Vodafone Data Protection Terms 23-10-2018

VODAFONE GROUP ENTERPRISE LIMITED

DATA PROTECTION TERMS

These Data Protection Terms are current as of October 23, 2018.

Data Protection - When Service Terms identify Vodafone is Data Controller

Vodafone may Process User Personal Data for the following purposes: (a) account relationship management; (b) sending bills; (c) order fulfilment / delivery; and (d) customer service.

As an electronic communications services provider, Vodafone may Process Traffic Data for the following purposes: (a) delivering User communications; (b) calculating Charges for each User; (c) identifying and protecting against threats to the Network/Services; and (d) internal use for development and improvement of Network/Services.

Vodafone may disclose User Personal Data and Traffic Data: (a) to Vodafone Group Companies or suppliers and/or (b) if required by Applicable Law, court order, Privacy Authority, or any Authority.

Vodafone’s privacy notice can be found here: https://www.vodafone.com/business/privacy-policy.

Data Protection – When Service Terms identify Vodafone is Data Processor

Processing User Personal Data: Vodafone may only Process User Personal Data for: (a) provision and monitoring of the Service; or (b) any other purpose agreed between the Parties in writing. Additional instructions from Customer require prior written agreement and may be subject to Charges.

De-identified data: Vodafone may use User Personal Data to create statistical data and information about service usage and devices that does not identify a User.

Sub-Processors: Vodafone may engage Sub-Processors. Current Sub-Processors are listed at https://www.vodafone.com/business/global-enterprise-subprocessors. If Vodafone adds a new Sub-Processor or replaces an existing Sub-Processor, Vodafone will either: (a) give Customer at least ten (10) Working Days’ prior notice, or (b) list the new or replacement Sub-Processor on Vodafone’s Privacy Page at least ten (10) Working Days before Vodafone permits the new or replacement Sub-Processor access to User Personal Data so that Customer has the opportunity to reasonably object to the changes during the notice period.

Sub-Processor Obligations: Vodafone enters into binding agreements with its Sub-Processors that imposes upon the Sub-Processor substantially the same legal obligations for Processing activities as these General Terms. If a Sub-Processor fails to fulfil its data protection obligations under the agreement, Vodafone remains liable to Customer for the performance of that Sub-Processor’s obligations.

Data retention: Vodafone may retain the User Personal Data for as long as required to deliver the Service and will destroy or return (at Customer’s option) User Personal Data in its possession upon termination of the Agreement, unless Applicable Law prevents Vodafone from returning or destroying it. If Customer opts for Vodafone to retain User Personal Data, it must be subject to a new hosting agreement.

Data Access: Vodafone limits access to User Personal Data to those persons necessary to meet Vodafone's obligations in relation to the Service and takes reasonable steps to ensure that they: (a) are under a statutory or contractual obligation of confidentiality; (b) are trained in Vodafone’s policies relating to handling User Personal Data; and (c) do not process User Personal Data except as instructed by Customer unless required to do so by Applicable Law.

Security: As required by Applicable Privacy Law, Vodafone shall: (a) provide appropriate technical and organizational measures for a level of security appropriate to the risks that are presented by Processing; (b) comply with the security requirements contained in the Vodafone information security policies based on ISO/IEC 27001:2013; (c) provide Customer with such information, assistance and co-operation as Customer may reasonably require to establish compliance with the security measures contained in Applicable Privacy Law; (d) notify Customer without undue delay of any unauthorised access to User Personal Data that Vodafone becomes aware of and that results in loss, unauthorised disclosure, or alteration to the User Personal Data; (e) provide reasonable assistance to Customer in relation to any personal data breach notification that Customer is required to make under Applicable Privacy Law; and (f) provide Customer reasonable assistance, prior to any Processing: (A) with carrying out a privacy impact assessment of the Services; and (B) with a consultation of the relevant Privacy Authority regarding Processing activities related to the Services. Further information on data security measures is found at https://www.vodafone.com/business/customer-security.

Audit: Where Customer has a right of audit and inspection under Applicable Privacy Law, Customer agrees to exercise its right as follows:

No more than once each calendar year, Customer may request to review Vodafone’s security organization and the good practice and industry standards contained in Vodafone’s information security policies. Any audit may only relate to data protection compliance of the Services. If the Transfer Contract Clauses apply, nothing in this Clause amends or varies those standard clauses nor affects any data subject or Privacy Authority’s rights under those clauses.

In connection with an audit, Vodafone shall inform Customer if, in its opinion, any Customer instruction infringes Applicable Privacy Law; however, this requirement does not affect Customer’s responsibility for ensuring its instructions comply with Applicable Privacy Law.

Customer is responsible for reviewing the information Vodafone makes available and making an independent determination if the Services meet Customer’s requirements and legal obligations.

Transfer of User Personal Data out of the European Economic Area (“EEA”): Vodafone may Process or transfer User Personal Data in countries outside the EEA that have not been designated by the European Commission as ensuring an adequate level of protection under Applicable Privacy Law only to the extent that: (a) it is Processed or transferred on terms substantially in accordance with the Transfer Contract Clauses; (b) the Processing or transfer of User Personal Data does not put any Customer Group Company in breach of its obligations under Applicable Privacy Law; or (c) it is required to do so by Applicable Law; in that
case, where required by Applicable Privacy Law Vodafone will inform Customer of that legal requirement before Processing, unless prohibited by another Applicable Law.

Law enforcement: Vodafone: (a) may receive legally binding demands from a law enforcement Authority for the disclosure of, or other assistance in respect of, User Personal Data, or be required by Applicable Law to disclose User Personal Data to persons other than Customer (a “Demand”); (b) is not in breach of any obligation to Customer in complying with a Demand to the extent legally bound; and (c) will notify Customer as soon as reasonably possible of a Demand unless otherwise prohibited.

User Enquiries: When Customer is required under Applicable Privacy Law to respond to enquiries or communications (including subject access requests) from Users, and taking into account the nature of the Processing, Vodafone will: (a) pass on to Customer without undue delay any such enquiries or communications received from Users relating to their User Personal Data or its Processing; and (b) have reasonable technical and organizational measures to assist Customer in fulfilment of those obligations under Applicable Privacy Law.

Definitions

Applicable Law means law, regulation, binding code of practice, rule, order, or requirement of any relevant government or governmental agency, professional or regulatory Authority, each as relevant to: (a) Vodafone in the provision of the Service; and (b) Customer in the receipt of the Service or the carrying out of its business.

Applicable Privacy Law means Applicable Law applicable to the Processing of Personal Data under the Customer Agreement, including but not limited to the GDPR.

Authority means those governments, agencies, professional, and regulatory authorities that supervise, regulate, investigate, or enforce Applicable Law.

Customer Agreement means an agreement for purchase of Services signed by both Parties, including Local Agreements.

Customer Group means Customer and any company that controls, is controlled by, or is under common control with Customer. For this purpose, control means having the beneficial ownership of more than 50% of the issued share capital, or the legal power to direct the general management of the company in question, at or after the date of the Customer Agreement (and Customer Group Company(ies) or CGC has a corresponding meaning).

Data Controller means the person that determines the purposes and means of Processing the data.

Data Processor means the person that Processes data on behalf of the Data Controller.

Equipment means the hardware and related software Customer must have to use the Service, including SIMs.

GDPR means General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.

Privacy Authority means the Authority that enforces the Applicable Privacy Law in the relevant jurisdiction.

Process/Processed/Processing means obtaining, recording, or holding information or data or carrying out any operation or set of operations on it.

Service(s) means the services and Equipment provided by Vodafone under the Customer Agreement as described in the Service Terms.

Service Terms means the document named Service Terms that describes the Services to be delivered by Vodafone under a Customer Agreement.

Sub-Processor means a sub-contractor that carries out Processing activities in the provision of the Services or fulfils certain obligations of Vodafone under a Customer Agreement.

Third Party Provider means a third party contracted by either Vodafone or Customer that provides a Service Element or that provides service that connects to the Service. Third Party Providers may include members of the Vodafone Group.

Traffic Data means any data Processed for the purpose of the conveyance of a communication on an electronic communications network and for billing.

Transfer Contract Clauses means the model contract clauses set out in the European Commission’s Decision of 5 February 2010 under the Directive 95/46/EC on standard contractual clauses for the transfer of Personal Data to Processors established in third countries, as may be amended or replaced from time to time.

User means an end user of the Services who must be a permanent or temporary employee or sub-contractor of Customer.

User Personal Data means any information that relates to an identified or identifiable User.

Vodafone Group means: (a) Vodafone Group Plc, Vodafone, and any company that Vodafone Group Plc owns (directly or indirectly) 15% or more of the issued share capital; and (b) any partner listed on the "Where we are" page at www.vodafone.com (and Vodafone Group Company(ies) or VGC has a corresponding meaning).

Vodafone Proprietary - C1 Public Vodafone Data Protection Terms Page 2 of 2
