Data Privacy

A.           This provision applies whenever Supplier will have access to any Personal Information that is provided to or accessible by Supplier or its agents, representatives, or subcontractors in connection with this agreement or any transactions hereunder. "Personal Information" means information relating to an identified or identifiable natural person, regardless of the medium in which the information is collected, processed, or transferred. The term includes information about a Lydall director, employee, contractor, contract laborer, customer, supplier, or other third party. The term includes information collected, processed, and/or transferred in any format, including but not limited to hard copy, electronic, video recording, and audio recording.

B.           Supplier shall:

1.  Comply with all applicable national, federal, state and provincial laws relating to data privacy, the protection of Personal Information, and the cross-border transfer of Personal Information or data, including, without limitation, the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the laws and regulations of the European Union member states under the European Union Directive 95/46/EC (the "EU Directive"), the General Data Protection Regulation ("GDPR"), and any European Union law or regulation that may be enacted to replace the EU Directive or the GDPR.

2.  Only collect, access, use, or share Personal Information, or transfer Personal Information to authorized third parties, in performance of its obligations under this Agreement, in conformance with Lydall's instructions, or to comply with legal obligations.

3.  Not make any secondary or other use (e.g., for the purpose of direct marketing or data mining) of Personal Information except (i) as expressly authorized in writing by Lydall, or (ii) as required by law;

4.  Not share, transfer, disclose or provide access to Personal Information to any third party except to provide services under this Agreement or as required by law. If Supplier does share, transfer, disclose or provide access to Personal Information to a third party, it shall:

i.  Be responsible for the acts and omissions of any subcontractor or other third party, that processes (within the meaning of applicable data privacy laws) Personal Information on Supplier's behalf, in the same manner and to the same extent as it is responsible for its own acts and omissions with respect to such Personal Information;

ii.  Ensure such third party is bound by a written agreement that contains the same or equivalent obligations and protections as those set forth in this Agreement; and

iii.  Only share, transfer, disclose or provide access to a third party to the extent that such conduct is compliant with applicable law;

5.  Take commercially reasonable steps to ensure the reliability of Supplier's personnel who have access to the Personal Information and ensure that such access is on a need-to-know basis;

6.  Provide such information, assistance and cooperation as Lydall may reasonably require from time to time to establish Supplier's compliance with data privacy laws;

7.  Provide Lydall with commercially reasonably assistance in (i) deleting Personal Information upon request by the individual or his/her legal representative; (ii) providing appropriate privacy notices to individuals; and (iii) enabling individuals to opt-out of the collection and/or use of their Personal Information;

8.  Provide Lydall with the ability to purge Personal Information older than one year or such other time period agreed upon in writing by the parties; and

9.  Immediately advise Lydall in writing if it receives or learns of any: (i) complaint or allegation indicating a violation of data privacy laws regarding Personal Information; (ii) request from one or more individuals seeking to access, correct, or delete Personal Information; (iii) inquiry or complaint from one or more individuals relating to the collection, processing, use, or transfer of Personal Information; and (iv) any regulatory request for, subpoena, search warrant, or other legal, regulatory, administrative, or governmental process seeking Personal Information.  If Supplier learns of any such complaint, request, allegation, or inquiry, Supplier shall provide assistance to Lydall, fully cooperate with Lydall in investigating the matter, including but not limited to, providing the relevant information to Lydall, preparing a response, implementing a remedy, and/or cooperating in the conduct of and defending against any claim, court or regulatory proceedings. Lydall shall be responsible for communicating with individuals regarding their Personal Information unless Lydall authorizes Supplier to do so on its behalf. Supplier shall use commercially and legally reasonable efforts to limit the nature and scope of the required disclosure to the minimum amount of Personal Information required to comply with applicable law. Unless prevented by applicable law, Supplier shall provide Lydall with advance written notice of any such matters sufficient to allow Lydall to contest legal, regulatory, administrative, or other governmental processes.

10.  Provide written notice to Lydall as soon as possible and, in no instance in more than 48 hours of any actual or reasonably suspected incident of accidental or unlawful destruction or accidental loss, alteration, unauthorized or accidental disclosure of or access to Personal Information of which it becomes aware (a "Security Breach"); thereafter shall take all reasonable measures to contain and remedy the Security Breach, wherever possible; provide Lydall with information regarding the investigation and remediation of the Security Breach, unless restricted by law; not make any notification, announcement or publish or otherwise authorize any broadcast of any notice or information about a Security Breach (a "Security Breach Notice") without the prior written consent of and prior written approval by Lydall of the content, media and timing of the Security Breach Notice (if any), unless required to do so by law or court order; and even where required to do so by law or court order, make all reasonable efforts to coordinate with Lydall prior to providing any Security Breach Notice. Where the Security Breach involves data elements that could lead to identity theft and is on the Supplier's networks or systems or is the fault of the Supplier, Supplier will, at the request of Lydall pay for the costs of remediation, notification (including, where reasonably necessary, a call center), and provide the affected individuals with credit monitoring or other commercially-reasonable identity theft mitigation service for one year or such longer period as required by law or a government regulator.

11.  Obtain the prior written consent of any and all natural persons from whom Supplier collects Personal Information when required to do so by applicable data privacy Laws or as instructed by Lydall. In the event Supplier shall provide to Lydall any Personal Information, Supplier shall ensure that such personal information is provided consistent with applicable law, including, where required, obtaining consent or providing notice.

12.  Return or destroy (at Lydall's direction and option) Personal Information, unless and to the extent that: (i) such Personal Information is required by Supplier to discharge its obligations hereunder or under applicable law; or (ii) return or destruction is prohibited by applicable law. Absent contrary instructions and except as prohibited by law, Supplier shall immediately destroy all Personal Information after termination or completion of this Agreement after waiting 30 days to allow Lydall to request return of such Personal Information.

C.    If this Agreement involves the provision of services where the Supplier will (i) act as a Controller (as that term is defined in the EU Directive) and (ii) transfer Personal Information from any country in the European Economic Area ("EEA") to outside the EEA, then Lydall and Supplier agree that the terms of the Model Contract Clauses (also called the Standard Contractual Clauses) adopted by the European Commission in Decision 2004/915/EC (hereinafter the "Controller Model Clauses" or the "Model Clauses") are incorporated by reference as if set forth herein.

D.    If this Agreement involves the cross-border transfer of Personal Information from any country in the EEA to outside the EEA but the Supplier will not act as a Controller, then Lydall and Supplier agree that the terms of the Model Contract Clauses (also called the Standard Contractual Clauses) adopted by the European Commission in Decision 2010/87/EU (hereinafter the "Processor Model Clauses" or the "Model Clauses") are incorporated by reference as if set forth herein.

E.    Notwithstanding C. and D. above, Lydall and Supplier agree that:

1.  The Model Clauses may be incorporated in full text into this Agreement, or the parties may execute the Model Clauses as a separate stand-alone document.

2.  The stand-alone Model Clauses may be filed with regulators and/or used for any other legally permissible purpose and have the effect as if signed directly. If either party seeks to register the Model Clauses with a regulator and the regulator rejects the registration, the parties shall work together to modify the Model Clauses to address the regulator's requirements.

3.  If any of the terms of the Model Clauses conflict with any terms of this Agreement, the Model Clauses shall prevail.

4.  If Supplier engages any subcontractors that will access Personal Information covered by the Model Clauses, the Supplier shall ensure that transfers to the subcontractor comply with the Model Clauses.