Canadian Privacy Addendum

PRIVACY SCHEDULE

CUSTODY, CONTROL AND ADMINISTRATION OF PERSONAL INFORMATION


1. Background

Client is subject to the provisions of Applicable Privacy Law relating to the collection, use, disclosure and security of Personal Information. Client and CD Newco, LLC dba Curve Dental (the “Service Provider”) have entered into Terms of Service and Order Form (the “Agreement”) that may involve collection, use, processing, sharing, disclosure, storage, security, destruction and management or administration of Personal Information with or by the Service Provider. The purpose of this schedule (“Schedule”) is to ensure that the Service Provider maintains adequate care of and security controls over the Personal Information and that the Parties comply with the requirements of Applicable Privacy Law. 

2. Definitions

In this Schedule, the following terms have the following meanings:

“Applicable Law” means all present and future laws, statutes, ordinances, regulations, judgements, orders, rules and directions of any court or governmental authority that are enforceable in Canada, and includes Applicable Privacy Law;

“Applicable Privacy Law” means any privacy legislation that may be applicable in the circumstances, which may include the Personal Information Protection and Electronic Documents Act (“PIPEDA”), provincial legislation deemed substantially similar to PIPEDA and/or provincial health information legislation;

“Commissioner” means the Information and Privacy Commissioner as applicable;

“Conflicting Foreign Order” means any order, subpoena, directive, ruling, judgment, injunction, award or decree, decision, request or other requirement issued from a foreign court, agency of a foreign state or other authority outside Canada, or any foreign legislation, the compliance with which would or could potentially breach Applicable Privacy Law;

“Confidentiality Agreement” means a standard agreement between the Service Provider and its Personnel, signed as part of the Service Provider’s operating procedures, requiring that Personnel comply with the requirements of Applicable Privacy Law, and other Applicable Law, in a manner which is intended to ensure compliance by the Service Provider and its Personnel under this Schedule;

“Contact Information” means information to enable an individual at a place of business to be contacted and includes the name, position name or title, business telephone number, business address and business email of the individual;

“Excluded Information” or “Excluded Records” means information, documents or recorded information that (a) relate solely to the Service Provider’s internal administration, finances, management, or labour and employment matters, unless they contain Personal Information about an individual other than Personnel or other third parties with whom the Service Provider has dealings unrelated to the subject matter of the Agreement; or (b) Client confirms in writing are excluded from the application of this Schedule;

“Material Breach” includes, without limitation, (i) non-compliance by the Service Provider with any provision of this Schedule relating to or resulting from the collection, use, disclosure, storage, disposal or destruction of any Personal Information or Records in contravention of Applicable Privacy Law and/or this Schedule; and (ii) failure by the Service Provider to take reasonable steps to cure any contravention of Applicable Privacy Law and/or this Schedule to the satisfaction of Client within 30 days after written notice is given to the Service Provider describing the breach in reasonable detail, or otherwise within 30 days of the Service Provider becoming aware of the breach;

“Permitted Purpose” means access to Records or Personal Information that is necessary for provision of the Services (as defined in the Agreement);

“Personal Health Information” means personal health information about an individual as defined by Applicable Privacy Law;

“Personal Information” means recorded information about an identifiable individual, excluding Contact Information and Excluded Information, that is collected or created by the Service Provider or otherwise obtained or held by or accessible to the Service Provider as a result of the Agreement or any previous agreement between Client and the Service Provider dealing with the same subject matter as the Agreement, and specifically includes Personal Health Information;

“Personnel” means any employees, officers, directors, contractors, subcontractors, associates, representatives or other persons engaged by the Service Provider for the purposes of fulfilling the Service Provider’s obligations under the Agreement;

“Privacy Representative” means the designate of the Service Provider or Client with responsibility for compliance with Applicable Privacy Law and this Schedule; and

“Record” includes books, documents, maps, drawings, photographs, letters, vouchers, papers and any other thing on which Personal Information is recorded or stored by graphic, electronic, mechanical or other means, which are collected or produced by the Service Provider in the course of delivering Services or otherwise performing its obligations under the Agreement, but does not include Excluded Records.

3. Service Provider Subject to Applicable Privacy Law

a. The Service Provider agrees that, in relation to the collection, use, processing, sharing, disclosure, storage, security, destruction and management or administration of Personal Information and Records, it is subject to and will comply with the requirements of Applicable Privacy Law and this Schedule, including any applicable order or security requirements prescribed by the Commissioner or a court. The Service Provider will ensure that it and its Personnel are familiar with its and their obligations under Applicable Privacy Law.

b. The Service Provider acknowledges that Personal Health Information may be disclosed to the Service Provider for the sole purpose of performing the Services. The Service Provider shall exercise all reasonable precautions to protect Personal Health Information from unauthorized access, disclosure, copying, use or modification, storage and retention and, in any event, treat any information which is Personal Health Information in accordance with Applicable Privacy Law. In particular, the use of Personal Health Information must be restricted to the purposes and activities as outlined in Applicable Privacy Law.

c. The Service Provider agrees that if, as a result of the type of Services that it is providing to Client under the Agreement, it is a “service provider”, “information manager”, “information management service provider” or “agent” as defined in Applicable Privacy Law, it will comply with its obligations under Applicable Privacy Law in that regard.

d. The Service Provider agrees to maintain a privacy policy in compliance with Applicable Privacy Law.

e. The Service Provider specifically assumes all responsibility for the Personnel and for the breach by any one or more of them of any provision of Applicable Privacy Law or this Schedule.

4. Control of and Rights in the Record(s) and Consent

The Parties acknowledge and agree that as between Client and the Service Provider:

a. All right, title, interest and control in and to all Records shall remain with Client. No proprietary right or other interest respecting the Records, other than as expressly set out herein, is granted to the Service Provider under this Schedule or the Agreement, by implication or otherwise. The Service Provider is granted temporary access to the Personal Information on the terms and conditions of this Schedule, for the sole and express purpose of performing the Services and for no other use or purpose. Where the Service Provider provides services under contract with one or more other parties in which such other parties also assert control over the same or overlapping Records, Client will work with such other parties to resolve each other’s rights and obligations with respect to such Records and the Service Provider will not be considered to be in breach of this Schedule by reason of its inability to provide unfettered control over the Records to Client.

b. It is the responsibility of Client to identify and to have, directly or indirectly, obtained any consent from, or given any notice to, individuals as required under Applicable Privacy Law for the Service Provider’s collection, use, processing, sharing, disclosure, storage, security, destruction, management or administration of Personal Information. If Client requires the Service Provider to collect Personal Information on its behalf pursuant to this Section, Client will identify to the Service Provider any requirements of Applicable Privacy Law regarding collection of the Personal Information.

5. Collection, Use & Disclosure of Personal Information

a. The Service Provider will only collect, use and disclose Personal Information on behalf of Client as necessary for the performance of the Services or as otherwise authorized by Client in writing or required or authorized by Applicable Law.

b. The Service Provider will ensure that neither it nor its Personnel collects, creates, copies, reproduces, uses, stores, discloses or provides access to any Personal Information except in compliance with this Schedule and Applicable Privacy Law and for purposes directly related to or necessary for the performance of the Services or as otherwise required by Applicable Law.

6. Referral of Requests for Access or Correction

If the Service Provider receives a request under Applicable Privacy Law for access to or correction of Personal Information from a person other than Client, the Service Provider will promptly advise the person to make the request to Client and provide the name and contact information for Client’s Privacy Representative, and the Service Provider shall notify Client of any such request.

7. Cooperation in Responding to Requests for Access

Where Client communicates to the Service Provider that it has received a request for access to Personal Information, the Service Provider will locate and supply to Client any and all Records in its custody that fall within the scope of the request. The Service Provider will comply with this obligation within a reasonable period that allows Client to comply with its obligations under Applicable Privacy Law.

8. Accuracy and Correction of Personal Information

If the Service Provider engages in the collection, maintenance or updating of Personal Information or the creation of Records on behalf of Client under the Agreement, the Service Provider will make every reasonable effort to ensure the accuracy and completeness of such Personal Information generally and as required by Applicable Privacy Law.

9. Protection & Security of Personal Information

The Service Provider must protect Personal Information to ensure compliance with Applicable Privacy Law, by making reasonable security arrangements against such risks as theft, loss or unauthorized access, collection, use, disclosure or disposal.

10. Access by Personnel

The Service Provider will ensure that its Personnel are granted access to the Personal Information only where such access is necessary for the performance of the Services, and subject to the following terms:

a. Prior to access, the Service Provider has entered into its standard Confidentiality Agreement with its Personnel or the Service Provider’s Personnel has expressly agreed to comply with the Service Provider’s internal documents acknowledging the obligations of protecting Personal Information pursuant to this Schedule and Applicable Privacy Law;

b. The Service Provider will revoke the access rights of any person who engages in the unauthorized collection, use or disclosure of Personal Information or otherwise breaches the Confidentiality Agreement or Applicable Privacy Law; and

c. The Service Provider will ensure that Personnel with access to Personal Information are familiar with, and comply with, the obligations of the Service Provider under this Schedule and Applicable Privacy Law.

11. Subcontractors

The Service Provider acknowledges that if it uses subcontractors to perform any services for Client, it will require each subcontractor to be bound by terms equivalent to this Schedule and Applicable Privacy Law.

12. Access and Storage Outside of Canada

Client hereby acknowledges and consents that Personal Information and Records may be collected, used, processed, shared, disclosed, stored, secured, destroyed, managed or administered from outside of Canada by the Service Provider using cloud computing or other information technology infrastructure selected by the Service Provider and managed using third parties, and that Client has provided all required notices and information and/or obtained all required consents and approvals for such collection, use, processing, sharing, disclosure, storage, security, destruction, management and administration outside of Canada.

13. Notice of Demands for Disclosure

If the Service Provider or anyone to whom the Service Provider transmits Personal Information pursuant to a Permitted Purpose becomes legally compelled or otherwise receives a demand to disclose Personal Information other than as permitted by Applicable Privacy Law, including without limitation pursuant to any Conflicting Foreign Order, then, unless prohibited by law, the Service Provider will not do so unless and until: (i) Client has been notified of such requirement; (ii) the parties have appeared before a Canadian Court; and (iii) the Canadian Court has ordered the disclosure. The Service Provider is responsible for ensuring that it obtains such contractual rights or makes such other arrangements with its Personnel or such other third parties to whom it may grant access to Personal Information as may be necessary to enable it to comply with the provisions of this Section. Nothing in this Schedule will be interpreted or construed to prohibit the Service Provider from complying with any valid court order made under the laws of Canada applicable in the Province.

14. Aggregate and De-identified Data

Notwithstanding the provisions of this Schedule, the Service Provider retains the right to use and disclose aggregated and De-Identified Data in any manner. “De-Identified Data” means information (or any portion thereof) that has been the subject of reasonable efforts to de-identify, aggregate and/or anonymize such data, with the result that no individual, entity or particular Record can be identified, such that it is no longer Personal Information as defined in Applicable Privacy Law.

15. Privacy Representative

The Service Provider will appoint a Privacy Representative and such person will have sufficient authority to make decisions and execute documents on behalf of the Service Provider as may be required from time to time for the administration of this Schedule. The Service Provider shall promptly provide Client the name and contact details of its Privacy Representative and shall notify Client of any change of its Privacy Representative.

16. Notice of Breach and Corrective Action

a. The Service Provider will provide Client with prompt written notice of any actual or anticipated Material Breach, including full particulars of such breach.

b. The Service Provider will cooperate with Client in preventing the occurrence or recurrence of any breach of this Schedule or Applicable Privacy Law, including, if requested to do so, preparing a written proposal to address or prevent further occurrences within the Service Provider’s systems.

17. Inspection, Investigation & Cooperation

a. Upon reasonable request by Client, the Service Provider will provide information to a Commissioner pertaining to the Service Provider’s handling of Personal Information demonstrating that the Service Provider is compliant with this Schedule, the Agreement and Applicable Privacy Law, including:

I. the Service Provider’s privacy policy; and
II. information regarding any complaints against the Service Provider to a Commissioner.

b. The Service Provider will reasonably cooperate at Client’s cost with Client in the event of any audit, investigation, inquiry, complaint, suit or other legal proceeding regarding any actual or alleged breach of Applicable Privacy Law or this Schedule, for a Material Breach.

18. Default & Termination

Notwithstanding anything in the Agreement to the contrary, the Service Provider and Client hereby agree that a Material Breach by the Service Provider will give rise to a right on the part of Client to terminate the Agreement immediately upon written notice.

19. Return or Destruction of the Record Upon Request

a. Except as otherwise specified in the Agreement, the Service Provider will retain the Personal Information and Records until it is provided with a written direction from Client regarding its return or destruction.

b. Upon the expiry or earlier termination of the Agreement or, at any time, upon the written request of Client, the Service Provider will promptly: (i) return or deliver all Records, including any copies thereof, to Client; or (ii) destroy, according to Client’s instructions, all documents or other Records, including any copies thereof, in any form or format whatsoever in the Service Provider’s possession constituting or based upon Personal Information.

c. After a request is made under this Section, the Service Provider will not retain any Records for any purpose without the prior written consent of Client. If, for any reason, the Service Provider fails to return or destroy any Record in accordance with this Section, the Service Provider’s obligations pursuant to this Schedule will continue in full force and effect.

20. General

a. The parties acknowledge and agree that either party may disclose the Agreement or portions thereof as may be required pursuant to Applicable Privacy Law.

b. If a provision of this Schedule or the Agreement conflicts with a requirement of Applicable Privacy Law, the conflicting provision of the Agreement (or direction) will be inoperative to the extent of the conflict.

c. Unless otherwise expressly provided in the Agreement, if a provision of this Schedule is inconsistent or conflicts with a provision of the Agreement, the conflicting or inconsistent provision in the Agreement will be inoperative to the extent of the conflict.

d. The Service Provider’s obligations under this Schedule will continue despite the expiry or earlier termination of the Agreement until such time as the Personal Information and Records are returned to Client or securely destroyed in accordance with this Schedule.

e. Except as otherwise provided in this Schedule, no amendments to this Schedule will be effective unless made in writing and agreed to by the parties.