THIS DATA PROCESSING ADDENDUM (“DPA”) is entered into as of the Addendum Effective Date by and between: (1) Comparative, Inc., a Delaware corporation with its principal business address at 440 N Barranca Ave #7603, Covina, CA 91723 (“Vendor”); and (2) the entity or other person who is a counterparty to the Agreement (as defined below) into which this DPA is incorporated and forms a part (“Customer”), together the “Parties” and each a “Party”.
In this DPA the following terms shall have the meanings set out in this Section 1, unless expressly stated otherwise:
“Addendum Effective Date” means the effective date of the Agreement.
“Agreement” means the Comparative Terms of Service entered into by and between the Parties.
“Applicable Data Protection Laws” means the privacy, data protection and data security laws and regulations of any jurisdiction applicable to the Processing of Customer Personal Data under the Agreement, including, without limitation, GDPR, PIPEDA, and the CCPA (as and where applicable).
“CCPA” means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (the "CPRA"), and any binding regulations promulgated thereunder.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
“Customer Personal Data” means any Personal Data Processed by Vendor or its Sub-Processor on behalf of Customer to perform the Services under the Agreement (including, for the avoidance of doubt, any such Personal Data comprised within Customer Data).
“Data Subject Request” means the exercise by a Data Subject of its rights in accordance with Applicable Data Protection Laws in respect of Customer Personal Data and the Processing thereof.
“Data Subject” means the identified or identifiable natural person to whom Customer Personal Data relates.
“EEA” means the European Economic Area.
“GDPR” means, as and where applicable to Processing concerned: (i) the General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR”); and/or (ii) the EU GDPR as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (as amended, including by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019) (“UK GDPR”), including, in each case (i) and (ii) any applicable national implementing or supplementary legislation (e.g., the UK Data Protection Act 2018), and any successor, amendment or re-enactment, to or of the foregoing. References to “Articles” and “Chapters” of, and other relevant defined terms in, the GDPR shall be construed accordingly.
“Mandatory Clauses” means the mandatory clauses of the UK Transfer Addendum, as shown in Part Four of the document presently published at https://ico.org.uk/media/for-organisations/documents/4019538/international-data-transfer-agreement.pdf.
“Personal Data” means “personal data,” “personal information,” “personally identifiable information” or similar term defined in Applicable Data Protection Laws.
“Personal Data Breach” means a breach of Vendor’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized use or disclosure of, or access to, Customer Personal Data in Vendor’s possession, custody or control. For clarity, Personal Data Breach does not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data (such as unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems).
“Personnel” means a person’s employees, agents, consultants or contractors.
“Process” and inflection thereof means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor” means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller.
“Restricted Transfer” means the disclosure, grant of access or other transfer of Customer Personal Data to any person located in: (i) in the context of the EEA, any country or territory outside the EEA which does not benefit from an adequacy decision from the European Commission (an “EU Restricted Transfer”); and (ii) in the context of the UK, any country or territory outside the UK, which does not benefit from an adequacy decision from the UK Government (a “UK Restricted Transfer”), which would be prohibited without a legal basis under Chapter V of the GDPR.
“SCCs” means the standard contractual clauses approved by the European Commission pursuant to implementing Decision (EU) 2021/914, as populated in accordance with Part 1 of Attachment 1 to Annex 2 (European Annex) (“SCCs”).
“Service Data” means any data relating to the use, support and/or operation of the Services, which is collected directly by Vendor from and/or about users of the Services and/or Customer’s use of the Service for use for its own purposes (certain of which may constitute Personal Data).
“Services” means those services and activities to be supplied to or carried out by or on behalf of Vendor for Customer pursuant to the Agreement, including the Comparative Offering.
“Sub-Processor” means any third party appointed by or on behalf of Vendor to Process Customer Personal Data.
“Supervisory Authority”: (i) in the context of the EEA and the EU GDPR, shall have the meaning given to that term in the EU GDPR; (ii) in the context of the UK and the UK GDPR, means the UK Information Commissioner’s Office; and (iii) in the context of PIPEDA and/or Provincial Privacy Laws, means the Office of the Privacy Commission or Commissioner overseeing the relevant law as applicable.
“UK Transfer Addendum” means the template addendum B1.0 issued by the ICO under s119A(1) of the Data Protection Act 2018, in force from 21 March 2022, as set out in Part 2 of Attachment 1 to Annex 2 (European Annex).
Unless otherwise defined in this DPA, all capitalized terms in this DPA shall have the meaning given to them in the Agreement.
SCOPE OF THIS DATA PROCESSING ADDENDUM
The front-end of this DPA applies generally to Vendor’s Processing of Customer Personal Data under the Agreement.
Annex 2 (European Annex) to this DPA applies only if and to the extent Vendor’s Processing of Customer Personal Data under the Agreement is subject to the GDPR.
Annex 3 (California Annex) to this DPA applies only if and to the extent Vendor’s Processing of Customer Personal Data under the Agreement is subject to the CCPA.
Sections 10 and 11 of this DPA apply to Vendor’s Processing of Customer Personal Data under the Agreement only to the extent they must be included in this DPA for Vendor to qualify as a Processor under Applicable Data Protection Laws or for the parties to comply with their obligations thereunder in respect of the required terms of contracts, and in such cases, only in respect of Processing subject to such laws.
PROCESSING OF CUSTOMER PERSONAL DATA
Vendor shall not Process Customer Personal Data other than on Customer’s instructions or as required by applicable laws. Where Vendor receives an instruction from Customer that, in its reasonable opinion, infringes Applicable Data Protection Laws, Vendor shall inform Customer. Unless otherwise expressly provided for, as between the Parties, Customer controls Customer Personal Data.
Customer instructs Vendor to Process Customer Personal Data as necessary to provide the Services to Customer under and in accordance with the Agreement. Customer acknowledges and agrees that instructions issued by Customer with regards to the Processing of Customer Personal Data by or on behalf of Vendor pursuant to or in connection with the Agreement shall be in strict compliance with Applicable Data Protection Laws. The Parties acknowledge and agree that the details of Vendor’s Processing of Personal Data under this DPA and the Agreement (including the respective roles of the Parties relating to such Processing) are as set out in Annex 1 (Data Processing Details) to the DPA.
Customer acknowledges and agrees that Vendor may create and derive from Processing related to the Agreement, deidentified, anonymized and/or aggregated data that does not identify Customer or any natural person and use, publicize, or share with third parties such data to improve Vendor’s products and services and for its other legitimate business purposes.
Customer generally authorizes Vendor to appoint Sub-Processors in accordance with this Section 4.
Vendor may continue to use those Sub-Processors already engaged by Vendor as at the date of this DPA (as those Sub-Processors are shown, together with their respective functions and locations, in Annex 5 (Authorized Sub-Processors) (the “Sub-Processor List”).
Vendor shall give Customer prior written notice of the appointment of any proposed Sub-Processor, including reasonable details of the Processing to be undertaken by the Sub-Processor, for example by providing Customer with an updated copy of the Sub-Processor List via a ‘mailshot’ or similar bulk distribution mechanism sent via email to Customer’s contact point as set out in Annex 1 (Data Processing Details). If, within fourteen (14) days of receipt of that notice, Customer notifies Vendor in writing of any objections (on reasonable grounds) to the proposed appointment:
Vendor shall use reasonable efforts to make available a commercially reasonable change in the provision of the Services, which avoids the use of that proposed Sub-Processor; and
where: (i) such a change cannot be made within fourteen (14) days from Vendor’s receipt of Customer’s notice; (ii) no commercially reasonable change is available; and/or (iii) Customer declines to bear the cost of the proposed change, then either Party may by written notice to the other Party with immediate effect terminate the Agreement, either in whole or to the extent that it relates to the Services which require the use of the proposed Sub-Processor, as its sole and exclusive remedy.
If Customer does not object to Vendor’s appointment of a Sub-Processor during the objection period referred to in Section 4.3, Customer shall be deemed to have approved the engagement and ongoing use of that Sub-Processor.
With respect to each Sub-Processor, Vendor shall maintain a written contract between Vendor and the Sub-Processor that includes terms which offer at least an equivalent level of protection for Customer Personal Data as those set out in this DPA (including the Security Measures). Vendor shall remain liable for any breach of this DPA caused by a Sub-Processor.
Operational clarifications: Any approval by Customer of Vendor’s appointment of a Sub-Processor that is given expressly or deemed given pursuant to Section 4.3 constitutes (i) Customer’s documented instructions to effect disclosures and onward transfers to any relevant Sub-Processors if and as required under Clause 8.8 of the SCCs; and (ii) satisfaction of Vendor’s obligation under the CCPA to give notice of such appointments.
DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION
If and to the extent expressly required by Applicable Data Protection Laws, Vendor, taking into account the nature of the Processing and the information available to Vendor, shall provide reasonable assistance to Customer, at Customer’s cost, with any (i) data protection impact assessments and (ii) prior consultations with Supervisory Authorities which Customer reasonably considers to be required of it by Article 35 or Article 36 of the GDPR, or Provincial Privacy Laws, in each case solely in relation to Processing of Customer Personal Data by Vendor.
Operational clarification: Except to the extent prohibited by applicable law, Customer shall be fully responsible for all time spent by Vendor (at Vendor’s then-current professional services rates) in Vendor’s provision of any cooperation and assistance provided to Customer under Section 5.1 and shall on demand reimburse Vendor any such costs incurred by Vendor.
Vendor shall take commercially reasonable steps to ascertain the reliability of any Vendor Personnel who Process Customer Personal Data and shall enter into written confidentiality agreements with all Vendor Personnel who Process Customer Personal Data that are not subject to professional or statutory obligations of confidentiality.
Vendor shall implement and maintain technical and organizational measures in relation to Customer Personal Data designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access as described in Annex 4 (Security Measures) (the “Security Measures”).
Vendor may update the Security Measures from time to time, provided the updated measures do not materially decrease the overall protection of Customer Personal Data.
DATA SUBJECT RIGHTS
Vendor, taking into account the nature of the Processing of Customer Personal Data, shall provide Customer with such assistance as may be reasonably necessary and technically feasible to assist Customer in fulfilling its obligations to respond to Data Subject Requests. If Vendor receives a Data Subject Request, Customer will be responsible for responding to any such request.
promptly notify Customer if it receives a Data Subject Request; and
not respond to any Data Subject Request, other than to advise the Data Subject to submit the request to Customer, except on the written instructions of Customer or as required by Applicable Data Protection Laws.
When complying with its transparency obligations under Clause 8.3 of the SCCs, Customer agrees that it shall not provide or otherwise make available, and shall take all appropriate steps to protect, Vendor’s and its licensors’ trade secrets, business secrets, confidential information and/or other commercially sensitive information.
Where applicable, for the purposes of Clause 10(a) of Module Three of the SCCs, Customer acknowledges and agrees that there are no circumstances in which it would be appropriate for Vendor to notify any third-party controller of any Data Subject Request and that any such notification shall be the sole responsibility of Customer.
For the purposes of Clause 15.1(a) of the SCCs, except to the extent prohibited by applicable law and/or the relevant public authority, as between the Parties, Customer agrees that it shall be solely responsible for making any notifications to relevant Data Subject(s) if and as required.
Except to the extent prohibited by applicable law, Customer shall be fully responsible for all time spent by Vendor (at Vendor’s then-current professional services rates) in Vendor’s cooperation and assistance provided to Customer under this Section 8, and shall on demand reimburse Vendor any such costs incurred by Vendor.
PERSONAL DATA BREACH
Breach notification and assistance
Vendor shall notify Customer without undue delay upon Vendor’s discovering a Personal Data Breach affecting Customer Personal Data. Vendor shall provide Customer with information (insofar as such information is within Vendor’s possession and knowledge and does not otherwise compromise the security of any Personal Data Processed by Vendor) to allow Customer to meet its obligations under the Applicable Data Protection Laws to report the Personal Data Breach. Vendor’s notification of or response to a Personal Data Breach shall not be construed as Vendor’s acknowledgement of any fault or liability with respect to the Personal Data Breach.
Vendor shall reasonably co-operate with Customer and take such commercially reasonable steps as may be directed by Customer to assist in the investigation of any such Personal Data Breach.
Customer is solely responsible for complying with notification laws applicable to Customer and fulfilling any third-party notification obligations related to any Personal Data Breaches.
Notification to Vendor
If Customer determines that a Personal Data Breach must be notified to any Supervisory Authority, any Data Subject(s), the public or others under Applicable Data Protection Laws, to the extent such notice directly or indirectly refers to or identifies Vendor, where permitted by applicable laws, Customer agrees to:
notify Vendor in advance; and
in good faith, consult with Vendor and consider any clarifications or corrections Vendor may reasonably recommend or request to any such notification, which: (i) relate to Vendor’s involvement in or relevance to such Personal Data Breach; and (ii) are consistent with applicable laws.
Vendor, taking into account the nature of the Processing and the information available to Vendor, shall provide such information and assistance as Customer may reasonably request (insofar as such information is available to Vendor and the sharing thereof does not compromise the security of any Personal Data Processed by Vendor) to help Customer meet its obligations under Applicable Data Protection Laws, including in relation to the security of Customer Personal Data.
Vendor shall make available to Customer on request, such information as Vendor (acting reasonably) considers appropriate in the circumstances to demonstrate its compliance with this DPA.
(i) In the event that Customer (acting reasonably) is able to provide documentary evidence that the information made available by Vendor pursuant to Section 11.1 is not sufficient in the circumstances to demonstrate Vendor’s compliance with this DPA, or (ii) if and to the extent expressly required by Applicable Data Protection Laws, subject to Section 11.3 to 11.8: Vendor shall allow for and contribute to audits, including on-premise inspections, by Customer or an auditor mandated by Customer in relation to the Processing of Customer Personal Data by Vendor.
Customer shall give Vendor reasonable notice of any audit or inspection to be conducted under Section 11.3 (which shall in no event be less than fourteen (14) days’ notice) and shall use its best efforts (and ensure that each of its mandated auditors uses its best efforts) to avoid causing any destruction, damage, injury or disruption to Vendor’s premises, equipment, Personnel, data, and business (including any interference with the confidentiality or security of the data of Vendor’s other customers or the availability of Vendor’s services to such other customers).
Prior to conducting any audit, Customer must submit a detailed proposed audit plan providing for the confidential treatment of all information exchanged in connection with the audit and any reports regarding the results or findings thereof. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. Vendor will review the proposed audit plan and provide Customer with any concerns or questions (for example, any request for information that could compromise Vendor security, privacy, employment or other relevant policies). Vendor will work cooperatively with Customer to agree on a final audit plan.
If the controls or measures to be assessed in the requested audit are addressed in a SOC 2 Type 2, ISO, NIST or similar audit report performed by a qualified third-party auditor within twelve (12) months of Customer’s audit request (“Audit Report”) and Vendor has confirmed in writing that there are no known material changes in the controls audited and covered by such Audit Report(s), Customer agrees to accept provision of such Audit Report(s) in lieu of requesting an audit of such controls or measures.
Vendor need not give access to its premises for the purposes of such an audit or inspection:
where an Audit Report is accepted in lieu of such controls or measures in accordance with Section 11.5;
to any individual unless they produce reasonable evidence of their identity;
to any auditor whom Vendor has not approved in advance (acting reasonably);
to any individual who has not entered into a non-disclosure agreement with Vendor on terms acceptable to Vendor;
outside normal business hours at those premises; or
on more than one occasion in any calendar year during the term of the Agreement, except for any audits or inspections which Customer is required to carry out under the GDPR or by a Supervisory Authority.
Nothing in this DPA shall require Vendor to furnish more information about its Sub-Processors in connection with such audits than such Sub-Processors make generally available to their customers.
Except to the extent prohibited by applicable law, Customer shall be fully responsible for all time spent by Vendor (at Vendor’s then-current professional services rates) in Vendor’s provision of any cooperation and assistance provided to Customer under this Section 11 (excluding any costs incurred in the procurement, preparation or delivery of Audit Reports to Customer pursuant to Section 11.5) and shall on demand reimburse Vendor any such costs incurred by Vendor.
The audits described in Clauses 8.9(c) and 8.9(d) of the SCCs, shall be subject to any relevant terms and conditions detailed in this Section 11.
Customer agrees that, without limiting Vendor’s obligations under Section 7 (Security), Customer is solely responsible for its use of the Services, including (a) making appropriate use of the Services to maintain a level of security appropriate to the risk in respect of the Customer Personal Data; (b) securing the account authentication credentials, systems and devices Customer uses to access the Services; (c) securing Customer’s systems and devices that Vendor uses to provide the Services; and (d) backing up Customer Personal Data.
Customer shall ensure:
that there is, and will be throughout the term of the Agreement, a valid legal basis for the Processing by Vendor of Customer Personal Data in accordance with this DPA and the Agreement (including, any and all instructions issued by Customer from time to time in respect of such Processing) for the purposes of all Applicable Data Protection Laws (including Article 6, Article 9(2) and/or Article 10 of the GDPR (where applicable)); and
that all Data Subjects have (i) been presented with all required notices and statements (including as required by Article 12-14 of the GDPR (where applicable)); and (ii) provided all required consents, in each case (i) and (ii) relating to the Processing by Vendor of Customer Personal Data.
Customer agrees that the Service, the Security Measures, and Vendor’s commitments under this DPA are adequate to meet Customer’s needs, including with respect to any security obligations of Customer under Applicable Data Protection Laws, and provide a level of security appropriate to the risk in respect of the Customer Personal Data.
Customer shall not provide or otherwise make available to Vendor any Customer Personal Data that contains any (a) Social Security numbers or other government-issued identification numbers; (b) protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA) or other information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; (c) health insurance information; (d) biometric information; (e) passwords to any online accounts; (f) credentials to any financial accounts; (g) tax return data; (h) any payment card information subject to the Payment Card Industry Data Security Standard; (i) Personal Data of children under 13 years of age; (j) information subject to the Gramm-Leach-Bliley Act, Fair Credit Reporting Act or the regulations promulgated under either such law; or (k) any other information that falls within any special categories of personal data (as defined in GDPR or Provincial Privacy Laws) and/or data relating to criminal convictions and offences or related security measures (together, “Restricted Content”).
The total aggregate liability of either Party towards the other Party, howsoever arising, under or in connection with this DPA and the SCCs (if and as they apply) will under no circumstances exceed any limitations or caps on, and shall be subject to any exclusions of, liability and loss agreed by the Parties in the Agreement; provided that, nothing in this Section 13 will affect any person’s liability to Data Subjects under the third-party beneficiary provisions of the SCCs (if and as they apply).
Customer acknowledges that Vendor may collect, use and disclose Service Data for its own business purposes, such as:
for accounting, tax, billing, audit, and compliance purposes;
to provide, improve, develop, optimize and maintain the Services;
to investigate fraud, spam, wrongful or unlawful use of the Services; and/or
as otherwise permitted or required by applicable law.
In respect of any such Processing described in Section 14.1, Vendor:
independently determines the purposes and means of such Processing;
shall comply with Applicable Data Protection Laws (if and as applicable in the context);
shall Process such Service Data as consistent with its relevant privacy notices, as updated from time to time); and
where possible, shall apply technical and organizational safeguards to any relevant Personal Data that are no less protective than the Security Measures.
For the avoidance of doubt, this DPA shall not apply to Vendor collection, use, disclosure or other Processing of Service Data, and Service Data does not constitute Customer Personal Data.
RETURN AND DELETION
Subject to Section 15.2 and 15.3, upon the date of cessation of any Services involving the Processing of Customer Personal Data (the “Cessation Date”), Vendor shall promptly cease all Processing of Customer Personal Data for any purpose other than for storage or as otherwise permitted or required under this DPA.
Subject to Section 15.4, to the extent technically possible in the circumstances (as determined in Vendor’s sole discretion), on written request to Vendor (to be made no later than fourteen (14) days after the Cessation Date (“Post-cessation Storage Period”)), Vendor shall within fourteen (14) days of such request either (at its option) delete or irreversibly anonymize all Customer Personal Data within Vendor’s possession.
In the event that during the Post-cessation Storage Period, Customer does not instruct Vendor in writing to either delete or return Customer Personal Data pursuant to Section 15.2, Vendor shall promptly after the expiry of the Post-cessation Storage Period either (at its option) delete; or irreversibly render anonymous, all Customer Personal Data then within Vendor possession to the fullest extent technically possible in the circumstances.
Vendor may retain Customer Personal Data where permitted or required by applicable law, for such period as may be required by such applicable law, provided that Vendor shall:
maintain the confidentiality of all such Customer Personal Data; and
Process the Customer Personal Data only as necessary for the purpose(s) specified in the applicable law permitting or requiring such retention
Operational clarification: Certification of deletion of Customer Personal Data as described in Clauses 8.5 and 16(d) of the SCCs, shall be provided only upon Customer’s written request.
CHANGE IN LAWS
Vendor may on notice vary this DPA to the extent that (acting reasonably) it considers necessary to address the requirements of Applicable Data Protection Laws from time to time, including by varying or replacing the SCCs in the manner described in Section 1.3 of Annex 2 (European Annex).
INCORPORATION AND PRECEDENCE
This DPA shall be incorporated into and form part of the Agreement with effect from the Addendum Effective Date.
In the event of any conflict or inconsistency among the following documents, the order of precedence will be: (1) any SCCs and/or the UK Transfer Addendum (as applicable) entered into pursuant to Section 1 of Annex 2 (European Annex) or Annex 3 (California Annex); (2) this DPA; and (3) the Agreement.
This Annex 1 (Data Processing Details) includes certain details of the Processing of Personal Data as required:
VENDOR / 'DATA IMPORTER' DETAILS
CUSTOMER / 'DATA EXPORTER' DETAILS
DETAILS OF PROCESSING
EU Restricted Transfers
To the extent that any Processing of Customer Personal Data under this DPA involves an EU Restricted Transfer from Customer to Vendor, the Parties shall comply with their respective obligations set out in the SCCs, which are hereby deemed to be:
populated in accordance with Part 1 of Attachment 1 to Annex 2 (European Annex); and
entered into by the Parties and incorporated by reference into this DPA.
UK Restricted Transfers
To the extent that any Processing of Customer Personal Data under this DPA involves a UK Restricted Transfer from Customer to Vendor, the Parties shall comply with their respective obligations set out in the SCCs, which are hereby deemed to be:
varied to address the requirements of the UK GDPR in accordance with UK Transfer Addendum and populated in accordance with Part 2 of Attachment 1 to Annex 2 (European Annex); and
entered into by the Parties and incorporated by reference into this DPA.
Adoption of new transfer mechanism
Vendor may on notice vary this DPA and replace the relevant SCCs with:
any new form of the relevant SCCs or any replacement therefor prepared and populated accordingly (e.g., standard data protection clauses adopted by the European Commission for use specifically in respect of transfers to data importers subject to Article 3(2) of the EU GDPR); or
another transfer mechanism, other than the SCCs,
that enables the lawful transfer of Customer Personal Data to Vendor under this DPA in compliance with Chapter V of the GDPR.
Provision of full-form SCCs
In respect of any given Restricted Transfer, if requested of Customer by a Supervisory Authority, Data Subject or further Controller (where applicable) – on specific written request (made to the contact details set out in Annex 1 (Data Processing Details) and accompanied by suitable supporting evidence of the relevant request), Vendor shall provide Customer with an executed version of the relevant set(s) of SCCs responsive to the request made of Customer (amended and populated in accordance with Attachment 1 to Annex 2 (European Annex) in respect of the relevant Restricted Transfer) for countersignature by Customer, onward provision to the relevant requestor and/or storage to evidence Customer’s compliance with Applicable Data Protection Laws.
SIGNATURE OF THE SCCs:
Where the SCCs apply in accordance with Section 1.1 of Annex 2 (European Annex) to the DPA:
each of the Parties is hereby deemed to have signed the SCCs at the relevant signature block in Annex I to the Appendix to the SCCs; and
those SCCs are entered into by and between the Parties with effect from (i) the Addendum Effective Date; or (ii) the date of the first EU Restricted Transfer to which they apply in accordance with Sections 1.1 and 1.2 of Annex 2 (European Annex) to the DPA, whichever is the later.
The following modules of the SCCs apply in the manner set out below (having regard to the role(s) of Customer set out in Annex 1 (Data Processing Details) to the DPA):
Module Two of the SCCs applies to any EU Restricted Transfer involving Processing of Customer Personal Data in respect of which Customer is a Controller in its own right; and/or
Module Three of the SCCs applies to any EU Restricted Transfer involving Processing of Customer Personal Data in respect of which Customer is itself acting as a Processor on behalf of any other person.
POPULATION OF THE BODY OF THE SCCs
For each Module of the SCCs, the following applies as and where applicable to that Module and the Clauses thereof:
The optional ‘Docking Clause’ in Clause 7 is not used and the body of that Clause 7 is left intentionally blank.
In Clause 9:
OPTION 2: GENERAL WRITTEN AUTHORISATION applies, and the minimum time period for advance notice of the addition or replacement of Sub-Processors shall be the advance notice period set out in Section 4.3 of the DPA; and
OPTION 1: SPECIFIC PRIOR AUTHORISATION is not used and that optional language is deleted; as is, therefore, Annex III to the Appendix to the SCCs.
In Clause 11, the optional language is not used and is deleted.
In Clause 13, all square brackets are removed and all text therein is retained.
In Clause 17:
OPTION 1 applies, and the Parties agree that the SCCs shall be governed by the law of Ireland in relation to any EU Restricted Transfer; and
OPTION 2 is not used and that optional language is deleted.
For the purposes of Clause 18, the Parties agree that any dispute arising from the SCCs in relation to any EU Restricted Transfer shall be resolved by the courts of Ireland, and Clause 18(b) is populated accordingly.
In this Section 3, references to “Clauses” are references to the Clauses of the SCCs.
POPULATION OF ANNEXES TO THE APPENDIX TO THE SCCs
Annex I to the Appendix to the SCCs is populated with the corresponding information detailed in Annex 1 (Data Processing Details) to the DPA, with:
Customer being ‘data exporter’; and
Vendor being ‘data importer’.
Part C of Annex I to the Appendix to the SCCs is populated as below:
The competent supervisory authority shall be determined as follows:
Annex II to the Appendix to the SCCs is populated as below:
Sub-Processors: When Vendor engages a Sub-Processor under these Clauses, Vendor shall enter into a binding contractual arrangement with such Sub-Processor that imposes upon them data protection obligations which, in substance, meet or exceed the relevant standards required under these Clauses and the DPA – including in respect of:
engagement of further Sub-Processors.
UK TRANSFER ADDENDUM
Where relevant in accordance with Section 1.2 of Annex 2 (European Annex) to the DPA, the SCCs also apply in the context of UK Restricted Transfers as varied by the UK Transfer Addendum in the manner described below –
Part 1 to the UK Transfer Addendum. As permitted by Section 17 of the UK Transfer Addendum, the Parties agree:
Tables 1, 2 and 3 to the UK Transfer Addendum are deemed populated with the corresponding details set out in Annex 1 (Data Processing Details) to the DPA and the foregoing provisions of this Annex 2 (European Annex). (subject to the variations effected by the Mandatory Clauses described in (b) below); and
Table 4 to the UK Transfer Addendum is completed by the box labelled ‘Data Importer’ being deemed to have been ticked.
Part 2 to the UK Transfer Addendum. The Parties agreed to be bound by the Mandatory Clauses of the UK Transfer Addendum.
In relation to any UK Restricted Transfer to which they apply, where the context permits and requires, any reference in the DPA to the SCCs, shall be read as a reference to those SCCs as varied in the manner set out in Section 1.1 of this Part 2.
For purposes of this Annex 3, capitalized terms that are not defined in the Agreement shall have the meanings set forth in the CCPA. “Personal Information” means Customer Personal Data that constitutes Personal Information as defined by the CCPA.
The Business Purposes and services for which Vendor is Processing Personal Information are for Vendor to provide the services to and on behalf of Customer as set forth in the Agreement, as described in more detail in Annex 1 (Data Processing Details).
Vendor (a) acknowledges that Personal Information is disclosed by Customer only for the limited and specified purposes as described in this DPA; (b) shall comply with applicable obligations under the CCPA and shall provide the same level of privacy protection to Personal Information as may be required by the CCPA; (c) acknowledges that Customer may take reasonable and appropriate steps to ensure that Vendor’s use of Personal Information is consistent with Customer’s obligations under the CCPA; (d) shall notify Customer in writing within five business days of any determination made by Vendor that it can no longer meet its obligations under the CCPA; and (e) acknowledges that Customer may, upon notice, take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Information.
Vendor shall not (a) Sell or Share any Personal Information; (b) retain, use or disclose any Personal Information for any purpose other than for the Business Purposes specified in the Agreement, including retaining, using, or disclosing the Personal Information for Commercial Purposes other than the Business Purposes specified in the Agreement or as otherwise permitted by the CCPA; (c) retain, use or disclose the Personal Information outside of the direct business relationship between Vendor and Customer, unless expressly permitted by the CCPA; or (d) combine the Personal Information received from Customer with Personal Information (i) received from or on behalf of another person, or (ii) collected from Vendor’s own interaction with any Consumer to whom such Personal Information pertains, except as otherwise permitted by the CCPA.
Vendor shall cooperate with Customer in responding to and complying with Consumers’ requests for their Personal Information made pursuant to the CCPA.
Vendor shall implement reasonable security procedures and practices appropriate to the nature of the Personal Information received from, or on behalf of, Customer to protect the Personal Information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with California Civil Code Section 1798.81.5.
When Vendor engages any Sub-Processor, Vendor shall (i) notify Customer of the engagement, and (ii) enter into a written agreement with such Sub-Processor that complies with the CCPA and containing privacy and security obligations not less protective than those in this Annex. Vendor shall be liable for all obligations under the Agreement subcontracted to the Sub-Processor and its actions and omissions related thereto. Giving Customer notice of Sub-Processor engagements in accordance with Section 4.3 of the DPA shall satisfy Vendor’s obligation under the CCPA to give notice of such engagements.
Vendor’s creation and/or use aggregated, anonymized or deidentified Personal Information shall be permitted only to the extent any such data constitutes “Aggregate Consumer Information” or has been “Deidentified”.
Vendor hereby certifies that it understands the obligations under this Section and will comply with them.
Obligations under this Annex that are not required to be imposed on Vendor for Vendor to qualify as a Service Provider under the CCPA before the CPRA takes effect on January 1, 2023, shall apply to Vendor only on and after January 1, 2023.
Vendor’s access to Personal Information does not form part of the consideration exchanged between the Parties in respect of the Agreement or any other business dealings.
As from the Addendum Effective Date, Vendor will implement and maintain the Security Measures as set out in this Annex 4.
Organizational management and dedicated staff responsible for the development, implementation and maintenance of Vendor’s information security program.
Data security controls which include at a minimum logical segregation of data, restricted (e.g. role-based) access and monitoring, and utilisation of commercially available and industry standard encryption technologies for Customer Personal Data.
Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions.
Password controls designed to manage and control password strength, expiration and usage.
System audit or event logging and related monitoring procedures to proactively record user access and system activity.
Incident management procedures designed to allow Vendor to investigate, respond to, mitigate and notify of events related to Vendor’s technology and information assets.
Network security controls that provide for the use of enterprise firewalls and intrusion detection systems designed to protect systems from intrusion and limit the scope of any successful attack.