DATA PROTECTION APPENDIX

1) Definitions:

a) “Agreed Purposes” means: (i) the fulfilment of Customer orders; (ii) customer service and complaint handling; and (iii) any other data sharing required in order for either SMARTIFY and/or the Seller to comply with their separate obligations under this Annex.

b) “Data Discloser” means a party that discloses Shared Personal Data to the other party.

c) “Data Protection”

d) “Legislation” means all applicable data protection and privacy legislation in force from time to time including the General Data Protection Regulation ((EU) 2016/679) (GDPR); the Data Protection Act 2018; the Privacy and Electronic Communications Regulations 2003 (SI 2003 No. 2426) as amended; any other applicable legislation relating to personal data and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data (including, without limitation, the privacy of electronic communications); and the guidance and codes of practice issued by the relevant data protection or supervisory authority and applicable to a party. The terms “Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing”, “Supervisory Authority” and “appropriate technical and organisational measures” shall have the meanings given to them in the Data Protection Legislation.

e) “Data Receiver” means a party that receives Shared Personal Data from the other party.

f) “Shared Personal Data” means the Customer data shared between SMARTIFY and the Seller.

2) SMARTIFY and the Seller:

a) each agree to comply with the Data Protection Legislation;

b) acknowledge and agree that they will each assume the role of separate and independent Controllers of the Shared Personal Data; and

c) acknowledge and agree that they will regularly disclose to each other Shared Personal Data collected by the Data Discloser for the Agreed Purposes.

3) The types of Personal Data to be shared between SMARTIFY and the Seller for the Agreed Purposes shall include Customer Personal Data, which shall consist of: (i) order details; (ii) query and complaint correspondence; (iii) contact details for the purpose of delivering marketing communications (if opted into by the Customer); (iv) Smartify usage analytics.

4) Transfers of the Shared Personal Data outside of the United Kingdom shall be subject to any applicable lawful transfer mechanism required by Data Protection Legislation from time to time. The Data Receiver shall notify the Data Discloser of the details of such onward Processing of the Shared Personal Data on request.

5) SMARTIFY and the Seller are each separately responsible for complying with their own respective obligations under the Data Protection Legislation and each party commits that it shall do so including, specifically: (a) independently determining the purpose and means of the Processing of the Shared Personal Data; (b) having in place a lawful basis for the Processing of Personal Data by it; (c) having in place and communicating relevant transparency information to Data Subjects; and (d) ensuring that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful Processing of Personal Data against accidental loss or destruction of or damage to Personal Data.

6) Each party shall notify the other party promptly and without undue delay in the event that it: (a) receives or becomes aware of any claim, complaint, query and/or exercise or purported exercise of proposed rights by a Data Subject under the Data Protection Legislation in relation to the Shared Personal Data in whole or in part; (b) receives or becomes aware of any investigation or enforcement activity by a Supervisory Authority or any other relevant regulator in relation to the Shared Personal Data in whole or in part; or (c) becomes aware of a suspected or actual Personal Data Breach affecting the Shared Personal Data in whole or in part.

7) Each party (the receiving party) shall provide reasonable and timely assistance, information and cooperation where requested by the other party (the requesting party) in respect of the collection and/or Processing of the Shared Personal Data under this Annex, including:

a) in respect of any matter which in the reasonable opinion of the requesting party is required for ensuring the requesting party’s continued compliance with the Data Protection Legislation;

b) in respect of any claim, complaint, query and/or exercise or purported exercise of rights by a Data Subject under the Data Protection Legislation or any notice, investigation or enforcement activity by a Supervisory Authority or any other relevant regulator, which relates to or is connected with the receiving party’s Processing of Shared Personal Data;

c) providing such information as the requesting party reasonably requires in relation to a suspected or actual Personal Data Breach of Shared Personal Data which relates to or is connected with the receiving party’s Processing of Shared Personal Data including:

i) describing the nature of the Personal Data Breach including, where possible, the categories and approximate number of: (a) affected data subjects; (b) data records; and (c) whether Personal Data was de-identified, pseudonymised, anonymised or encrypted;

ii) describing the likely consequences of the Personal Data Breach; and

iii) describing the measures taken or proposed to be taken by the receiving party to address the Personal Data Breach including where appropriate, to mitigate its adverse effects; and

d) providing the requesting party with such information as the requesting party reasonably requires for any records it is required to maintain under the Data Protection Legislation.