AODocs Data Processing Agreement

Last update: 28 May 2024

  1. The customer agreeing to these terms (“Customer”), and Altirnao Inc. (“Supplier”), have entered into an agreement under which Supplier has agreed to provide certain Services, which may be amended from time to time (the “Agreement“).
  2. This Data Processing Agreement and its appendices (the “DPA”), which is between Supplier and Customer (each, a “Party”, and together, “the Parties”), forms part of the Agreement and is the Parties’ agreement related to Supplier’s processing of Customer Personal Data. This DPA might be updated from time to time and will be effective and replace any previously applicable data processing agreement as from the Effective Date (as defined below). To the extent of any conflict or inconsistency between the terms of this DPA and the remainder of the Agreement, the terms of this DPA will govern. Definitions are provided in Section 27.
  3. The Parties acknowledge and agree that (a) under the Data Protection Legislation, Supplier is a Data Processor of Customer Personal Data listed in Appendix 1, (b) Customer subscribing to Supplier’s Services may be a Data Controller or Data Processor, as applicable, of Customer Personal Data and (c) each Party will comply with the obligations applicable to it under the Data Protection Legislation with respect to the Processing of that Customer Personal Data. However, Supplier is not responsible for compliance with any laws or regulations applicable to Customer or Customer’s industry. Supplier is not responsible for determining whether Customer’s data includes information subject to any specific law or regulation.
  4. Details on categories of data processed and data subjects concerned, Processing operations, location of Processing, and purpose and duration of Processing are provided in Appendix 1.
  5. Duration. This DPA will take effect on the Effective Date and, notwithstanding expiry of the Term, remains in effect until, and automatically expire upon, deletion of all Customer Personal Data by Supplier as described in this DPA.
  6. Scope. The Parties acknowledge and agree that the Data Protection Legislation will apply to the Processing of Customer Personal Data if: (a) the Processing is carried out in the context of the activities of an establishment of Customer in the territory of the EEA/Switzerland/ the United Kingdom; and/or (b) the Customer Personal Data relates to Data Subjects who are in the EEA/ Switzerland/ the United Kingdom and the Processing relates to the offering of goods or services in the EEA/ Switzerland/ the United Kingdom or the monitoring of their behaviour in the EEA/ Switzerland/ the United Kingdom.
  7. Non-European Data Protection Legislation. The Parties acknowledge and agree that Non-European Data Protection Legislation may also apply to the Processing of Customer Personal Data. Except to the extent this DPA states otherwise, the terms of this DPA will apply irrespective of whether the  Data Protection Legislation or Non-European Data Protection Legislation applies to the Processing of Customer Personal Data by Supplier. If Non-European Data Protection Legislation applies to either Party’s Processing of Customer Personal Data, the Parties acknowledge and agree that the relevant Party will comply with any obligations applicable to it under that legislation with respect to the Processing of that Customer Personal Data.
  8. Third-party Data Controller. If the Data Protection Legislation applies to the Processing of Customer Personal Data and Customer is a Data Processor acting under the instructions of a third-party Data Controller, Customer warrants to Supplier that Customer’s instructions and actions with respect to that Customer Personal Data, including its appointment as Data Processor  have been authorized by the Third Party Data Controller and shall provide evidence thereof.
  9. Customer’s Instructions. By entering into this DPA, Customer instructs Supplier to Process Customer Personal Data only in accordance with the Data Protection Legislation and/or Non-European Data Protection Legislation, as applicable: (a) to provide the Services and related technical support and analytics; (b) as further specified by Customer or required by Customer’s use of the Services and related technical support; (c) as documented in the form of the Agreement, including this DPA; and (d) as further documented in any other legitimate and written instructions given by Customer and acknowledged by Supplier as constituting instructions for purposes of this DPA. As from the Effective Date, Supplier will comply with the Customer’s instructions provided in this Section, including with regard to Personal Data transfers, in accordance with Section 21. Supplier shall not process, transfer, modify, amend or alter Customer Personal Data or disclose or permit the disclosure of the Customer Personal Data to any third-party other than in accordance with the Customer’s instructions (whether in the Agreement or otherwise) unless (i) EU law or EU Member State law to which Processor is subject requires other Processing of Customer Personal Data by Supplier, in which case Supplier will inform Customer prior to implement the Processing (unless that law prohibits Processor from doing so on important grounds of public interest) via the Notification Email Address or (ii) a law enforcement authority requires disclosure of Customer Personal Data by Supplier, in which case Supplier agrees to inform the Customer of any notice, inquiry or investigation by such Supervisory Authority with respect to Customer Personal Data. Supplier also agrees to immediately inform the Customer if, in its opinion, an instruction infringes the applicable Data Protection Legislation. Customer represents, warrants and covenants that it has and shall maintain throughout the term all necessary rights, consents and authorizations to provide the Customer Data to Supplier and to authorize Supplier to use, disclose, retain and otherwise process that Customer Data as contemplated by this DPA.
  10. Deletion During Term. Supplier will enable Customer to delete Customer Personal Data during the Term in a manner consistent with the functionality of the Services. If Customer or an End User uses the Services to delete any Customer Personal Data during the Term and the Customer Personal Data cannot be recovered by Customer or an End User, this use will constitute a Customer’s Instruction to Supplier to delete the relevant Customer Personal Data from Supplier’s Systems in accordance with applicable Data Protection Legislation. Supplier will comply with this instruction as soon as reasonably practicable and within a maximum period of ninety (90) days, unless EU or EU Member State law requires or justifies that such Customer Personal Data be retained by Supplier for a longer period of time. By way of exception, Supplier and/or its Subprocessors may continue to process information derived from Customer Data that has been aggregated or stored in a manner that does not identify individuals or customers to improve Supplier and/or its Subprocessors’ systems and services.
  11. Deletion on Term Expiry. Subject to Section 12 (Deferred Deletion Instructions), upon expiry of the Term, Customer shall instruct Supplier to delete all Customer Personal Data (including existing copies) from Supplier’s Systems in accordance with applicable Data Protection Legislation. Processor will comply with this Instruction as soon as reasonably practicable and within a maximum period of 90 days, unless EU or EU Member State law requires or justifies that such Customer Personal Data be retained by Processor for a longer period of time. Without prejudice to Section 20 (Data Subjects Rights and Requests) Customer acknowledges and agrees that Customer will be responsible for exporting, before the Term expires, any Customer Data it wishes to retain afterwards. By way of exception, Supplier and/or its Subprocessors may continue to process information derived from Customer Data that has been aggregated or stored in a manner that does not identify individuals or customers to improve Supplier and/or its Subprocessors’ systems and services.
  12. Deferred Deletion Instruction. To the extent any Customer Personal Data covered by the deletion instruction described in Section 11 (Deletion on Term Expiry) is also processed, when the Term under Section 11 expires, in relation to an agreement between Customer and Supplier having a continuing Term, such deletion instruction will only take effect with respect to such Customer Personal Data when the continuing Term expires. For clarity, in the event of a Deferred Deletion Instruction, this DPA will continue to apply to such Customer Personal Data until its deletion by Supplier.
  13. Supplier Security Measure. Supplier will implement and maintain technical and organizational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access as described in Appendix 2 (the “Security Measures”). As described in Appendix 2, the Security Measures include measures to help ensure ongoing confidentiality, integrity, availability and resilience of Supplier’s Systems, restore timely access to Customer Personal Data following a Data Incident and regular testing of effectiveness. Supplier may update or modify the Security Measures in Appendix 2 from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services or Supplier’s Systems. Customer acknowledges that Customer Data will be hosted in a Third-Party Service Provider data centers, by Third-Party Service Provider and/or one or more of its affiliated entities (collectively, “Third-Party Service Providers”) (and not by the Supplier) and, as a consequence, that most of the technical and organisational security measures relating to the Customer Personal Data (as notably referred to in Appendix 2) will be provided by the applicable Third-Party Service Provider under its own liability. Accordingly, and notwithstanding any other provision in the Agreement, the Supplier disclaims any and all responsibility in relation to any acts and/or omission of Third-Party Service Provider, including notably (without limitation) for such Third-Party Service Provider’s technical and organisational security measures as listed for information purposes only and without any representation in Appendix 2. Customer agrees to disclaim Supplier’s liability, in the event of any non-compliance of the Third-Party Service Provider under the applicable agreement.
  14. Security Compliance by Processor. Supplier will take appropriate steps to ensure compliance with the Security Measures by its employees, contractors, agents and Subprocessors to the extent applicable to their scope of performance, including ensuring that all persons authorized to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and that such personnel has undertaken appropriate training in accordance with the Data Protection Legislation.
  15. Processor Security Assistance. Customer agrees that Supplier will (taking into account the nature of the Processing of Customer Personal Data and the information available to Supplier) assist Customer in ensuring compliance with Customer’s obligations in respect of security of Customer Personal Data and Customer Personal Data breaches, in particular in the event of a Data Incident, including if applicable Customer’s obligations pursuant to Articles 32 to 34 (inclusive) of the GDPR, by: (a) implementing and maintaining the Security Measures in accordance with Section 13 (Supplier’s Security Measures); (b) complying with the terms of Section 16 (Data Incidents).
  16. Data Incidents. If Supplier becomes aware of a Data Incident, Supplier will: (a) notify Customer of the Data Incident promptly and without undue delay; and (b) promptly take reasonable steps to minimize harm and secure Customer Personal Data. Notifications will describe, to the extent possible, details of the Data Incident, including steps taken to mitigate the potential risks and steps Supplier recommends Customer to take to address the Data Incident. Notification(s) of any Data Incident(s) will be delivered to the Notification Email Address or, at Supplier’s discretion, by direct communication (for example, by phone call or an in-person meeting). Customer is solely responsible for ensuring that the Notification Email Address is current and valid at any time. Supplier will not assess the contents of Customer Data in order to identify information subject to any specific legal requirements. Customer is solely responsible for complying with notification obligations provided by Data Protection Legislation or Non-European Data Protection Legislation, as applicable to Customer, and fulfilling any third party notification obligations related to any Data Incident(s). Supplier’s notification of or response to a Data Incident under this Section 16 (Data Incidents) will not be construed as an acknowledgement by Supplier of any fault or liability with respect to the Data Incident. Customer must notify Supplier promptly about any possible misuse of its accounts or authentication credentials or any Data Incident related to the Services.
  17. Customer’s Security Responsibilities and Assessment. Customer agrees that, without prejudice to Supplier’s obligations under Sections 13-15 (Supplier’s Security Measures, Security Compliance by Processor, Processor Security Assistance) and Section 16 (Data Incidents): (a) Customer is solely responsible for its use of the Services, including: (i) making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of the Customer Data; (ii) securing the account authentication credentials, systems and devices Customer uses to access the Services; and (iii) backing up Customer Data; and (b) Supplier has no obligation to protect Customer Data that Customer elects to store or transfer outside of Processor’s and its Subprocessors’ systems (for example, offline or on-premise storage, or Customer’s Third-Party Service Provider). Customer is solely responsible for evaluating whether the Services, the Security Measures and Supplier’s commitments under Sections 13-17 meet Customer’s needs, including with respect to any security obligations of Customer under the Data Protection Legislation and/or Non-European Data Protection Legislation, as applicable. Customer acknowledges and agrees that (taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the Processing of Customer Personal Data as well as the risks to individuals) the Security Measures implemented and maintained by Supplier as set out in Section 13 (Supplier’s Security Measures) and Appendix 2 provide a level of security appropriate to the risk in respect of the Customer Data. Customer is responsible for implementing and maintaining privacy protections and security measures for components that Customer provides and/or controls.
  18. Audits of compliance. If the Data Protection Legislation applies to the Processing of Customer Personal Data, and to the extent Customer’s audit requirements under the Data Protection Legislation cannot reasonably be satisfied through audit reports, documentation or compliance information Supplier makes generally available to its customers, Supplier will allow Customer or an independent auditor appointed by Customer to conduct audits (including inspections), no more than once per calendar year, on at least thirty (30) days’ written notice to Supplier, to verify Supplier’s compliance with its obligations relating to Customer Personal Data under this DPA. Supplier will contribute to such audits as described in this Section 18 (Audits of Compliance). If Customer decides to conduct an audit as described above, then Customer shall bear all costs and expenses connected therewith, including but not limited to the auditors’ fees, costs of transport, legal fees. If Customer has entered into SCCs as described in Section 21 (Personal Data Transfer), Supplier will, without prejudice to any audit rights of a Supervisory Authority under such SCCs, allow Customer or an independent auditor appointed by Customer to conduct audits as described in the SCCs. In any event, any audit mandated by Customer pursuant to this Section 18 shall not impair or otherwise trouble Supplier’s usual course of business.
  19. Impact Assessments and Consultations. Customer agrees that Supplier will (taking into account the nature of the Processing and the information available to Processor) provide Customer with reasonable assistance in ensuring compliance with any obligations of Customer relating to Customer Personal Data in respect of data protection impact assessments and prior consultation, including if applicable Customer’s obligations pursuant to Articles 35 and 36 of the GDPR, to the extent necessary information is available to Supplier.
  20. Data Subject Rights and Requests. During the Term, Supplier will, in a manner consistent with the functionality of the Services, enable Customer to access, rectify and restrict Processing of Customer Personal Data, or erase Customer Personal Data, as applicable, including via the deletion functionality provided by Supplier as described in Section 10 (Deletion During Term), and to export Customer Personal Data, as required by Data Protection Legislation and/or Non-European Data Protection Legislation, as applicable. During the Term, if Supplier receives any request from a Data Subject in relation to Customer Personal Data, Supplier will advise the Data Subject to submit his/her request to Customer or directly report such request to Customer using the Notification Email Address or any other communication channel, and Customer will be responsible for responding to any such request including, where necessary, by using the functionality of the Services. Customer agrees that (taking into account the nature of the Processing of Customer Personal Data) Supplier will provide Customer with reasonable assistance in fulfilling any obligation to respond to requests by Data Subjects, including if applicable Customer’s obligation to respond to requests for exercising the Data Subject’s rights laid down in Chapter III of the GDPR, by complying with the commitments set out in this Section 20, to the extent Supplier is able to respond to such requests. Customer shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Supplier.
  21. Personal Data Transfer. Customer acknowledges and agrees that Supplier may, subject to this Section 21 (Personal Data Transfer), store and process Customer Data in the United States and any other country outside the EEA in which Supplier or Subprocessors maintain facilities. If the storage and/or Processing of Customer Personal Data involves a Restricted Transfer, Supplier and Customer hereby agree to enter into the applicable SCCs enclosed in Appendix 4 or Appendix 5, as applicableand such terms are hereby incorporated by reference into this DPA. To the extent there is any conflict between any term of the SCCs and any other part of this DPA or the Agreement, the term of the SCCs shall prevail. Any Restricted Transfers shall be made in accordance with such SCCs. Supplier will impose under a written agreement the same obligations on the Subprocessors, if any, as are imposed on the Processor under this DPA and the SCCs. Where the Subprocessor fails to fulfill its data protection obligations under such written agreement, the Supplier shall remain fully liable to the Customer for the performance of the Subprocessor’s obligations under such agreement. In addition, where provision of the Services involves a Restricted Transfer from the Supplier to a Subprocessor located outside EU, Customer (on behalf of itself and its relevant Affiliates) mandates Supplier, which mandate Supplier hereby accepts, to promptly enter, on Customer’s own name and behalf as Data Exporter (Subprocessor being the Data Importer), into a Personal Data processing agreement with any Subprocessor engaged by Supplier in such Restricted Transfer, before such Subprocessor first Processes Customer Personal Data, so as to ensure that any such Restricted Transfer complies with the Data Protection Legislation. Such Personal Data processing agreement shall (a) meet the conditions set out in Article 28 of the GDPR and offer at least the same level of protection for Customer Personal Data as those set out in this DPA and (b) incorporate SCCs. When Supplier uses Third Party Service Provider cloud platform to host and/or provide the Services, information about the locations of Supplier’s Third Party Service Providers’ data centers is available at the Third Party Service Providers’ pages specifying servers locations and may be updated by the Third Party Service Provider from time to time. If Customer has entered into SCCs as described in this Section 21 (Personal Data Transfer), Supplier will, notwithstanding any term to the contrary in the Agreement, ensure that any disclosure of Customer Personal Data, and any notifications relating to any such disclosures, will be made in accordance with such SCCs. If, at any time, a Supervisory Authority or a court with competent jurisdiction over a Party mandates that transfers from Controllers and/or Processors in the EU or the UK to Processors established outside the EU or the UK must be subject to specific additional safeguards (including but not limited to specific technical and organisational measures), the Parties shall work together in good faith to implement such safeguards and ensure that any transfer of Customer Personal Data is conducted with the benefit of such additional safeguards. In the same manner, if any Supervisory Authority adopts revised standard contractual clauses for the matters addressed in this DPA and Customer notifies Supplier that it wishes to incorporate any element of those standard contractual clauses into this DPA, Supplier and Customer may agree to amend this DPA to incorporate any proposed changes as reasonably required by the newly adopted standard contractual clauses. In the event that the SCCs enclosed in Appendix 4 and Appendix 5 are deemed to no longer be a valid transfer mechanism to legitimise Restricted Transfers, Supplier and Customer may agree to amend this DPA in order to establish a legitimate transfer of Customer Personal Data outside the EEA. For clarity, Supplier does not control or limit the regions from which Customer or Customer’s End Users may access or move Customer Data.
  22. Subprocessors. Customer hereby specifically authorizes the engagement of Supplier’s Affiliates as Subprocessors pursuant to the Agreement and for the Term. In addition, Customer hereby generally authorizes the engagement of any other third parties as Subprocessors (“Third Party  Subprocessors”), subject to Supplier’s compliance with this Section 22. Customer hereby authorizes all Subprocessors listed in Appendix 3, as applicable. If Customer has entered into SCCs as described in Section 21 (Personal Data Transfer), the above authorizations will constitute Customer’s prior written consent to the subcontracting by Supplier of the Processing of Customer Personal Data if such consent is required under the SCCs and Data Protection Legislation and/or Non-European Data Protection Legislation, as applicable. Information about Subprocessors is available in Appendix 3 and may be updated by Supplier from time to time in accordance with this DPA. Subject to the remaining provisions of the Agreement, including this DPA, when engaging any Subprocessor, Supplier will: (a) ensure via a written legal instrument or contract that: (i) the Subprocessor only accesses and processes Customer Personal Data to the extent required to perform the obligations subcontracted to it, and does so in accordance with the Agreement (including this DPA) and any SCCs entered into as described in Section 21 (Personal Data Transfer), as applicable; and (ii) if the GDPR applies to the Processing of Customer Personal Data, the data protection obligations set out in Article 28(3) of the GDPR, as described in this DPA, are mandated by said legal instrument or contract on the Subprocessor; and (b) remain fully liable for all obligations subcontracted to, and all acts and omissions of the Subprocessor only with respect to the Processing of Customer Personal Data. When any Third-Party Subprocessor not listed in Appendix 3 at the Effective Date is engaged during the Term, Supplier will, at least thirty (30) days before the new Third-Party Subprocessor processes any Customer Personal Data, inform Customer of the engagement (including the name and location of the relevant Third-Party Subprocessor and the activities it will perform) by sending an email to the Notification Email Address. Customer may object to any new Third-Party Subprocessor by terminating the Agreement immediately upon written notice to Supplier, provided that Customer sends such notice within thirty (30) days of being informed of the engagement of the Third-Party Subprocessor. This termination right is Customer’s sole and exclusive remedy if Customer objects to any new Third-Party Subprocessor.
  23. Processing Records. Customer acknowledges that Supplier is required under the GDPR to: (a) collect and maintain records of certain information, including the name and contact details of any Data Processor and/or Data Controller on behalf of which Processor is acting and, where applicable, of such Data Processor’s or Data Controller’s local representative and data protection officer, as well as the categories of Processing carried out on behalf of each Data Controller, where possible a general description of the technical and organisational security measures; and (b) make such information available to the Supervisory Authorities. Customer represents and warrants that Customer will supply such information to Supplier and keep it accurate and up-to-date.
  24. California Consumer Privacy Act (CCPA). To the extent that the CCPA applies to the collection, retention, use, and disclosure of Customer’s Personal Information (as defined in the CCPA) to provide the Services to Customer pursuant to the Agreement, the Parties acknowledge and agree that Supplier does not receive any Personal Information from Customer (“Customer Personal Information”) as consideration for the Services or other items provided by Supplier to Customer. Except as expressly set forth in the Agreement, Supplier shall not (a) have, derive or exercise any rights or benefits regarding Customer Personal Information, (b) Sell Customer Personal Information, or (c) collect, retain, share or use Customer Personal Information except as necessary for the sole purpose of performing the Services or as otherwise permitted under the CCPA. Supplier agrees to refrain from taking any action that would cause any transfers of Customer Personal Information, either to Supplier or from Supplier, to qualify as a Sale of Personal Information under the CCPA. Supplier understands and will comply with the restrictions set forth in this Section and the applicable requirements of the CCPA. For the purposes of this Section, Supplier is a Service Provider and the terms “Personal Information”, “Sell”, “Sale”, and “Service Provider” shall have the same meaning as in the CCPA. If any US authority adopts revised CCPA provisions for the matters addressed in this DPA and Customer notifies Supplier that it wishes to incorporate any element of those revised provisions into this DPA, Supplier and Customer may agree to amend this DPA to incorporate any proposed changes as reasonably required by the newly adopted provisions.
  25. Agreed Liability Limitation. Supplier’s liability for breach of any terms and conditions under this DPA, including non-compliance with Data Protection Legislation, shall be subject to the liability limitations and exclusions agreed in the Agreement to which this DPA is part.
  26. Miscellaneous.
  27. Neither the rights nor the obligations of any Party may be assigned in whole or in part without the prior written consent of the other Party, provided, however, that this DPA may be transferred or assigned in the event of a restructuring or change of control affecting a Party hereto.
  28. In the event of any dispute arising between the Parties in connection with this DPA, the Parties shall negotiate in good faith to resolve their dispute. If the dispute cannot be resolved by good faith negotiations by the Parties, both parties hereby irrevocably submit any disputes under this DPA to the jurisdiction of the courts located in Luxembourg, Luxembourg.
  29. This DPA is governed by the laws of Luxembourg, without reference to its rules governing conflicts of laws.
  30. Should any provision of this DPA be deemed invalid or unenforceable by a competent court, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
  31. Any amendments to this DPA shall be made in writing, otherwise being null and void.
  32. Definitions. Capitalized terms used but not defined in this DPA have the meanings given in the Agreement. In this DPA, unless stated otherwise:
    “Affiliate” means any entity controlling, controlled by, or under common control with a Party, where “control” is defined as: (a) the ownership of at least fifty percent (50%) of the equity or beneficial interests of the entity; (b) the right to vote for or appoint a majority of the board of directors or other governing body of the entity; or (c) the power to exercise a controlling influence over the management or policies of the entity.

    Agreement” means the Services Agreement entered into between the Supplier and the Customer for the provision of Services by the Supplier to Customer.

    Customer Data” means data submitted, stored, sent or received via the Services by Customer, its Affiliates or End Users. Customer Data may also include Personal Data sent or otherwise made available by Customer to Supplier and/or Supplier’s Affiliates where Customer uses Supplier Affiliates Solutions.

    Customer Personal Data” means Personal Data contained within the Customer Data, as described in Appendix 1.

    Data Incident” means a breach of Supplier’s security measures leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data on systems managed by or otherwise controlled by Supplier. “Data Incidents” will not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

    Data Protection Legislation” means, as applicable: (a) the GDPR; and/or (b) the Federal Data Protection Act of 25 September 2020 (Switzerland); and/or (c) the applicable data protection laws of the United Kingdom, as well as any data protection laws substantially amending, replacing or superseding the GDPR, the Federal Data Protection Act of Switzerland, the applicable data protection laws of the United Kingdom and/or other applicable European Union Member state domestic data protection or national/federal or state/provincial privacy legislation in force, including where applicable, statutes, decisions, guidelines, guidance notes, codes of practice, codes of conduct and data protection certification mechanisms issued from time to time by competent court or Supervisory Authority, relating to the Processing of personal data and privacy.

    Effective Date” means the date on which Customer and Supplier agreed to this DPA.

    EEA” means the European Economic Area as well as, for the purposes of this DPA, Switzerland and the United Kingdom.

    End User” means natural persons authorized by Customer to access or use the Services, including Customer and Customer’s Affiliate personnel, employee, agent or contractor.

    GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

    Non-European Data Protection Legislation” means any national/federal or state/provincial/emirate data protection or privacy legislation, other than the Data Protection Legislation.

    Notification Email Address(es)” means the email address(es) designated by Customer to receive certain notifications from Supplier.

    Restricted Transfer” means (a) a transfer of Customer Personal Data from Customer to Supplier or Subprocessor, or (b) an onward transfer of Customer Personal Data from Supplier or Subprocessor to (or between two establishments of) Supplier or Subprocessor, in each case, being a transfer to a country outside the EEA, where such transfer would be prohibited by Data Protection Legislation in the absence of SCCs or other legal instruments required by Data Protection Legislation.

    Standard Contractual Clauses” or “SCCs” means the standard data protection clauses for the transfer of personal data to third countries located outside EEA which do not ensure an adequate level of data protection, as (i) approved by the European Commission in the Implementing Decision (EU) 2021/914 of 4 June 2021 “on standard contractual clauses for the transfer of personal data to third countries pursuant to GDPR” for Restricted Transfers related to EU data subjects, as amended, replaced or superseded by any set of clauses approved by the European Commission, and as (ii) issued by the Information Commissioner’s Office in accordance with S119A(1) of the Data Protection Act 2018 for Restricted Transfers related to UK data subjects and approved by the UK Parliament. The SCCs are enclosed as Appendix 4 for Restricted Transfers related to EU data subjects and enclosed in Appendix 5 for Restricted Transfers related to UK data subjects. Both appendices are part of this DPA when applicable.

    Supplier’s Systems” means the computing and storage infrastructure contracted by Supplier to run the Services and to store the Customer Data. For the avoidance of doubt, Supplier’s Systems do not include Third-Party Service Provider Solution used by Customer and contracted by Customer, nor any of the Third Party Offerings.

    Subprocessor(s)” means third parties authorized by Processor under this DPA to have logical access to and process Customer Data on behalf of Customer in order to provide parts of the Services and related technical support, including Supplier’s Affiliates.

    Security Measures” has the meaning given in Section 13 (Supplier Security Measures).

    Services” means the services that have been purchased by the Customer pursuant to the Agreement and any applicable Order Form and/or Statement of Work, which may include AODocs and any update or replacement thereof and technical support provided by Supplier to Customer from time to time according to the terms of the Agreement. The Services do not include (i) Supplier Affiliates Solution that may have been separately licensed by Customer, (ii) any Third Party Offerings that may have been separately licensed by Customer, nor (iii) the Third-Party Service Provider Solution used by Customer.

    Supplier Affiliates Solution” means any solution of software provided by one or more Supplier’s Affiliates, which supplements and/or are necessary to provide the Services performed by Supplier, that have either been (i) licensed by Customer from a Supplier’s Affiliate or (ii) licensed by Customer from Supplier.

    Term” means the period from the Effective Date until the end of Supplier’s provision of the Services to Customer under the Agreement, including, if applicable, any period during which provision of the Services may be suspended and any post-termination period during which Supplier may continue providing the Services to Customer for transitional purposes.

    Third-Party Service Provider Solution” means any solution or software on which all or part of the Services are performed by the Supplier, that have been separately licensed by Customer, as the case may be, from an unaffiliated Third-Party Service Provider. Third Party Service Providers Solutions may notably include Google, Microsoft and/or Meta solutions or software.

    The terms “Personal Data”, “Data Subject”, “Processing”, “Data Controller”, “Data Processor” and “Supervisory Authority” as used in this DPA have the meanings given to them in the GDPR, and the terms “Data Importer” and “Data Exporter” have the meanings given to them in the SCCs, in each case irrespective of whether the Data Protection Legislation or Non-European Data Protection Legislation applies.

 

Appendix 1 – Customer Personal Data Processing Details

Subject MatterSupplier’s provision of the Services and related technical support to Customer.

Categories of Data Subjects

Categories of Data Subjects whose Personal Data will be Processed by Service Provider

Data Subjects whose Personal Data is provided to Supplier via the Services, by (or at the direction of) Customer or by End Users, including (a) End Users (including Customer’s employees and contractors); (b) Customer’s own customers, suppliers and subcontractors (and each of their personnel); and (c)  any other person whose Personal Data is transmitted via the Services, including individuals collaborating and communicating with End Users.

Categories of data

Personal Data that will be Processed by Supplier

Personal Data that will be Processed by Supplier includes data submitted, stored, sent or received by Customer, its Affiliates or End Users via the Services, including third party services to which Customer grants access to Supplier, and may include the following categories of data: user IDs, first and last names, work contact details, location data, gender or title, age or date of birth, event attendance, email, textual information used in documents and document titles, description and other metadata, text and images to be displayed by the Services, audit log information, system log information and other data.

As the case may be, subject to the relevant Agreement, special categories of personal data may be submitted, stored, sent or received by Customer, its Affiliates or End Users via the Services.

Location of Processing Operations

Locations where the Personal Data will be Processed by Supplier

Personal Data submitted, stored, sent or received by Customer, its Affiliates or End Users via the Services may be processed at Supplier’s locations situated in:

Europe

USA

With respect to the AODocs US instance (described in Appendix 3) and for support tickets resolution and professional services only, Personal Data might be accessed at our agents’ locations, which include territories outside the US and EU.

Purposes

Purposes for which the Personal Data will be Processed by Supplier

Supplier will process Customer Personal Data identified above for the purposes of providing the Services and related technical support to Customer, to provide insights, reporting, analytics and platform abuse, trust and safety monitoring, for the defense of its rights and to comply with any legally binding request for disclosure of Customer Data by a law enforcement authority, in accordance with this DPA.

Duration of Processing

The length of time for which Processing activities will be carried out Supplier

The applicable Term plus the period from expiry of such Term until deletion of all Customer Personal Data by Supplier in accordance with this DPA.

 

Appendix 2 – Security Measures

1. As from the Effective Date, Supplier will implement and maintain the Security Measures set out in this Appendix 2 to this DPA. Supplier may update or modify such Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Supplier’s System and of the Services.

2. Regular tests, assessments and evaluations of the effectiveness of technical and organisational measures in order to ensure the security of the processing

In order to provide Customer with best in class security, privacy, and compliance controls, Supplier undergoes independent third-party audits regularly. Supplier is SOC 2 Type II certified. SOC (System and Organization Controls) are audits designed for service providers storing consumer data in the cloud. It verifies that Supplier has appropriate protection, procedures and policies in place for security, availability, processing, confidentiality, integrity and privacy of customer data. SOC auditors regularly assess AODocs platform, infrastructure, and operations and conduct penetration and vulnerability tests on a regular basis. Supplier also reviews new features for security and privacy impact before release to improve privacy by design.

3. Serverless architecture

AODocs serverless architecture means that Supplier does not run its own network (routers, load balancers, DNS servers) or physical servers. Supplier chose to partner with Google and rely on their Platform as a Service: Google Cloud Platform (GCP).

All Supplier’s applications operate on GCP as their back end using mainly the following services:

App Engine (serverless application engine)

Cloud Datastore (NoSQL document database built for automatic scaling, high performance)

Cloud Storage (worldwide, extendable, highly durable object storage)

BigQuery (serverless, highly scalable cloud data warehouse)

Cloud Logging (logging, monitoring and alerting)

PubSub (fully-managed real-time messaging service)

Cloud Run (serverless, compute to run containers)

Google Kubernetes Engine (container orchestration system)

Google Cloud Platform provides state of the art services with security at its core. All servers are updated on a regular basis to ensure we have the latest security patches installed. All networks are protected from intrusions using advanced defense mechanisms.

 

4. Strong security culture

Each team member undergoes an extensive background check, to the extent permissible by applicable local law, as well as comprehensive training on data security and privacy protocols and receives yearly training on the topics of data privacy and security. Supplier staff does not access any of Customer Personal Data unless Customer requests assistance for support purposes. All information, data and documents exchanged with Supplier support staff in this context is subject to strict confidentiality procedures and will not be disclosed. Supplier personnel is required to execute a confidentiality agreement and must acknowledge receipt of, and compliance with, Supplier’s confidentiality and privacy policies. Supplier personnel are required to conduct themselves in a manner consistent with the company’s guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards.Supplier personnel accessing Supplier’s Systems are authenticated via their Google Workspace (formerly G Suite) account, protected by the same physical, networking and organizational measures as described in this Appendix. Information resources are protected by the use of access control systems. Access to confidential information is only given to Supplier personnel on a need to know basis. Supplier employees are given the minimum necessary to perform their job responsibilities. The authorisation profile is defined by separating the tasks and area of responsibility, in order to restrict employees’ access to the only data strictly necessary for fulfilling their responsibilities.

 

5. Data Encryption

Whenever Customer sends or retrieves data from the Service, the communication is always secured through HTTPS encryption, using state of the art ciphers.

Next to encrypting data in transit, Supplier also encrypts all data at rest. Supplier databases are encrypted, from the moment it receives Customer Personal Data until Supplier deletes it.

With respect to data stored in Supplier’s Google Cloud Platform (including Google Cloud Datastore and Google Cloud Storage): such data is encrypted at rest and in transit.

For encryption at rest, Service is entirely relying on Google Cloud Platform native “Encryption by default” option. Data at Google is broken up into encrypted chunks for storage using the Advanced Encryption Standard (AES). Google is entirely managing the encryption keys, and key encryption keys.

For encryption in transit, since Service architecture is entirely relying on APIs, even from within its backend, all the data transit is performed over encrypted connections. By default, Service relies on Google’s implementation of Transport Layer Security (TLS) which enforces TLS 1.2 at least or QUIC.

Additionally, we enforce Strict-Transport-Security in all responses that our applications send.

With respect to Customer Files Content which is stored on Customer’s Cloud Storage, encryption mechanisms are provided by the relevant Customer’s Cloud Storage provider, under Customer’s responsibility. “Customer Files Content” means  data stored, sent or received by the Customer and its authorized Users in the form of files attached to AODocs Documents. “Customer’s Cloud Storage” means, as applicable, Google Drive, Google Cloud Storage, Azure Blob Storage or any other third-party cloud storage supported by AODocs).

6. Subprocessors

While Supplier conducts the majority of data processing activities required to provide the Service itself, Supplier does engage some third-party subprocessors to assist in supporting the Service. Each subprocessor goes through a rigorous selection process to ensure it has the required technical expertise and can deliver the appropriate level of security and privacy. Supplier has data processing agreements in place with each of its subprocessors.

7. Data Privacy Officer

The Data Privacy Officer of the Supplier can be contacted at: legal@aodocs.com

 

Appendix 3 – Subprocessors

The list of Subprocessors is available at the following link: https://www.aodocs.com/subprocessors/

 

Appendix 4  

European Commission Implementing Decision (EU) 2021/914 of 4 June 2021

on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679

This Appendix 4 applies to Restricted Transfers related to EU data subjects and includes 2 Modules:

Module 2 of the SCCs  applicable to Restricted Transfers of Customer Personal Data, whereby Customer acts as data controller and Supplier acts as data processor; and

Module 3 of the SCCs is applicable to Restricted Transfers of Customer Personal Data, whereby Customer acts as a data processor and Supplier also acts as data processor.

MODULE 2 

Controller to Processor 

This Module 2 of the SCCs is applicable to the Restricted Transfers of Customer Personal Data whereby Customer acts as a controller and Supplier acts as a processor. 

SECTION I 

Clause 1 

Purpose and scope  

(a) The purpose of these standard contractual clauses is to ensure compliance with the  requirements of Regulation (EU) 2016/679 of the European Parliament and of the  Council of 27 April 2016 on the protection of natural persons with regard to the  processing of personal data and on the free movement of such data (General Data  Protection Regulation)1for the transfer of personal data to a third country.

(b) The Parties:

(i) the natural or legal person(s), public authority/ies, agency/ies or other body/ies  (hereinafter “entity/ies”) transferring the personal data, as listed in Annex I.A.  (hereinafter each “data exporter”), and

(ii) the entity/ies in a third country receiving the personal data from the data  exporter, directly or indirectly via another entity also Party to these Clauses, as  listed in Annex I.A. (hereinafter each “data importer”)

have agreed to these standard contractual clauses (hereinafter: “Clauses”).

(c) These Clauses apply with respect to the transfer of personal data as specified in  Annex I.B.

(d) The Appendix to these Clauses containing the Annexes referred to therein forms an  integral part of these Clauses.

 

Clause 2 

Effect and invariability of the Clauses 

 

(a) These Clauses set out appropriate safeguards, including enforceable data subject  rights and effective legal remedies, pursuant to Article 46(1) and Article 46 (2)(c) of  Regulation (EU) 2016/679 and, with respect to data transfers from controllers to  processors and/or processors to processors, standard contractual clauses pursuant to  Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix.  This does not prevent the Parties from including the standard contractual clauses laid  down in these Clauses in a wider contract and/or to add other clauses or additional  safeguards, provided that they do not contradict, directly or indirectly, these Clauses  or prejudice the fundamental rights or freedoms of data subjects.

(b) These Clauses are without prejudice to obligations to which the data exporter is  subject by virtue of Regulation (EU) 2016/679.

Clause 3 

Third-party beneficiaries 

(a) Data subjects may invoke and enforce these Clauses, as third-party beneficiaries,  against the data exporter and/or data importer, with the following exceptions:

(i) Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;

(ii) Clause  8.1(b), 8.9(a), (c), (d) and (e)

(iii) Clause 9(a), (c), (d) and (e)

(iv) Clause 12(a), (d) and (f);

(v) Clause 13;

(vi) Clause 15.1(c), (d) and (e);

(vii) Clause 16(e);

(viii) Clause 18(a) and (b).

(b) Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU)  2016/679.

Clause 4 

Interpretation 

(a) Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those  terms shall have the same meaning as in that Regulation.

(b) These Clauses shall be read and interpreted in the light of the provisions of  Regulation (EU) 2016/679.

(c) These Clauses shall not be interpreted in a way that conflicts with rights and  obligations provided for in Regulation (EU) 2016/679.

Clause 5 

Hierarchy 

In the event of a contradiction between these Clauses and the provisions of related agreements  between the Parties, existing at the time these Clauses are agreed or entered into thereafter,  these Clauses shall prevail.

Clause 6 

Description of the transfer(s) 

The details of the transfer(s), and in particular the categories of personal data that are  transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.

Clause 7

Docking clause 

(a) An entity that is not a Party to these Clauses may, with the agreement of the Parties,  accede to these Clauses at any time, either as a data exporter or as a data importer, by  completing the Appendix and signing Annex I.A.

(b) Once it has completed the Appendix and signed Annex I.A, the acceding entity shall  become a Party to these Clauses and have the rights and obligations of a data  exporter or data importer in accordance with its designation in Annex I.A.

(c) The acceding entity shall have no rights or obligations arising under these Clauses  from the period prior to becoming a Party.

SECTION II – OBLIGATIONS OF THE PARTIES 

Clause 8 

Data protection safeguards 

The data exporter warrants that it has used reasonable efforts to determine that the data  importer is able, through the implementation of appropriate technical and organisational  measures, to satisfy its obligations under these Clauses.

8.1 Instructions 

(a) The data importer shall process the personal data only on documented instructions  from the data exporter. The data exporter may give such instructions throughout the  duration of the contract.

(b) The data importer shall immediately inform the data exporter if it is unable to follow  those instructions.

8.2 Purpose limitation 

The data importer shall process the personal data only for the specific purpose(s) of the  transfer, as set out in Annex I.B, unless on further instructions from the data exporter.

8.3 Transparency  

On request, the data exporter shall make a copy of these Clauses, including the Appendix as  completed by the Parties, available to the data subject free of charge. To the extent necessary  to protect business secrets or other confidential information, including the measures described  in Annex II and personal data, the data exporter may redact part of the text of the Appendix to  these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data  subject would otherwise not be able to understand the its content or exercise his/her rights. On  request, the Parties shall provide the data subject with the reasons for the redactions, to the  extent possible without revealing the redacted information. This Clause is without prejudice to  the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.

8.4 Accuracy 

If the data importer becomes aware that the personal data it has received is inaccurate, or has  become outdated, it shall inform the data exporter without undue delay. In this case, the data  importer shall cooperate with the data exporter to erase or rectify the data.

8.5 Duration of processing and erasure or return of data 

Processing by the data importer shall only take place for the duration specified in Annex I.B.  After the end of the provision of the processing services, the data importer shall, at the choice  of the data exporter, delete all personal data processed on behalf of the data exporter and  certify to the data exporter that it has done so, or return to the data exporter all personal data  processed on its behalf and delete existing copies. Until the data is deleted or returned, the  data importer shall continue to ensure compliance with these Clauses. In case of local laws  applicable to the data importer that prohibit return or deletion of the personal data, the data  importer warrants that it will continue to ensure compliance with these Clauses and will only  process it to the extent and for as long as required under that local law. This is without  prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e)  to notify the data exporter throughout the duration of the contract if it has reason to believe  that it is or has become subject to laws or practices not in line with the requirements under  Clause 14(a).

8.6 Security of processing 

(a) The data importer and, during transmission, also the data exporter shall implement  appropriate technical and organisational measures to ensure the security of the data,  including protection against a breach of security leading to accidental or unlawful  destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter  “personal data breach”). In assessing the appropriate level of security, the Parties  shall take due account of the state of the art, the costs of implementation, the nature,  scope, context and purpose(s) of processing and the risks involved in the processing  for the data subjects. The Parties shall in particular consider having recourse to  encryption or pseudonymisation, including during transmission, where the purpose of  processing can be fulfilled in that manner. In case of pseudonymisation, the  additional information for attributing the personal data to a specific data subject  shall, where possible, remain under the exclusive control of the data exporter. In  complying with its obligations under this paragraph, the data importer shall at least  implement the technical and organisational measures specified in Annex II. The data  importer shall carry out regular checks to ensure that these measures continue to  provide an appropriate level of security.

(b) The data importer shall grant access to the personal data to members of its personnel  only to the extent strictly necessary for the implementation, management and  monitoring of the contract. It shall ensure that persons authorised to process the  personal data have committed themselves to confidentiality or are under an  appropriate statutory obligation of confidentiality.

(c) In the event of a personal data breach concerning personal data processed by the data  importer under these Clauses, the data importer shall take appropriate measures to  address the breach, including measures to mitigate its adverse effects. The data  importer shall also notify the data exporter without undue delay after having become  aware of the breach. Such notification shall contain the details of a contact point  where more information can be obtained, a description of the nature of the breach  (including, where possible, categories and approximate number of data subjects and  personal data records concerned), its likely consequences and the measures taken or  proposed to address the breach including, where appropriate, measures to mitigate its  possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information  then available and further information shall, as it becomes available, subsequently be  provided without undue delay.

(d) The data importer shall cooperate with and assist the data exporter to enable the data  exporter to comply with its obligations under Regulation (EU) 2016/679, in  particular to notify the competent supervisory authority and the affected data  subjects, taking into account the nature of processing and the information available to  the data importer.

8.7 Sensitive data 

Where the transfer involves personal data revealing racial or ethnic origin, political opinions,  religious or philosophical beliefs, or trade union membership, genetic data, or biometric data  for the purpose of uniquely identifying a natural person, data concerning health or a person’s  sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter  “sensitive data”), the data importer shall apply the specific restrictions and/or additional  safeguards described in Annex I.B.

8.8 Onward transfers 

The data importer shall only disclose the personal data to a third party on documented  instructions from the data exporter. In addition, the data may only be disclosed to a third party  located outside the European Union4(in the same country as the data importer or in another  third country, hereinafter “onward transfer”) if the third party is or agrees to be bound by  these Clauses, under the appropriate Module, or if:

(i) the onward transfer is to a country benefitting from an adequacy decision  pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward  transfer;

(ii) the third party otherwise ensures appropriate safeguards pursuant to Articles 46  or 47 Regulation of (EU) 2016/679 with respect to the processing in question;

(iii) the onward transfer is necessary for the establishment, exercise or defence of  legal claims in the context of specific administrative, regulatory or judicial  proceedings; or

(iv) the onward transfer is necessary in order to protect the vital interests of the data  subject or of another natural person.

Any onward transfer is subject to compliance by the data importer with all the other  safeguards under these Clauses, in particular purpose limitation.

8.9 Documentation and compliance 

(a) The data importer shall promptly and adequately deal with enquiries from the data  exporter that relate to the processing under these Clauses.

(b) The Parties shall be able to demonstrate compliance with these Clauses. In particular,  the data importer shall keep appropriate documentation on the processing activities  carried out on behalf of the data exporter.

(c) The data importer shall make available to the data exporter all information necessary  to demonstrate compliance with the obligations set out in these Clauses and at the  data exporter’s request, allow for and contribute to audits of the processing activities  covered by these Clauses, at reasonable intervals or if there are indications of non

compliance. In deciding on a review or audit, the data exporter may take into account  relevant certifications held by the data importer.

(d) The data exporter may choose to conduct the audit by itself or mandate an  independent auditor. Audits may include inspections at the premises or physical  facilities of the data importer and shall, where appropriate, be carried out with  reasonable notice.

(e) The Parties shall make the information referred to in paragraphs (b) and (c),  including the results of any audits, available to the competent supervisory authority  on request.

Clause 9 

Use of sub-processors 

(a) The data importer has the  data exporter’s general authorisation for the engagement of sub-processor(s) from an  agreed list. The data importer shall specifically inform the data exporter in writing of  any intended changes to that list through the addition or replacement of sub

processors at least thirty (30) days in advance, thereby giving the data exporter  sufficient time to be able to object to such changes prior to the engagement of the  sub-processor(s). The data importer shall provide the data exporter with the  information necessary to enable the data exporter to exercise its right to object.

(b) Where the data importer engages a sub-processor to carry out specific processing  activities (on behalf of the data exporter), it shall do so by way of a written contract  that provides for, in substance, the same data protection obligations as those binding  the data importer under these Clauses, including in terms of third-party beneficiary  rights for data subjects. The Parties agree that, by complying with this Clause, the  data importer fulfils its obligations under Clause 8.8. The data importer shall ensure  that the sub-processor complies with the obligations to which the data importer is  subject pursuant to these Clauses.

(c) The data importer shall provide, at the data exporter’s request, a copy of such a sub processor agreement and any subsequent amendments to the data exporter. To the  extent necessary to protect business secrets or other confidential information,  including personal data, the data importer may redact the text of the agreement prior to sharing a copy.

(d) The data importer shall remain fully responsible to the data exporter for the  performance of the sub-processor’s obligations under its contract with the data  importer. The data importer shall notify the data exporter of any failure by the sub processor to fulfil its obligations under that contract.

(e) The data importer shall agree a third-party beneficiary clause with the sub-processor  whereby – in the event the data importer has factually disappeared, ceased to exist in law or has become insolvent – the data exporter shall have the right to terminate the  sub-processor contract and to instruct the sub-processor to erase or return the  personal data.

Clause 10 

Data subject rights 

(a) The data importer shall promptly notify the data exporter of any request it has  received from a data subject. It shall not respond to that request itself unless it has  been authorised to do so by the data exporter.

(b) The data importer shall assist the data exporter in fulfilling its obligations to respond  to data subjects’ requests for the exercise of their rights under Regulation (EU)  2016/679. In this regard, the Parties shall set out in Annex II the appropriate  technical and organisational measures, taking into account the nature of the  processing, by which the assistance shall be provided, as well as the scope and the  extent of the assistance required.

(c) In fulfilling its obligations under paragraphs (a) and (b), the data importer shall  comply with the instructions from the data exporter.

Clause 11 

Redress 

(a) The data importer shall inform data subjects in a transparent and easily accessible  format, through individual notice or on its website, of a contact point authorised to  handle complaints. It shall deal promptly with any complaints it receives from a data  subject.

(b) In case of a dispute between a data subject and one of the Parties as regards  compliance with these Clauses, that Party shall use its best efforts to resolve the issue  amicably in a timely fashion. The Parties shall keep each other informed about such  disputes and, where appropriate, cooperate in resolving them.

(c) Where the data subject invokes a third-party beneficiary right pursuant to Clause 3,  the data importer shall accept the decision of the data subject to:

(i) lodge a complaint with the supervisory authority in the Member State of his/her  habitual residence or place of work, or the competent supervisory authority  pursuant to Clause 13;

(ii) refer the dispute to the competent courts within the meaning of Clause 18.

(d) The Parties accept that the data subject may be represented by a not-for-profit body,  organisation or association under the conditions set out in Article 80(1) of Regulation  (EU) 2016/679.

(e) The data importer shall abide by a decision that is binding under the applicable EU or  Member State law.

(f) The data importer agrees that the choice made by the data subject will not prejudice  his/her substantive and procedural rights to seek remedies in accordance with  applicable laws.

Clause 12 

Liability 

(a) Each Party shall be liable to the other Party/ies for any damages it causes the other  Party/ies by any breach of these Clauses.

(b) The data importer shall be liable to the data subject, and the data subject shall be  entitled to receive compensation, for any material or non-material damages the data  importer or its sub-processor causes the data subject by breaching the third-party  beneficiary rights under these Clauses.

(c) Notwithstanding paragraph (b), the data exporter shall be liable to the data subject,  and the data subject shall be entitled to receive compensation, for any material or  non-material damages the data exporter or the data importer (or its sub-processor)  causes the data subject by breaching the third-party beneficiary rights under these  Clauses. This is without prejudice to the liability of the data exporter and, where the data exporter is a processor acting on behalf of a controller, to the liability of the  controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as  applicable.

(d) The Parties agree that if the data exporter is held liable under paragraph (c) for  damages caused by the data importer (or its sub-processor), it shall be entitled to  claim back from the data importer that part of the compensation corresponding to the  data importer’s responsibility for the damage.

(e) Where more than one Party is responsible for any damage caused to the data subject  as a result of a breach of these Clauses, all responsible Parties shall be jointly and  severally liable and the data subject is entitled to bring an action in court against any  of these Parties.

(f) The Parties agree that if one Party is held liable under paragraph (e), it shall be  entitled to claim back from the other Party/ies that part of the compensation  corresponding to its / their responsibility for the damage.

(g) The data importer may not invoke the conduct of a sub-processor to avoid its own  liability.

Clause 13 

Supervision 

(a) Where the data exporter is established in an EU Member State: The supervisory  authority with responsibility for ensuring compliance by the data exporter with  Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C,  shall act as competent supervisory authority.

Where the data exporter is not established in an EU Member State, but falls within  the territorial scope of application of Regulation (EU) 2016/679 in accordance with  its Article 3(2) and has appointed a representative pursuant to Article 27(1) of  Regulation (EU) 2016/679: The supervisory authority of the Member State in which  the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679  is established, as indicated in Annex I.C, shall act as competent supervisory  authority.

Where the data exporter is not established in an EU Member State, but falls within  the territorial scope of application of Regulation (EU) 2016/679 in accordance with  its Article 3(2) without however having to appoint a representative pursuant to  Article 27(2) of Regulation (EU) 2016/679: The supervisory authority of one of the  Member States in which the data subjects whose personal data is transferred under  these Clauses in relation to the offering of goods or services to them, or whose  behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent  supervisory authority.

(b) The data importer agrees to submit itself to the jurisdiction of and cooperate with the  competent supervisory authority in any procedures aimed at ensuring compliance  with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority,  including remedial and compensatory measures. It shall provide the supervisory  authority with written confirmation that the necessary actions have been taken.

 

SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY  PUBLIC AUTHORITIES 

Clause 14 

Local laws and practices affecting compliance with the Clauses 

(a) The Parties warrant that they have no reason to believe that the laws and practices in  the third country of destination applicable to the processing of the personal data by  the data importer, including any requirements to disclose personal data or measures  authorising access by public authorities, prevent the data importer from fulfilling its  obligations under these Clauses. This is based on the understanding that laws and  practices that respect the essence of the fundamental rights and freedoms and do not  exceed what is necessary and proportionate in a democratic society to safeguard one  of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in  contradiction with these Clauses.

(b) The Parties declare that in providing the warranty in paragraph (a), they have taken  due account in particular of the following elements:

(i) the specific circumstances of the transfer, including the length of the  processing chain, the number of actors involved and the transmission channels  used; intended onward transfers; the type of recipient; the purpose of  processing; the categories and format of the transferred personal data; the  economic sector in which the transfer occurs; the storage location of the data  transferred;

(ii) the laws and practices of the third country of destination– including those  requiring the disclosure of data to public authorities or authorising access by  such authorities – relevant in light of the specific circumstances of the transfer,  and the applicable limitations and safeguards;

(iii) any relevant contractual, technical or organisational safeguards put in place to  supplement the safeguards under these Clauses, including measures applied  during transmission and to the processing of the personal data in the country of  destination.

(c) The data importer warrants that, in carrying out the assessment under paragraph (b),  it has made its best efforts to provide the data exporter with relevant information and  agrees that it will continue to cooperate with the data exporter in ensuring  compliance with these Clauses.

(d) The Parties agree to document the assessment under paragraph (b) and make it  available to the competent supervisory authority on request.

(e) The data importer agrees to notify the data exporter promptly if, after having agreed  to these Clauses and for the duration of the contract, it has reason to believe that it is  or has become subject to laws or practices not in line with the requirements under  paragraph (a), including following a change in the laws of the third country or a  measure (such as a disclosure request) indicating an application of such laws in  practice that is not in line with the requirements in paragraph (a).

(f) Following a notification pursuant to paragraph (e), or if the data exporter otherwise  has reason to believe that the data importer can no longer fulfil its obligations under  these Clauses, the data exporter shall promptly identify appropriate measures (e.g.  technical or organisational measures to ensure security and confidentiality) to be  adopted by the data exporter and/or data importer to address the situation. The data exporter  shall suspend the data transfer if it considers that no appropriate safeguards for such  transfer can be ensured, or if instructed by the  competent supervisory authority to do so. In this case, the data exporter shall be  entitled to terminate the contract, insofar as it concerns the processing of personal  data under these Clauses. If the contract involves more than two Parties, the data  exporter may exercise this right to termination only with respect to the relevant  Party, unless the Parties have agreed otherwise. Where the contract is terminated  pursuant to this Clause, Clause 16(d) and (e) shall apply.

Clause 15 

Obligations of the data importer in case of access by public authorities 

15.1 Notification 

(a) The data importer agrees to notify the data exporter and, where possible, the data  subject promptly (if necessary with the help of the data exporter) if it:

(i) receives a legally binding request from a public authority, including judicial  authorities, under the laws of the country of destination for the disclosure of  personal data transferred pursuant to these Clauses; such notification shall  include information about the personal data requested, the requesting authority,  the legal basis for the request and the response provided; or

(ii) becomes aware of any direct access by public authorities to personal data  transferred pursuant to these Clauses in accordance with the laws of the  country of destination; such notification shall include all information available  to the importer.

(b) If the data importer is prohibited from notifying the data exporter and/or the data  subject under the laws of the country of destination, the data importer agrees to use  its best efforts to obtain a waiver of the prohibition, with a view to communicating as  much information as possible, as soon as possible. The data importer agrees to  document its best efforts in order to be able to demonstrate them on request of the  data exporter.

(c) Where permissible under the laws of the country of destination, the data importer  agrees to provide the data exporter, at regular intervals for the duration of the  contract, with as much relevant information as possible on the requests received (in  particular, number of requests, type of data requested, requesting authority/ies,  whether requests have been challenged and the outcome of such challenges, etc.).

(d) The data importer agrees to preserve the information pursuant to paragraphs (a) to (c)  for the duration of the contract and make it available to the competent supervisory  authority on request.

(e) Paragraphs (a) to (c) are without prejudice to the obligation of the data importer  pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it  is unable to comply with these Clauses.

15.2 Review of legality and data minimisation 

(a) The data importer agrees to review the legality of the request for disclosure, in  particular whether it remains within the powers granted to the requesting public  authority, and to challenge the request if, after careful assessment, it concludes that  there are reasonable grounds to consider that the request is unlawful under the laws  of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same  conditions, pursue possibilities of appeal. When challenging a request, the data  importer shall seek interim measures with a view to suspending the effects of the  request until the competent judicial authority has decided on its merits. It shall not  disclose the personal data requested until required to do so under the applicable  procedural rules. These requirements are without prejudice to the obligations of the  data importer under Clause 14(e).

(b) The data importer agrees to document its legal assessment and any challenge to the  request for disclosure and, to the extent permissible under the laws of the country of  destination, make the documentation available to the data exporter. It shall also make  it available to the competent supervisory authority on request.

(c) The data importer agrees to provide the minimum amount of information permissible  when responding to a request for disclosure, based on a reasonable interpretation of  the request.

SECTION IV – FINAL PROVISIONS 

Clause 16 

Non-compliance with the Clauses and termination 

(a) The data importer shall promptly inform the data exporter if it is unable to comply  with these Clauses, for whatever reason.

(b) In the event that the data importer is in breach of these Clauses or unable to comply  with these Clauses, the data exporter shall suspend the transfer of personal data to the  data importer until compliance is again ensured or the contract is terminated. This is  without prejudice to Clause 14(f).

(c) The data exporter shall be entitled to terminate the contract, insofar as it concerns the  processing of personal data under these Clauses, where:

(i) the data exporter has suspended the transfer of personal data to the data  importer pursuant to paragraph (b) and compliance with these Clauses is not  restored within a reasonable time and in any event within one month of  suspension;

(ii) the data importer is in substantial or persistent breach of these Clauses; or

(iii) the data importer fails to comply with a binding decision of a competent court  or supervisory authority regarding its obligations under these Clauses.

In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more  than two Parties, the data exporter may exercise this right to termination only with  respect to the relevant Party, unless the Parties have agreed otherwise.

(d) Personal data that has been transferred prior to  the termination of the contract pursuant to paragraph (c) shall at the choice of the  data exporter immediately be returned to the data exporter or deleted in its entirety.  The same shall apply to any copies of the data.The data importer shall certify the deletion  of the data to the data exporter. Until the data is deleted or returned, the data importer  shall continue to ensure compliance with these Clauses. In case of local laws  applicable to the data importer that prohibit the return or deletion of the transferred  personal data, the data importer warrants that it will continue to ensure compliance  with these Clauses and will only process the data to the extent and for as long as  required under that local law.

(e) Either Party may revoke its agreement to be bound by these Clauses where (i) the  European Commission adopts a decision pursuant to Article 45(3) of Regulation  (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply;  or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country  to which the personal data is transferred. This is without prejudice to other  obligations applying to the processing in question under Regulation (EU) 2016/679.

Clause 17 

Governing law 

These Clauses shall be governed by the law of one of the EU Member States,  provided such law allows for third-party beneficiary rights. The Parties agree that this shall be  the law of Luxembourg.

Clause 18 

Choice of forum and jurisdiction 

(a) Any dispute arising from these Clauses shall be resolved by the courts of an EU  Member State.

(b) The Parties agree that those shall be the courts of Luxembourg.

(c) A data subject may also bring legal proceedings against the data exporter and/or data  importer before the courts of the Member State in which he/she has his/her habitual  residence.

(d) The Parties agree to submit themselves to the jurisdiction of such courts.

MODULE 3 

Processor to processor

This Module 3 of the SCCs is applicable to the Restricted Transfers of Customer Personal Data whereby Customer acts as a processor and Supplier also acts as a processor.

SECTION I 

Clause 1 

Purpose and scope  

(a) The purpose of these standard contractual clauses is to ensure compliance with the  requirements of Regulation (EU) 2016/679 of the European Parliament and of the  Council of 27 April 2016 on the protection of natural persons with regard to the  processing of personal data and on the free movement of such data (General Data  Protection Regulation)1for the transfer of personal data to a third country.

(b) The Parties:

(i) the natural or legal person(s), public authority/ies, agency/ies or other body/ies  (hereinafter “entity/ies”) transferring the personal data, as listed in Annex I.A.  (hereinafter each “data exporter”), and

(ii) the entity/ies in a third country receiving the personal data from the data  exporter, directly or indirectly via another entity also Party to these Clauses, as  listed in Annex I.A. (hereinafter each “data importer”)

have agreed to these standard contractual clauses (hereinafter: “Clauses”).

(c) These Clauses apply with respect to the transfer of personal data as specified in  Annex I.B.

(d) The Appendix to these Clauses containing the Annexes referred to therein forms an  integral part of these Clauses.

Clause 2 

Effect and invariability of the Clauses 

(a) These Clauses set out appropriate safeguards, including enforceable data subject  rights and effective legal remedies, pursuant to Article 46(1) and Article 46 (2)(c) of  Regulation (EU) 2016/679 and, with respect to data transfers from controllers to  processors and/or processors to processors, standard contractual clauses pursuant to  Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix.  This does not prevent the Parties from including the standard contractual clauses laid  down in these Clauses in a wider contract and/or to add other clauses or additional  safeguards, provided that they do not contradict, directly or indirectly, these Clauses  or prejudice the fundamental rights or freedoms of data subjects.

(b) These Clauses are without prejudice to obligations to which the data exporter is  subject by virtue of Regulation (EU) 2016/679.

Clause 3 

Third-party beneficiaries 

(a) Data subjects may invoke and enforce these Clauses, as third-party beneficiaries,  against the data exporter and/or data importer, with the following exceptions:

(i) Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;

(ii) Clause 8.1(a), (c) and (d) and  Clause 8.9(a), (c), (d), (e), (f) and (g);

(iii) Clause  9(a), (c), (d) and (e);

(iv) Clause 12(a), (d) and (f);

(v) Clause 13;

(vi) Clause 15.1(c), (d) and (e);

(vii) Clause 16(e);

(viii) Clause 18(a) and (b).

(b) Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU)  2016/679.

Clause 4 

Interpretation 

(a) Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those  terms shall have the same meaning as in that Regulation.

(b) These Clauses shall be read and interpreted in the light of the provisions of  Regulation (EU) 2016/679.

(c) These Clauses shall not be interpreted in a way that conflicts with rights and  obligations provided for in Regulation (EU) 2016/679.

Clause 5 

Hierarchy 

In the event of a contradiction between these Clauses and the provisions of related agreements  between the Parties, existing at the time these Clauses are agreed or entered into thereafter,  these Clauses shall prevail.

Clause 6 

Description of the transfer(s) 

The details of the transfer(s), and in particular the categories of personal data that are  transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.

Clause 7

Docking clause 

(a) An entity that is not a Party to these Clauses may, with the agreement of the Parties,  accede to these Clauses at any time, either as a data exporter or as a data importer, by  completing the Appendix and signing Annex I.A.

(b) Once it has completed the Appendix and signed Annex I.A, the acceding entity shall  become a Party to these Clauses and have the rights and obligations of a data  exporter or data importer in accordance with its designation in Annex I.A.

(c) The acceding entity shall have no rights or obligations arising under these Clauses  from the period prior to becoming a Party.

SECTION II – OBLIGATIONS OF THE PARTIES 

Clause 8 

Data protection safeguards 

The data exporter warrants that it has used reasonable efforts to determine that the data  importer is able, through the implementation of appropriate technical and organisational  measures, to satisfy its obligations under these Clauses.

8.1 Instructions 

(a) The data exporter has informed the data importer that it acts as processor under the  instructions of its controller(s), which the data exporter shall make available to the  data importer prior to processing.

(b) The data importer shall process the personal data only on documented instructions  from the controller, as communicated to the data importer by the data exporter, and  any additional documented instructions from the data exporter. Such additional  instructions shall not conflict with the instructions from the controller. The controller  or data exporter may give further documented instructions regarding the data  processing throughout the duration of the contract.

(c) The data importer shall immediately inform the data exporter if it is unable to follow  those instructions. Where the data importer is unable to follow the instructions from  the controller, the data exporter shall immediately notify the controller.

(d) The data exporter warrants that it has imposed the same data protection obligations  on the data importer as set out in the contract or other legal act under Union or  Member State law between the controller and the data exporter.

8.2 Purpose limitation 

The data importer shall process the personal data only for the specific purpose(s) of the  transfer, as set out in Annex I.B., unless on further instructions from the controller, as  communicated to the data importer by the data exporter, or from the data exporter.

8.3 Transparency  

On request, the data exporter shall make a copy of these Clauses, including the Appendix as  completed by the Parties, available to the data subject free of charge. To the extent necessary  to protect business secrets or other confidential information, including personal data, the data  exporter may redact part of the text of the Appendix prior to sharing a copy, but shall provide  a meaningful summary where the data subject would otherwise not be able to understand its  content or exercise his/her rights. On request, the Parties shall provide the data subject with  the reasons for the redactions, to the extent possible without revealing the redacted  information.

8.4 Accuracy 

If the data importer becomes aware that the personal data it has received is inaccurate, or has  become outdated, it shall inform the data exporter without undue delay. In this case, the data  importer shall cooperate with the data exporter to rectify or erase the data.

8.5 Duration of processing and erasure or return of data 

Processing by the data importer shall only take place for the duration specified in Annex I.B.  After the end of the provision of the processing services, the data importer shall, at the choice  of the data exporter, delete all personal data processed on behalf of the controller and certify to the data exporter that it has done so, or return to the data exporter all personal data  processed on its behalf and delete existing copies. Until the data is deleted or returned, the  data importer shall continue to ensure compliance with these Clauses. In case of local laws  applicable to the data importer that prohibit return or deletion of the personal data, the data  importer warrants that it will continue to ensure compliance with these Clauses and will only  process it to the extent and for as long as required under that local law. This is without  prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e)  to notify the data exporter throughout the duration of the contract if it has reason to believe  that it is or has become subject to laws or practices not in line with the requirements under  Clause 14(a).

8.6 Security of processing 

(a) The data importer and, during transmission, also the data exporter shall implement  appropriate technical and organisational measures to ensure the security of the data,  including protection against a breach of security leading to accidental or unlawful  destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter  “personal data breach”). In assessing the appropriate level of security, they shall take  due account of the state of the art, the costs of implementation, the nature, scope,  context and purpose(s) of processing and the risks involved in the processing for the  data subject. The Parties shall in particular consider having recourse to encryption or  pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional  information for attributing the personal data to a specific data subject shall, where  possible, remain under the exclusive control of the data exporter or the controller. In  complying with its obligations under this paragraph, the data importer shall at least  implement the technical and organisational measures specified in Annex II. The data  importer shall carry out regular checks to ensure that these measures continue to  provide an appropriate level of security.

(b) The data importer shall grant access to the data to members of its personnel only to  the extent strictly necessary for the implementation, management and monitoring of  the contract. It shall ensure that persons authorised to process the personal data have  committed themselves to confidentiality or are under an appropriate statutory  obligation of confidentiality.

(c) In the event of a personal data breach concerning personal data processed by the data  importer under these Clauses, the data importer shall take appropriate measures to  address the breach, including measures to mitigate its adverse effects. The data  importer shall also notify, without undue delay, the data exporter and, where  appropriate and feasible, the controller after having become aware of the breach.  Such notification shall contain the details of a contact point where more information  can be obtained, a description of the nature of the breach (including, where possible,  categories and approximate number of data subjects and personal data records  concerned), its likely consequences and the measures taken or proposed to address  the data breach, including measures to mitigate its possible adverse effects. Where,  and in so far as, it is not possible to provide all information at the same time, the  initial notification shall contain the information then available and further  information shall, as it becomes available, subsequently be provided without undue  delay.

(d) The data importer shall cooperate with and assist the data exporter to enable the data  exporter to comply with its obligations under Regulation (EU) 2016/679, in  particular to notify its controller so that the latter may in turn notify the competent  supervisory authority and the affected data subjects, taking into account the nature of  processing and the information available to the data importer.

8.7 Sensitive data 

Where the transfer involves personal data revealing racial or ethnic origin, political opinions,  religious or philosophical beliefs, or trade union membership, genetic data, or biometric data  for the purpose of uniquely identifying a natural person, data concerning health or a person’s  sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter  “sensitive data”), the data importer shall apply the specific restrictions and/or additional  safeguards set out in Annex I.B.

8.8 Onward transfers 

The data importer shall only disclose the personal data to a third party on documented  instructions from the controller, as communicated to the data importer by the data exporter. In  addition, the data may only be disclosed to a third party located outside the European Union (in the same country as the data importer or in another third country, hereinafter “onward  transfer”) if the third party is or agrees to be bound by these Clauses, under the appropriate  Module, or if:

(i) the onward transfer is to a country benefitting from an adequacy decision  pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward  transfer;

(ii) the third party otherwise ensures appropriate safeguards pursuant to Articles 46  or 47 of Regulation (EU) 2016/679;

(iii) the onward transfer is necessary for the establishment, exercise or defence of  legal claims in the context of specific administrative, regulatory or judicial  proceedings; or

(iv) the onward transfer is necessary in order to protect the vital interests of the data  subject or of another natural person.

Any onward transfer is subject to compliance by the data importer with all the other  safeguards under these Clauses, in particular purpose limitation.

8.9 Documentation and compliance 

(a) The data importer shall promptly and adequately deal with enquiries from the data  exporter or the controller that relate to the processing under these Clauses.

(b) The Parties shall be able to demonstrate compliance with these Clauses. In particular,  the data importer shall keep appropriate documentation on the processing activities  carried out on behalf of the controller.

(c) The data importer shall make all information necessary to demonstrate compliance  with the obligations set out in these Clauses available to the data exporter, which  shall provide it to the controller.

(d) The data importer shall allow for and contribute to audits by the data exporter of the  processing activities covered by these Clauses, at reasonable intervals or if there are  indications of non-compliance. The same shall apply where the data exporter  requests an audit on instructions of the controller. In deciding on an audit, the data  exporter may take into account relevant certifications held by the data importer.

(e) Where the audit is carried out on the instructions of the controller, the data exporter  shall make the results available to the controller.

(f) The data exporter may choose to conduct the audit by itself or mandate an  independent auditor. Audits may include inspections at the premises or physical  facilities of the data importer and shall, where appropriate, be carried out with  reasonable notice.

(g) The Parties shall make the information referred to in paragraphs (b) and (c),  including the results of any audits, available to the competent supervisory authority  on request.

Clause 9 

Use of sub-processors 

(a) The data importer has the  controller’s general authorisation for the engagement of sub-processor(s) from an  agreed list. The data importer shall specifically inform the controller in writing of  any intended changes to that list through the addition or replacement of subprocessors at least thirty (30) days in advance, thereby giving the controller  sufficient time to be able to object to such changes prior to the engagement of the  sub-processor(s). The data importer shall provide the controller with the information  necessary to enable the controller to exercise its right to object. The data importer  shall inform the data exporter of the engagement of the sub-processor(s).

(b) Where the data importer engages a sub-processor to carry out specific processing  activities (on behalf of the controller), it shall do so by way of a written contract that  provides for, in substance, the same data protection obligations as those binding the  data importer under these Clauses, including in terms of third-party beneficiary rights  for data subjects. The Parties agree that, by complying with this Clause, the data  importer fulfils its obligations under Clause 8.8. The data importer shall ensure that  the sub-processor complies with the obligations to which the data importer is subject  pursuant to these Clauses.

(c) The data importer shall provide, at the data exporter’s or controller’s request, a copy  of such a sub-processor agreement and any subsequent amendments. To the extent  necessary to protect business secrets or other confidential information, including  personal data, the data importer may redact the text of the agreement prior to sharing  a copy.

(d) The data importer shall remain fully responsible to the data exporter for the  performance of the sub-processor’s obligations under its contract with the data  importer. The data importer shall notify the data exporter of any failure by the sub processor to fulfil its obligations under that contract.

(e) The data importer shall agree a third-party beneficiary clause with the sub-processor  whereby – in the event the data importer has factually disappeared, ceased to exist in  law or has become insolvent – the data exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the  personal data.

Clause 10 

Data subject rights 

(a) The data importer shall promptly notify the data exporter and, where appropriate, the  controller of any request it has received from a data subject, without responding to  that request unless it has been authorised to do so by the controller.

(b) The data importer shall assist, where appropriate in cooperation with the data  exporter, the controller in fulfilling its obligations to respond to data subjects’  requests for the exercise of their rights under Regulation (EU) 2016/679 or  Regulation (EU) 2018/1725, as applicable. In this regard, the Parties shall set out in  Annex II the appropriate technical and organisational measures, taking into account  the nature of the processing, by which the assistance shall be provided, as well as the  scope and the extent of the assistance required.

(c) In fulfilling its obligations under paragraphs (a) and (b), the data importer shall  comply with the instructions from the controller, as communicated by the data  exporter.

Clause 11 

Redress 

(a) The data importer shall inform data subjects in a transparent and easily accessible  format, through individual notice or on its website, of a contact point authorised to  handle complaints. It shall deal promptly with any complaints it receives from a data  subject.

(b) In case of a dispute between a data subject and one of the Parties as regards  compliance with these Clauses, that Party shall use its best efforts to resolve the issue  amicably in a timely fashion. The Parties shall keep each other informed about such  disputes and, where appropriate, cooperate in resolving them.

(c) Where the data subject invokes a third-party beneficiary right pursuant to Clause 3,  the data importer shall accept the decision of the data subject to:

(i) lodge a complaint with the supervisory authority in the Member State of his/her  habitual residence or place of work, or the competent supervisory authority  pursuant to Clause 13;

(ii) refer the dispute to the competent courts within the meaning of Clause 18.

(d) The Parties accept that the data subject may be represented by a not-for-profit body,  organisation or association under the conditions set out in Article 80(1) of Regulation  (EU) 2016/679.

(e) The data importer shall abide by a decision that is binding under the applicable EU or  Member State law.

(f) The data importer agrees that the choice made by the data subject will not prejudice  his/her substantive and procedural rights to seek remedies in accordance with  applicable laws.

Clause 12 

Liability 

(a) Each Party shall be liable to the other Party/ies for any damages it causes the other  Party/ies by any breach of these Clauses.

(b) The data importer shall be liable to the data subject, and the data subject shall be  entitled to receive compensation, for any material or non-material damages the data  importer or its sub-processor causes the data subject by breaching the third-party  beneficiary rights under these Clauses.

(c) Notwithstanding paragraph (b), the data exporter shall be liable to the data subject,  and the data subject shall be entitled to receive compensation, for any material or  non-material damages the data exporter or the data importer (or its sub-processor)  causes the data subject by breaching the third-party beneficiary rights under these  Clauses. This is without prejudice to the liability of the data exporter and, where the data exporter is a processor acting on behalf of a controller, to the liability of the  controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as  applicable.

(d) The Parties agree that if the data exporter is held liable under paragraph (c) for  damages caused by the data importer (or its sub-processor), it shall be entitled to  claim back from the data importer that part of the compensation corresponding to the  data importer’s responsibility for the damage.

(e) Where more than one Party is responsible for any damage caused to the data subject  as a result of a breach of these Clauses, all responsible Parties shall be jointly and  severally liable and the data subject is entitled to bring an action in court against any  of these Parties.

(f) The Parties agree that if one Party is held liable under paragraph (e), it shall be  entitled to claim back from the other Party/ies that part of the compensation  corresponding to its / their responsibility for the damage.

(g) The data importer may not invoke the conduct of a sub-processor to avoid its own  liability.

Clause 13 

Supervision 

(a) Where the data exporter is established in an EU Member State: The supervisory  authority with responsibility for ensuring compliance by the data exporter with  Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C,  shall act as competent supervisory authority.

Where the data exporter is not established in an EU Member State, but falls within  the territorial scope of application of Regulation (EU) 2016/679 in accordance with  its Article 3(2) and has appointed a representative pursuant to Article 27(1) of  Regulation (EU) 2016/679: The supervisory authority of the Member State in which  the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679  is established, as indicated in Annex I.C, shall act as competent supervisory  authority.

Where the data exporter is not established in an EU Member State, but falls within  the territorial scope of application of Regulation (EU) 2016/679 in accordance with  its Article 3(2) without however having to appoint a representative pursuant to  Article 27(2) of Regulation (EU) 2016/679: The supervisory authority of one of the  Member States in which the data subjects whose personal data is transferred under  these Clauses in relation to the offering of goods or services to them, or whose  behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent  supervisory authority.

(b) The data importer agrees to submit itself to the jurisdiction of and cooperate with the  competent supervisory authority in any procedures aimed at ensuring compliance  with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority,  including remedial and compensatory measures. It shall provide the supervisory  authority with written confirmation that the necessary actions have been taken.

SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY  PUBLIC AUTHORITIES 

Clause 14 

Local laws and practices affecting compliance with the Clauses 

(a) The Parties warrant that they have no reason to believe that the laws and practices in  the third country of destination applicable to the processing of the personal data by  the data importer, including any requirements to disclose personal data or measures  authorising access by public authorities, prevent the data importer from fulfilling its  obligations under these Clauses. This is based on the understanding that laws and  practices that respect the essence of the fundamental rights and freedoms and do not  exceed what is necessary and proportionate in a democratic society to safeguard one  of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in  contradiction with these Clauses.

(b) The Parties declare that in providing the warranty in paragraph (a), they have taken  due account in particular of the following elements:

(i) the specific circumstances of the transfer, including the length of the  processing chain, the number of actors involved and the transmission channels  used; intended onward transfers; the type of recipient; the purpose of  processing; the categories and format of the transferred personal data; the  economic sector in which the transfer occurs; the storage location of the data  transferred;

(ii) the laws and practices of the third country of destination– including those  requiring the disclosure of data to public authorities or authorising access by  such authorities – relevant in light of the specific circumstances of the transfer,  and the applicable limitations and safeguards;

(iii) any relevant contractual, technical or organisational safeguards put in place to  supplement the safeguards under these Clauses, including measures applied  during transmission and to the processing of the personal data in the country of  destination.

(c) The data importer warrants that, in carrying out the assessment under paragraph (b),  it has made its best efforts to provide the data exporter with relevant information and  agrees that it will continue to cooperate with the data exporter in ensuring  compliance with these Clauses.

(d) The Parties agree to document the assessment under paragraph (b) and make it  available to the competent supervisory authority on request.

(e) The data importer agrees to notify the data exporter promptly if, after having agreed  to these Clauses and for the duration of the contract, it has reason to believe that it is  or has become subject to laws or practices not in line with the requirements under  paragraph (a), including following a change in the laws of the third country or a  measure (such as a disclosure request) indicating an application of such laws in  practice that is not in line with the requirements in paragraph (a). The data exporter shall forward the notification to the controller.

(f) Following a notification pursuant to paragraph (e), or if the data exporter otherwise  has reason to believe that the data importer can no longer fulfil its obligations under  these Clauses, the data exporter shall promptly identify appropriate measures (e.g.  technical or organisational measures to ensure security and confidentiality) to be  adopted by the data exporter and/or data importer to address the situation, if appropriate in consultation with the controller. The data exporter  shall suspend the data transfer if it considers that no appropriate safeguards for such  transfer can be ensured, or if instructed by the controller or the  competent supervisory authority to do so. In this case, the data exporter shall be  entitled to terminate the contract, insofar as it concerns the processing of personal  data under these Clauses. If the contract involves more than two Parties, the data  exporter may exercise this right to termination only with respect to the relevant  Party, unless the Parties have agreed otherwise. Where the contract is terminated  pursuant to this Clause, Clause 16(d) and (e) shall apply.

Clause 15 

Obligations of the data importer in case of access by public authorities 

15.1 Notification 

(a) The data importer agrees to notify the data exporter and, where possible, the data  subject promptly (if necessary with the help of the data exporter) if it:

(i) receives a legally binding request from a public authority, including judicial  authorities, under the laws of the country of destination for the disclosure of  personal data transferred pursuant to these Clauses; such notification shall  include information about the personal data requested, the requesting authority,  the legal basis for the request and the response provided; or

(ii) becomes aware of any direct access by public authorities to personal data  transferred pursuant to these Clauses in accordance with the laws of the  country of destination; such notification shall include all information available  to the importer. The data exporter shall forward the notification to the  controller.

(b) If the data importer is prohibited from notifying the data exporter and/or the data  subject under the laws of the country of destination, the data importer agrees to use  its best efforts to obtain a waiver of the prohibition, with a view to communicating as  much information as possible, as soon as possible. The data importer agrees to  document its best efforts in order to be able to demonstrate them on request of the  data exporter.

(c) Where permissible under the laws of the country of destination, the data importer  agrees to provide the data exporter, at regular intervals for the duration of the  contract, with as much relevant information as possible on the requests received (in  particular, number of requests, type of data requested, requesting authority/ies,  whether requests have been challenged and the outcome of such challenges, etc.).  The data exporter shall forward the information to the  controller.

(d) The data importer agrees to preserve the information pursuant to paragraphs (a) to (c)  for the duration of the contract and make it available to the competent supervisory  authority on request.

(e) Paragraphs (a) to (c) are without prejudice to the obligation of the data importer  pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it  is unable to comply with these Clauses.

15.2 Review of legality and data minimisation 

(a) The data importer agrees to review the legality of the request for disclosure, in  particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that  there are reasonable grounds to consider that the request is unlawful under the laws  of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same  conditions, pursue possibilities of appeal. When challenging a request, the data  importer shall seek interim measures with a view to suspending the effects of the  request until the competent judicial authority has decided on its merits. It shall not  disclose the personal data requested until required to do so under the applicable  procedural rules. These requirements are without prejudice to the obligations of the  data importer under Clause 14(e).

(b) The data importer agrees to document its legal assessment and any challenge to the  request for disclosure and, to the extent permissible under the laws of the country of  destination, make the documentation available to the data exporter. It shall also make  it available to the competent supervisory authority on request. The data exporter shall make the assessment available to the controller.

(c) The data importer agrees to provide the minimum amount of information permissible  when responding to a request for disclosure, based on a reasonable interpretation of  the request.

SECTION IV – FINAL PROVISIONS 

Clause 16 

Non-compliance with the Clauses and termination 

(a) The data importer shall promptly inform the data exporter if it is unable to comply  with these Clauses, for whatever reason.

(b) In the event that the data importer is in breach of these Clauses or unable to comply  with these Clauses, the data exporter shall suspend the transfer of personal data to the  data importer until compliance is again ensured or the contract is terminated. This is  without prejudice to Clause 14(f).

(c) The data exporter shall be entitled to terminate the contract, insofar as it concerns the  processing of personal data under these Clauses, where:

(i) the data exporter has suspended the transfer of personal data to the data  importer pursuant to paragraph (b) and compliance with these Clauses is not  restored within a reasonable time and in any event within one month of  suspension;

(ii) the data importer is in substantial or persistent breach of these Clauses; or

(iii) the data importer fails to comply with a binding decision of a competent court  or supervisory authority regarding its obligations under these Clauses.

In these cases, it shall inform the competent supervisory authority and the controller of such non-compliance. Where the contract involves more  than two Parties, the data exporter may exercise this right to termination only with  respect to the relevant Party, unless the Parties have agreed otherwise.

(d) Personal data that has been transferred prior to  the termination of the contract pursuant to paragraph (c) shall at the choice of the  data exporter immediately be returned to the data exporter or deleted in its entirety.  The same shall apply to any copies of the data. The data importer shall certify the deletion  of the data to the data exporter. Until the data is deleted or returned, the data importer  shall continue to ensure compliance with these Clauses. In case of local laws  applicable to the data importer that prohibit the return or deletion of the transferred  personal data, the data importer warrants that it will continue to ensure compliance  with these Clauses and will only process the data to the extent and for as long as  required under that local law.

(e) Either Party may revoke its agreement to be bound by these Clauses where (i) the  European Commission adopts a decision pursuant to Article 45(3) of Regulation  (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply;  or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country  to which the personal data is transferred. This is without prejudice to other  obligations applying to the processing in question under Regulation (EU) 2016/679.

Clause 17 

Governing law 

These Clauses shall be governed by the law of one of the EU Member States,  provided such law allows for third-party beneficiary rights. The Parties agree that this shall be  the law of Luxembourg.

Clause 18 

Choice of forum and jurisdiction 

(a) Any dispute arising from these Clauses shall be resolved by the courts of an EU  Member State.

(b) The Parties agree that those shall be the courts of Luxembourg.

(c) A data subject may also bring legal proceedings against the data exporter and/or data  importer before the courts of the Member State in which he/she has his/her habitual  residence.

(d) The Parties agree to submit themselves to the jurisdiction of such courts.

ANNEX I (applicable to MODULE 2 and MODULE 3)

A. LIST OF PARTIES 

Data exporter: 

Customer as data exporter (MODULE 2)

Name: Customer, as defined in the Agreement

Address: Customer’s address, as defined in the Agreement

Activities relevant to the data transferred under these Clauses: Services as described in the Data Processing Agreement

Role: Controller

Customer as data exporter (MODULE 3)

Name: Customer, as defined in the Agreement

Address: Customer’s address, as defined in the Agreement

Activities relevant to the data transferred under these Clauses: Services as described in the Data Processing Agreement

Role: Processor

Data importer (MODULE 2 and MODULE 3): 

Name: Altirnao, Inc (D/B/A AODocs)

Address: 1175 Peachtree St NE, Suite 1000, Atlanta, GA, 30361, USA

Contact person’s name, position and contact details: Emeline Cuchot, DPO, legal@aodocs.com

Activities relevant to the data transferred under these Clauses: Services as described in the Data Processing Agreement

Role: Processor

B. DESCRIPTION OF TRANSFER 

Categories of data subjects whose personal data is transferred 

See Appendix 1 (“Customer Personal Data Processing Details”) of the Data Processing Agreement. 

Categories of personal data transferred 

See Appendix 1 (“Customer Personal Data Processing Details”) of the Data Processing Agreement.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take  into consideration the nature of the data and the risks involved, such as for instance strict  purpose limitation, access restrictions (including access only for staff having followed  specialised training), keeping a record of access to the data, restrictions for onward transfers  or additional security measures. 

See Appendix 1 (“Customer Personal Data Processing Details”) of the Data Processing Agreement 

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous  basis).

Transfer is made on a continuous basis. 

Nature of the processing 

All kind of processings as defined in article 4(2) of the GDPR, meaning any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. 

Purpose(s) of the data transfer and further processing 

Transfer and processing of Customer Personal Data by importer for the provision of Services in accordance with Appendix 1 (“Customer Personal Data Processing Details”) of the Data Processing Agreement.

Purpose(s) for which the personal data is processed on behalf of the controller 

Processing of Customer Personal Data by importer for the provision of Services in accordance with Appendix 1 (“Customer Personal Data Processing Details”) of the Data Processing Agreement.

The period for which the personal data will be retained, or, if that is not possible, the criteria  used to determine that period  

See Appendix 1 (“Customer Personal Data Processing Details”) of the Data Processing Agreement.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the  processing 

See Appendix 3 (“Subprocessors”) of the DPA and ANNEX III of the SCCs (“LIST OF SUB-PROCESSORS”)

Processing will take place during the applicable Term, as defined in the Data Processing Agreement, plus the period from expiry of such Term until deletion of all Customer Personal Data by Supplier in accordance with the Data Processing Agreement.

C. COMPETENT SUPERVISORY AUTHORITY 

CNPD (Luxembourg)

ANNEX II – TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING  TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY  OF THE DATA (applicable to MODULE 2 and MODULE 3)

Technical and organisational measures including technical and organisational measures to ensure the security of the data are detailed in Appendix 2 (Security Measures) of the Data Processing Agreement.

ANNEX III – LIST OF SUB-PROCESSORS (applicable to MODULE 2 and MODULE 3)

The controller has authorised the use of the following sub-processors:

1. Name: Google LLC or any of its affiliates

Address: 1600 Amphitheatre Parkway Mountain View, CA 94043

Contact person’s name, position and contact details: Privacy Officer privacy@google.com

Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): data hosting, analyzing and extracting, and Generative AI

2. Name: SendGrid, Inc.

Address: 375 Beale Street, Suite 300, San Francisco, CA 94105, USA

Contact person’s name, position and contact details: Data Protection Officer dpo@sendgrid.com

Description of processing (including a clear delimitation of responsibilities in case several  sub-processors are authorised): workflow automatic email notification

3. Name: Aliz Tech Kft 

Address: 1143 Budapest, Gizella út 42-44, HUNGARY

Contact person’s name, position and contact details: hello@aliz.ai

Description of processing (including a clear delimitation of responsibilities in case several  sub-processors are authorised): support

4. Name: Accusoft Corporation 

Address: 4001 N. Riverside Drive – Tampa, FL 33603 USA

Contact person’s name, position and contact details: Privacy Officer privacy@accusoft.com

Description of processing (including a clear delimitation of responsibilities in case several  sub-processors are authorised): integrated document viewer

5. Name: Zendesk, Inc.

Address: 989 Market St, San Francisco, CA 94103 USA

Contact person’s name, position and contact details: DPO,  privacy@zendesk.com

Description of processing (including a clear delimitation of responsibilities in case several  sub-processors are authorised): support

6. Name: Mailgun Technologies Inc.

Address: 112 E Pecan St, #1135 San Antonio, TX, 78205, USA

Contact person’s name, position and contact details: privacy@mailgun.com

Description of processing (including a clear delimitation of responsibilities in case several  sub-processors are authorised): workflow automatic email notification

7. Name: OpenAI OpCo, LLC or any of its affiliates

Address: 3180 18th St., San Francisco, CA 94110, USA

Contact person’s name, position and contact details: Sheila Dunning, Head of Commercial Legal,  privacy@openai.com

Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): Generative AI (OpenAI API)

Appendix 5 – Transfers from the United-Kingdom (UK Addendum)

This appendix is applicable when personal data is transferred from the United Kingdom to a third country which does not ensure an adequate level of data protection pursuant to UK GDPR.

Part 1: Tables

Table 1: Parties

Start dateThe date on which Exporter and Importer agreed to the DPA (i.e. the Effective Date).
The PartiesExporter (who sends the Restricted Transfer)Importer (who receives the Restricted Transfer)
Parties’ details

Full legal name: Customer, as defined in the Agreement

Trading name (if different):

Main address (if a company registered address): Customer’s address, as defined in the Agreement

Official registration number (if any) (company number or similar identifier): Customer’s official registration number, as defined in the Agreement

Full legal name: Altirnao, Inc.

Trading name (if different): AODocs

Main address (if a company registered address): 1175 Peachtree St NE, Suite 1000, Atlanta, GA, 30361, USA

Official registration number (if any) (company number or similar identifier):

Key Contact 

Full Name (optional): As provided by the Customer by email to legal@aodocs.com

Job Title: As provided by the Customer by email to legal@aodocs.com

Contact details including email: As provided by the Customer by email to legal@aodocs.com

Full Name (optional):

Job Title: DPO

Contact details including email: legal@aodocs.com

Table 2: Selected SCCs, Modules and Selected Clauses

Addendum EU SCCs

☐ The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information:

Date:

Reference (if any):

Other identifier (if any):

Or

☒ the Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum:

ModuleModule in operationClause 7 (Docking Clause)Clause 11 (Option)Clause 9a (Prior Authorisation or General Authorisation)Clause 9a (Time period)Is personal data received from the Importer combined with personal data collected by the Exporter?
1      
2XXXGeneral Authorisation30 days 
3XXXGeneral Authorisation30 days 
4      

Table 3: Appendix Information

“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:

Annex 1A: List of Parties: See Appendix 4, Annex I, A. of the DPA
Annex 1B: Description of Transfer: See Appendix 4, Annex I, B. of the DPA
Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: See Appendix 4, Annex II of the DPA
Annex III: List of Sub processors (Modules 2 and 3 only): See Appendix 4, Annex III of the DPA

Table 4: Ending this Addendum when the Approved Addendum Changes

Ending this Addendum when the Approved Addendum changes

Which Parties may end this Addendum as set out in Section ‎19:

☒ Importer

☒ Exporter

☐ neither Party

Part 2: Mandatory Clauses

Entering into this Addendum

1. Each Party agrees to be bound by the terms and conditions set out in this Addendum, in exchange for the other Party also agreeing to be bound by this Addendum.

2. Although Annex 1A and Clause 7 of the Approved EU SCCs require signature by the Parties, for the purpose of making Restricted Transfers, the Parties may enter into this Addendum in any way that makes them legally binding on the Parties and allows data subjects to enforce their rights as set out in this Addendum. Entering into this Addendum will have the same effect as signing the Approved EU SCCs and any part of the Approved EU SCCs.

Interpretation of this Addendum

3. Where this Addendum uses terms that are defined in the Approved EU SCCs those terms shall have the same meaning as in the Approved EU SCCs. In addition, the following terms have the following meanings:

AddendumThis International Data Transfer Addendum which is made up of this Addendum incorporating the Addendum EU SCCs.
Addendum EU SCCsThe version(s) of the Approved EU SCCs which this Addendum is appended to, as set out in Table 2, including the Appendix Information.
Appendix InformationAs set out in Table ‎3.
Appropriate SafeguardsThe standard of protection over the personal data and of data subjects’ rights, which is required by UK Data Protection Laws when you are making a Restricted Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR.
Approved AddendumThe template Addendum issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section ‎18.
Approved EU SCCsThe Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
ICOThe Information Commissioner.
Restricted TransferA transfer which is covered by Chapter V of the UK GDPR.
UKThe United Kingdom of Great Britain and Northern Ireland.
UK Data Protection LawsAll laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018.
UK GDPRAs defined in section 3 of the Data Protection Act 2018.

4. This Addendum must always be interpreted in a manner that is consistent with UK Data Protection Laws and so that it fulfils the Parties’ obligation to provide the Appropriate Safeguards.

5. If the provisions included in the Addendum EU SCCs amend the Approved SCCs in any way which is not permitted under the Approved EU SCCs or the Approved Addendum, such amendment(s) will not be incorporated in this Addendum and the equivalent provision of the Approved EU SCCs will take their place.

6. If there is any inconsistency or conflict between UK Data Protection Laws and this Addendum, UK Data Protection Laws applies.

7. If the meaning of this Addendum is unclear or there is more than one meaning, the meaning which most closely aligns with UK Data Protection Laws applies.

8. Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into.

Hierarchy

9. Although Clause 5 of the Approved EU SCCs sets out that the Approved EU SCCs prevail over all related agreements between the parties, the parties agree that, for Restricted Transfers, the hierarchy in Section ‎10 will prevail.

10. Where there is any inconsistency or conflict between the Approved Addendum and the Addendum EU SCCs (as applicable), the Approved Addendum overrides the Addendum EU SCCs, except where (and in so far as) the inconsistent or conflicting terms of the Addendum EU SCCs provides greater protection for data subjects, in which case those terms will override the Approved Addendum.

11. Where this Addendum incorporates Addendum EU SCCs which have been entered into to protect transfers subject to the General Data Protection Regulation (EU) 2016/679 then the Parties acknowledge that nothing in this Addendum impacts those Addendum EU SCCs.

Incorporation of and changes to the EU SCCs

12. This Addendum incorporates the Addendum EU SCCs which are amended to the extent necessary so that:

a. together they operate for data transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that data transfer, and they provide Appropriate Safeguards for those data transfers;

b. Sections ‎9 to ‎11 override Clause 5 (Hierarchy) of the Addendum EU SCCs; and

c. this Addendum (including the Addendum EU SCCs incorporated into it) is (1) governed by the laws of England and Wales and (2) any dispute arising from it is resolved by the courts of England and Wales, in each case unless the laws and/or courts of Scotland or Northern Ireland have been expressly selected by the Parties.

13. Unless the Parties have agreed alternative amendments which meet the requirements of Section ‎12, the provisions of Section ‎15 will apply.

14. No amendments to the Approved EU SCCs other than to meet the requirements of Section ‎12 may be made.

15. The following amendments to the Addendum EU SCCs (for the purpose of Section ‎12) are made:

a. References to the “Clauses” means this Addendum, incorporating the Addendum EU SCCs;

b. In Clause 2, delete the words: “and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679”;

c. Clause 6 (Description of the transfer(s)) is replaced with: “The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”;

d. Clause 8.7(i) of Module 1 is replaced with: “it is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer”;

e. Clause 8.8(i) of Modules 2 and 3 is replaced with: “the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;”

f. References to “Regulation (EU) 2016/679”, “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)” and “that Regulation” are all replaced by “UK Data Protection Laws”.

g. References to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws;

h. References to Regulation (EU) 2018/1725 are removed; References to the “European Union”, “Union”, “EU”, “EU Member State”, “Member State” and “EU or Member State” are all replaced with the “UK”;

i. The reference to “Clause 12(c)(i)” at Clause 10(b)(i) of Module one, is replaced with “Clause 11(c)(i)”;

j. Clause 13(a) and Part C of Annex I are not used;

k. The “competent supervisory authority” and “supervisory authority” are both replaced with the “Information Commissioner”;

l. In Clause 16(e), subsection (i) is replaced with: “the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;”;

m. Clause 17 is replaced with: “These Clauses are governed by the laws of England and Wales.”;

n. Clause 18 is replaced with: “Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”; and

o. The footnotes to the Approved EU SCCs do not form part of the Addendum, except for footnotes 8, 9, 10 and 11.

Amendments to this Addendum

16. The Parties may agree to change Clauses 17 and/or 18 of the Addendum EU SCCs to refer to the laws and/or courts of Scotland or Northern Ireland.

17. If the Parties wish to change the format of the information included in Part 1: Tables of the Approved Addendum, they may do so by agreeing to the change in writing, provided that the change does not reduce the Appropriate Safeguards.

18. From time to time, the ICO may issue a revised Approved Addendum which:

a. makes reasonable and proportionate changes to the Approved Addendum, including correcting errors in the Approved Addendum; and/or

b. reflects changes to UK Data Protection Laws;

The revised Approved Addendum will specify the start date from which the changes to the Approved Addendum are effective and whether the Parties need to review this Addendum including the Appendix Information. This Addendum is automatically amended as set out in the revised Approved Addendum from the start date specified.

19. If the ICO issues a revised Approved Addendum under Section ‎18, if any Party selected in Table 4 “Ending the Addendum when the Approved Addendum changes”, will as a direct result of the changes in the Approved Addendum have a substantial, disproportionate and demonstrable increase in:

a. its direct costs of performing its obligations under the Addendum; and/or

b. its risk under the Addendum,

and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that Party may end this Addendum at the end of a reasonable notice period, by providing written notice for that period to the other Party before the start date of the revised Approved Addendum.

20. The Parties do not need the consent of any third party to make changes to this Addendum, but any changes must be made in accordance with its terms.