ClearSky Smart Fleet Data Processing Addendum
This Data Processing Addendum (“DPA”) is between JLG Industries, Inc. (“JLG,” “us,” “we,” or “our”), and the entity that JLG is providing the Data Services to pursuant to the ClearSky Smart Fleet Terms (“Customer” or “you”). JLG and Customer are each a “Party” and collectively the “Parties” to the DPA.
This DPA supplements and forms part of the ClearSky Smart Fleet Terms (the “Terms”) and shall be deemed as entered into on the date of Customer’s acceptance of the Terms (“Effective Date”).
The Parties agree to be bound by this DPA with effect from the Effective Date. We may amend this DPA from time to time due to changes in Applicable Data Protection Law or as otherwise determined by us in our commercially reasonable discretion. Any amendment will only become effective upon notification to you (by email or by posting on our website) and, if you do not agree to any such amendment, you should stop using our Data Services.
This DPA and its Exhibits will apply only to the extent that, as a result of it providing the Data Services to Customer, JLG stores and processes certain personal data of Customer, as described below.
1. Definitions
(a) “Affiliate” means an entity that a Party controls or is controlled by, or with which a Party is under common control. For purposes of this definition, “control” means ownership of more than fifty (50%) percent of the ordinary shares or equivalent ownership interest in an entity.
(b) “Exhibit” means the exhibits annexed to and forming an integral part of this DPA.
(c) “Applicable Data Protection Law” means all applicable laws including those arising under common law, statutes, codes, rules, regulations, directives, reporting or licensing requirements, decrees, orders, ordinances and other pronouncements that have the effect of law and that may from time to time apply to the Processing of Customer Data. For purposes of clarity, “Applicable Data Protection Law” includes but is not limited to Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 (“EU GDPR”); the Swiss Federal Data Protection Act ("Swiss DPA"); the United Kingdom (“UK”)’s Data Protection Act 2018 and the EU GDPR as transposed into United Kingdom law by virtue of Section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (“UK GDPR”).
(d) “Customer Data” means (i) any Personal Information concerning or relating to prospective, former and existing customers, clients, employees, contractors, or subcontractors of Customer held, maintained, received, produced or otherwise Processed by JLG; (ii) any Personal Information provided or made available by Customer, its employees, its customers, its clients, its contractors, or its subcontractors to JLG; (iii) any Personal Information stored on any Customer Systems to which JLG will have access in the performance of the Data Services, and (iv) any Personal Information derived from any of the foregoing.
(e) “Customer Systems” means any information system owned or leased by or operated on behalf of Customer, including servers, networks, virtual private networks, data stores, storage devices, computers, phone systems, applications, databases, and all other technological and computing resources owned or leased by or operated on behalf of Customer.
(f) “Authorized Users” means the JLG Personnel who have a specific need to access Customer Systems or Customer Data for the provision of the Data Services.
(g) “Controller” shall have the meaning assigned to it by Applicable Data Protection Law.
(h) “Data Subject” means an identified or identifiable natural person whose Personal Information is being Processed by JLG in the context of the Data Services; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, psychological, genetic, mental, economic, cultural or social identity of that person.
(i) “EEA” means European Economic Area, which consists of the member states of the European Union as well as Iceland, Liechtenstein, and Norway.
(j) “Information Security Incident” means any actual or reasonably suspected incident involving the accidental, unlawful or unauthorized destruction, loss, alteration, disclosure of or access to Customer Data.
(k) “Instruction(s)” has the same meaning given to that expression in Section 3.1.1 of this DPA.
(l) “Personal Information” means any information relating to a Data Subject.
(m) “Process,” “Processing” or “Processed” means any operation or set of operations which is performed upon Personal Information, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
(n) “Processor” shall have the meaning assigned to it by Applicable Data Protection Law.
(o) “JLG Personnel” means the personnel of JLG, JLG’s Affiliates, JLG’s contractors and subcontractors, and the officers, partners, employees, agents, and subcontractors of each of the foregoing.
(p) “Restricted Data Transfer” means (i) where the EU GDPR applies, a transfer of Personal Information from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission; (ii) where the Swiss DPA applies, a transfer of Personal Information to a country outside of Switzerland which is not included on the list of adequate jurisdictions published by the Swiss Federal Data Protection and Information Commissioner; and (iii) where the UK GDPR applies, a transfer of Personal Information from the United Kingdom to any other country which is not subject to adequacy regulations adopted pursuant to Section 17A of the UK DPA 2018.
(q) “Data Services” means the services or functions JLG performs on behalf of Customer pursuant to the Terms.
(r) “Special Categories of Personal Information” means Personal Information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, Personal Information concerning health, sex life or sexual orientation, or criminal convictions and offenses and such other Personal Information as may be considered special categories of data under Applicable Data Protection Law, such as national identification numbers.
(s) “Standard Contractual Clauses” means (i) where the EU GDPR applies, the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the European Council (available as of June 2021), (the "EU SCCs"); (ii) where the Swiss DPA applies, the applicable standard data protection clauses issued, approved or recognized by the Swiss Federal Data Protection and Information Commissioner (the "Swiss SCCs"); (iii) where the UK GDPR applies, the applicable standard data protection clauses adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR including the standard data protection clauses issued by the Information Commissioner under s119A(1) of the UK DPA 2018 as revised from time to time (the "UK Addendum"); and in each case as completed as described in Section 3.6 (International Data Transfers) below.
2. Duration of DPA
2.1 This DPA shall remain in force for the duration of the Data Services. Subject to the continuing obligations referenced in Section 7.4 below, this DPA shall terminate automatically with the termination or expiry of the Data Services.
3. Processing of Customer Data
3.1 General Obligations of JLG
3.1.1 To the extent that JLG Processes Customer Data, it shall do so in accordance with this DPA and Applicable Data Protection Law. In addition, when JLG Processes Customer Data on behalf of Customer as a Processor, it shall do so in compliance with Customer’s instructions as may be communicated in writing by Customer from time to time (“Instructions”), for the purposes described in Exhibit A.
3.1.2 JLG shall not be allowed to make copies or duplicates of Customer Data without the prior written consent of Customer, unless such copies or duplicates are necessary for the fulfilment of JLG’s obligations under this DPA or the Terms.
3.1.3 If JLG is of the opinion that an Instruction infringes Applicable Data Protection Law, JLG shall immediately notify Customer.
3.1.4 As the Data Services are not intended for use by or in connection with children under 18 years of age, JLG shall not knowingly collect Customer Data from children under 18.
3.1.5 JLG shall not share, sell, disclose, or otherwise Process Customer Data for purposes other than those outlined in the Terms and this DPA. However, JLG may, without restriction, Process anonymized information about users of the Data Services.
3.2 Confidentiality Duty
3.2.1 JLG shall keep Customer Data strictly confidential and may only disclose it to third parties with the prior written consent of Customer or as otherwise agreed in this DPA.
3.2.2 JLG shall ensure that JLG Personnel and Authorized Users engaged in the Processing of Personal Information are aware of Applicable Data Protection Law, comply with the obligations and restrictions of this DPA, and are subject to legally binding confidentiality obligations which survive the termination of their employment.
3.3 Data Subject Requests
3.3.1 JLG shall cooperate with Customer with respect to, and facilitate Customer’s authentication, investigation, processing, and resolution of, all enquiries, complaints, requests and claims of Data Subjects relating to data access, rectification, portability, restriction, erasure, objection or any other rights available to Data Subjects under Applicable Data Protection Law with respect to JLG’s Processing of Customer Data.
3.3.2 JLG shall notify Customer promptly if it receives any enquiry, complaint, request or claim from a Data Subject relating to JLG’s Processing of Customer Data. JLG shall not respond to any such Data Subject request without Customer’s prior written consent except to the extent required by Applicable Data Protection Law or necessary to confirm that the request relates to Customer Data.
3.4 Subcontracting
3.4.1 JLG shall be entitled to subcontract Processing of Customer Data under this DPA subject to compliance with the provisions in this Section 3.4.
3.4.2 All Processing by a subcontractor shall be subject to a written DPA between JLG and the subcontractor that requires the subcontractor to comply with the same obligations and restrictions as provided for in this DPA, including express guarantees by the subcontractor to implement technical and organizational measures to ensure that Processing satisfies all requirements of Applicable Data Protection Law. JLG shall remain responsible for the Processing of Customer Data and for any acts and omissions of its subcontractors to the same extent as if such acts or omissions were performed by JLG.
3.4.3 For any proposed subcontractor, JLG shall disclose such proposed subcontractor to Customer at least thirty (30) business days in advance, and, at Customer’s request, provide the full legal name and company registration number of any subcontractor Affiliate or subcontractor and the geographic location(s) at which the proposed subcontractor will perform the Processing, and details of the volume of records and nature of the Processing that will be taking place. Customer can object to the engagement of any subcontractor in writing, and may terminate the Data Services if, in Customer’s reasonable discretion, JLG does not adequately and promptly address Customer’s objection.
3.4.4 JLG shall promptly inform Customer at least thirty (30) business days in advance of any changes concerning the addition or replacement of subcontractors which impact the Processing related to the provision of Data Services and provide Customer upon request with a copy of the subcontracting agreements with such subcontractors. JLG shall obtain Customer’s prior written consent to any such changes. Customer can object to any such change in writing, and may terminate the Data Services if, in Customer’s reasonable discretion, JLG does not adequately and promptly address Customer’s objection.
3.5 Return and Deletion
3.5.1 JLG shall retain Customer Data only for as long as required to perform the Data Services, or for such longer period required by Applicable Data Protection Law, or for such other period as Customer may reasonably request in writing.
3.5.2 At the expiration of such time period JLG shall, at Customer’s option, securely delete or return all Customer Data to Customer in accordance with Exhibit A, in each case unless otherwise permitted or required by Applicable Data Protection Law.
3.6 International Data Transfers
3.6.1 Customer authorizes JLG and its subcontractors to make international data transfers of Customer Data in accordance with this DPA and Applicable Data Protection Law.
3.6.2 Transfers outside of the EEA, the United Kingdom and Switzerland
3.6.2.1 The Parties agree that when a transfer of Customer Data from Customer (as "data exporter") to JLG (as "data importer") is a Restricted Data Transfer and Applicable Data Protection Law requires that appropriate safeguards are put in place, the Parties will be subject to the Standard Contractual Clauses, which will be deemed incorporated into and form a part of this DPA, as follows:
3.6.2.1.1 In relation to transfers of Customer Data protected by the EU GDPR, the EU SCCs will be completed as follows:
3.6.2.1.1.1 The clauses as set forth in Module Two (controller to processor) will apply only to the extent Customer is a controller and JLG is a processor with respect to the Processing;
3.6.2.1.1.2 The clauses as set forth in Module Three (processor to processor) will apply only to the extent Customer is a processor and JLG is a sub-processor with respect to the Processing;
3.6.2.1.1.3 The “data exporter” is the Customer or a Customer’s Affiliate established in the EEA, and the data exporter’s contact information is set forth below;
3.6.2.1.1.4 The “data importer” is JLG, and the data importer’s contact information is set forth below;
3.6.2.1.1.5 In Clause 7 of the EU SCCs, the optional docking clause will apply;
3.6.2.1.1.6 In Clause 9 of the EU SCCs, Option 2 will apply, and the time period for prior notice of subcontractor changes will be as set out in Section 3.4 of this DPA;
3.6.2.1.1.7 In Clause 11 of the EU SCCs, the optional language will not apply;
3.6.2.1.1.8 In Clause 13 of the EU SCCs and for purposes of Annex I.C of the Appendix to the EU SCCs, the competent supervisory authority will be the Dutch Data Protection Authority (DPA).
3.6.2.1.1.9 In Clause 17 of the EU SCCs, Option 1 will apply, and the EU SCCs will be governed by the law of the Netherlands;
3.6.2.1.1.10 In Clause 18 (b) of the EU SCCs, disputes will be resolved before the courts of the Netherlands; and
3.6.2.1.1.11 Annexes I and II of the Appendix to the EU SCCs are set forth in Exhibits A and B below.
3.6.2.1.1.12 Without prejudice to Clause 2 of the EU SCCs, and in order to ensure compliance with the conditions of Chapter V of the EU GDPR, the data exporter and data importer agree to be bound by the EU SCCs in the event and to the extent that the data importer’s Processing of Customer Data is considered to be subject to the EU GDPR (per Article 3(2) of the EU GDPR). In case of any inconsistency, conflict or contradiction between the EU SCCs and the obligations that the EU GDPR imposes on the data importer, the obligations imposed by the EU GDPR shall prevail.
3.6.2.1.2 In relation to transfers of Customer Data protected by the UK GDPR, the UK Addendum will apply to such transfers subject to the following:
3.6.2.1.2.1 The “data exporter” is the Customer or a Customer’s Affiliate established in the UK, and the data exporter’s contact information is set forth below;
3.6.2.1.2.2 The “data importer” is JLG, and the data importer’s contact information is set forth below;
3.6.2.1.2.3 Table 1 will be completed with the relevant information in Annex I set forth in Exhibit A;
3.6.2.1.2.4 Table 2 will be completed with the selected modules and clauses of the EU SCCs as identified in Section 3.6.2.1.1 of this DPA;
3.6.2.1.2.5 Table 3 will be completed with the relevant information from Annexes I and II set forth in Exhibits A and B below; and
3.6.2.1.2.6 In Table 4, the data exporter and data importer may end the UK Addendum in accordance with the terms of the UK Addendum.
3.6.2.1.3 In relation to transfers of Customer Data protected by the Swiss DPA, the EU SCCs will also apply to such transfers in accordance with Section 3.6.2.1.1 above, subject to the following:
3.6.2.1.3.1 Any references in the EU SCCs to "Regulation (EU) 2016/679" will be interpreted as references to the Swiss DPA;
3.6.2.1.3.2 Any references to "EU", "Union" and "Member State law" will be interpreted as references to Swiss law; and
3.6.2.1.3.3 Any references to the "competent supervisory authority" and "competent courts" will be interpreted as references to the relevant data protection authority and courts in Switzerland;
unless the EU SCCs as implemented above cannot be used to lawfully transfer Customer Data in compliance with the Swiss DPA, in which case the Swiss SCCs will instead be incorporated by reference and form an integral part of this DPA and will apply to such transfers. Where this is the case, the relevant Annexes or Appendices of the Swiss SCCs will be populated using the information contained in Exhibits A and B to this DPA (as applicable).
3.6.2.2 It is not the intention of either Party to contradict or restrict any of the provisions set forth in the Standard Contractual Clauses and, accordingly, if and to the extent the Standard Contractual Clauses conflict with the Terms or this DPA, the Standard Contractual Clauses will prevail to the extent of such conflict.
3.6.2.3 The Parties agree that they will reasonably cooperate with each other in the preparation of any transfer impact assessments, transfer risk assessments or similar assessments that are required in connection with the Parties’ use of the EU SCCs to support a Restricted Data Transfer.
3.6.2.4 By entering into this DPA, the Parties are deemed to be signing the relevant Standard Contractual Clauses and their Appendices and Annexes, which become applicable simultaneously with this DPA.
4. Technical and Organizational Security Measures
4.1 Information Security Standards
4.1.1 JLG shall implement appropriate technical and organizational measures to protect Customer Data against unauthorized or unlawful processing of Customer Data and against the loss or destruction of, or damage to, Customer Data in light of the relevant risks presented by the Processing. Such technical and organizational measures shall be set out in Exhibit B prior to JLG Processing Customer Data pursuant to this DPA.
4.1.2 Security measures shall include industry best practices and advanced safeguards, and in no case less than commercially reasonable safeguards, and shall ensure a level of security appropriate to the risk, taking into account, as appropriate:
a. the pseudonymisation of Customer Data and encryption, at a level of 256-bit encryption or higher;
b. the ability to ensure the ongoing confidentiality, integrity and availability, and resilience of Services and related Processing systems;
c. the ability to restore the availability and access to Customer Data in the event of an Information Security Incident; and
d. a process for regular testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of Processing.
4.1.3 JLG shall protect Customer Data on mobile information devices including but not limited to laptop computers, smart phones, tablets and other mobile devices, information carriers (e.g., memory sticks or portable hard-drives, etc.) by means of adequate encryption technology.
4.2 Information Security Incidents
4.2.1 JLG shall promptly notify any Information Security Incident to Customer, and in any event within forty-eight (48) hours after becoming aware of the Information Security Incident.
4.2.2 JLG agrees that, in addition to applicable requirements in Exhibit B, JLG’s notice to Customer of an Information Security Incident shall contain:
a. categories and numbers of Data Subjects and categories and numbers of Customer Data records affected; and
b. JLG’s assessment, through reasonable diligence, of the likely cause and consequences of the Information Security Incident.
4.2.3 In consultation with Customer, JLG shall take appropriate measures to secure Customer Data and limit any possible detrimental effect to Data Subjects in the event of an Information Security Incident.
4.2.4 JLG shall not disclose the occurrence of any Information Security Incident to any third party without first obtaining Customer’s written consent, except to the extent JLG is required by Applicable Data Protection Law to make such disclosure.
4.2.5 JLG agrees that Customer has the sole right to determine: (1) whether to provide notice of an Information Security Incident to any Data Subjects, regulators, consumer reporting agencies or other third parties; and (2) the content of such notice, whether any type of remediation may be offered to affected Data Subjects, and the nature and extent of any such remediation.
5. Oversight of JLG’s Activities
5.1 Cooperation Duty
5.1.1 JLG shall assist Customer in ensuring compliance with Applicable Data Protection Law.
5.1.2 In addition to other cooperation obligations arising from this DPA, JLG shall assist Customer with:
a. Carrying out data protection impact assessments, where such assessments are required by Applicable Data Protection Law;
b. Customer’s consultation with competent authorities before undertaking high-risk Processing activities, where such prior consultation is required by Applicable Data Protection Law;
c. Addressing any claim, investigation, audit, suit or enforcement proceeding arising from or relating to JLG’s Processing of Customer Data.
5.2 Audits and Inspections
5.2.1 JLG shall provide Customer, upon written request, with all information necessary to demonstrate compliance with JLG’s obligations under this DPA. JLG shall facilitate and grant to Customer or an auditor designated by Customer reasonable access to all Processing facilities at which JLG is providing Services to Customer, to relevant JLG Personnel, and to computer systems, data and records relating to the Data Services for such purposes. JLG shall also respond promptly and thoroughly to any questionnaires or other requests for information that Customer provides to JLG regarding JLG’s information security systems, policies and practices in order to verify compliance with the requirements of this DPA.
5.2.2 Customer may perform such audits no more than once in any calendar year unless Customer has a reasonable suspicion of a breach or potential breach of this DPA by JLG, in which case Customer may perform an audit whenever required. Customer shall inform JLG prior to any inspection. Customer undertakes to carry out any inspection during normal working hours and without interfering with the course of JLG’s business. Without limitation, JLG understands that Customer’s audit requests may seek information related to servers, operating systems, applications, databases, network configuration data, network and application traffic, encryption algorithms being used, fraud detection and prevention controls, physical inspection of facilities, incident response procedures, and disaster recovery measures.
5.2.3 JLG shall respond in writing within thirty (30) business days to all recommendations from Customer resulting from such audits. JLG shall comply with all reasonable recommendations from Customer.
5.2.4 Customer and JLG may be subject to control or investigation by a competent authority. JLG shall notify Customer when it becomes aware that its Processing of Customer Data is subject to an investigation by a competent authority.
6. Customer’s Obligations
6.1. Customer shall remain solely legally responsible for the collection, Processing, and use of Customer Data as well as for the safeguarding of the rights of affected third parties and with regard to claims asserted by such third parties. Customer warrants that it has complied and continues to comply with Applicable Data Protection Law, in particular that it has secured appropriate legal bases for the Processing of Customer Data by JLG as set out in this DPA and as envisaged by the Terms, and that it has provided the necessary notices to Data Subjects in connection with JLG’s Processing of Customer Data.
6.2. Customer acknowledges and agrees that JLG relies solely on Customer for direction as to the extent to which JLG is entitled to Process Customer Data, and that therefore JLG cannot be held liable for any claim brought by Customer or a Data Subject arising from any action or omission by JLG to the extent that such action or omission resulted from Customer’s instructions.
6.3. Customer agrees that it will indemnify and hold harmless JLG on demand from and against all claims, liabilities, costs, expenses, loss or damage (including consequential losses, loss of profit and loss of reputation and all interest, penalties and legal and other professional costs and expenses) incurred by JLG arising directly or indirectly from Customer’s breach of this DPA or any Applicable Data Protection Law.
6.4. As the Data Services are not intended for use by or in connection with children under 18 years of age, Customer shall not allow or enable users under the age of 18 to make use of or provide any Personal Information through the Data Services.
7. Miscellaneous
7.1 Any amendments to this DPA shall be made in writing.
7.2 If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be void, invalid, illegal or otherwise unenforceable, all other terms and provisions of this DPA shall nevertheless remain in full force and effect, and the invalidity or unenforceability of such provision will not adversely affect the enforceability of any other provision of this DPA. The Parties agree that in the place of the invalid provision, a legally binding provision shall apply which comes closest to what the Parties would have agreed if they had contemplated the partial invalidity.
7.3 This DPA is subject to the choice of law and forum identified in the Terms, except insofar as such choice conflicts with the mandatorily applicable laws.
7.4 The provisions of this DPA shall continue to apply for so long as Customer Data is Processed by or on behalf of JLG acting as Customer’s Processor, and shall continue beyond termination of the Data Services until such time as such Personal Information is no longer Processed.
7.5 In the event that JLG fails to comply with this DPA and/or the Terms, Customer may terminate the DPA, effective immediately, at its sole option upon written notice to JLG without liability or further obligation to JLG and without prejudice to any other remedies under this DPA, at law or in equity.
8. Docking clause
8.1 An entity that is not a Party to this DPA may, with the agreement of the Parties, accede to this DPA at any time by acceding to the Terms.
8.2 Once it has acceded to the Terms, the acceding entity shall become a Party to this DPA and have the rights and obligations of Customer or JLG.
8.3 The acceding entity shall have no rights or obligations arising under this DPA for the period prior to becoming a Party.
EXHIBIT A
DESCRIPTION OF THE PROCESSING (INCLUDING TRANSFERS)
A. LIST OF PARTIES
Data exporter(s): The data exporter is JLG’s customer identified on an applicable Order Form for the ClearSky SmartFleet Data Services (“Customer”).
Address: Per the applicable Order Form
Contact person’s name, position and contact details: Per the applicable Order Form
Activities relevant to the data transferred under these Clauses: Per the applicable Order Form
Signature and date: Per the applicable Order Form
Role (controller/processor): Controller or processor
Data importer(s): The data importer is JLG Industries, Inc. (“JLG”).
Address: Per the applicable Order Form
Contact person’s name, position and contact details: Per the applicable Order Form
Activities relevant to the data transferred under these Clauses: Per the applicable Order Form
Signature and date: Per the applicable Order Form
Role (controller/processor): Processor
B. DESCRIPTION OF PROCESSING/TRANSFER
Categories of data subjects whose personal data is transferred: Customer Data shall include personal data regarding Customer’s employees, independent contractors, and service providers.
Categories of personal data transferred: Customer Data which is provided through the Data Services by Customer or its Authorized Users shall include: name, postal address, billing address, work address, shipping address, e-mail address, telephone numbers, information Customer provided for other individuals (such as emergency contact information), driver’s license number, date of birth, gender, license plate numbers, information about the use of the Data Services, communication data, and information related to an individual’s use of Customer Assets, such as vehicle operation and use data, diagnostics, location data, or logs.
Sensitive data transferred (if applicable): The Parties do not anticipate special categories of personal data being Processed.
Frequency of the transfer: Customer Data shall be transferred on a continuous basis as long as Data Services are provided.
Nature of the processing: Customer shall determine the types of personal data it submits to JLG to Process on their behalf in the course of using the Data Services pursuant to the ClearSky SmartFleet Terms.
Purpose(s) of the data transfer and further processing: Customer Data shall be Processed to provide the Data Services to Customer and as further described in the ClearSky SmartFleet Terms.
Period for which the personal data will be retained: Customer Data Processing will be for the duration described in the ClearSky SmartFleet Terms and for a reasonable period of time after the termination of the ClearSky SmartFleet Terms.
For transfers to (sub-) processors: Processor may engage sub-processors to provide Processing of Customer Data in the context of the Data Services in accordance with the instructions provided by the Parties.
C. COMPETENT SUPERVISORY AUTHORITY (IN EEA)
Dutch Data Protection Authority.
EXHIBIT B
TECHNICAL AND ORGANIZATIONAL MEASURES, INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Description of the technical and organizational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
- Technical and organizational measures to be set out in this Exhibit B prior to JLG Processing Data pursuant to this DPA.