1. Nature of Data Processing.
The subject matter of the data processing, including the processing operations carried out by Supplier on behalf of Company and Company’s data processing instructions for Supplier, will be described in each SOW, Order, or equivalent document where Company orders services, or licenses software from, Supplier, which form integral parts of the Agreement.
2. Compliance with Laws.
The parties shall each comply with their respective obligations under all applicable laws, regulations, and other legal requirements relating to (i) privacy, data security, consumer protection, marketing, promotion, and text messaging, email, and other communications; and (ii) the use, collection, retention, storage, security, disclosure, transfer, disposal, and other processing of any Personal Data (“Privacy Laws”). With regard to EU Personal Data, the parties will comply with each of their respective obligations under the EU Data Protection Directive 95/46/EC (as amended) (the “Directive”), any subordinate legislation and regulation implementing the Directive which may apply (“Local Data Protection Laws”), and, as of 25 May 2018 and thereafter, the European Union Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the “General Data Protection Regulation” or “GDPR”) and any subordinate legislation and regulation implementing the GDPR which may apply (collectively, with Privacy Laws, the “Data Protection Requirements”). Both parties warrant that if and to the extent legally required, they will obtain, and at all times maintain, a registration under the applicable Data Protection Requirements appropriate to the performance of their obligations under the Agreement.
3. Obligations of the Data Controller.
Company, in its capacity as a Data Controller, shall:
provide instruction to Supplier and determine the purposes and general means of Supplier’s processing of Personal Data on behalf of Company under the Agreement; and
comply with its personal data protection, data security and other obligations prescribed by Data Protection Requirements for Data Controllers by, without limitation, meeting its obligations under Data Protection Requirements to:
A. establish and maintain a procedure for the exercise of the rights of the individuals whose EU Personal Data are processed on behalf of Company;
B. process only data that have been lawfully and validly collected and ensure that such data will be relevant and proportionate to the respective uses; and
C. ensure compliance with the provisions of this Addendum by its personnel and by any person accessing or using Personal Data on its behalf.
By entering into this Addendum, Company instructs Supplier to process Customer Personal Data only in accordance with applicable law: (a) to provide the Services; (b) as authorised by the Agreement, including this Addendum; and (c) as further documented in any other written instructions given by Company and acknowledged in writing by Supplier as constituting instructions for purposes of this Addendum.
4. Obligations of the Data Processor.
Supplier, in its capacity as a Data Processor or subprocessor of Personal Data, shall:
A. process Personal Data solely for the purposes described in the Agreement and in compliance with the instructions received from Company and the Agreement and will not use or process the Personal Data for any other purpose. If Supplier cannot comply with these requirements, it will promptly inform Company, and Company is entitled to immediately terminate the Agreement or to take any other reasonable action, including the suspension of data processing operations;
B. inform Company immediately if, in Supplier’s opinion, an instruction from Company violates applicable Data Protection Requirements;
C. if Supplier is collecting Personal Data from individuals on behalf of Company, follow Company’s instructions with regard to such Personal Data collection (including with regard to the provision of notice and exercise of choice);
D. adopt and maintain appropriate security measures (including organizational and technical measures), at least equivalent to those taken by similarly situated companies that process similar types of EU Personal Data;
E. take all commercially reasonable steps to ensure that: (i) persons employed by it and (ii) other persons engaged to perform on Supplier’s behalf comply with the terms of the Agreement;
F. encrypt all Personal Data which is processed by Supplier to the extent required under the Data Protection Requirements;
G. ensure that its employees, authorized agents and any subprocessors are legally required in writing to comply with and acknowledge and respect the confidentiality of the Personal Data, including after the end of their employment, contract or at the end of their assignment;
H. if it intends to engage one or more third parties acting on its behalf (“subprocessor”) to help it to satisfy its obligations in accordance with this Addendum or to delegate all or part of the processing activities to such subprocessors, (i) obtain the prior consent of Company to such subcontracting, such consent not to be unreasonably withheld; (ii) remain responsible, and liable, to Company for the subprocessors’ acts and omissions with regard to data protection; and (iii) enter into contractual arrangements with such approved subprocessors requiring them to guarantee the same level of data protection compliance and information security as that provided for herein;
I. have a business continuity plan in the event Supplier ceases operations;
J. provide Company with its privacy and security policies; and
K. inform Company if an independent security review has been or will be conducted.
Supplier shall inform Company without delay if Supplier becomes aware of:
A. any non-compliance by Supplier or its employees with this Addendum or the Data Protection Requirements relating to the protection of Personal Data processed under this Addendum;
B. any legally binding request for disclosure of Personal Data by a law enforcement authority, unless otherwise prohibited, such as in order to preserve the confidentiality of an investigation by the law enforcement authorities;
C. any notice, inquiry or investigation by a Supervisory Authority with respect to Personal Data; or
D. any complaint or request (in particular, requests for access to, rectification or blocking of Personal Data) received directly from the data subjects. Supplier shall not respond to any such request without Company’s prior written authorization.
Supplier further agrees to notify Company of any suspected accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data (“Personal Data Breach”) by Supplier, subprocessors and/or any other third parties acting on Supplier’s behalf without undue delay and in any event within 24 hours of becoming aware of a Personal Data Breach.
Supplier shall reasonably assist Company without delay regarding:
A. any requests from data subjects in respect of access to or the rectification, erasure, restriction, portability, blocking or deletion of Personal Data. In the event that a data subject sends such a request directly to Supplier, Supplier will pass it on to Company without delay;
B. the investigation of Personal Data Breaches and the notification to the Supervisory Authority and data subjects in respect of such breaches; and
C. the preparation of data protection impact assessments and, where applicable, carrying out consultations with any Supervisory Authority.
If Supplier is required by Data Protection Requirements to process any Personal Data, Supplier shall inform Company of this requirement in advance of any processing, unless Supplier is legally prohibited from informing Company of such processing.
5. Audit; Certification.
If the relevant data protection Supervisory Authority is required by law or regulation to audit the data processing facilities from which Supplier processes Personal Data in order to ascertain and/or monitor compliance with Data Protection Requirements, then Supplier will cooperate with the audit. Company will reimburse Supplier for its reasonable expenses incurred to cooperate with such an audit. For the purposes of this section, “Supervisory Authority” has the same meaning as given by Article 28 of the Directive or, from 25 May 2018, Article 51 of the General Data Protection Regulation. In addition to, and not in substitution for, its obligations in section 11.7 of the Agreement, Supplier (i) must certify compliance with this Addendum in writing at least once every calendar year and (ii) shall make its data processing facilities used for activities falling within the scope of this Addendum available for audit by Company or another auditor approved by Company, upon Company’s reasonable request.
6. Data Transfers.
If Supplier is based outside the EEA and European Commission-approved countries, or intends to transfer EU Personal Data outside them, Supplier must provide at least the same level of privacy protection for EU Personal Data as required under the Standard Contractual Clauses (Processors) (“SCCs”) in the Annex to the European Commission Decision of February 5, 2010. Supplier may disclose EU Personal Data throughout the world to fulfil the purposes described above. This may include transferring EU Personal Data to other countries (including countries located outside the European Economic Area) that have different data protection regimes and which are not deemed to provide an adequate level of protection for EU Personal Data. To ensure that your EU Personal Data is sufficiently protected when transferred outside the EEA, Supplier has self-certified its compliance with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce.
7. Special Data Protection Procedures.
Company may from time to time provide Supplier with reasonable written guidelines, rules, and/or procedures for accessing, using, storing, and handling certain or all Company data, equipment, systems, or facilities (“Special Privacy and Data Protection Procedures”). Supplier will comply with all applicable Special Privacy and Data Protection Procedures when accessing Company data, equipment, systems, or facilities. Supplier will make Special Privacy and Data Protection Procedures available to all relevant Supplier Personnel and any subprocessors and will provide an appropriate level of supervision and training to relevant Supplier Personnel on the procedures required by the Special Privacy and Data Protection Procedures. Supplier has the right to adjust the fees charged hereunder to the extent that compliance with the Special Privacy and Data Protection Procedures imposes a materially increased effort or cost upon Supplier.
This Addendum shall remain in effect as long as Supplier carries out Personal Data processing operations on behalf of Company or until the termination of the Agreement and all associated SOWs (and all Personal Data has been returned or deleted in accordance with section 9 below).
9. Data Return and Deletion.
The parties agree that on the termination of the data processing services or upon Company’s reasonable request, Supplier and any subprocessors shall, at the choice of Company, return all the Personal Data and copies of such data to Company or securely destroy them and demonstrate to the satisfaction of Company that it has taken such measures, unless Data Protection Requirements prevent Supplier from returning or destroying all or part of the Personal Data disclosed. In such case, Supplier agrees to preserve the confidentiality of the Personal Data retained by it and that it will only actively process such Personal Data after such date in order to comply with the laws it is subject to.