Data Processing Agreement
Note: Below is the Data Protection Agreement we use at Savio. If you’d like an executable version please email sales@savio.io.
This Data Protection Agreement (“DPA”) is made and entered into as of the last signature date of the DPA as signed by both Parties by and between Customer (as set out in the Agreement) (the “Data Controller”); and the Provider (as set out in the Agreement) (the “Data Processor”)
Capitalized terms used but not defined in this DPA shall have the meanings set forth in the Agreement.
1. INTERPRETATION
The terms and expressions set out in this DPA shall have the following meanings:
“Agreement” means the agreement between the parties for purchase of the Data Processor’s Services.
“Data Controller”, “Data Processor” and “processing” shall have the meanings given to them in the Applicable Privacy Laws;
“Personal Data” means all data relating to individuals which is processed by the Data Processor on behalf of the Data Controller in accordance with this DPA;
“Applicable Privacy Law” means all privacy, data security, and data protection laws, directives, regulations, and rules in any jurisdiction; applicable to the Personal Data processed under this DPA including, without limitation to the extent applicable, the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”), the UK GDPR from December 31 st 2020 and the United Kingdom Data Protection Act of 2018 (together “UK Privacy Law”), the Swiss Federal Act on Data Protection (“or Service Provider, as applicable.“), the US States Data Laws (as defined herein);
“SCCs” means the Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021. To avoid doubt Modules 2 and 3 shall apply as set out in Section 8.2.
“Sub-processor” means any third party that Data Processor engages to Process Personal Data on behalf of Data Processor to provide the Services.
2. CATEGORIES OF PERSONAL DATA COVERED BY THE DPA
2.1. The categories of personal data covered in this DPA are set out in Annex I.
3. PROCESSING AND USE OF PERSONAL DATA
3.1. Data Processor is to process Personal Data received from the Data Controller (a) in compliance with instructions provided by the Data Controller as set out in this DPA (b) exclusively for the purpose of providing the Services established in the Agreement or (c) as otherwise notified in writing in accordance with the notice provisions in the Agreement by the Data Controller to the Data Processor during the term of the Agreement.
3.2. The Data Processor agrees to comply with any reasonable measures required by the Data Controller to ensure that its obligations under this DPA are satisfactorily performed in accordance with all applicable legislation from time to time in force.
3.3. All Personal Data provided to the Data Processor by the Data Controller or obtained by the Data Processor in the course of its work with the Data Controller is confidential
and may not be copied, disclosed or processed in any way without the express authority of the Data Controller.
3.4. The Data Processor shall at all times comply with the Applicable Privacy Laws and shall not perform its obligations under this DPA, or the Agreement, in such way as to cause the Data Controller to breach any of its applicable obligations under Applicable Privacy Laws.
4. SECURITY OF PERSONAL DATA
4.1. Data Processors agrees to implement and maintain an appropriate information security program with technical and organizational measures to protect the security of Personal Data to a level of security appropriate to the risk; in particular, against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure.
4.2. Data Processor, if so requested by the Data Controller, shall supply details of the technical and organizational systems in place to safeguard the security of the Personal Data held and to prevent unauthorized access.
4.3. All Personal Data provided to the Data Processor by the Data Controller or obtained by the Data Processor in the course of its work with the Data Controller is confidential and may not be copied, disclosed or processed in any way without the express authority of the Data Controller.
5. SUB-PROCESSORS AND EMPLOYEES
5.1. Where the Data Processor processes Personal Data on behalf of the Data Controller it shall take reasonable steps to ensure the reliability of all employees and Sub-processors.
5.2. Data Processor will take reasonable measures to inform and train its employees about relevant privacy legislation and data security and ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and ensure that all employees and Sub-processors are informed of the confidential nature of the Personal Data and are aware of Data Processor’s duties under this DPA and their personal duties and obligations under Applicable Privacy Law;
5.3. Data Controller approves the use of the Sub-processors set out in Annex III to the SCCs.
5.4. Data Processor shall not sub-contract its processing of Personal Data, or otherwise permit any third party to process Personal Data, without Data Controllers’ prior general authorization, which is hereby granted for the processing of Personal Data by (a) Sub- processors authorized to provide services under the Agreement in order to perform such services, and (b) Sub-contractors to the extent necessary, while providing ancillary administrative, infrastructure and other support services to Data Processor. Data Processor shall not disclose, transfer and/or grant access to Personal Data to a Sub-processor unless Data Processor: (i) executes a written agreement with such Sub-processor that contains substantially similar data protection obligations imposed on Data Processor by this DPA, including implementing appropriate technical and organizational measures; and (ii) remains liable for subcontractor’s failure to fulfil its obligations with respect to the processing of Personal Data as if Data Processor had failed to fulfill such obligations.
6. AUDIT. Data Processor agrees that, on reasonable, a minimum 30 days, prior notice and maximum once per calendar year, permit persons authorized by the Data Controller to access any premises on which Personal Data provided by the Data Controller to the Data Processor is processed and to inspect the Data Processor’s systems comply with this Agreement. Data Controller acknowledges that Data Processor’s obligations under this clause may be satisfied in whole or part by the provision to Data Controller of appropriate information; records; and certifications and audit reports issued by reputable independent third parties provided that there have been no material changes to the controls used by Data Processor since the certification or audit report was issued.
7. ACCESS TO PERSONAL DATA AND SECURITY INCIDENT
7.1. Data Processor shall notify the Data Controller if it receives a request from a data subject to have access to that person’s Personal Data or a complaint or request relating to the Data Controller’s obligations under the Applicable Privacy Laws.
7.2. Data Processor shall provide the Data Controller with full co-operation and assistance in relation to any complaint or request made, including by providing the Data Controller with full details of the complaint or request and complying with a data access request within the relevant timescale set out in the GDPR and in accordance with the Data Controller’s instructions;
7.3. If the Data Processor becomes aware of any unauthorised or unlawful processing of any Personal Data or that any Personal Data is lost or destroyed or has become damaged, corrupted or unusable or becomes aware of any security breach, the Data Processor shall, at its own expense, immediately notify (and in any event within 48 hours) Data Controller (“Notice”) and fully co-operate with the Data Controller and assist the Data Controller, in dealing with a security breach and in ensuring compliance with its obligations under Applicable Privacy Law with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators as soon as reasonably practicable.
7.4. The Notice shall include, to the extent available to the Data Processor at the time, a) a description of the nature of the incident, including where possible the categories and approximate number of data subjects concerned, b) a description of the likely consequences of the incident and c) a description of the measures taken or proposed to be taken by the Data Processor to address the incident.
8. INTERNATIONAL DATA TRANSFER.
8.1. To the extent any Personal Data is accessed by Data Processor, or transferred to Data Processor, the transfer(s) shall occur according to the requirements of the Applicable Privacy Law, including GDPR chapter V.
8.2. To the extent Personal Data includes personal data from the EU and EEA by entering into the Agreement and this DPA, the Parties are deemed to have signed the SCCs, including their annexes, attached hereto.
8.2.1. To the extent the SCCs are entered into, the following options for Module 2 of the SCCs shall be used:
8.2.2. Clause 7. The optional docking does not apply.
8.2.3. Clause 9. Use of sub-processors Option 2: General written authorization is selected and the minimum time period for prior notice of sub-processor changes shall be minimum 30 days.
8.2.4. Clause 11. The optional language does not apply.
8.2.5. Clause 17. Option 2 is selected and the Parties agree that this shall be the law of the Agreement.
8.2.6. Clause 18 (b). The Parties agree that any dispute arising from these Clauses shall be resolved by the courts of the country as agreed in the Agreement.
8.2.7. Clause 13. All square brackets in are hereby removed;
8.2.8. Annex I to this DPA contains the information required in Annex I of the SCCs;
8.2.9. Annex II to this DPA contains the information required in Annex II of the SCCs; and
8.2.10. Annex III to this DPA contains the information required in Annex III of the SCCs.
8.3. To the extent Personal data includes personal data from Switzerland clause 8.2 and the Switzerland Addendum applies.
8.4. To the extent Personal Data includes personal data from the UK the UK data transfer addendum applies.
8.5. US States Privacy Laws. If Data Controller or their data subjects are residents of California, Virginia, Colorado, Connecticut or Utah, please review the US States Privacy Laws Addendum for information regarding your privacy rights.
9. RETURN OR DISPOSAL. The Data Processor shall destroy or transfer all Personal Data to the Data Controller on the Data Controller’s request in the formats, at the times and in compliance with the requirements notified in writing by the Data Controller to the Data Processor. The Personal Data of the Data Controller shall be destroyed at the latest six (6) months after the expiry or termination of the Contract.
10. INDEMNIFICATION. To the extent applicable by Applicable Privacy Law, the Data Processor shall indemnify and keep indemnified the Data Controller against direct damages, claims, and losses incurred by the Data Controller which arise directly from the Data Processor’s data processing activities under this DPA. To the extent permissible by Applicable Privacy Law, the limitations of liability agreed between the Parties in the Agreement apply to this DPA.
11. GENERAL
11.1. Conflict. If there is a conflict between the provisions of the Agreement and this DPA, the provisions of this DPA shall prevail.
11.2. Governing law and dispute resolution. This DPA shall be governed by the laws governing the Agreement. All disputes arising out of or in connection with this DPA shall be finally settled by the dispute resolution body agreed in the Agreement.
11.3. Validity. This DPA shall be valid as long as the Agreement is in force.
ANNEX I
A. LIST OF PARTIES
Data exporter(s):
Name: The Customer, as defined in the Agreement
Address: …The address for the Customer as defined in the Agreement
Contact person’s name, position and contact details: …The contact person for the Customer as defined in the Agreement
Activities relevant to the data transferred under these Clauses: The use of the Services, as defined in the Agreement.
Data importer(s):
Name: Savio Technologies Inc.
Address: The address for the Service Provider as defined in the Agreement
Contact person’s name, position and contact details: The contact person for the Service Provider as defined in the Agreement
Activities relevant to the data transferred under these Clauses: As per the agreement between the parties.
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
Data Controller's end-users that are authorized to use the Services.
Categories of personal data transferred
Name, username, email address, IP address, professional work title / designation.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
No sensitive data is transferred
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Continuous
Nature of the processing
Transfer, copying, use, deletion, correction, adjustment
Purpose(s) of the data transfer and further processing
Personal data will be transferred from Data Controller to Data Processor for Data Processor to provide a SaaS service.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
The duration of the Agreement.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
The Personal Data is transferred to Savio’s Sub-processors for the subject matter and nature of Processing specified in Annex 3. Personal Data will be Processed by Sub-processors for as long as such Sub-processor is obliged to do so pursuant to the Processing Instructions or in each case retained for as long as the Sub-processor is legally obligated to do so.
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13
In respect of the EU Standard Contractual Clauses:
Module 2: Transfer Controller to Processor
Module 3: Transfer Processor to Processor
Where Customer is the data exporter, the supervisory authority shall be the competent supervisory authority that has supervision over the Customer in accordance with Clause 13 of the EU Standard Contractual Clauses.
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA\
The technical and organizational measures must be described in specific (and not generic) terms. See also the general comment on the first page of the Appendix, in particular on the need to clearly indicate which measures apply to each transfer/set of transfers.
I. Confidentiality: Physical access checks
The Data Processor shall ensure that no unauthorized persons have access to the server or archive rooms. This shall transpire through:
o Limited access lists
Datacenter and Cloud partners (where client data is stored):
o Limited access lists
o Secured doors
o Biometrics
o Locked cabinets containing hosted equipment
o Video recordings
o Escorted access only
II. Confidentiality: Entry controls
The Data Processor shall prevent the use of computer systems by unauthorized persons. This shall transpire through using multi authentication access controls.
III. Confidentiality: Access controls
The Data Processor warrants that those authorized to use a data processing system shall only be able to access the data that are subject to their access authorization and that personal data shall not be able to be read, copied, altered or removed during processing or use or after storage without authorization. This shall transpire through:
• Process by which granting access to a user requires peer review
• Reviewing access logs
IV. Confidentiality: Separation controls
The Data Processor warrants that data collected for different purposes can be processed separately. There is no need for physical separation; a logical separation of the data is sufficient. This shall transpire through:
• Logical separation for all clients
V. Integrity: Disclosure checks
The Data Processor warrants that personal data cannot be read, copied, altered or removed without authorization during the electronic transmission or transport or storage on data carriers, and that it shall be possible to verify and determine at which points personal data are to be transmitted by means of data transmission equipment. This shall transpire through:
• Encryption of data when in transit.
VI. Integrity: Input controls
The Data Processor warrants that it shall be possible to subsequently verify and determine whether and by whom personal data has been entered, altered or removed in data processing systems. This shall transpire through:
• Logging
VII. Availability and resilience: Availability checks
The Data Processor warrants that personal data shall be protected against accidental or intentional destruction or loss. This shall transpire through:
• Logging
• Least Privilege Access
• Backups
VIII. Availability and resilience: recoverability
The Data Processor warrants the ability to rapidly restore the availability of the personal data and the access to the data in the event of a physical or technical incident through the following measures:
• Disaster recovery and business continuity plans
IX. Evaluation: Data protection management
The Data Processor has implemented a process to regularly review and assess the effectiveness of the technical and organisational protection measures to warrant the security of the processing. This includes:
• Random checks of measures
ANNEX III
LIST OF SUB-PROCESSORS
EXPLANATORY NOTE:
This Annex must be completed in case of the specific authorisation of sub-processors (Clause 9(a), Option 1).
| Sub-Processor | Purpose | Types of Data Stored | Relevant Services | Data Location |
|---|---|---|---|---|
AWS, Inc. |
Data / Cloud storage |
Service Data |
All Services |
USA |
Intercom |
Support |
Customer data |
All Services |
USA |
Full Story |
Behavior analysis |
Customer data |
All Services |
USA |
Segment |
Analytics |
Customer data |
All Services |
USA |
Mouseflow |
Behavior analysis |
Customer data |
All Services |
USA |
Sendfox |
Customer data |
All Services |
USA |
Addendum for Transfers from Switzerland
- For the purposes of localizing the SCCs to Swiss law, the parties agree to the following:
(a). The parties adopt the GDPR standard for all data transfers, or the standard under Swiss law where higher.
(b). The parties agree that the references to provisions of the GDPR in the SCCs are to be understood as references to the corresponding provisions of the Swiss Federal Data Protection Act in the version applicable at the moment of initiation of any dispute.
(c). The term Member State where used in the SCCs also applies to Switzerland. In particular, this shall ensure that data subjects are not excluded from the possibility to sue for their rights in their place of habitual residence.
(d) Clause 13 and Annex I(C): The competent authorities under Clause 13, and in Annex I(C), are the Federal Data Protection and Information Commissioner and, concurrently, the EEA member state authority identified above.
(e) Clause 17: The Parties agree that the governing jurisdiction is the Member State in which the data exporter is established for claims under the GDPR and the substantive laws of Switzerland for claims under the Swiss Federal Data Protection Act.
(f) Clause 18:
● Any dispute arising from these Clauses shall be resolved by the courts of Zurich, Switzerland.
● A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.
● The Parties agree to submit themselves to the jurisdiction of such courts.
(g) The parties agree to interpret the SCCs so that “data subjects” includes legal entities until the revised Swiss Federal Act on Data Protection enters into force.
Addendum For Transfers from The United Kingdom
1. For the purposes of localizing the SCCs to United Kingdom law, the parties agree to the following:
The parties agree that the SCCs are deemed amended to the extent necessary that they operate for transfers from the United Kingdom to a third country and provide appropriate safeguards for transfers according to Article 46 of the UK GDPR. Such amendments include changing references to the GDPR to the UK GDPR and changing references to EU Member States to the United Kingdom.
Part 1: Tables
Table 1: Parties
Start date: The date the DPA is signed.
The Parties: Exporter and Importer as per the Intercompany Agreement to which the Approved EU SCCs and this Addendum are appended.
Table 2: Selected SCCs, Modules and Selected Clauses
Addendum EU SCCs: The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information Date: SCC version released on June 4th 2021, as in force on July 1st 2022.
Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in the following Annexes to the Approved EU SCCs to which this Addendum is appended:
Annex 1A: List of Parties
Annex 1B: Description of Transfer
Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data
Annex III: List of Sub processors (Modules 2 and 3 only)
Table 4: Ending this Addendum when the Approved Addendum Changes
Ending this Addendum when the Approved Addendum changes: Which Parties may end this Addendum as set out in Section 19:
Importer
Exporter
Part 2: Mandatory Clauses
Entering into this Addendum
1. Each Party agrees to be bound by the terms and conditions set out in this Addendum, in exchange for the other Party also agreeing to be bound by this Addendum.
2. Although Annex 1A and Clause 7 of the Approved EU SCCs require signature by the Parties, for the purpose of making Restricted Transfers, the Parties may enter into this Addendum in any way that makes them legally binding on the Parties and allows data subjects to enforce their rights as set out in this Addendum. Entering into this Addendum will have the same effect as signing the Approved EU SCCs and any part of the Approved EU SCCs.
Interpretation of this Addendum
3. Where this Addendum uses terms that are defined in the Approved EU SCCs those terms shall have the same meaning as in the Approved EU SCCs. In addition, the following terms have the following meanings:
1. Addendum: This International Data Transfer Addendum which is made up of this Addendum incorporating the Addendum EU SCCs.
2. Addendum EU SCCs: The version(s) of the Approved EU SCCs to which this Addendum is appended, as set out in Table 2, including the Appendix Information.
3. Appendix Information: As set out in Table 3.
4. Appropriate Safeguards: The standard of protection over the personal data and of data subjects’ rights, which is required by UK Data Protection Laws when you are making a Restricted Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR.
5. Approved Addendum: The template Addendum issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18.
6. Approved EU SCCs: The Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
7. ICO: The UK Information Commissioner.
8. Restricted Transfer: A transfer which is covered by Chapter V of the UK GDPR.
9. UK: The United Kingdom of Great Britain and Northern Ireland.
10. UK Data Protection Laws: All laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the UK Data Protection Act 2018.
11. UK GDPR: As defined in section 3 of the UK Data Protection Act 2018.
4. This Addendum must always be interpreted in a manner that is consistent with UK Data Protection Laws and so that it fulfils the Parties’ obligation to provide the Appropriate Safeguards.
5. If the provisions included in the Addendum EU SCCs amend the Approved SCCs in any way which is not permitted under the Approved EU SCCs or the Approved Addendum, such amendment(s) will not be incorporated in this Addendum and the equivalent provision of the Approved EU SCCs will take their place.
6. If there is any inconsistency or conflict between UK Data Protection Laws and this Addendum, UK Data Protection Laws applies.
7. If the meaning of this Addendum is unclear or there is more than one meaning, the meaning which most closely aligns with UK Data Protection Laws applies.
8. Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into.
Hierarchy
9. Although Clause 5 of the Approved EU SCCs sets out that the Approved EU SCCs prevail over all related agreements between the parties, the parties agree that, for Restricted Transfers, the hierarchy in Section 10 will prevail.
10. Where there is any inconsistency or conflict between the Approved Addendum and the Addendum EU SCCs (as applicable), the Approved Addendum overrides the Addendum EU SCCs, except where (and in so far as) the inconsistent or conflicting terms of the Addendum EU SCCs provides greater protection for data subjects, in which case those terms will override the Approved Addendum.
11. Where this Addendum incorporates Addendum EU SCCs which have been entered into to protect transfers subject to the General Data Protection Regulation (EU) 2016/679 then the Parties acknowledge that nothing in this Addendum impacts those Addendum EU SCCs.
Incorporation of and changes to the EU SCCs
12. This Addendum incorporates the Addendum EU SCCs which are amended to the extent necessary so that:
a. together they operate for data transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that data transfer, and they provide Appropriate Safeguards for those data transfers;
b. Sections 9 to 11 override Clause 5 (Hierarchy) of the Addendum EU SCCs; and
c. this Addendum (including the Addendum EU SCCs incorporated into it) is (1) governed by the laws of England and Wales and (2) any dispute arising from it is resolved by the courts of England and Wales, in each case unless the laws and/or courts of Scotland or Northern Ireland have been expressly selected by the Parties.
13. Unless the Parties have agreed alternative amendments which meet the requirements of Section 12, the provisions of Section 15 will apply.
14. No amendments to the Approved EU SCCs other than to meet the requirements of Section 12 may be made.
15. The following amendments to the Addendum EU SCCs (for the purpose of Section 12) are made:
a. References to the “Clauses” means this Addendum, incorporating the Addendum EU SCCs;
b. In Clause 2, delete the words:
“and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679”;
c. Clause 6 (Description of the transfer(s)) is replaced with:
“The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”;
d. Clause 8.7(i) of Module 1 is replaced with:
“it is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer”;
e. Clause 8.8(i) of Modules 2 and 3 is replaced with:
“the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;”
f. References to “Regulation (EU) 2016/679”, “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)” and “that Regulation” are all replaced by “UK Data Protection Laws”. References to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws;
g. References to Regulation (EU) 2018/1725 are removed;
h. References to the “European Union”, “Union”, “EU”, “EU Member State”, “Member State” and “EU or Member State” are all replaced with the “UK”;
i. The reference to “Clause 12(c)(i)” at Clause 10(b)(i) of Module one, is replaced with “Clause 11(c)(i)”;
j. Clause 13(a) and Part C of Annex I are not used;
k. The “competent supervisory authority” and “supervisory authority” are both replaced with the “Information Commissioner”;
l. In Clause 16(e), subsection (i) is replaced with:
“the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;”;
m. Clause 17 is replaced with:
“These Clauses are governed by the laws of England and Wales.”;
n. Clause 18 is replaced with:
“Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”; and
o. The footnotes to the Approved EU SCCs do not form part of the Addendum, except for footnotes 8, 9, 10 and 11.
Amendments to this Addendum
16. The Parties may agree to change Clauses 17 and/or 18 of the Addendum EU SCCs to refer to the laws and/or courts of Scotland or Northern Ireland.
17. If the Parties wish to change the format of the information included in Part 1: Tables of the Approved Addendum, they may do so by agreeing to the change in writing, provided that the change does not reduce the Appropriate Safeguards.
18. From time to time, the ICO may issue a revised Approved Addendum which:
a. makes reasonable and proportionate changes to the Approved Addendum, including correcting errors in the Approved Addendum; and/or
b. reflects changes to UK Data Protection Laws;
The revised Approved Addendum will specify the start date from which the changes to the Approved Addendum are effective and whether the Parties need to review this Addendum including the Appendix Information. This Addendum is automatically amended as set out in the revised Approved Addendum from the start date specified.
19. If the ICO issues a revised Approved Addendum under Section 18, if any Party selected in Table 4 “Ending the Addendum when the Approved Addendum changes”, will as a direct result of the changes in the Approved Addendum have a substantial, disproportionate and demonstrable increase in:
a. its direct costs of performing its obligations under the Addendum; and/or
b. its risk under the Addendum,
and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that Party may end this Addendum at the end of a reasonable notice period, by providing written notice for that period to the other Party before the start date of the revised Approved Addendum.
20. The Parties do not need the consent of any third party to make changes to this Addendum, but any changes must be made in accordance with its terms.
US States Data Laws Addendum
This addendum (“US States Data Laws Addendum”) is entered into as of the date below, and is incorporated into and forms a part of the DPA.
This US States Data Laws Addendum sets forth the terms and conditions relating to compliance with:
a) The California Consumer Privacy Act of 2018 and any regulations, amendments and/or updates thereto including but not limited to as amended by the California Privacy Rights Act (collectively, the “CCPA”);
b) The Virginia Consumer Data Privacy Act and any regulations, amendments and/or updates thereto (the “VA Act”);
c) The Colorado Data Privacy Act and any regulations, amendments and/or updates thereto (the “CO Act”);
d) The Connecticut Act Concerning Personal Data Privacy and Online Monitoring and any regulations, amendments and/or updates thereto (the “CT Act”); and
e) The Utah Consumer Privacy Act and any regulations, amendments and/or updates thereto (the “UT Act”)
In the event of a conflict between this US States Data Laws Addendum and the DPA, this US States Data Laws Addendum will prevail.
1. CCPA. A. In addition to and without limiting any and/or all other provisions of this Addendum, for purposes of compliance with the CCPA, Service Provider agrees that:
a) Personal Information is being disclosed by Customer to Service Provider only for the limited and specified Processing Services identified by Customer and Service Provider shall not retain, use or disclose Personal Information for any other purpose.
b) Service Provider shall comply with the applicable obligations under the CCPA and provide the same level of privacy protection as required of businesses covered under the CCPA.
c) Customer shall have the right (but not the obligation) to take reasonable and appropriate steps to monitor Service Provider’s compliance with this Addendum to ensure that Service Provider is using the Personal Information in a manner consistent with the CCPA.
d) Service Provider shall immediately notify Customer in writing if it determines that it can no longer meet its obligations under the CCPA.
e) Customer shall have the right upon notice to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Information.
f) Service Provider shall not sell, share, retain, use, cache or disclose Personal Information outside of the direct relationship between Customer and Service Provider as set forth in this Addendum.
g) If Service Provider engages any sub-processors of Personal Information then Service Provider shall notify Customer of such engagement in writing and ensure (and confirm to Customer) that there is a written contract between Service Provider and the sub-processor that binds the sub-processor to all of the contractual requirements and obligations imposed on the Service Provider under the Agreement and/or this Addendum. Service Provider shall be responsible for any breach of this Addendum by its sub-processors as if such breach were a breach by Service Provider.
h) Service Provider is not permitted to use any Personal Information for its own operational purposes or on its own behalf (for example to improve or benchmark Service Provider’s services).
i) Upon Customer’s request, Service Provider shall delete or return all Personal Information to Customer as requested at the end of the performance of Processing Services, unless retention of the Personal Information is required by Laws and then only to the extent required.
j) If Customer provides any de-identified information to Service Provider, then Service Provider shall take reasonable measures to ensure that such information cannot be associated with an individual and shall publicly commit to maintain and use such information in de-identified form only and not attempt to re-identify the information.
k) Service Provider acknowledges and agrees that it fully understands and agrees with the obligations and restrictions set forth in this Addendum.
B. Customer shall be responsible for complying with its own obligations as a business to the extent applicable under the CCPA.
2. VA Act. A. In addition to and without limiting any and/or all other provisions of this Addendum, for purposes of compliance with the VA Act, Service Provider agrees that:
a) Service Provider is a “Processor” as such term is defined under the VA Act.
b) Customer is a “Controller” as such term is defined under the VA Act.
c) Customer hereby instructs Service Provider to process Personal Information solely for purposes of performing the Processing Services during the term of the Agreement and any applicable survival period for which Service Provider has obligations under such Agreement.
d) If Service Provider engages any sub-processors of Personal Information then Service Provider shall notify Customer of such engagement in writing and ensure that there is a written contract between Service Provider and the sub-processor that binds the sub-processor to substantially all of the contractual requirements and obligations imposed on the Service Provider under the Agreement and/or this Addendum. Service Provider shall be responsible for any breach of this Addendum by its sub-processors as if such breach were a breach by Service Provider
e) All employees and personnel of Service Provider must be subject to a written duty of confidentiality with respect to the Processing Services including but not limited to regarding the Personal Information and the processing thereof.
f) Upon Customer’s reasonable request, Service Provider shall cooperate with Customer and provide information in a timely manner to Customer to (i) enable Customer to conduct and document data protection assessments and cooperate with reasonable audits by Customer or a qualified independent auditor; (ii) demonstrate Service Provider’s compliance with its obligations under the VA Act; (iii) take appropriate technical and organizational measures to fulfil consumer rights requests made to Customer; and (iv) help meet Customer’s obligations in relation to any data security and/or data breach notification.
g) Upon Customer’s request, Service Provider shall delete or return all Personal Information to Customer as requested at the end of the performance of the Processing Services, unless retention of the Personal Information is required by Laws and then only to the extent required.
h) If Customer provides any de-identified information to Service Provider, then Service Provider shall take reasonable measures to ensure that such information cannot be associated with an individual and shall publicly commit to maintain and use such information in de-identified form only and not attempt to re-identify the information.
B. Customer shall be responsible for complying with its own obligations as a business to the extent applicable under the VA Act.
3. CO Act. A. In addition to and without limiting any and/or all other provisions of this Addendum, for purposes of compliance with the CO Act, Service Provider agrees that:
a) Service Provider is a “Processor” as such term is defined under the CO Act.
b) Customer is a “Controller” as such term is defined under the CO Act.
c) Customer hereby instructs Service Provider to process Personal Information solely for purposes of performing the Processing Services during the term of the Agreement and any applicable survival period for which Service Provider has obligations under such Agreement.
d) If Service Provider engages any sub-processors of Personal Information then Service Provider shall notify Customer of such engagement in writing, and ensure that there is a written contract between Service Provider and the sub-processor that binds the sub-processor to substantially all of the contractual requirements and obligations imposed on the Service Provider under the Agreement and/or this Addendum. Service Provider shall be responsible for any breach of this Addendum by its sub-processors as if such breach were a breach by Service Provider
e) All employees and personnel of Service Provider must be subject to a written duty of confidentiality with respect to the Processing Services including but not limited to regarding the Personal Information and the processing thereof.
f) Upon Customer’s request, Service Provider shall cooperate with Customer and provide information to Customer in a timely manner to (i) enable Customer to conduct and document data protection assessments and cooperate with reasonable audits by Customer or a qualified independent auditor; (ii) demonstrate Service Provider’s compliance with its obligations under the CO Act; (iii) take appropriate technical and organizational measures to fulfil consumer rights requests made to Customer; and (iv) help meet Customer’s obligations in relation to any data security and/or data breach notification.
g) Upon Customer’s request, Service Provider shall delete or return all Personal Information to Customer as requested at the end of the performance of the Processing Services, unless retention of the Personal Information is required by Laws and then only to the extent required.
h) If Customer provides any de-identified information to Service Provider, then Service Provider shall take reasonable measures to ensure that such information cannot be associated with an individual and shall publicly commit to maintain and use such information in de-identified form only and not attempt to re-identify the information.
B. Customer shall be responsible for complying with its own obligations as a business to the extent applicable under the CO Act.
4. CT Act. A. In addition to and without limiting any and/or all other provisions of this Addendum, for purposes of compliance with the CT Act, Service Provider agrees that:
a) Service Provider is a “Processor” as such term is defined under the CT Act.
b) Customer is a “Controller” as such term is defined under the CT Act.
c) Customer hereby instructs Service Provider to process Personal Information solely for purposes of performing the Processing Services during the term of the Agreement and any applicable survival period for which Service Provider has obligations under such Agreement.
d) If Service Provider engages any sub-processors of Personal Information then Service Provider shall notify Customer of such engagement in writing, and ensure that there is a written contract between Service Provider and the sub-processor that binds the sub-processor to substantially all of the contractual requirements and obligations imposed on the Service Provider under the Agreement and/or this Addendum. Service Provider shall be responsible for any breach of this Addendum by its sub-processors as if such breach were a breach by Service Provider
e) All employees and personnel of Service Provider must be subject to a written duty of confidentiality with respect to the Processing Services including but not limited to regarding the Personal Information and the processing thereof.
f) Upon Customer’s request, Service Provider shall cooperate with Customer and provide information to Customer in a timely manner to (i) enable Customer to conduct and document data protection assessments and cooperate with reasonable audits by Customer or a qualified independent auditor; (ii) demonstrate Service Provider’s compliance with its obligations under the CT Act; (iii) take appropriate technical and organizational measures to fulfil consumer rights requests made to Customer; and (iv) help meet Customer’s obligations in relation to any data security and/or data breach notification.
g) Upon Customer’s request, Service Provider shall delete or return all Personal Information to Customer as requested at the end of the performance of Processing Services, unless retention of the Personal Information is required by Laws and then only to the extent required.
h) If Customer provides any de-identified information to Service Provider, then Service Provider shall take reasonable measures to ensure that such information cannot be associated with an individual and shall publicly commit to maintain and use such information in de-identified form only and not attempt to re-identify the information.
B. Customer shall be responsible for complying with its own obligations as a business to the extent applicable under the CT Act.
5. UT Act. A. In addition to and without limiting any and/or all other provisions of this Addendum, for purposes of compliance with the UT Act, Service Provider agrees that:
a) Service Provider is a “Processor” as such term is defined under the UT Act.
b) Customer is a “Controller” as such term is defined under the UT Act.
c) Customer hereby instructs Service Provider to process Personal Information solely for purposes of performing the Processing Services during the term of the Agreement and any applicable survival period for which Service Provider has obligations under such Agreement.
d) If Service Provider engages any sub-processors of Personal Information then Service Provider shall notify Customer of such engagement in writing, and ensure that there is a written contract between Service Provider and the sub-processor that binds the sub-processor to substantially all of the contractual requirements and obligations imposed on the Service Provider under the Agreement and/or this Addendum. Service Provider shall be responsible for any breach of this Addendum by its sub-processors as if such breach were a breach by Service Provider
e) All employees and personnel of Service Provider must be subject to a written duty of confidentiality with respect to the Processing Services including but not limited to regarding the Personal Information and the processing thereof.
f) Service Provider shall, taking into account the nature of the processing and information available to the processor, by appropriate technical and organizational measures, insofar as reasonably
g) practicable, promptly assist Customer in a timely manner in meeting Customer’s obligations, including obligations related to the security of processing personal data and immediate written notification of a breach of security system as described in the UT Act.
h) Upon Customer’s request, Service Provider shall delete or return all Personal Information to Customer as requested at the end of the performance of Processing Services, unless retention of the Personal Information is required by Laws and then only to the extent required.
i) If Customer provides any de-identified information to Service Provider, then Service Provider shall take reasonable measures to ensure that such information cannot be associated with an individual and shall publicly commit to maintain and use such information in de-identified form only and not attempt to re-identify the information.
B. Customer shall be responsible for complying with its own obligations as a business to the extent applicable under the UT Act.