Service Provider Data Protection Policy

This Policy sets forth the obligations of our service providers and contractors who receive or obtain personal information as a result of their relationship with UniGroup, C.A. and its subsidiaries.

1. Definitions.
“Business Purpose” shall have the meaning set forth in the Data Privacy Addendum or as defined in applicable law. If the Business Purpose is not set forth in a Data Privacy Addendum, the Business Purpose shall mean the provision of transportation services under the authority of UniGroup’s motor carrier subsidiaries.

“Service Provider” shall mean the person or entity identified on the Data Privacy Addendum to the extent such person or entity (i) processes Personal Information on behalf of UniGroup or its affiliates, (ii) receives Personal Information from or on behalf of UniGroup, or (iii) to whom UniGroup has made Personal Information available.

“Personal Information” shall mean any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, from that information in combination with other information. To the extent the term “Personal Information” or substantively similar term is defined under applicable law (including, without limitation, the California Consumer Privacy Act and implementing regulations “CCPA”), such definition shall govern.

2. Compliance with Applicable Law. Service Provider agrees that it will comply and will cooperate with UniGroup so that it may comply, with all applicable law pertaining to Personal Information, including, without limitation, the CCPA.

3. Restrictions on use of Personal Information. Service Provider warrants and undertakes only to process Personal Information as set forth in this Addendum and/or as otherwise lawfully instructed by UniGroup in writing, except where otherwise required by applicable law. Specifically, Service Provider shall not:

i. Sell or share the Personal Information;
ii. Retain, use or disclose the Personal Information for any purpose (including any commercial purpose) other than the Business Purpose;
iii. Retain, use or disclose the Personal Information outside of the direct business relationship between UniGroup and Service Provider; or
iv. Combine the Personal Information with personal information it receives from, or on behalf of, another person or persons, or collects from its own interaction with the consumer.

4. Safeguards. Service Provider shall ensure it implements and maintains reasonable security procedures and practices appropriate to the nature of the Personal Information to protect such Personal Information from unauthorized or illegal access, destruction, use, modification or disclosure.

5. Audit Rights. On reasonable notice, Service Provider agrees to provide UniGroup or its clients (or its or their appointed auditors) with all information UniGroup deems reasonably necessary for UniGroup to audit Service Provider’s compliance with this Policy.

6. Cooperation and Consumer Rights. Service Provider will promptly provide all assistance reasonably required by UniGroup to enable UniGroup to comply with applicable privacy law, including consumer requests or requests from governmental authorities. Additionally, Service Provider shall provide immediate notice of any consumer requests it receives pertaining to the Personal Information.

7. Subprocessors. If Service Provider engages any other person to assist it in processing Personal Information for the Business Purpose on behalf of UniGroup; or if any person engaged by Service Provider engages another person to assist in the processing of Personal Information for the Business Purpose, Service Provider shall notify UniGroup of the engagement, obtain UniGroup’s consent to such subprocessing, and the engagement shall be pursuant to a written contract binding the other person to observe all the requirements set forth in this Policy. Service Provider shall immediately cease using a particular subprocessor upon receiving written notice from UniGroup.

8. Notification in the Event of Non-compliance. Service provider will notify UniGroup immediately upon making a determination that Service Provider has violated the terms of this Policy or can no longer meet its obligations under this Policy. Service Provider grants UniGroup the right to remediate Service Provider’s unauthorized use of Personal Information, including the use of audits and certifications to verify compliance.

9. Deletion or Return of Data. Upon written notice from UniGroup to Service Provider, or upon the termination of the agreement by which this Policy is incorporated, Service Provider will destroy or return to UniGroup all Personal Information in its possession or control (including any Personal Information subcontracted to a third party for processing), unless any applicable law requires Service Provider to retain such Personal Information, in which case Service Provider shall maintain only that Personal Information it is required to maintain under applicable law for such period as applicable law requires.

10. Indemnity. Without limiting any indemnity obligations Service Provider may have under any other agreement, Service Provider will indemnify and hold harmless UniGroup, its affiliates, members and agents, and its and their officers, directors, and employees from and against any and all claims, liabilities, losses, expenses, and costs (including reasonable attorneys’ fees) that such party may suffer as a result of Service Provider’s non-compliance with the terms of this Policy.