• Supplier hosts the Supplier Data
• The Data Supplier receives and processes End User Data in its capacity as an independent controller
• End User Data includes personal data
• The Data Supplier is located in Ontario in Canada
• The Data Supplier is located outside of the EEA and the UK
• Commercial organisations in Canada which are subject to the Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”) are deemed to offer an adequate level of data protection by the European Commission.
• Ontario as a province of Canada is subject to PIPEDA and therefore businesses within Ontario are deemed to be adequate by the European Commission.

The Supplier Data used to provide the Canada Credit (Fintrac) Dataset is supplied by Equifax Canada (“Equifax”) and includes consumer credit information about Canadian data subjects. GBG is obliged under the terms of its agreement with Equifax to ensure that all End Users agree to comply with the following licensing provisions:

1. DEFINITIONS
1.1. In these Additional Terms, the following definitions shall apply, in addition to the definitions set out in the General Terms:
“End User Data” means any data provided to GBG by the End User for processing in accordance with the terms of the Agreement including where relevant any Personal Data.
“End User Information Form” means the information form containing details of the End User’s business, including, but not limited to, contact information and nature of the End User’s business.
“Permitted Purpose” means identity verification for fraud and/or regulatory purposes subject to the restrictions contained at clause 2 of these Additional Terms.

2. USE OF THE DATASET
2.1. Before accessing this Dataset, the End user must make the individual aware of the intended use of this Dataset and provide any notice to an individual that is required by Privacy and Data Protection Requirements before providing End User Data to GBG.
2.2. The End User covenants and agrees that it is the owner of the End User Data and that it has the authority to provide the End User Data in order to receive this Dataset and the Supplier Data and/or Output Material.
2.3. The End User shall not use this Dataset for personal reasons.
2.4. The End User must agree to only use this Dataset for their direct business and in a manner that complies with applicable laws, including Canadian federal and provincial laws.
2.5. The End User agrees that it will not:
(a) Resell, transfer, distribute or otherwise give any third party access to the Dataset;
(b) Assert any intellectual property right claim or other interest in the Dataset;
(c) Assign or otherwise transfer any of its rights to use this Dataset
2.6. The End User may agree that it will:
(a) keep all information, data and documentation relating to this Dataset, including any account codes and passwords used to access this Dataset secure and confidential;
(b) comply with the obligations set out in clause 5.2 of these Additional Terms
(c) securely destroy or delete information received as a result of this Dataset when it no longer has a need to keep it;
(d) allow GBG to conduct an audit to confirm the End User is in compliance in accordance with the Agreement.
(e) provide GBG with any relevant information and documents that GBG requests to respond to any question, investigation or audit by Equifax under GBG’s agreement with Equifax;
(f) give GBG prompt notice of any change that occurs from time to time in the information it provided on its End User Information Form;
(g) comply with any changes made and notified to the GBG upon at least 10 days notice, to these Additional Terms from time to time as a condition of its continued use of this Dataset;
(h) acknowledge that this Dataset is not guaranteed to be error-free or uninterrupted;
(i) acknowledge that these Additional Terms may change from time to time to comply with applicable law.
(j) consent to Equifax and / or GBG sharing any non-personal information (as defined under Applicable Law) about the End User's use of the Services with the other.
2.7. The End User warrants that it will not use this Dataset for any reason outside the Permitted Purpose.

3. DUE DILLIGENCE
3.1. Prior to granting the End User access to this Dataset, GBG must carry out a comprehensive membership review of the End User as well as a site inspection of the principal place of business of the End User to determine whether the End Users are appropriately verified and credentialed.
3.2. The End User acknowledges and agrees that access to this Dataset is dependent on the completion of a satisfactory security audit and questionnaire that demonstrates compliance with these terms in accordance with clause 3.1.

4. SERVICE LEVELS
4.1. Notwithstanding the Service Levels in the Agreement, the End User acknowledges and accepts that:
(a) Equifax performs regular maintenance on their systems and may utilise all their published maintenance windows during which the use of the Dataset may be unavailable. The maintenance windows are as set out below in Eastern Time (ET)
• Monday: 12:30 am to 4:30 am ET
• Tuesday to Saturday: 3.30am to 4.00am ET
• Sunday 2.30am to 6.30 am ET
(b) Equifax provides no specific resolution times for incidents that affects their services therefore the service resolution times as part of GBG’s Standard Support Services do not apply for this Dataset.

5. DATA PROTECTION AND COMPLIANCE WITH RELEVANT LAWS
5.1. The End User warrants that it shall comply with Canadian privacy laws, consumer reporting legislation and any other applicable acts, regulations, judicial actions and/or orders of an administrative tribunal, as now or as become effective throughout the term of the Agreement.
5.2. The End User acknowledges and accepts that where the End User is subject to Proceeds of Crime (Money Laundering) and Terrorist Financing Act of Canada (PCMLTFA), the Customer Audit Trail does not retain all the reporting requirements under PCMLTFA and the End User is solely responsible for complying with reporting requirements under PCMLFTA. Thus, the End User shall record and store the response codes provided in connection with the Service in accordance with the requirements set out under PCMLTFA
5.3. The End User acknowledges and accepts that GBG is not a reporting entity for the purposes of PCMLTFA and has no liability whatsoever in connection with the End User’s failure to comply with clause 5.2.
5.4. The End User shall have a lawfully compliant privacy notice at the point at which it collects personal data from the data subject/individual. The End User’s privacy notice shall provide the necessary information that a reasonable data subject/individual would require to understand the nature, purpose, and consequence of the collection, use and disclosure of their personal data. The End User warrants and represents that its privacy notice includes all of the required information it is obligated to incorporate under PIPEDA, including but not limited to the following:
(a) The personal data it is collecting;
(b) How it will use the personal data that it is collecting;
(c) Who it will disclose the personal data to;
(d) Why it is disclosing the personal data to other parties; and
(e) The risks of harm or other consequences
5.5. Should the End User utilize batch processing as part of the Service, then the End User warrants and represents that it was and continues to be compliant with the requirements set out at clause 5.4 above at the point of collection of personal data from the data subject/individual.
5.6. The End User shall fully indemnify GBG against all liabilities, costs, expenses, damages and losses incurred by GBG as a result of the End User’s failure to comply with clause 5.4 and 5.5 of these Additional Terms. Liability in relation to this indemnity shall be uncapped.
5.7. The Supplier Data used to provide you with this Dataset is hosted by Equifax in Canada. In order to deliver this Dataset Equifax shall receive and process End User Data in its capacity as a controller.
5.8. Equifax is located in Ontario which is subject to PIPEDA therefore the Parties acknowledge that businesses within Ontario are deemed to offer an adequate level of data protection for personal data by the European Commission. On this basis, the Parties acknowledge that End User Data can be safely transferred to Equifax for processing without further data export safeguards.