• Supplier hosts the Supplier Data
• Supplier is a Sub-processor of Client Information
• Client Information includes Personal Data
• The Sub-processor is located in New Zealand
• The Sub-processor is located outside of the EEA
• Supplier uses further Sub-processors based in China
• Where GDPR applies to the End User, the End User must rely on a derogation to transfer Client Information to the Sub-processor who uses further Sub-processors based outside of the EEA in accordance with Article 49 GDPR

The Supplier Data that GBG uses to provide China National ID & Bank Card data is supplied by GBG’s Data Supplier, Data Zoo. GBG is obliged under the terms of its agreement with Data Zoo to ensure that all End Users agree to comply with the following provisions:

1. END USER OBLIGATIONS
1.1. The End User must not use the Supplier Data to validate, verify or update an existing database that is not part of this Agreement.
1.2. The End User shall only use the Supplier Data for the bona fide lawful business purposes of verifying age and/or identity of individuals with whom the End User has an existing or prospective business relationship. The Client Information must be genuine customer information belonging to the End User or existing or prospective customers of the End User and not derived wholly or substantially from a third party’s directory, list or other compilation and that the End User has through its own efforts collected and arranged the names, addresses and associated telephone numbers within the Client Information.
1.3. The End User must ensure that it has a lawful basis in order to verify that Data Subject through the Service. The End User must also ensure that it maintains, and can produce upon request, evidence of the lawful basis should Data Zoo or GBG require this in order to verify the End User’s compliance with its use of the Service.
1.4 The End User agrees to indemnify GBG against any claims arising against GBG as a result of any unlawful or unauthorised use of the Supplier Data or products by the End User subject to the following caveats:
(a) GBG makes no statement prejudicial to the End User
(b) Such claim is not caused by or contributed to by acts of GBG
(c) The End User is promptly notified in writing of the details of the claim;
(d) The End User has sole control of the defence of such claim and all related settlement negotiations
(e) GBG gives the End User all reasonable assistance at the End User’s expense in connection with it,
(f) GBG takes all steps to mitigate the losses, costs, damages, liabilities, fees and expenses it may incur and
(g) The End User shall not in any circumstances be liable for any loss of profits, goodwill or any type of special, indirect or consequential loss, even if reasonably foreseeable, or clearly anticipated.

2. DATA PROTECTION AND COMPLIANCE WITH RELEVANT LAWS
2.1 The Supplier Data used to provide this element of the Service is hosted by Data Zoo. In order to perform the Services, the Data Zoo shall act as Sub-processor of Client Information (including any Personal Data supplied) for the sole purpose of delivering this element of the Service. The End User authorises GBG to appoint Data Zoo as Sub-Processor for the purposes specified in this clause 2.1.
2.2 Data Zoo is based in New Zealand and uses further Sub-processors based in China, which are located outside of the EEA. Where GDPR applies to the End User, the End User acknowledges that prior to submitting Client Information to GBG for processing it shall determine, and is solely liable for ensuring that it can rely on a derogation to transfer Client Information to the Sub-processor based outside of the EEA in accordance with Article 49 GDPR.