EMERGENETICS DATA PROCESSING ADDENDUM
THIS EMERGENETICS DATA PROCESSING ADDENDUM
("Addendum"), including its three exhibits, is made and entered
into by and between The Browning Group International, Inc. dba Emergenetics
International and its relevant affiliates, including, without limitation, STEP,
LLC, Emergenetics Europe Limited, Emergenetics Caelan & Sage PTE Ltd, and
Emergenetics Asia, Pte. Ltd. (collectively, "Emergenetics," "we," "us," "our") and you (the "Client"
or "Partner", as applicable, each as
defined below) (each a "Party" and
collectively the "Parties"). This
Addendum governs your Processing of Personal Data on the Emergenetics Platform.
If you are accepting the terms of this Addendum on behalf of an entity, you
represent and warrant to Emergenetics that you have the authority to bind that
entity and its affiliates, where applicable, to the terms and conditions of
this Addendum. This Addendum is effective as of the date on which you agree to
it by accepting the Emergenetics User Agreement (the "Addendum Date").
RECITALS
WHEREAS, Emergenetics and you have executed an
agreement for services (the "Services Agreement")
involving the Processing of Personal Data (as defined below) of Data Subjects
(as defined below) that the Parties now desire to amend as provided herein;
WHEREAS, in the course of providing services
under the Services Agreement, you, as a Data Controller, Process certain
Personal Data of Data Subjects;
WHEREAS, Emergenetics, as a Data Controller,
requires that you and any subsequent Personal Data recipients who, in the
course of your work with Emergenetics, may Process Personal Data, take all necessary
measures to handle such information in compliance with the General Data
Protection Regulation of the EU ("GDPR")
and other Applicable Laws and regulations;
WHEREAS, whenever both Parties jointly determine
the purposes and means of Processing, they shall act as Joint Controllers; and
WHEREAS, the Parties enter into this Addendum
wishing to comply with the principles and standards for data protection as
required by Applicable Laws, with respect to the Processing of Personal Data
under the Services Agreement.
NOW, THEREFORE, in consideration of the mutual
agreements set forth in this Addendum and for other good and valuable
consideration, the receipt and sufficiency of which the Parties both
acknowledge, the Parties agree as follows:
DEFINITIONS
Capitalized
terms used but not defined in this Addendum shall have the meanings assigned to
them in the Services Agreement.
For
purposes of this Addendum, the following capitalized terms shall have the
meanings ascribed to them as set forth below wherever they appear within the
provisions of this Addendum:
a) "Applicable Laws" means all laws applicable to the Processing of Personal Data under this Addendum and the Services Agreement, including, as applicable, the GDPR, laws implementing or supplementing the GDPR, the domestic legislation of each Member State, other laws of the European Union or any Member State thereof, and the privacy and Personal Data Processing laws of any other country;
b)
"Client" means a legal
entity with whom Emergenetics has executed the Services Agreement who uses the
Platform for the benefit of its own employees, prospective employees, or other
organizational team members, such as contractors;
c)
"Data Controller" means
the natural or legal person, public authority, agency, or other body which,
alone or jointly with others, determines the purposes and means of the
Processing of Personal Data; where the purposes and means of such Processing
are determined by Union or Member State law, the Data Controller or the specific
criteria for its nomination may be provided for by Union or Member State law.
For the purposes of this Addendum, Data Controller or Data Controllers also
refers specifically to a Party or the Parties to this Addendum;
d)
"Data Processor" means
a natural or legal person, public authority, agency, or other body which
Processes Personal Data on behalf of a Data Controller;
e)
"GDPR" means Regulation
(EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on
the protection of natural persons with regard to the Processing of Personal
Data and on the free movement of such data, and repealing Directive 95/46/EC,
commonly referred to as the General Data Protection Regulation;
f) "Joint Controllers" means two or more Data Controllers that jointly determine the purposes and means of Processing;
g) "Partner" means a third-party contractor filling a role as an Emergenetics Associate, Domain Administrator, Country Representative, or other applicable role on the Platform as a member of Emergenetics' network of licensed resellers of Emergenetics products and services;
h) "Personal Data" means any information relating to an identified or identifiable natural person within the scope of this Addendum ("Data Subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person;
i)
"Personal Data Breach"
means a breach of security leading to the accidental or unlawful destruction,
loss, alteration, unauthorized disclosure of, or access to, Personal Data
transmitted, stored, or otherwise Processed;
j)
"Platform" means the
Emergenetics web application(s), including Emergenetics+, ESP, or STEP, as
applicable;
k)
"Processing" (and any
iterations, such as "Processed," "Process," etc.) means any operation or set of
operations which is performed on Personal Data or on sets of Personal Data,
whether or not by automated means, such as collection, recording, organization,
structuring, storage, adaptation or alteration, retrieval, consultation, use,
disclosure by transmission, dissemination or otherwise making available,
alignment or combination, restriction, erasure, or destruction.
TERMS
The Parties agree as follows:
Each Party represents that:
a)
with respect to the Processing of Personal Data under the Services
Agreement, it is a Data Controller within the meaning of this Addendum and the
GDPR;
b)
all Personal Data has been and will be collected, transferred, and
otherwise Processed in accordance with the Applicable Laws;
c)
it will only conduct transfers of Personal Data, where such
transfers would be subject to mandatory requirements under the Applicable Laws
(and no lawful exemption or derogation applies), in compliance with all
applicable conditions, as laid down in the Applicable Laws; and
d)
it will, upon request of the respective other Party, provide that
other Party with copies of all Applicable Laws or references to such laws (where
relevant, and not including legal advice).
Where the Parties act as Joint Controllers, each Data Controller agrees that:
a)
it will determine its respective responsibilities for compliance
with its obligations under the Applicable Laws;
b)
it will determine its respective responsibilities vis-a-vis Data Subjects, taking into
account the circumstances of each specific Processing situation, and, where
necessary, duly communicate such information to the respective other Data
Controller in the Joint Controllership context;
c)
in consideration of the fact that Data Subjects may exercise their
rights under the GDPR in respect of and against each of the Data Controllers
irrespective of the terms of the arrangement between the Parties, each Data
Controller in the Joint Controllership context will proactively, without having
been requested to do so, provide all due assistance and information to the
respective other Data Controller in the Joint Controllership context, including
but not limited to forwarding requests lodged by Data Subjects to exercise
their rights under Chapter III GDPR. Where a Data Controller has not fulfilled
its obligation under this provision, it shall be fully liable with regard to
the response, or lack thereof, to the respective request by the Data Subject to
exercise his rights; and
d)
where a conflict of competence occurs with regard to a specific
set of Processing operations in the Joint Controllership context, each Data
Controller shall act in good faith to communicate and resolve said conflict
with the other respective Data Controller in an amicable manner, by taking into
account and respecting, firstly, the interests and rights of the respective
Data Subject(s), and, secondly, the mutual interest of both Parties, so as to
avoid joint and several liability, where the Parties fail to respect the rights
of a Data Subject(s) because of an unresolved conflict of competence.
a)
Processing is limited to those services and tasks outlined in the
Services Agreement for services and any subsequent orders, statements of work,
or work orders executed between the Parties.
b)
Each Data Controller shall ensure that the Processing of the
Personal Data for the purposes set out in the Services Agreement is performed
only on lawful grounds, as provided by Article 6 GDPR and as further limited by
Article 9 GDPR, or the equivalent provisions of any Applicable Laws, as the case
may be.
c)
The respective Data Controllers must ensure that persons they
authorize to Process the Personal Data have committed themselves to
confidentiality or are under an appropriate statutory obligation of
confidentiality.
a)
Each Party will be responsible for responding to requests for the exercise
of a Data Subject's rights under Chapter III GDPR or the equivalent provisions
of other Applicable Laws, with regard to the Personal Data Processed by that
Party.
b)
Each Party will designate an appropriate point of contact for Data
Subject requests within its respective organization. Each Party will maintain a
record of Data Subjects' requests to exercise their rights, the decisions made,
the timeline of the request and response, and any information that was
exchanged.
c)
In situations where the Parties are operating as Joint
Controllers, the Parties will provide notice to each other of all such Data
Subject requests they receive. Before deleting Personal Data or restricting
Processing in response to a Data Subject request, each Party will obtain the
approval of the other Party, which shall not be unreasonably withheld by that
other Party, so as to avoid the possibility of one Party's actions causing the
other Party to be in breach of this Addendum or Applicable Laws.
d)
The Parties agree to
provide prompt and reasonable assistance to each other, if required, to enable
them to comply with Data Subject requests. Each Party will ensure that its
relevant privacy notices, where applicable, are published in accordance with
the requirements of the GDPR and other Applicable Laws and that no conflicts
exist among the Parties' privacy notices that would create confusion or mislead
Data Subjects. In particular, each Party will ensure that its relevant privacy
notices, where applicable, contain accurate contact information to which Data
Subjects can submit requests to the respective Party to exercise their rights
under the GDPR and other Applicable Laws, as the case may be.
a)
Each Party shall provide timely notification of a Personal Data
Breach to the competent supervisory authority or the affected Data Subject(s),
as required by Articles 33 and 34 GDPR, or the equivalent provisions of other
Applicable Laws, as the case may be. The Parties will also notify one another
of a Personal Data Breach in a timely manner, if appropriate and if the other
Party or its users may be affected.
b)
Each Party shall cooperate with the other respective Party and
take all reasonable commercial steps to assist each other in the investigation,
mitigation, and remediation of each such Personal Data Breach.
a)
Each Party shall only engage a Data Processor to Process the
Personal Data on its behalf if that Data Processor provides sufficient
guarantees, by way of a written contract or other legal act under European
Union or Member State law, that it will implement the same data protection
obligations as this Addendum and the requirements of the GDPR or relevant
provisions of any Applicable Laws.
b)
Where that Data Processor fails to fulfill its data protection
obligations, the respective Party shall remain fully liable to Data Subjects
for the performance of that Data Processor's obligations.
a) International transfers of
Personal Data within the scope of this Addendum shall be conducted in
accordance with the applicable terms and requirements of Exhibit B.
b) Where the Standard Contractual
Clauses are the applicable data transfer mechanism according to the terms and
requirements set out in Exhibit B, the applicable Standard Contractual
Clauses will be the clauses applicable to the role of the Parties as described
in Sections 4 and 5.
c)
Emergenetics may update Exhibits A and C from time
to time to reflect changes or additions necessary to conclude the Standard
Contractual Clauses. Without limiting the generality of the foregoing, if the
execution of a new version of the Standard Contractual Clauses adopted by the
European Commission is later required in order for the Parties to rely on such
instrument as a lawful mechanism for Restricted Transfers, the Parties are
deemed to have agreed to the new version of the Standard Contractual Clauses by
signing this Addendum, and, if necessary, Emergenetics shall be entitled to
update Exhibits A and C accordingly.
d)
Emergenetics may update Exhibit C from time to time
to provide for additional safeguards to Personal Data subject to Restricted
Transfers. If Emergenetics updates Exhibit C, it will provide the
updated Exhibit C to the Client. If the Client does not object to
the updated Exhibit C within fourteen (14) days of receipt, the
Client will be deemed to have consented to the updated Exhibit C.
Emergenetics' Data Protection Officer ("DPO")
Steven Douglas
privacy@emergenetics.com
2 Inverness Dr East, Suite 189,
Centennial, CO 80112, USA
The Client shall provide the
details of its contact point for data protection enquiries in the form located
at: https://plus.emergenetics.com and https://esp.emergenetics.com (available upon login).
The Client warrants that it
will promptly update, when necessary, all such information, and keep all such
information complete and up to date.
VeraSafe Czech Republic s.r.o.
Klimentská 46
Prague 1, 11002
Czech Republic
VeraSafe Ireland Ltd
Unit 3D North Point House,
North Point Business Park,
New Mallow Road, Cork T23AT2P, Ireland
Contact form: https://www.verasafe.com/privacy-services/contact-article-27-representative/
Exhibit A
Details of Processing
The
subject matter of the Processing of Personal Data pertains to the provision of
the Emergenetics services under the Services Agreement.
The
duration of the Processing of Personal Data is generally determined by the
Services Agreement and is further subject to the terms of Section 1 of this
Addendum.
The
nature and purpose of the Processing of Personal Data pertains to the provision
of the Emergenetics services under the Services Agreement.
The Personal Data transferred
concern the following categories of Data Subjects:
The Personal Data transferred
typically concern the individuals being evaluated or assessed via the
Emergenetics Platform.
The Personal Data transferred
typically concern the following categories of data:
Personal Data typically include
biographical data, contact data, professional data, and learning/management and
personality styles preferences.
No special categories of Personal
Data are Processed.
The Processing activities to
which the Personal Data will be subject:
Collection, recording,
organization, storage, adaptation or alteration, retrieval, consultation, use,
disclosure by transmission, dissemination or otherwise making available,
alignment or combination, blocking, erasure, or destruction for the purpose of
providing the Emergenetics services in accordance with the terms of the
Services Agreement.
The Parties shall not carry out
further Processing on Personal Data.
The frequency of the transfer
of Personal Data is outlined in the Services Agreement between the Parties.
The retention period of Personal Data is outlined in this Addendum and the Services Agreement between the Parties.
Exhibit B
Jurisdiction Specific Terms
1.
European Economic
Area
1.1. Definitions.
a) "2021 EU Standard Contractual Clauses"
means the standard contractual clauses adopted by Commission Implementing Decision
(EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer
of personal data to third countries pursuant to Regulation (EU) 2016/679 of the
European Parliament and of the Council.
b) "European Economic Area" ("EEA") means the EU Member States, and
Iceland, Liechtenstein, and Norway.
c) "Restricted Transfer of EEA Personal Data"
(as used in this Section) means any transfer of Personal Data subject to the
GDPR which is undergoing Processing or is intended for Processing after
transfer to a Third Country (as defined below) or an international organization
(including data storage on foreign servers).
d) "Standard Contractual Clauses" (as used
in the Addendum) includes the 2021 EU Standard Contractual Clauses.
e) "Third Country" means a country outside
of the EEA.
1.2. Restricted
Transfers of EEA Personal Data.
a) With regard to
any Restricted Transfer of EEA Personal Data from one Party to the other, within
the scope of this Addendum, one of the following transfer mechanisms shall
apply, in the following order of precedence:
(i) A valid adequacy decision
adopted by the European Commission on the basis of Article 45 of the GDPR that
provides that the Third Country, a territory, or one or more specified sectors
within that Third Country, or the international organization in question to
which Personal Data is to be transferred ensures an adequate level of data
protection.
(ii) Emergenetics'
certification to any successor to the EU-U.S. Privacy Shield Framework (only to
the extent that such self-certification constitutes an "appropriate safeguard"
pursuant to the GDPR), provided that the Services are covered by the
certification.
(iii)
The 2021 EU Standard Contractual Clauses (insofar as their use constitutes an
"appropriate safeguard" under Article 46 of the GDPR).
(iv)
Any other lawful data transfer mechanism, as laid down in the GDPR, as the case
may be.
b) This
Addendum hereby incorporates by reference the 2021 EU Standard Contractual Clauses
(which may be updated from time to time if required by law or at the choice of Emergenetics
to reflect the latest version adopted by the European Commission), provided
that the content of the annexes of the 2021 EU Standard Contractual Clauses is
set forth in Exhibit A to
this Addendum. The Parties are deemed to have accepted, executed, and signed
the 2021 EU Standard Contractual Clauses where necessary in their entirety
(including the annexes thereto). For the purpose of the 2021 EU Standard
Contractual Clauses and this Section 1:
(i) When Emergenetics is the "data
importer" the Client shall be the "data exporter" and when Emergenetics is the
"data exporter" the Client shall be the "data importer".
(ii) The Parties agree to apply
module one of the 2021 EU Standard Contractual Clauses.
(iii) The Parties elect not to
include Clause 7 of the 2021 EU Standard Contractual Clauses.
(iv) With respect to Clause 11,
the Parties agree not to provide the right to lodge a complaint with an
independent dispute resolution body.
(vi) With respect to Clause 13 and
Annex I.C, the competent supervisory authority is the Data Protection
Commission (Ireland).
(vii) With respect to Clause 17 of
the 2021 EU Standard Contractual Clauses, the Parties select, under Option 1,
the law of the Republic of Ireland.
(viii) With respect to Clause 18
of the 2021 EU Standard Contractual Clauses, the Parties agree that any dispute
arising from the Standard Contractual Clauses shall be resolved by the courts
of the Republic of Ireland.
(ix) The additional safeguards
identified in Exhibit C
supplement the 2021 EU Standard Contractual Clauses.
(x)
In cases where the 2021 EU Standard Contractual Clauses apply and there is a
conflict between the terms of the Addendum and the terms of the 2021 EU
Standard Contractual Clauses, the terms of the Standard Contractual Clauses
shall prevail.
2.
Switzerland
2.1. Definitions
a) "2004 EU Standard
Contractual Clauses" (as used in the Addendum and this Section) means the contractual clauses adopted by Decision
of the European Commission C(2004)5721 for the purpose of adducing adequate
protection of Personal Data transferred from a Data Controller to a Data
Controller established in a Third Country, where the legislation in such third
country has not been deemed to provide an adequate level of data protection.
b) "Applicable Laws" (as used in the
Addendum) includes the Federal Act on Data Protection of 19 June 1992 ("FADP") and the Ordinance to the Federal
Act on Data Protection ("OFADP"), as
may be amended from time to time.
c) "Data Controller" (as used in the Addendum)
includes "Controller of the Data File"
as defined under the FADP.
d) "Personal Data" (as used in the
Addendum) includes "Personal Data"
as defined under the FADP.
e) "Processing" (as used in the Addendum)
includes "Processing" as defined
under the FADP.
f) "Restricted Transfer of Swiss Personal Data"
(as used in this Section) means any transfer of Personal Data (including data
storage in foreign servers) subject to the FADP to a Third Country or an
international organization.
g) "Standard Contractual Clauses" (as used
in the Addendum) includes the 2004 EU Standard Contractual Clauses.
h) "Supervisory Authority" (as used in the
Addendum) includes the Federal Data Protection and Information Commissioner.
i)
"Third Country"
means a country outside of the Swiss Confederation.
2.2. Restricted
Transfer of Swiss Personal Data.
a) With regard to
any Restricted Transfer of Swiss Personal Data from one Party to the other
within the scope of this Addendum, one of the following transfer mechanisms
shall apply, in the following order of precedence:
(i) The
inclusion of the Third Country, a territory, or one or more specified sectors
within that Third Country, or the international organization in question to
which Personal Data is to be transferred in the list published by the Swiss
Federal Data Protection and Information Commissioner of states that provide an
adequate level of protection for Personal Data within the meaning of the FADP.
(ii) Emergenetics'
certification to any successor to the Swiss-U.S. Privacy Shield Framework (only
to the extent that such self-certification constitutes an "appropriate
safeguard" pursuant to the FADP and the OFADP, as the case may be), provided
that the Services are covered by the self-certification.
(iii) The 2021 EU
Standard Contractual Clauses (insofar as their use constitutes an "appropriate
safeguard" under Article 6.2 (a) of the FADP).
(iv) Any other lawful
transfer mechanism, as laid down in the Applicable Laws, as the
case may be.
b) This
Addendum hereby incorporates by reference the 2004 EU Standard Contractual
Clauses (updated from time to time if required by law or at the choice of Emergenetics
to reflect the latest version adopted by the European Commission). The Parties
are deemed to have accepted, executed, and signed the EU 2004 Controller
Standard Contractual Clauses where necessary in their entirety. Each Party
acting as a data importer, elects Clause II(h)(iii) as its choice pursuant to
Clause II(h) of the EU 2004 Controller Standard Contractual Clauses.
c) In cases where the 2004 EU Standard
Contractual Clauses apply and there is a conflict between the terms of the
Addendum and the terms of the 2004 EU Standard Contractual Clauses, the terms
of the 2004 EU Standard Contractual Clauses shall prevail.
d) Where the 2004 EU Standard Contractual Clauses apply, the
Client shall inform the Federal Data Protection and Information Commissioner
about the use of the Standard Contractual Clauses.
3.
United
Kingdom
3.1. Definitions.
a) "2004 EU Standard
Contractual Clauses" (as used in the Addendum and this Section) means the
contractual clauses adopted by Decision of the European Commission C(2004)5721
for the purpose of adducing adequate protection of Personal Data transferred
from a Data Controller to a Data Controller established in a Third Country,
where the legislation in such third country has not been deemed to provide an
adequate level of data protection.
b) "Applicable Laws" (as used in the
Addendum) includes the Data Protection Act 2018 and, when in full force and
effect, the UK GDPR (as defined below).
c) "Standard Contractual Clauses" (as used
in the Addendum) includes the 2004 EU Standard Contractual Clauses.
d) "Third Country" (as used in this
Section) means a country outside of the UK.
e) "UK GDPR" (as
used in this Section) means Regulation (EU) 2016/679 of the European
Parliament and of the Council of 27 April 2016 "on the Protection of Natural
Persons with Regard to the Processing of Personal Data and on the Free Movement
of Such Data (General Data Protection Regulation)" as has been amended,
adopted, and forming part of the law of England, Wales, Scotland, and Northern
Ireland by virtue of Section 3 of the European Union (Withdrawal) Act 2018.
f) "UK Restricted Transfer" (as used in this Section) includes any transfer of
Personal Data (including data storage in foreign servers) subject to the UK
GDPR to a Third Country or an international organization.
3.2. UK Restricted Transfers.
a) With
regard to any UK Restricted Transfer from one Party to the other within the scope of this Addendum, one of the following
transfer mechanisms shall apply, in the following order of precedence:
(i) A valid adequacy decision
pursuant to the requirements under the UK GDPR and the Data Protection Act 2018
that provides that the Third Country, a territory, or one or more specified
sectors within that Third Country, or the international organization in
question to which Personal Data is to be transferred, ensures an adequate level
of data protection.
(ii) Emergenetics' certification
to any successor to the EU-U.S. Privacy Shield Framework (only to the extent
that such self-certification constitutes an "appropriate safeguard" pursuant to
the UK GDPR and the Data Protection Act 2018, as the case may be), provided
that the Services are covered by the self-certification.
(iii) The 2004 EU Standard
Contractual Clauses (insofar as their use constitutes an "appropriate
safeguard" under the UK GDPR and the Data Protection Act 2018).
(iv) Any other lawful basis, as
laid down in the UK GDPR and the Data Protection Act 2018, as the case may be.
b) This
Addendum hereby incorporates by reference the 2004 EU Standard Contractual
Clauses (updated from time to time if required by law or at the choice of
Emergenetics to reflect the latest version adopted by the European Commission).
The Parties are deemed to have accepted, executed, and signed the EU 2004
Controller Standard Contractual Clauses where necessary in their entirety. Each
Party acting as a data importer, elects Clause II(h)(iii) as its choice
pursuant to Clause II(h) of the EU 2004 Controller Standard Contractual
Clauses.
c) In
cases where the 2004 EU Standard Contractual Clauses apply and there is a
conflict between the terms of the Addendum and the terms of the 2004 EU
Standard Contractual Clauses, the terms of the 2004 EU Standard Contractual Clauses
shall prevail.
Exhibit C
Supplemental Clauses to the
Standard Contractual Clauses
a)
"Data Importer" and "Data
Exporter" shall have the same meaning assigned to them in the Standard
Contractual Clauses concluded by the Parties.
b)
"EO 12333" means U.S.
Executive Order 12333.
c)
"FISA" means the U.S. Foreign Intelligence Surveillance Act.
d)
"Schrems II Judgment" means the judgment of the European Court of
Justice in Case C-311/18, Data Protection Commissioner v Facebook Ireland
Limited and Maximilian Schrems.
a) The Data Importer represents and warrants
that, as of the date of this Addendum, it has not received any national
security orders of the type described in Paragraphs 150-202 of the Schrems II
Judgment.
b) Data Importer
represents that it reasonably believes that it is not eligible to be required
to provide information, facilities, or assistance of any type under FISA
Section 702 because:
i. No court has found Data Importer to be an entity eligible to receive process
issued under FISA Section 702, namely (i) an "electronic communication service
provider" within the meaning of 50 U.S.C. § 1881(b)(4), or (ii) a member of any of
the categories of entities described within that definition.
ii. If Data Importer were to be found eligible for FISA Section 702, which it
believes it is not, it is nevertheless also not the type of provider that is
eligible to be subject to UPSTREAM collection pursuant to FISA Section 702, as
described in paragraphs 62 and 179 of the Schrems II Judgment.
c) EO
12333 does not provide the U.S. government the ability to order or demand that
Data Importer provide assistance for the bulk collection of information, and
Data Importer shall take no action pursuant to EO 12333.
d) Data Importer commits to provide upon
request information about the laws and regulation in the destination countries
of the transferred data applicable to Data Importer and the Data Processors
directly contracted by Data Importer that would permit access by public
authorities to the transferred Personal Data, in particular in the areas of
intelligence, law enforcement, and administrative and regulatory supervision
applicable to the transferred data. In the absence of laws governing the public
authorities' access to data, Data Importer shall provide Data Exporter with
information and statistics based on the experience of the Data Importer or
reports from various sources (such as partners, open sources, national case
law, and decisions from oversight bodies) on access by public authorities to
Personal Data in situations similar to the kind of the data transfer at hand.
Data Importer providing the information referred to in this Section 5(d) may
choose the means to provide the information.
e) Data Importer shall monitor any legal or
policy developments that might lead to its inability to comply with its
obligations under the Standard Contractual Clauses and this Exhibit, and
promptly inform Data Exporter of any such changes and developments. When
possible, Data Importer shall inform Data Exporter of any such changes and
developments ahead of their implementation.
Should Data Importer receive an order from a public authority for disclosure of transferred Personal Data, Data Importer shall:
a) Promptly notify the Data Exporter, unless
prohibited by law, or, if prohibited from notifying the Data Exporter, use all
lawful efforts to obtain the right to waive the prohibition in order to
communicate information relating to the order to the Data Exporter as soon as
possible. This includes, but is not limited to, informing the requesting public
authority of the incompatibility of the order with the safeguards contained in
the Standard Contractual Clauses and the resulting conflict of obligations for
Data Importer and documenting this communication.
b) Use all lawful efforts to challenge the
order for disclosure on the basis of any legal deficiencies under the laws of
the requesting party or any relevant conflicts with the law of the European
Union or applicable EEA Member State law or any other Applicable Laws. For the
purpose of this Exhibit, lawful efforts do not include actions that would
result in civil or criminal penalty, such as contempt of court under the laws
of the relevant jurisdiction.
c) Seek interim measures with a view to
suspend the effects of the order until the competent court has decided on the
merits.
d) Not disclose the requested Personal Data
until required to do so under the applicable procedural rules.
e) Provide the minimum amount of information
permissible when responding to the request, based on a reasonable
interpretation of the request.
a) Data Importer certifies that:
i. It has not purposefully created back
doors or similar programming that could be used to access Personal Data subject
to the Standard Contractual Clauses;
ii. It has not purposefully created or
changed its business processes in a manner that facilitates access to Personal
Data; and
iii. National
law or government policy does not require Data Importer to create or
maintain back doors or to facilitate access to Personal Data or systems.
iv. Data
Exporter will be entitled to terminate the contract on short notice in those
cases in which Data Importer does not reveal the existence of a back door or
similar programming or manipulated business processes or any requirement to
implement any of these or fails to promptly inform Data Exporter once their
existence comes to its knowledge.
Data Importer shall implement, at a minimum, the following safeguards for transferred Personal Data:
a) Encryption
of the transferred Personal Data in transit using the Transport Layer Security
(TLS) protocol version 1.2 or higher with a minimum of 128-bit encryption;
b) Encryption
at rest within the Data Importer's software applications using a minimum of
AES-256;
c) Active
monitoring and logging of network and database activity for potential security
events, including intrusion;
d) Regular
scanning and monitoring of Data Importer's software applications and IT
systems for vulnerabilities and for unauthorized software;
e) Restriction
of physical and logical access to IT systems that Process transferred Personal
Data to those officially authorized persons with an identified need for such
access;
f)
Firewall protection of external
points of connectivity in Data Importer's network architecture;
g) Expedited
patching of known exploitable vulnerabilities in the software applications and
IT systems used by Data Importer; and
h) Internal
policies establishing that:
i. Where
Data Importer is prohibited by law from notifying Data
Exporter of an order from a public authority for transferred Personal Data, the
Data Importer shall take into account the laws of other jurisdictions and use
best efforts to request that any confidentiality requirements be waived to
enable it to notify the competent supervisory authorities;
ii. Data Importer must require an
official, signed document issued pursuant to the Applicable Laws of the
requesting third party before it will consider a request for access to transferred
Personal Data;
iii. Data
Importer's compliance team shall scrutinize every request for
legal validity and, as part of that procedure, will reject any request Data
Importer considers to be invalid; and
iv. If
Data Importer is legally required to comply with an order,
it will respond as narrowly as possible to the specific request.
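The in-transit requirement in clause (a) of the safeguards above is easy to state and easy to misconfigure. The following Python, added here as an illustration and not part of the Addendum or of any Emergenetics code, audits a client-side ssl.SSLContext against exactly the two thresholds the clause names (TLS 1.2 or higher, no cipher suite weaker than 128 bits) and shows a hardened context beside a legacy one that still admits TLS 1.0. The function names and the legacy configuration are assumptions for the example; the Addendum says nothing about how either Party configures TLS.

```python
import ssl
from typing import List, Tuple

# Thresholds from Exhibit C, clause (a): TLS 1.2 or higher and at least
# 128-bit cipher strength for Personal Data in transit.
ADDENDUM_MIN_TLS = ssl.TLSVersion.TLSv1_2
ADDENDUM_MIN_CIPHER_BITS = 128


def audit_tls_context(ctx: ssl.SSLContext) -> List[str]:
    """Compare an SSLContext against the in-transit clause.

    Returns human-readable findings; an empty list means the context only
    ever negotiates TLS 1.2+ with cipher suites of 128 bits or more.
    """
    findings: List[str] = []
    # minimum_version is MINIMUM_SUPPORTED (-2) when no floor was ever set,
    # which sorts below TLSv1_2 and is therefore reported as a finding: the
    # compiled-in OpenSSL minimum would otherwise decide the answer.
    if ctx.minimum_version < ADDENDUM_MIN_TLS:
        findings.append(
            f"minimum protocol version is {ctx.minimum_version.name}; "
            f"the addendum requires {ADDENDUM_MIN_TLS.name} or higher"
        )
    # get_ciphers() lists every suite the context is willing to negotiate
    # (TLS 1.3 suites included) with its effective key strength in bits.
    for suite in ctx.get_ciphers():
        if suite["strength_bits"] < ADDENDUM_MIN_CIPHER_BITS:
            findings.append(
                f"cipher suite {suite['name']} provides only "
                f"{suite['strength_bits']}-bit encryption"
            )
    return findings


def hardened_client_context() -> ssl.SSLContext:
    """A client context that satisfies clause (a) by construction (assumed
    configuration for this example)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # AEAD suites with forward secrecy only; each is 128-bit or stronger.
    # TLS 1.3 suites are governed separately and all meet the threshold.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")
    return ctx


def legacy_client_context() -> Tuple[ssl.SSLContext, bool]:
    """A context that still admits TLS 1.0/1.1, as older deployments do
    (assumed configuration for this example).

    Returns (ctx, lowered). lowered is False when the local OpenSSL build
    refuses to enable those protocol versions at all; the context is then
    not actually weak and the audit correctly passes it.
    """
    ctx = ssl.create_default_context()
    for version in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1):
        try:
            ctx.minimum_version = version
            break
        except ValueError:
            # Protocol version compiled out of this OpenSSL; try the next.
            continue
    lowered = ctx.minimum_version < ADDENDUM_MIN_TLS
    return ctx, lowered


if __name__ == "__main__":
    legacy_ctx, _ = legacy_client_context()
    for label, ctx in (("hardened", hardened_client_context()),
                       ("legacy", legacy_ctx)):
        findings = audit_tls_context(ctx)
        print(f"{label}: {'compliant' if not findings else '; '.join(findings)}")
```

Run with python3: the hardened context reports compliant and the legacy one reports its protocol floor. The same audit applies unchanged to a server-side context built with ssl.PROTOCOL_TLS_SERVER, which is where clause (a) is usually enforced in practice.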
a) Data Importer
shall promptly inform Data Exporter of its inability to comply with the
Standard Contractual Clauses and this Exhibit.
b) If Data Importer
determines that it is no longer able to comply with its contractual commitments
under this Exhibit, Data Exporter can swiftly suspend the transfer of data
and/or terminate the Services Agreement.
c) If Data Importer
determines that it is no longer able to comply with the Standard Contractual
Clauses or this Exhibit, Data Importer shall return or delete the Personal Data
received in reliance on the Standard Contractual Clauses. If returning or
deleting the Personal Data received is not possible, Data Importer must
securely encrypt the data without necessarily waiting for Data Exporter's
instructions.
d) Data Importer
shall provide the Data Exporter with sufficient indications to exercise its
duty to suspend or end the transfer and/or terminate the contract.