order Form of the Agreement specifies a geographical region in which the servers hosting and operating the Platform Services and Products shall be physically situated (a "Data Center Region"), then to the extent applicable to and supported in the Platform Services and Products offerings ordered by Telit, Telit will provide production, test, and backup environments for such Processed Data in the Data Center Region stated in the applicable Order Form. Otherwise, Telit may transfer, store and Process the Processed Data outside of the European Economic Area or outside the country in which the End-users of the Units are located and/or outside the country in which the Processed Data is collected (including in the USA, Italy, Italy or Ireland), and in jurisdictions which do not provide the same level of data protection as does the jurisdiction in which the Customer is incorporated or conducts business.

1.6 Telit Processes the Processed Data for the following purposes:

  1. to provide the Services;

  2. conduct administrative and technical activities necessary to maintain and provide the Services and to improve and customize the Services;

  3. to bill and collect fees;

  4. enforce the Agreement;

  5. take any action in any case of dispute, or legal proceeding of any kind involving Customer, End Users, or other third parties, with respect to the Services;

  6. to prevent:

     1. fraud;

     2. misappropriation;

     3. infringements; and

     4. identity theft and other illegal activities and misuse of the Services.

1.7 If Telit is required, or reasonably believes it is required, by law, to share or disclose Processed Data, or if such sharing or disclosure is required pursuant to a subpoena, order, or decree, issued by a competent judicial or administrative authority, provided that, to the extent legally permitted, Telit will endeavor to give the Customer prompt notice of the requirement prior to such disclosure, to allow Customer, at its cost and expense, to intervene and protect its interests in the Processed Data.

1.8 It is Customer’s responsibility as the Controller of the Personal Data it Processes through Telit to comply with the GDPR requirements including (without limitation) by:

  1. transferring the Personal Data to Telit only as necessary for Telit to provide the Services as a Processor;

  2. having a lawful basis for Processing the Personal Data through Telit;

  3. providing all the information required to be provided by the GDPR, in the applicable circumstances (the "Required Information"), to the relevant individuals concerning the Processing of their Personal Data; and

  4. exercising responsibility for responding to Data Subject access requests in relation to Personal Data that Customer has Processed through Telit.

1.9 Neither Telit nor its licensors claim ownership of the Processed Data submitted for use with the Services. The Customer shall be the Data Controller and Telit the Data Processor, save in respect of Service security, performance and operability data, for which Telit is the Data Controller. Telit’s EU Privacy Notice describes Telit’s Processing activities as Controller, in accordance with GDPR requirements.

  2. TELIT AS A DATA PROCESSOR

2.1 Telit will act only on documented instructions from the Customer in relation to the Processing of Personal Data (including those set out in the Agreement) unless Processing is required by Data Protection Laws to which Telit is subject, in which case Telit shall to the extent permitted by such Data Protection Laws inform the Customer of that legal requirement before the relevant Processing of that data.

2.2 Telit shall ensure that all persons authorised to Process Personal Data in relation to the Services have committed themselves to confidentiality in respect of the data.

2.3 Telit shall assist the Customer, as far as is possible, in fulfilling the Customer’s obligation to respond to the requests of Data Subjects seeking to exercise their rights under the GDPR, in so far as they relate to the provision of the Services.

2.4 To ensure the security of the Personal Data that Telit Processes on the Customer’s behalf, and to safeguard the rights of Data Subjects, Telit has put in place and will maintain technical and organisational measures appropriate to the risks associated with the Services.

2.5 On receiving a written request, Telit shall assist the Customer in meeting the Customer’s GDPR obligations in relation to the following:

(a) the security of the Processing of Personal Data in relation to the Services;

(b) the notification of Personal Data breaches where required; and

(c) the conduct of data protection impact assessments, where necessary.

2.6 Upon termination of the Services and the Customer’s written request, Telit shall either delete or return all Personal Data to the Customer, unless Telit is legally obliged to keep such data.

2.7 Upon Customer’s written request, Telit shall provide the Customer with information necessary to demonstrate Telit’s compliance with the obligations set out in this Section 2, and shall allow for and contribute to audits, including inspections, conducted by the Customer in relation to the Processing activities connected to the provision of the Services. The Customer’s right to audit will be limited to once in any twelve-month period, and limited in time to a maximum of two (2) business days and in the scope reasonably agreed in advance between the parties. Reasonable advance notice of at least sixty (60) days is required, unless a Data Protection Law requires earlier audit. Telit will use current certifications or other audit reports to minimise unnecessary and repetitive audits. The parties will each bear their own expenses of audit. If an audit determines that Telit has breached its obligations under the Agreement, Telit will promptly remedy the breach at its own cost.

2.8 Telit will promptly inform the Customer if Telit becomes aware of any Personal Data Breach that is confirmed or suspected with reasonable certainty involving Personal Data of the Customer.

2.9 Telit shall immediately inform the Customer if an instruction relating to this Section 2 would, in Telit’s opinion, infringe the GDPR or other Data Protection Laws of the EU or an EU Member State having jurisdiction over the Agreement.

2.10 Telit shall not engage any sub-Processors to assist in providing the Services, unless Telit has:

(a) entered into a written contract with the sub-Processor that obligates the sub-Processor to comply with all relevant obligations applicable to Telit under this Addendum.

2.11 A list of Telit’s existing sub-Processors, their roles, and the location of the Processing carried out by them is available online at https://www.telit.com/sub-processor-vendors/. Customer can sign-register online to receive advance notifications of changes to the list of sub-Processors. By entering into the Agreement, the Customer agrees that Telit may use these sub-Processors (as shall be updated from time to time) for the purposes of providing the Services.

2.12 Where Telit's use of a sub-Processor involves the transfer of Personal Data to countries outside of the EEA for which the EU Commission has not made an 'adequacy' decision for the purposes of cross-border data transfers pursuant to Article 45 of the GDPR, then Telit, acting on behalf of the Customer as the "data exporter", shall enter with the sub-Processor into appropriate standard data protection clauses pursuant to Articles 46(2)(c) and 46(5) of the GDPR. To this end, Customer authorizes Telit to enter into such standard data protection clauses on behalf of the Customer.

  3. Liability

3.1 Telit shall only be liable for Processing where Telit has not complied with its obligations under this Annex B of the Addendum or where Telit has acted outside or contrary to lawful and agreed written instructions from the Customer.

 

ANNEX C: California Consumer Privacy Act (CCPA)

 

  1. SCOPE OF PROCESSING

1.1 Telit will, and Customer grants Telit a right to, collect, process, manipulate and retain information and data related to the use and provision of the Services (the "Processed Data"). Customer acknowledges and agrees that Processed Data may include, but is not limited to, metrics, telemetry, traffic data sent from or received by the Units, logs of calls sent from or received by the Units, text messages sent from or received by the Units, other logs of the Platform Services and Products, mobile network measurements related to the Units, Unit activity times, Unit location and data stored on the Units. The parties acknowledge and agree that Processed Data may include personal information.

1.2 Processed Data may be collected and obtained through third party providers (e.g. MNOs) and underlying platforms (e.g. CDP) (the "Third Party Providers"). Customer grants Telit a right to register with, engage and communicate with such Third Party Providers in Customer's name and on Customer's behalf and the Customer agrees to secure rights in the Processed Data (including all relevant consents) necessary for Telit to provide the Services.

1.3 If the Order Form specifies a geographical region in which the servers hosting and operating the Platform Services and Products shall be physically situated (a "Data Center Region"), then to the extent applicable to and supported in the Platform Services and Products offerings ordered by Telit, Telit will provide production, test, and backup environments for such Processed Data in the Data Center Region stated in the applicable Order Form. Otherwise, Telit may store and process the Processed Data elsewhere.

  2. CUSTOMER’S OBLIGATIONS

2.1 The Customer represents and warrants that it has obtained and will maintain valid, and further undertakes to provide Telit upon its request, copies of documents substantiating, any and all authorizations, permissions and informed consents, including those of individuals about whom the Processed Data may include personal information, as may be necessary under applicable laws and regulations, in order to allow Telit to lawfully collect, transfer, store, handle, retain, process and use the Processed Data in the manners and for the purposes set forth in this Annex C.

  3. TELIT’S OBLIGATIONS

3.1 The parties acknowledge and agree that Telit is a service provider. To that end, and unless otherwise required by law:

  1. Telit is prohibited from retaining, using or disclosing Customer’s personal information for: (i) any purpose other than the purpose of properly performing, or for any commercial purpose other than as reasonably necessary to provide, the Services; (ii) ‘selling’ Customer’s personal information; and (iii) retaining, using or disclosing the Customer’s personal information outside of the direct business relationship between the parties. Telit certifies that it understands the restriction specified in this subsection and will comply with it.
  2. If Telit receives a request from a consumer about his or her personal information, Telit shall not comply with the request itself, and shall promptly inform the consumer that Telit’s basis for denying the request is that Telit is merely a service provider that follows Customer’s instructions, and promptly inform the consumer that they should submit the request directly to the Customer and provide the consumer with the Customer’s contact information.

  4. SUBCONTRACTING

4.1 Customer authorizes Telit to subcontract any of its Service-related activities which include the processing of personal information or requiring personal information to be processed by any Third Party Providers. Telit shall ensure that Third Party Providers are bound by obligations consistent with this Annex C. However, Telit has no responsibility for any actions taken by such Third Party Providers with respect to the Processed Data. Customer specifically waives any and all claims against Telit with respect to any actions (or failure to take action) of any Third Party Provider.

  5. RETURN OR DELETION OF INFORMATION

5.1 At the end of the term of the Agreement, if no subsequent further processing is required by Telit, Telit shall, at the choice of the Customer, either delete, destroy or return to Customer, the personal information that Telit and its third party suppliers process for Customer. The Customer agrees that Telit has no obligation to continue to hold, export or return the Processed Data and/or has no liability whatsoever for deletion of the Processed Data, after the end of the term of the Agreement.

  6. ASSISTANCE IN RESPONDING TO CONSUMER REQUESTS

6.1 Telit shall assist Customer by appropriate technical and organizational measures, insofar as possible, for the fulfilment of Customer’s obligation to respond to requests for exercising the consumer rights under the CCPA.

  7. DATA SECURITY

7.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Telit’s processing of personal information for Customer, as well as the nature of personal information processed for Customer, Telit shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure (including data breaches).

  8. LIABILITY

8.1 Telit shall only be liable for processing Customer’s personal information where Telit has not complied with its obligations under this Annex C.

  9. EXCLUSIONS

9.1 For the avoidance of doubt, this Annex C does not apply to Telit’s processing Customer’s personal information for any of the following:

  1. Administration of the contractual relationship with the Customer (including liaising with Customer’s staff, billing and collecting fees, enforcing the Agreement);
  2. Telit’s marketing activities to the Customer;
  3. Taking any action in any case of dispute, or legal proceeding of any kind involving Relevant Third Parties or relevant vendors, with respect to the Services;
  4. Compiling statistical and other information related to the performance, operation and use of the Services, and using data from the Services in aggregated form for security and operations management, to create statistical analyses, and for research and development purposes (collectively, "Service Analyses"). Telit may make Service Analyses publicly available, however, Service Analyses will not incorporate Processed Data in a form that could serve to identify Customer or any individual. Telit retains all intellectual property rights in Service Analyses;
  5. Where Telit is required, or reasonably believes it is required, by law, to share or disclose Customer’s personal information, such as, by way of example only, pursuant to a subpoena, order, or decree, issued by a competent judicial or administrative authority. To the extent legally permitted, Telit will endeavor to give the Customer prompt notice of the requirement prior to such disclosure, to allow Customer, at its cost and expense, to intervene and protect its interests in the personal information.

ANNEX D: General Data Security and Privacy

  1. SCOPE OF PROCESSING

1.1 Telit will, and Customer grants Telit a right to, collect, process, manipulate and retain information and data related to the use and provision of the Services (the "Processed Data"). Customer acknowledges and agrees that Processed Data may include, but is not limited to, metrics, telemetry, traffic data sent from or received by the devices used in the Connectivity Services or Platform Services and Products ("Units"), logs of calls sent from or received by the Units, text messages sent from or received by the Units, other logs of the Platform Services and Products, mobile network measurements related to the Units, Unit activity times, Unit location and data stored on the Units. The parties acknowledge and agree that Processed Data may include information that relates to individuals (“Personal Information”).

1.2 Processed Data may be collected and obtained through third party providers (e.g. MNOs) and underlying platforms (e.g. CDP) (the "Third Party Providers"). Customer grants Telit a right to register with, engage and communicate with such Third Party Providers in Customer's name and on Customer's behalf and the Customer agrees to secure rights in the Processed Data (including all relevant consents) necessary for Telit to provide the Services.

1.3 If the Order Form specifies a geographical region in which the servers hosting and operating the Platform Services and Products shall be physically situated (a "Data Center Region"), then to the extent applicable to and supported in the Platform Services and Products offerings ordered by Telit, Telit will provide production, test, and backup environments for such Processed Data in the Data Center Region stated in the applicable Order Form. Otherwise, Telit may store and process the Processed Data elsewhere.

  2. CUSTOMER’S OBLIGATIONS

2.1 The Customer represents and warrants that it has obtained and will maintain valid, and further undertakes to provide Telit upon its request, copies of documents substantiating, any and all authorizations, permissions and informed consents, including those of individuals about whom the Processed Data may include Personal Information, as may be necessary under applicable laws and regulations, in order to allow Telit to lawfully collect, transfer, store, handle, retain, process and use the Processed Data in the manners and for the purposes set forth in this Annex C.

  3. TELIT’S OBLIGATIONS

3.1 Telit will only use the Processed Data as follows:

  1. To provide the Services, conduct administrative and technical activities necessary to maintain and provide the Services and to improve and customize the Services;
  2. For administration of the contractual relationship with the Customer (including liaising with Customer’s staff, billing and collecting fees, enforcing the Agreement);
  3. For Telit’s marketing activities to the Customer;
  4. To take any action in any case of dispute, or legal proceeding of any kind involving Relevant Third Parties or relevant vendors, with respect to the Services;
  5. To compile statistical and other information related to the performance, operation and use of the Services, and using data from the Services in aggregated form for security and operations management, to create statistical analysis, and for research and development purposes (collectively, "Service Analyses"). Telit may make Service Analyses publicly available, however, Service Analyses will not incorporate Processed Data in a form that could serve to identify Customer or any individual. Telit retains all intellectual property rights in Service Analyses;
  6. Where Telit is required, or reasonably believes it is required, by law, to share or disclose Customer’s Processed Data, such as, by way of example only, pursuant to a subpoena, order, or decree, issued by a competent judicial or administrative authority. To the extent legally permitted, Telit will endeavor to give the Customer prompt notice of the requirement prior to such disclosure, to allow Customer, at its cost and expense, to intervene and protect its interests in the Processed Data.

  4. SUBCONTRACTING

4.1 Customer authorizes Telit to subcontract any of its Service-related activities consisting (partly) of the processing of the Processed Data or requiring Processed Data to be processed by any Third Party Providers. However, Telit has no responsibility for any actions taken by such Third Party Providers with respect to the Processed Data. Customer specifically waives any and all claims against Telit with respect to any actions (or failure to take action) of any Third Party Provider.

  5. RETURN OR DELETION OF INFORMATION

5.1 At the end of the term of the Agreement, if no subsequent further processing is required by Telit, Telit shall, at the choice of the Customer, either delete, destroy or return to Customer, the Processed Data that Telit and its third party suppliers process for Customer. The Customer agrees that Telit has no obligation to continue to hold, export or return the Processed Data and/or has no liability whatsoever for deletion of the Processed Data, after the end of the term of the Agreement.

  6. DATA SECURITY

6.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Telit’s processing of Processed Data for Customer, as well as the nature of Processed Data processed for Customer, Telit shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the Processed Data from unauthorized access, destruction, use, modification, or disclosure (including data breaches).

  7. LIABILITY

7.1 Telit shall only be liable for processing Customer’s Processed Data where Telit has not complied with its obligations under this Annex D.