[DISCLAIMER: this document should be utilized solely as a
reference/starting point, the entire content of the document should be
reviewed internally and with legal counsel, and subsequently implemented as
adopted. This document does not constitute legal advice and does not
guarantee compliance. In addition, any portions highlighted in yellow
indicate that a decision should be made as to an option or that the
highlighted language should be updated to reflect your internal processes,
risk tolerance and company information.]
Data Processing Addendum
This Data Processing Addendum, including its schedules and the Standard
Contractual Clauses (collectively, the "DPA") is entered into by and between the [CUSTOMER] contracting entity
identified in the Agreement ("Customer") on behalf of itself and its Affiliates, and [VENDOR] ("Vendor") and shall be effective on the date both parties execute the DPA
("Effective Date").
The parties agree as follows:
Recitals
Vendor has entered into one or more purchase orders, contracts and/or
agreements (the "Agreement") with Customer pursuant to which Vendor has
agreed to provide certain services to Customer as more particularly
described in the Agreement ("Services").
In delivering the Services under the Agreement, Vendor may process
Personal Data controlled by Customer, and/or its customers, employees,
contacts or partners.
As part of its privacy notices and its contractual arrangements, Customer
has provided certain assurances to its customers, contacts, employees,
partners and/or end-users to ensure the appropriate protection of all
data, including Personal Data when Customer engages third-party vendors.
Customer’s engagement of Vendor is conditional upon Vendor’s
agreement to the terms and conditions of this DPA.
The parties are entering into this DPA to ensure that the processing by
Vendor of Personal Data provided to Vendor or collected by Vendor for
Customer and/or on its behalf, is done in a manner compliant with
Applicable Data Protection Law and its requirements regarding the
collection, use and retention of Personal Data of data subjects.
This DPA is incorporated into and forms part of the Agreement. All
capitalized words not defined in this DPA will have the meaning set forth
in the Agreement.
Definitions
"Affiliate" means
any entity that is directly or indirectly controlled by, controlling
or under common control with an entity. “Control” for
purposes of this definition, means direct or indirect ownership or
control of more than 50% of the voting interests of the subject
entity.
"Applicable Data Protection Law"
means all worldwide data protection and privacy laws and regulations
applicable to the Personal Data in question, including, where
applicable, European Data Protection Law and all laws and
regulations of the United States, including the CCPA.
"CCPA" means Title
1.81.5 California Consumer Privacy Act of 2018 (California Civil
Code §§ 1798.100–1798.199), including any amendments
and its implementing regulations that become effective on or after
the effective date of this DPA (as amended, superseded or replaced
from time to time).
"European Data Protection Law"
means (i) Regulation 2016/679 of the European Parliament and of the
Council on the protection of natural persons with regard to the
processing of Personal Data and on the free movement of such data
(General Data Protection Regulation) ("EU GDPR") (ii) the
EU GDPR as saved into UK law by virtue of section 3 of the UK's
European Union (Withdrawal) Act 2018 ("UK GDPR") and the
UK Data Protection Act 2018 (together, "UK Data Protection
Law"); (iii) the Swiss Federal Data Protection Act of 19 June
1992 and its corresponding ordinances ("Swiss DPA"); (iv)
the e-Privacy Directive (the Directive 2002/58/EC); (v) any
applicable data protection laws made under or pursuant to or that
apply in conjunction with (i), (ii), (iii) or (iv) (in each case, as
may be amended, superseded or replaced from time to time).
"Europe" means the
European Economic Area (the "EEA"), United Kingdom
("UK") and Switzerland.
"Personal Data"
means information relating to an identified or identifiable natural
person ("data subject"). An identified or identifiable
natural person is one who can be identified, directly or indirectly,
in particular by reference to an identifier such as a name, an
identification number, location data, an online identifier or to one
or more factors specific to their physical, physiological, genetic,
mental, economic, cultural or social identity, including any data
that is protected as "personal data", "personally
identifiable information" or "personal information",
under Applicable Data Protection Law and processed by Vendor in
accordance with Section 2.1 of this DPA in connection with the
Services, and as more particularly described in Schedules 1 and 2 of
this DPA (as applicable).
"Restricted Transfer"
means: (i) where the EU GDPR applies, a transfer of personal data
from the EEA to a country outside of the EEA which is not subject to
an adequacy determination by the European Commission; (ii) where the
UK GDPR applies, a transfer of personal data from the UK to any
other country which is not based on adequacy regulations pursuant to
Section 17A of the Data Protection Act 2018; and (iii) where the
Swiss DPA applies, a transfer of personal data to a country outside
of Switzerland which is not included on the list of adequate
jurisdictions published by the Swiss Federal Data Protection and
Information Commissioner.
"Security Incident"
means a personal data breach or any unauthorized access or breach of
security leading to, or reasonably believed to have led to, the
theft, accidental or unlawful destruction, loss, alteration,
unauthorized disclosure of or access to any Personal Data processed by
Vendor (and/or any processor or Sub-processor) under or in
connection with the Agreement.
"Standard Contractual Clauses"
or "SCCs" means the standard contractual clauses adopted
by the European Commission in its Implementing Decision (EU) 2021/91
of 4 June 2021.
"Sub-processor"
means any third-party or service provider (including any Vendor
Affiliates) engaged by Vendor in its role as a processor, which
processes any Personal Data relating to this DPA and/or the
Agreement. The term
"Sub-processor"
shall also include any third-party appointed by a Sub-processor to
process any Personal Data relating to this DPA and/or the Agreement.
"UK Addendum" means
the "UK Addendum to the EU Standard Contractual Clauses"
issued by the Information Commissioner's Office under s.119A(1)
of the UK Data Protection Act 2018.
The terms "controller", "processor", "supervisory authority",
"personal data breach" and "processing" shall
have the meaning given to them in European Data Protection Law and
"process", "processes" and "processed"
shall be interpreted accordingly. The terms "consumer",
"personal information", "business",
"sale" (including the terms "sell,"
"selling," "sold," and other variations
thereof) and "service provider" shall have the meaning
given to them in the CCPA.
Scope of this DPA and Relationship of the Parties
Scope. This DPA applies where
and only to the extent Vendor processes any Personal Data protected
by Applicable Data Protection Law under the Agreement in the course
of providing the Services pursuant to the Agreement as follows:
Where and to the extent Customer is a controller or business (as
applicable) and Vendor and/or each relevant Vendor Affiliate
processes Personal Data as a processor or service provider (as
applicable), Vendor shall be a processor or service provider (as
applicable) of the Personal Data and this DPA shall apply
accordingly;
Where Customer is a processor or service provider of the
Personal Data covered by this DPA on behalf of third-party
controllers or businesses (“Third Party
Controllers”), Vendor and/or each relevant Vendor
Affiliate shall be a Sub-processor or service provider (as
applicable) of the Personal Data and this DPA shall apply
accordingly;
Where and to the extent Customer is a controller or business (as
applicable) and Vendor and/or each relevant Vendor Affiliate
processes Personal Data as a controller or business (as
applicable), Vendor will process such Personal Data in
compliance with Applicable Data Protection Law, Sections 2, 3,
7.2, 7.3, 7.4, 7.5, 8, 10, and 11 of this DPA, and Schedules 2
and 3 of this DPA, to the extent applicable, only.
Compliance with Law. Each
party will comply with its obligations under Applicable Data
Protection Law in respect of the Personal Data it processes under
the Agreement and this DPA. If Applicable Data Protection Law and
corresponding obligations related to the processing of Personal Data
change, the parties shall discuss in good faith any necessary
amendments to this DPA.
California. The parties agree
that: (i) Vendor shall not retain, use or disclose Personal Data for
any purpose other than the permitted purposes under this DPA; (ii)
Personal Data was not sold to Vendor and Vendor shall not sell
Personal Data subject to the CCPA; and (iii) Vendor shall not
retain, use or disclose Personal Data outside of the direct business
relationship between Customer and Vendor. Vendor certifies that it
understands the restrictions set out in this Section 2.3 and will
comply with them.
Vendor as a Controller
Independent Controllers. Each
party shall be individually and separately responsible for complying
with the obligations that apply to it as a separate and independent
controller under Applicable Data Protection Law and neither party
shall be responsible for the other party's compliance with
Applicable Data Protection Law.
Vendor Controller Obligations.
Vendor and each Vendor Affiliate shall:
comply with all applicable European Data Protection Law when
processing Personal Data;
only Process the Personal Data: [(i) in order to perform its
obligations under the Agreement; and (ii) solely to the extent
permitted by applicable European Data Protection Law to the
extent necessary for the following purposes: (a) ]; and,
notify Customer [without undue delay / within 24 hours / within
48 hours / within 72 hours] upon becoming aware of a Security
Incident and, where reasonably practicable, provide a copy of
any proposed notification and consider in good faith any
comments made by Customer before notifying any affected third
party.
Vendor Processing of Personal Data
Vendor Processor Purposes for Processing.
Vendor will at all times (and shall ensure that any of its
Sub-processors as applicable): (i) process the Personal Data solely
for the purposes defined in the Agreement ("Permitted Purpose"),
particularly under Schedules 1 and 2 of this DPA, and only in
accordance with Customer's documented lawful instructions; and
(ii) not process the Personal Data for its own purposes or those of
any third-party. Vendor shall not (a) sell or disclose Personal Data
for monetary or other valuable consideration; (b) retain, use or
disclose Personal Data for any purpose other than for the Permitted
Purpose, including retaining, using or disclosing Personal Data for
a commercial purpose other than performing the Services under the
Agreement; or (c) retain, use, or disclose Personal Data outside
the direct business relationship between Vendor and Customer.
Reservation of Rights. Vendor
shall not at any time acquire any ownership, license, rights, title,
or other interest in or to Personal Data, all of which shall, as
between Customer and Vendor, be and remain the proprietary and
confidential information of Customer.
Vendor Processor Obligations.
In the event that Vendor or any of its authorized third parties,
including its Sub-processors (as applicable), collects any Personal
Data on behalf of Customer or furnishes or otherwise provides
Personal Data to Customer in relation to the Services, then Vendor
represents, warrants, and covenants that (i) it shall (and shall
procure that any of its Sub-processors) do so in compliance with all
Applicable Data Protection Law; and (ii) it has (and has ensured
that its Sub-processors have) provided appropriate notice to
individuals and obtained all necessary consents, approvals, and
authorizations to provide such Personal Data to Customer in
compliance with Applicable Data Protection Law and any instructions
provided by Customer.
Compliance with Applicable Data Protection Law.
Each Party shall comply with its obligations under Applicable Data
Protection Law with respect to any Personal Data it processes under
this DPA and the Agreement.
Third Party Controller Notices.
Where Customer is itself a processor or service provider (as
applicable) of the Personal Data acting on behalf of a Third Party
Controller, Customer shall serve as the sole point of contact for
Vendor and Vendor need not interact directly with (including to seek
any authorizations directly from) any such Third Party Controller,
other than through the regular provision of the Services to the
extent required under the Agreement. Where Vendor would (including
for the purposes of the SCCs) otherwise be required to provide
information, assistance, cooperation, or other notification to such
Third Party Controller, Vendor shall provide it solely to Customer.
Sub-processing
Authorized Sub-processors.
Customer hereby provides a general authorization to Vendor in its
role as a processor or service provider to engage Sub-processors to
process Personal Data. The Sub-processors engaged by Vendor are
listed in Schedule 4.
Notice. Vendor shall notify
Customer of any new engagement of a Sub-processor at least [thirty
(30) days / fourteen (14) days / a reasonable time] before any such
changes by sending an email to privacy@Customer.com, in order to
allow Customer to raise any reasonable objections on grounds of data
protection. If Customer objects to the addition or replacement of
any Sub-processor on reasonable grounds relating to data protection
and Vendor is unable to resolve such objection, Customer may
terminate the Agreement [and Vendor shall refund Customer any
prepaid unused fees under the Agreement following the effective date
of termination].
Sub-processor Requirements.
To the extent Personal Data is subject to European Data Protection
Law, Vendor shall:
enter into a written agreement with each Sub-processor imposing
data protection terms that require Sub-processor to protect
Personal Data to the standard required by applicable European
Data Protection Law and this DPA (including its Schedules);
retain Sub-processors which present sufficient guarantees in
terms of security and data protection in accordance with
European Data Protection Law;
ensure the Sub-processor processes Personal Data strictly for
the Permitted Purpose;
remain responsible for its compliance with the obligations of
this DPA and for any acts or omissions of the Sub-processor that
cause Vendor to breach any of its obligations under this DPA.
Cooperation and Individual Rights
Notices and Requests. Vendor
shall, taking into account the nature of the processing, reasonably
cooperate with Customer to enable Customer (or its Third Party
Controller) to respond to any requests, complaints or other
communications from data subjects, consumers, governmental and
regulatory or judicial bodies relating to the processing of the
Personal Data under the Agreement, including requests from data
subjects seeking to exercise their rights under Applicable Data
Protection Law. In the event that any such request, complaint or
communication is made directly to Vendor, Vendor shall [promptly /
immediately] notify Customer in writing at privacy@Customer.com (or
such contact notified to Vendor) and shall not respond to such
communication without Customer's express authorization.
Government or Regulatory Requests.
If Vendor becomes aware that any government agency or authority
(including law enforcement or national security) requests access to
the Personal Data (whether on a voluntary basis or through a
subpoena or court order), Vendor shall: (i) [immediately / promptly]
notify Customer by email; (ii) inform the government agency that
Vendor is a processor of the data and is not authorized to disclose
the data, and that Vendor will need to immediately notify Customer
regarding the request; (iii) attempt to redirect the agency to
request the data directly from Customer; (iv) reasonably cooperate
with all instructions of Customer, including if Customer (or its
Third Party Controller) wishes to limit, challenge or protect
against disclosure; and (v) not provide access to the data unless
and until authorized by Customer in writing. Vendor shall not be
required to comply with the obligations under Section 6.2(i) to (v)
in full if it is under a legal prohibition or mandatory legal
compulsion that prevents it from complying. Vendor shall use
reasonable and lawful efforts to challenge any such prohibition or
compulsion, and Vendor shall only disclose the Personal Data to the
extent it is legally required to do so and in accordance with
applicable lawful process. In no event shall Vendor knowingly
disclose the Personal Data in a massive, disproportionate, and
indiscriminate manner that goes beyond what is necessary in a
democratic society.
DPIA Assistance. Vendor will
assist Customer (or its Third Party Controller) to conduct a data
protection impact assessment and, at Customer's reasonable
request, consult with applicable data protection authorities in
respect of any proposed processing activity that presents a high risk
to data subjects.
Customer Requests. Vendor
will promptly deal with all inquiries from Customer relating to its
processing of the Personal Data under the Agreement including making
available all information necessary to demonstrate its compliance
with Applicable Data Protection Law and this DPA.
Security and Audits
Security Audit Standards.
Vendor shall maintain records in accordance with [ISO 27001, 27018
or similar applicable Information Security Management System ("ISMS") standards, PCI, SOC 1, Type II, SOC 2, Type II, ISO 27001, ISO
27017, ISO 27018, ISO 31000 and other certifications as
appropriate]. Upon request, Vendor shall provide copies of relevant
external compliance certifications, audit report summaries and/or
other documentation reasonably required by Customer to verify
Vendor's compliance with this DPA. Vendor shall also respond to
Customer security questionnaires and meet by teleconference or in
person to address any follow up questions.
Security Measures. Taking
into account the state of the art, the costs of implementation, and
the nature, scope, context and purposes of the Processing as well as
the risk of varying likelihood and severity to the rights and
freedoms of natural persons, Vendor shall implement and maintain
appropriate technical and organizational security measures designed
to protect Personal Data (including but not limited to protection
against Security Incidents) and to preserve the security and
confidentiality of Personal Data. Such measures will include, at
minimum, those measures described in Schedule 3 of this DPA
("Security Measures"). Vendor shall ensure that any person who is
authorized by Vendor to process Personal Data shall be under an
appropriate obligation of confidentiality (whether a contractual or
statutory duty), including to ensure that the authorized person
processes any Personal Data only for the purpose of delivering the
Services under the Agreement to Customer.
Updates to Security Measures.
Vendor shall regularly and periodically determine whether upgrades,
additions or modifications of applicable controls or Security
Measures are required to meet the obligations under this DPA,
including upon actual or constructive knowledge of relevant changes
in technology and internal and external threats to Personal Data and
the Services. For clarity, Customer acknowledges that the Security
Measures are subject to technical progress and development and that
Vendor may update and/or modify the Security Measures from time to
time, provided that such updates and/or modifications do not result
in the degradation of the overall security of the Personal Data and
continue to exceed the measures described in Schedule 3.
Data Access. Vendor shall
ensure that any person who processes Personal Data on Vendor's
behalf: (a) is required to protect and process all Personal Data in
a manner consistent with the terms of the Agreement and this DPA;
and (b) will receive appropriate training by Vendor regarding the
protection of Personal Data prior to receiving access to Personal
Data.
Security Incident Response.
Upon becoming aware of a Security Incident, Vendor shall notify
Customer without undue delay in accordance with Section 3.2.3 and
shall provide timely information relating to the Security Incident
as it becomes known or as is reasonably requested by Customer,
including the type of data affected, the identity of affected
person(s), and steps taken to mitigate the Security Incident as soon
as such information becomes known or available to Vendor. Vendor
shall keep and maintain a record of every Security Incident and
provide a copy of such records to Customer promptly upon request.
Security Audits. On written
request from Customer, Vendor shall provide written responses (which
may include audit report summaries/extracts) to all reasonable
requests for information made by Customer related to the
Vendor’s processing of Personal Data necessary to confirm
Vendor's compliance with this DPA, provided that Customer shall
not exercise this right more than once in any 12 month rolling
period. Notwithstanding the foregoing, Customer (or its appointed
representatives) may also exercise such audit right of Vendor's
operations and facilities in the event Customer is expressly
requested or required to provide this information to a data
protection authority, Vendor has experienced a Security Incident, or
as may be required under Applicable Data Protection Law. Such
inspections shall take place during normal business hours and be
subject to reasonable prior notice.
International Transfers
Processing Locations.
Customer acknowledges and agrees that Vendor may transfer and
process Personal Data to and in the United States and anywhere else
in the world where Vendor, its Affiliates or its Sub-processors
maintain data processing operations. Vendor shall at all times
ensure such transfers are made in compliance with the requirements
of Applicable Data Protection Law and this DPA.
European Data Transfers.
Vendor shall not transfer, whether by direct or onward transfer,
any Personal Data under this DPA that is protected by European Data
Protection Law ("European Data") in or to any country,
territory or recipient not recognized as providing an adequate level
of protection for Personal Data (within the meaning of European Data
Protection Law) (a "non-Adequate Country"), unless it
first takes all such measures as are necessary to ensure the
transfer is in compliance with European Data Protection Law.
Standard Contractual Clauses.
The parties agree that where Customer transfers (directly or via
onward transfer) European Data to Vendor located in a non-Adequate
Country, the parties agree to be subject to the Standard Contractual
Clauses, which shall be automatically incorporated by reference and
form an integral part of this DPA, as follows:
Vendor as a Processor or Sub-processor.
In relation to European Data that is protected by the EU GDPR
and is processed in accordance with Sections 2.1.1 and 2.1.2 of
this DPA, the SCCs shall apply completed as follows:
Module Two (Section 2.1.1) or Three (Section 2.1.2) will
apply;
in Clause 7, the optional docking clause will apply;
in Clause 9, Option 2 will apply, and the time period for
prior notice of Sub-processor changes is identified in
Section 5 above;
in Clause 11, the optional language will not apply;
in Clause 17, Option 1 will apply, and the SCCs will be
governed by [confirm Member State] law;
in Clause 18(b), disputes shall be resolved before the
courts of [confirm Member State];
Annex I of the SCCs shall be deemed completed with the
information set out in Schedule 1 of this DPA; and
Subject to Sections 7.2 and 7.3 of this DPA, Annex II of the
SCCs shall be deemed completed with the information set out
in Schedule 3 to this DPA;
Vendor as a Controller.
In relation to European Data that is protected by the EU GDPR
and is processed in accordance with Section 2.1.3 of this DPA,
the SCCs shall apply completed as follows:
Module One will apply;
in Clause 7, the optional docking clause will apply;
in Clause 11, the optional language will not apply;
in Clause 17, Option 1 will apply, and the SCCs will be
governed by [confirm Member State] law;
in Clause 18(b), disputes shall be resolved before the
courts of [confirm Member State];
Annex I of the SCCs shall be deemed completed with the
information set out in Schedule 2 of this DPA; and
Subject to Sections 7.2 and 7.3 of this DPA, Annex II of the
SCCs shall be deemed completed with the information set out
in Schedule 3 to this DPA.
UK Transfer Mechanism.
In relation to European Data that is protected by the UK GDPR,
the SCCs: (i) shall apply as completed in accordance with
Sections 8.3.1 and 8.3.2 above; and (ii) shall be deemed amended
as specified by the UK Addendum attached as Schedule 5, which
shall be deemed executed by the parties and incorporated into and
form an integral part of this DPA. Any conflict between the
terms of the SCCs and the UK Addendum shall be resolved in
accordance with Section 10 and Section 11 of the UK Addendum.
Swiss Transfer Mechanism.
To the extent the European Data is subject to the Swiss DPA,
Vendor agrees to process such European Data in compliance with
the SCCs, which are incorporated herein in full by reference and
form an integral part of this DPA in accordance with Sections
8.3.1 and 8.3.2 and the following modifications:
references to "Regulation (EU) 2016/679" shall be
interpreted as references to the Swiss DPA;
references to specific Articles of "Regulation (EU)
2016/679" shall be replaced with the equivalent article
or section of the Swiss DPA;
references to "EU", "Union" and
"Member State" shall be replaced with references
to "Switzerland";
Clause 13(a) and Part C of Annex II shall not be used and
the "competent supervisory authority" shall be the
Swiss Federal Data Protection and Information Commissioner;
references to the "competent supervisory
authority" and "competent courts" shall be
replaced with references to the "Swiss Federal Data
Protection and Information Commissioner" and
"applicable courts of Switzerland";
in Clause 17, the SCCs shall be governed by the laws of
Switzerland;
in Clause 18(b), disputes shall be resolved before the
courts of Switzerland; and
the SCCs shall also protect the data of legal entities
until the entry into force of the revised Swiss Federal Data
Protection Act.
Additional Measures.
Vendor agrees to implement and maintain any additional
contractual, technical or organisational measures to supplement
the safeguards under the SCCs which are required from time to
time by Customer or the Third Party Controller in order to
protect the European Data, so long as such safeguards are
consistent with requirements under European Data Protection Law.
If Vendor is unable to implement and maintain such supplementary
measures, Customer may immediately terminate the Agreement (in
whole or in part) without penalty.
Alternative Transfer Mechanism.
Vendor shall promptly notify Customer in the event that a data
protection authority and/or Applicable Data Protection Law no longer
permits the lawful transfer of Personal Data to Vendor pursuant to
the terms of this DPA and/or requires that the parties adopt an
alternative transfer solution that complies with Applicable Data
Protection Law, then without prejudice to any other right or remedy
available to Customer, Vendor shall work with Customer and promptly
take all reasonable and appropriate steps Customer may deem
necessary to ensure such processing or transfer is in compliance
with Applicable Data Protection Law.
Deletion & Return of Data
Deletion & Return. Upon
Customer's request, or upon termination or expiry of this DPA or
Agreement, whichever happens first, Vendor shall (and shall procure
that any Sub-processor shall): (a) securely destroy (upon written
instructions of Customer) or return to Customer all Personal Data
(including copies) in its possession or control (including any
Personal Data processed by its Sub-processors and in back-up) in
accordance with Schedule 1 of this DPA. This requirement shall not
apply to the extent that Vendor is required by any applicable law to
retain some or all of the Personal Data, in which event Vendor
shall, on an ongoing basis, isolate and protect the security and
confidentiality of such Personal Data and prevent any further
processing except to the extent required by such law and shall
destroy or return to Customer all other Personal Data; and/or
(b) immediately cease processing all Personal Data.
Limitation of Liability
Limitation of Liability. This
DPA is fully subject to any limitations of liability set forth in
the Agreement. Notwithstanding the foregoing, nothing in this DPA is
intended to limit the parties’ direct liability towards data
subjects or applicable supervisory data protection authorities where
such liability cannot be limited by applicable law.
General
Disclosures. Vendor
acknowledges that Customer may disclose this DPA and any relevant
privacy provisions in the Agreement to the US Department of
Commerce, the Federal Trade Commission, any European data protection
authority, or any other US or EU judicial or regulatory body upon
their request.
Survival. The obligations
placed upon the Vendor under this DPA (including, to the extent
applicable, the Standard Contractual Clauses) shall survive so long
as Vendor and/or its Sub-processors process Personal Data on behalf
of Customer. The provisions contained in this DPA and its
attachments, exhibits and schedules that by their context are
intended to survive termination or expiration will survive. The
accrued rights and liabilities of the parties, as well as any
express or implied obligations of the parties shall survive
termination of this DPA.
Governing Law. This DPA is
governed by the law which governs the Agreement and any dispute
between the parties is to be handled as set out in the Agreement,
unless required otherwise by Applicable Data Protection Law or the
Standard Contractual Clauses.
Order of Precedence. It is
not the intention of either party to contradict or restrict any of
the provisions set forth in the SCCs and, accordingly, if and to the
extent the SCCs conflict with any provision of the Agreement
(including this DPA), the SCCs shall prevail to the extent of such
conflict.
Modifications. This DPA may
not be modified except by a subsequent written instrument signed by
both parties.
Severability. If any part of
this DPA is held unenforceable, the DPA will be interpreted with the
unenforceable portion of the DPA deleted, and the validity of all
remaining parts will not be affected.
Conflicts. Except for the
changes made by this DPA, the Agreement remains unchanged and in
full force and effect. In the event of any conflict between this DPA
and any data privacy provisions set out in any Agreement, the
parties agree that the terms of this DPA shall prevail.
Customer Entities. Each
corporate entity of Customer has the right to enforce all the
provisions of this DPA.
IN WITNESS WHEREOF, the parties have caused this DPA to be executed by
their authorized representative effective as at the last date given below.
[Customer Entity]
[VENDOR]
By: ________________________________
By: ________________________________
Name: _____________________________
Name: _____________________________
Title: _______________________________
Title: ______________________________
Date: _______________________________
Date: _____________________________
SCHEDULE 1 (C2P AND P2P TRANSFERS)
Description of Processing Activities / Transfer
Annex 1(A) List of Parties:
Data Exporter
Name: Customer
Address:
Contact person's name, position and contact details: Legal Department, privacy@Customer.com
Activities relevant to the transfer: See Annex 1(B) below
Role: Controller or processor
Data Importer
Name: Vendor is the party identified as the Vendor in the Agreement and this DPA
Address: As set out in the Agreement
Contact person's name, position and contact details: [complete]
Activities relevant to the transfer: See Annex 1(B) below
Role: Processor
Annex 1(B) Description of transfer:
Description
Categories of data subjects:
Employees – past, present, potential, and future staff
(including volunteers, agents, interns, and temporary workers)
of Customer
Spouses and dependents – past, present, potential, and
future spouses and dependents of employees of Customer
Business partners, suppliers and vendors – past, present,
potential and future advisors, consultants, suppliers,
contractors, subcontractors, and other professionals engaged by
Customer and related staff
Customers – past, present, potential, and future business
customers of Customer
Customer Contacts – past, present, potential, and future
subscribers and other contacts of Customer's customers
Visitors – past, present, potential, and future
prospects, customers, or others who visit Customer online
properties
Other – please specify:
Categories of personal data:
Customer's customer data (name, username, email address, online
identifiers such as IP address)
Customer's Customer Contact data (email addresses, device
identifiers)
Customer's Employee data (job title, company name, grade,
geographic location, employee performance and evaluation data,
discipline information, previous roles, benefits information
such as leave requests, health insurance company)
Customer's Employee IT information (account or portal log-on
and/or registration details, usage data, location data)
Other – please specify:
Sensitive data:
Yes
No
If yes, please specify:
If sensitive data, the applied restrictions or
safeguards
N/A
See Schedule 3 for applied restrictions and safeguards
Frequency of the transfer:
Continuous
One-off
The transfer may occur on a continuous or one-off basis
depending on the Services provided by Vendor.
Purpose, nature and subject matter of processing:
Vendor is a processor or sub-processor to Customer and will
Process Personal Data as necessary to perform the Services
pursuant to the Agreement and as further instructed by Customer
in its use of the Services.
Duration of the processing:
The duration of the data processing under this DPA is until the
termination of the Agreement in accordance with its terms plus
the period from the expiry of the Agreement until deletion of
the Personal Data in accordance with the terms of the Agreement
and the DPA.
Retention period (or, if not possible to determine, the
criteria used to determine that period):
Upon Customer's request, or upon termination or expiry of
this DPA or the Agreement, whichever happens first, Vendor shall
(and shall procure that any Sub-processor shall) securely
destroy all Personal Data (including any Personal Data processed
by its Sub-processors, copies and any back-ups) in its
possession or control in accordance with the Agreement and the
DPA (or upon written instructions of Customer), save that this
requirement shall not apply to the extent Vendor is required by
applicable law to retain some or all of the Personal Data, which
data Vendor shall securely isolate and protect and prevent any
further processing and destroy in accordance with applicable
law.
Annex 1(C) Competent supervisory authority:
The competent supervisory authority, in accordance with Clause 13 of the
SCCs will be determined in accordance with European Data Protection
Law.
SCHEDULE 1 (C2C TRANSFERS)
Description of Processing Activities / Transfer
Annex 1(A) List of Parties:
Data Exporter
Name: Customer
Address:
Contact person's name, position and contact details: Legal Department, privacy@Customer.com
Activities relevant to the transfer: See Annex 1(B) below
Role: Controller
Data Importer
Name: Vendor is the party identified as the Vendor in the Agreement and this DPA.
Address: As set out in the Agreement
Contact person's name, position and contact details: [complete]
Activities relevant to the transfer: See Annex 1(B) below
Role: Controller
Annex 1(B) Description of Transfer:
Description
Categories of data subjects:
Employees – past, present, potential, and future staff
(including volunteers, agents, interns, and temporary workers)
of Customer
Spouses and dependents – past, present, potential, and
future spouses and dependents of employees of Customer
Business partners, suppliers and vendors – past, present,
potential and future advisors, consultants, suppliers,
contractors, subcontractors, and other professionals engaged by
Customer and related staff
Customers – past, present, potential, and future business
customers of Customer
Customer Contacts – past, present, potential, and future
subscribers and other contacts of Customer's customers
Visitors – past, present, potential, and future
prospects, customers, or others who visit Customer online
properties
Other – please specify:
Categories of personal data:
Customer's customer data (name, username, email address, online
identifiers such as IP address)
Customer's Customer Contact data (email addresses, device
identifiers)
Customer's Employee data (job title, company name, grade,
geographic location, employee performance and evaluation data,
discipline information, previous roles, benefits information
such as leave requests, health insurance company)
Customer's Employee IT information (account or portal log-on
and/or registration details, usage data, location data)
Other – please specify:
Sensitive data:
Yes
No
If yes, please specify:
If sensitive data, the applied restrictions or
safeguards
N/A
See Schedule 3 for applied restrictions and safeguards
Frequency of the transfer:
Continuous
One-off
The transfer may occur on a continuous or one-off basis
depending on the Services provided by Vendor.
Purpose, nature and subject matter of processing:
Only as described in Section 3.2.2 of this DPA.
Retention period (or, if not possible to determine, the
criteria used to determine that period):
Vendor will not, and will not permit any third party to, retain
the Personal Data for longer than the period during which Vendor
has a legitimate need to retain the Personal Data in accordance
with the DPA and in compliance with Applicable Data Protection
Law.
Annex 1(C) Competent supervisory authority:
The competent supervisory authority, in accordance with Clause 13 of the
SCCs will be determined in accordance with European Data Protection
Law.
SCHEDULE 3
Technical and Organizational Measures
Vendor shall implement the following minimum technical and organizational
measures (including any relevant certifications) to ensure an appropriate
level of security taking into account the nature, scope, context and
purposes of the processing, and the risks for the rights and freedoms of
natural persons:
Type of measure / Implemented measure
1. Measures of encryption of personal data
Implemented measure: [complete]
2. Measures for ensuring ongoing confidentiality, integrity and
resilience of processing systems and services
Implemented measure: [complete]
3. Measures for ensuring the ability to restore the
availability and access to personal data in a timely manner in
the event of a physical or technical incident
Implemented measure: [complete]
4. Processes for regularly testing, assessing and evaluating
the effectiveness of technical and organisational measures in
order to ensure the security of the processing
Implemented measure: [complete]
5. Measures for user identification and authorisation
Implemented measure: [complete]
6. Measures for the protection of data during storage
Implemented measure: [complete]
7. Measures for ensuring physical security of locations at
which personal data are processed
Implemented measure: [complete]
8. Measures for ensuring events logging
Implemented measure: [complete]
9. Measures for ensuring system configuration, including
default configuration
Implemented measure: [complete]
10. Measures for internal IT and IT security governance and
management
Implemented measure: [complete]
11. Measures for certification/assurance of processes and
products
Implemented measure: [complete]
12. Measures for ensuring data minimisation and
accountability
Implemented measure: [complete]
13. Measures for ensuring data quality
Implemented measure: [complete]
14. Measures for ensuring limited data retention
Implemented measure: [complete]
15. Measures for allowing data portability and ensuring
erasure
Implemented measure: [complete]
SCHEDULE 4
List of Vendor's Sub-processors
[Vendor to list all Sub-processors here (including any and all Vendor
affiliates accessing/processing the Personal Data).]
Name (full legal name)
Description of processing:
Place of processing:
SCHEDULE 5
UK Addendum
This Schedule 5 forms part of this DPA and applies in accordance with
Section 8.3.3 (UK Transfer Mechanism) of the DPA.
Start Date: The date of the Agreement
Parties
Exporter
Name: Customer, Inc. ("Customer")
Address:
Contact person's name, position and contact details:
Legal Department, privacy@Customer.com
Importer
Name: The entity identified as the Vendor in the Agreement and
this DPA
Address: As set out in the Contract(s) and this DPA
Contact person's name, position and contact details:
[complete]
Addendum SCCs: The Approved SCCs, including the Appendix Information and with
only the following modules, clauses or optional provisions of the
Approved SCCs brought into effect for the purposes of this
Addendum: See Section 8.3.3 of the DPA
Appendix Information: See Schedules 1 and 2 to this DPA
Ending this Addendum when the Approved Addendum changes: Neither Party
Mandatory Clauses: Part 2: Mandatory Clauses of the UK Addendum, as it is revised
under Section 18 of those Mandatory Clauses