These Taxi and Private Hire Vertical Terms and Conditions (“Additional Taxi and Private Hire Terms”) are expressly incorporated into and made an integral part of the General Terms and Conditions (Marketplace Supply/EU) or the General Terms and Conditions (Marketplace Supply/USA), as applicable, if Partner uses the Taxi and Private Hire Vertical.

A. Additional and Updated Definitions.

(1) “Driver” means any employee or subcontractor of Partner who has a vehicle assigned to it as part of Partner’s fleet and whom Partner utilizes for the provision of Mobility Services.

(2) “Driver Data” means all information, data and records of, applicable to, and/or relating to, the Driver that are available as part of the Mobility Products, including without limitation and as applicable, names, phone numbers, location information, routes, license plate number of vehicle assigned, vehicle model, Driver photo, and all communications, transactions and all other information associated with each Driver’s provision of Mobility Services, including such information, data and records uploaded into the Mobility Products by Partner.

 B. Amended Definitions.

The following definitions set forth in the General Terms and Conditions (Marketplace Supply/EU) or the General Terms and Conditions (Marketplace Supply/USA), as applicable, shall be amended and restated in their entirety as follows:

(1) “Consumer Data” means all information, data and records of, applicable to and/or relating to Consumer(s) available and/or provided to Partner as part of the Mobility Products and to the Drivers (as applicable), including without limitation and as applicable, names, phone numbers, location information, and any other information related thereto.

(2) “Data” means, collectively, all User Data, Driver Data and Consumer Data collected by using and/or available as part of the Mobility Marketplace or otherwise in connection thereto, as applicable, and/or data relating to a User, a Driver, the Consumer and/or the Mobility Services.

C.   Additional Mobility Products Terms and Conditions.

(1) HERE reserves the right to: (i) review the situations where, and the manner in which, Partner obtains acceptance to the collection of Data; (ii) require Partner to change the implementation of such acceptances; and (iii) acquire or require Partner to acquire additional consents from Users, Drivers or Consumers if deemed necessary, all at HERE's sole discretion.

D. Data Privacy and Data Processing.

Without limiting the generality of Section 5 of the General Terms and Conditions (Marketplace Supply/EU) or the General Terms and Conditions (Marketplace Supply/USA), as applicable, the following additional terms and conditions shall apply to Partner:

(1)   In the course of providing the Mobility Products to Partner pursuant to the Agreement, HERE Global B.V. (“HERE Global”) may process Driver Data and User Data on behalf of Partner and use and collect Consumer Data for its purposes. The parties agree that with regard to the processing of Driver Data and User Data, Partner is the data controller and HERE Global is a data processor, and with respect to Consumer Data, HERE Global is the data controller and Partner is the data processor; provided, that in the event the parties are deemed to be joint data controllers with regard to Consumer Data, User Data or Driver Data, as applicable, the parties shall apportion data protection compliance responsibilities between one another for purposes of compliance with the requirements of applicable data protection laws, rules or regulations in the country in which Partner provides the Mobility Services (“Data Protection Laws”). To the extent Data provided by Partner includes “personal data” or “personally identifiable information” (as defined under applicable Data Protection Laws), HERE’s processing of such Data shall be within a dedicated, logically segregated platform and limited to the following purposes: (i) the processing, use, storage, disclosure and disposal of such Data for purposes of matching Consumers with transportation supply providers (such as Partner) that are directly or indirectly connected to the Mobility Marketplace; and (ii) the processing of such Data such that it no longer relates to an identified or identifiable natural person or is rendered anonymous in such a way that a data subject is no longer identifiable (“De-Identified Data”), for purposes of utilizing such De-Identified Data in Mobility Products. Partner agrees and acknowledges that HERE may maintain, use and distribute such De-Identified Data derived from the Data for its own purposes and Partner agrees to include the relevant language and terms in its privacy policy, and inform the Users and the Drivers, and to the extent legally required, obtain legal and valid consent or establish another legal basis regarding such usage by HERE in accordance with Data Protection Laws. Partner shall comply with and shall be responsible for each User’s and Driver’s compliance with all applicable Data Protection Laws with respect to the applicable Data and information that is provided to or by, or made available to or by, Partner and/or is under its control. Partner shall provide each Driver with a copy of the notice set forth herein below as Annex 1 (“Driver Notice”) together with any and all legally required and otherwise appropriate instructions, warnings, notices and safety information and obtain such affirmative, informed and legally valid consents from each Driver and User as required by applicable laws and regulations prior to accessing and/or receiving Data with respect to each such User and Driver.

(2)      Partner shall, in its use or receipt of the Mobility Products, process Consumer Data in accordance with the requirements of applicable Data Protection Laws and Partner will ensure that its instructions for the processing of Data shall comply with applicable Data Protection Laws. Partner shall have sole responsibility for the accuracy, quality, and legality of the Data and the means by which Partner acquired the Data. Notwithstanding the foregoing, Partner acknowledges that Data may be stored and/or processed in a different country than where Mobility Services are provided. Data from a Partner in the European Economic Area (“EEA”) or Switzerland may only be exported or accessed by HERE or its subprocessors outside the EEA or Switzerland, if: (i) the recipient, or the country or territory in which it processes or accesses Data, ensures an adequate level of protection as determined by the European Commission; or (ii) Standard Contractual Clauses (as defined below) for the transfer of personal data to processors established in third countries apply.

(3)  To the extent Partner, in its use or receipt of the Mobility Products, does not have the ability to correct, amend, block or delete Data as required by applicable Data Protection Laws, HERE shall comply with any commercially reasonable request by Partner to facilitate such actions to the extent HERE is legally permitted and technically able to do so. HERE shall, to the extent legally permitted, promptly notify Partner if it receives a request from a User and/or a Driver for access to, correction, amendment or deletion of that person’s Data. HERE shall not respond to any such request without Partner’s prior written consent except to confirm that the request relates to Partner. HERE shall provide Partner with commercially reasonable cooperation and assistance in relation to handling of a request for access to that person’s Data, to the extent legally permitted and to the extent Partner does not have access to such Data through its use or receipt of the Mobility Products.

(4)     Partner authorizes HERE to subcontract the processing of Data to subprocessors, as required for the functioning of the Mobility Products under this Agreement. In case of any subprocessing, HERE shall enter into a written contract with its subprocessor which imposes at least equivalent obligations on the subprocessor as are imposed on HERE under this Agreement; such contract shall include a description of the technical and organizational measures, which the subprocessor has to implement in such a manner that the processing will meet the requirements of the applicable Data Protection Laws. If Partner requests, HERE will inform Partner of the name, address and role of each involved subprocessor. HERE´s use of subprocessors is at HERE´s sole discretion. HERE will notify Partner in advance (by email or by posting on a protected web portal) of any changes to the list of subprocessors in place on the Effective Date (except for emergency replacements or deletions of subprocessors without replacement). If Partner has a legitimate reason that relates to the subprocessor´s processing of personal data, Partner may object to HERE´s use of a subprocessor, by notifying HERE in writing within thirty days after receipt of HERE`s notice. If Partner objects to the use of the subprocessor, the parties will discuss a resolution in good faith. HERE may choose to: (i) refrain from using the subprocessor, or (ii) take the corrective steps requested by Partner as specified in its objection and use the subprocessor. If none of these options are reasonably possible and Partner continues to object for a legitimate reason, either party may terminate the Agreement on thirty days´ written notice. If Partner does not object within thirty days of receipt of the notice, Partner is deemed to have accepted the new subprocessor. Where legally required, HERE has entered into the unchanged version of the Standard Contractual Clauses for the transfer of personal data to processors established in third countries pursuant to Commission Decision 2010/87/EU (“Standard Contractual Clauses”) prior to the subprocessor´s processing of Data. Partner hereby accedes to the Standard Contractual Clauses between HERE and the subprocessor.

(5)    HERE shall ensure that its personnel and subprocessors engaged in the processing of Data and are informed of the confidential nature of the Data and have received appropriate training on their responsibilities and are subject to obligations of confidentiality and such obligations survive the termination of that persons’ or subcontractors’ engagement with HERE. HERE shall ensure that HERE and its Affiliates’ access to Data and is limited to those personnel who require such access to perform the Agreement. HERE has appointed a data protection officer where such appointment is required by Data Protection Laws who may be reached by email at privacy@here.com.

(6)     If HERE becomes aware of any unlawful access to any Data stored on HERE’s equipment or in HERE’s facilities, or unauthorized access to such equipment or facilities resulting in loss, disclosure, or alteration of Data for which notice is required under applicable Data Protection Laws (“Security Breach”), HERE will promptly: (a) notify Partner of the Security Breach; (b) investigate the Security Breach and provide Partner with information about the Security Breach; and (c) take reasonable steps designed to mitigate the effects and to minimize any damage resulting from the Security Breach. Partner agrees that an unsuccessful Security Breach attempt will not be subject to this Section. An unsuccessful Security Breach attempt is one that results in no unauthorized access to, or loss, disclosure or alteration of, Data or to any of HERE’s equipment or facilities storing Data, and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond IP addresses or headers) or similar incidents; and HERE’s obligation to report or respond to a Security Breach under this Paragraph 6 of this Section D is not and will not be construed as an acknowledgement by HERE of any fault or liability with respect to the Security Breach. Notification(s) of Security Breaches, if any, will be delivered to one or more of Partner’s business, technical or administrative contacts by any means HERE selects, including via email. It is Partner’s sole responsibility to ensure it maintains accurate contact information on HERE’s support systems at all times.

(7)  HERE shall comply with the requirements relating to the security of processing personal data as required by applicable Data Protection Laws. In particular, HERE shall implement and maintain appropriate technical and organizational measures ensuring a level of protection that is reasonable and sufficient in terms of the risks related to the processing and the nature of the involved personal data. A description of the technical and organizational measures, implemented by HERE, is set forth herein below as Annex 2 (“HERE Technical and Organizational Measures”).

(8)        Partner may audit HERE´s security practices relevant to personal data processed by HERE only if: (i) HERE has not provided sufficient evidence of its compliance with the technical and organizational measures through providing a certification as to compliance with ISO 27001 or other standards; (ii) a Security Breach has occurred; (iii) Partner has reasonable grounds to suspect that HERE is not in compliance with its obligations under this Section D; (iv) an audit is formally requested by Partner´s competent data protection authority; or (v) mandatory Data Protection Laws provides Partner with a direct audit right. Where Partner audits HERE´s environment upon reasonable advance notice of at least sixty days, HERE will reasonably support Partner in its auditing process. The Partner audit will be limited to once in a calendar year and limited to a maximum of one business day without disrupting HERE´s regular course of business. Partner and HERE will each bear their own audit costs.

(9)     HERE shall return Data to Partner and/or delete Data in accordance with HERE’s procedures and applicable Data Protection Laws and/or consistent with the terms of the Agreement; provided that HERE shall have no obligation to delete Data that has been de-identified.

(10) For the duration of this Agreement, Partner shall: (i) maintain and publish an adequate terms and privacy notice (“Partner Terms”) where applicable, that comply, in full, with Data Protection Laws, with respect to the Data collected and/or made available by Partner in connection with or in relation to the Mobility Products, (ii) receive the Users’, Consumers’ and Drivers’ consent (where legally required to do so) to the Partner Terms, in an active, clear and distinguished manner in accordance with applicable Data Protection Laws; and (iii) ensure that its privacy policy explains (a) what information Partner collects; (b) why Partner collects such information; (c) how Partner uses such information; (d) the delineation of roles between HERE and Partner as described in this Section D; and (e) how Users, Consumers and Drivers can access and update information. The Partner Terms shall also disclose to Users, Consumers and Drivers that Partner allows HERE to collect information as set forth in HERE’s applicable privacy policy, available at https://legal.here.com/en-gb/privacy. The Partner Terms shall be in compliance with applicable law and regulations, and the terms of this Agreement. The Partner Terms are an agreement between Partner and the Users, Consumers or Drivers (as applicable) and HERE has no obligation and/or liability with respect to the Partner Terms. Partner may not impose any terms on the Users, Consumers or Drivers that are inconsistent with the terms of this Agreement, and/or impose any liability on HERE unless otherwise set forth herein. To the extent any such conflict exists, the parties agree that HERE’s privacy policy shall prevail.

F. Additional Reports/Audit Terms and Conditions.

(1) The Partner Reports set forth in Section 5.1 of the General Terms and Conditions (Marketplace Supply/EU) or the General Terms and Conditions (Marketplace Supply/USA), as applicable, shall include the following: (i) the number of rides booked by Consumers and the number of rides actually taken by Consumers, (ii) the calculation of the Fees, (iii) the fee paid by the Consumer for each ride; and (iv) any additional reports as shall be mutually agreed upon by the parties.

Annex 1

Driver Notice

You are receiving this document (“Driver Notice”) because the entity that employs you (or contracts for your services, as applicable, your “Contracting Entity”) has entered into an agreement with HERE (“Company”) in order to participate in the Company’s Mobility Marketplace (“Marketplace”). The Marketplace enables transportation demand partners to be matched with transportation supply partners. You are being asked to participate as a driver that will provide transportation services in connection with the Marketplace.

PLEASE READ THIS DRIVER NOTICE CAREFULLY BEFORE TAKING ANY FURTHER ACTION REGARDING THE MARKETPLACE. IF YOU DO NOT AGREE TO THE TERMS AND CONDITIONS OF THE MARKETPLACE (E.G., THE TERMS OF USE AND THE PRIVACY NOTICE, WHICH YOU CAN FIND (https://legal.here.com/en-gb/terms/here-mobility-products-supplemental-t... and https://legal.here.com/en-gb/terms/here-mobility-products-supplemental-p...), YOU SHOULD PROMPTLY CONTACT YOUR CONTRACTING ENTITY TO INDICATE THAT YOU DO NOT WISH TO PROVIDE TRANSPORTATION SERVICES IN CONNECTION WITH THE MARKETPLACE.

1.              Participation in the Marketplace as a Driver.  In order to participate in the Marketplace, you simply need to continue providing transportation services as part of your engagement with the Contracting Entity, in the same way you currently do.   

1.1.   Continue to log all relevant ride information (e.g., pick-up and drop-off locations; pick-up and drop-off times; number of Consumers, etc.).

1.2.   Provide your logs to your Contracting Entity.

1.3.   Your Contracting Entity will input the relevant information into the Marketplace to facilitate matching riders with transportation services.

2.              Notice Regarding Privacy and Terms of Use. We are providing this Driver Notice to make you aware of the following:

2.1.  The Terms of Use and the Privacy Notice referenced above implicate your legal rights, so you should be sure to read and understand them. If you have any questions regarding them, please contact your Contracting Entity or the Company at the addresses below. 

2.2.  The information entered by your Contracting Entity into the Marketplace may identify you personally (e.g., your name, license number, phone number, vehicle identification number, license plate, recent locations, etc.), and such information will be available to third parties using the Marketplace.

2.3.  With respect to information uploaded into the Marketplace that may identify you personally (“Driver Personal Data”), your Contracting Entity is the data controller and the Company is the data processor for purposes of compliance with the requirements of applicable data protection laws in the country in which you provide transportation services (“Privacy Laws”). The Company’s processing of your Driver Personal Data shall be within a dedicated, logically segregated platform and limited to the following purposes: (i) the processing, use, storage, disclosure and disposal of such Driver Personal Data for purposes of matching riders with your transportation services;  and (ii) de-identifying your Driver Personal Data such that it no longer relates to you or is rendered anonymous in such a way that you are no longer identifiable (“Anonymous Data”), for purposes of utilizing such Anonymous Data in the Company’s other products. Notwithstanding the foregoing, in the event the Company and your Contracting Entity are deemed to be joint data controllers with regard to Driver Personal Data, the Company and your Contracting Entity shall apportion data protection compliance responsibilities between one another for purposes of compliance with applicable Privacy Laws.

Please direct any questions regarding the Marketplace or this Driver Notice, including questions related to privacy, to: support@heremobility.com.

Annex 2

HERE Technical and Organizational Measures

In order to protect personal rights while processing personal data on behalf of Partner, HERE has implemented the following technical and organizational measures (as may be amended from time to time by HERE, at its sole discretion, by providing Partner with written notice thereof):

SECURITY POLICIES AND MANAGEMENT

HERE has ensured that its senior management assigns security responsibilities and reviews the implementation of security within the organization. Senior management has nominated an individual responsible for the overall security, risk management, information security, privacy and controls for handling personal data.

HERE has established and demonstrated commitment to security through an organization-wide security policy (“Security Policy”). This Security Policy and related guidelines are communicated to all employees working on Partner engagement.

HERE has its own, dedicated information classification schema based on information sensitivity (for example, internal, confidential, and secret) and established measure to ensure that information ownership is defined at all times. This schema includes appropriate security controls to protect Partner information, personal data and assets, where applicable.

HERE conducts security risk assessments either for Partner engagement or as part of its normal business operations at least at an annual frequency, incorporating emerging threats, possible business impacts and probabilities of occurrence. HERE modifies the security related processes, procedures and guidelines based on the findings in such security risk assessments.

INDEPENDENT CERTIFICATIONS AND AUDIT RIGHTS

For the production systems which run the HERE services provided under the Agreement and during the term of the Agreement, HERE maintains applicable certifications based on ISO 27001. Upon Partner’s request or at least annually, HERE shall inform Partner about the applicable certifications and/or reports and provide a copy of such certifications and/or reports, including scope of such certifications (including any identified deficiencies), for Partner to review. Information and copies of such certifications and reports shall be confidential information of HERE.

SECURITY INCIDENT MANAGEMENT

HERE has established adequate issue and/or incident response procedures (or plans) and nominated persons to react and minimize in a timely fashion further damage caused by security or privacy issues, vulnerabilities and incidents. HERE notifies and escalates events related to unauthorized disclosure, modification or misuse of Partner´s personal data under the Agreement. HERE shall use agreed incident communications channels in communicating the incident(s) in a timely fashion. HERE shall attempt to mitigate the incident, related to Partner´s personal data, already at the time of noticing and shall report to Partner only such incidents which cannot be excluded from being identified as false alerts. HERE shall have competent people to conduct investigations.

EMERGENCY RESPONSE AND BUSINESS CONTINUITY

HERE has a documented and implemented up-to-date emergency response plan for provided services, focusing on the availability and integrity of the services in scope as well as on the safety of people, premises and assets. Where applicable and necessary, HERE has communicated this plan to its employees.

HERE has appropriate workaround solutions in place for delivering as per agreed applicable Service Level Agreement (SLA), if any. These measures shall be documented in form of a plan and tested as part of Business Continuity testing cycle of HERE.

PERSONNEL AND SUBCONTRACTOR SECURITY

HERE personnel, their subcontractors and their external service providers shall have valid, signed, written confidentiality obligations prior to accessing environments, where Partner’s personal data is processed. HERE shall ensure that there is a verifiable and auditable trail of confidentiality obligations at all times between Partner, HERE and their subcontractors and/or external service providers.

HERE ensures that there is an appropriate entry and exit procedure for personnel changes that includes granting and disabling of user access and returning of assets when terminating the employment with HERE or upon personnel changes related to Services provisioning targeted to Partner.

AWARENESS

HERE conducts security and privacy awareness trainings (or refresher sessions) during induction and thereafter at least annually to all relevant existing employees and new hires. HERE ensures that due emphasis is given to the handling of client confidentiality and specifically unlaunched product information and social media guidelines (and restrictions).

IT SECURITY

HERE has implemented appropriate access control and access rights management designed to ensure that data is only processed by a minimum number of authorized persons who have access to requisite data needed to perform their work-related duties (i.e., role-based access control with least privileges).

HERE maintains the following: processes for authorizing and terminating user access and subcontractor access, including emergency access termination procedure; password management policy including password complexity requirements, no common or shared user accounts in use, password aging where systems do not support use of password managers, and secure delivery of credentials to users; audit records of all existing user privileges, shall be retained and reviewed regularly to remove excess privileges, and processes which ensure segregation of duties.

HERE further maintains a sufficient audit trail and the use of access privileges (changes, who, what, when) is in place when dealing with sensitive (confidential or secret) information.

HERE collects logs pertaining to user access to Partner Data and stores such logs for at least three (3) months unless otherwise restricted by local legislation.

HERE has implemented reasonable and appropriate information security measures (e.g., hardening, patching, antivirus, IDS, etc.) to protect Partner Data against unauthorized or accidental access, use, disclosure, deletion, destruction, loss, alteration or amendment.

HERE only stores and processes Partner Data in an environment where requisite security controls have been implemented. HERE ensures that IT infrastructure and networks are designed and managed to protect IT systems, information, users and electronic communications.

HERE uses industry standard techniques to secure the connectivity between Partner and HERE against eavesdropping and alteration (including wireless access or remote connection), in solutions and services.