EU Data Processing Addendum

EU Data Processing Addendum (Sub-Processing)

THIS EU DATA PROCESSING ADDENDUM (“ADDENDUM”) SHALL APPLY TO THE EXTENT THAT SCALE LABS, INC. (“PROCESSOR”) PROVIDES YOU (“SUB-PROCESSOR”) WITH ANY PERSONAL DATA (DEFINED BELOW) FROM DATA SUBJECTS LOCATED IN THE EUROPEAN ECONOMIC AREA. SUB-PROCESSOR REPRESENTS AND AGREES THAT IT ACCEPTS THE TERMS IN THIS ADDENDUM, WHICH SUPPLEMENT ANY AGREEMENT BETWEEN PROCESSOR AND SUB-PROCESSOR (COLLECTIVELY, THE “AGREEMENT”). IF YOU ARE ACCESSING THE PERSONAL DATA ON BEHALF OF YOUR EMPLOYER, YOU REPRESENT AND WARRANT THAT YOU HAVE THE AUTHORITY TO AGREE TO ENTER INTO THIS ADDENDUM ON YOUR EMPLOYER’S BEHALF AND THE RIGHT TO BIND YOUR EMPLOYER THERETO. IN THE EVENT OF A CONFLICT BETWEEN THE TERMS AND CONDITIONS OF THIS ADDENDUM AND THE AGREEMENT, THE TERMS AND CONDITIONS OF THIS ADDENDUM SHALL SUPERSEDE AND CONTROL.

  1. Definitions

    1. "Applicable Law(s)" means any state, federal or foreign law(s), rule(s) or regulation(s) applicable to the Addendum, the Agreement, or the Processing, as well as applicable Industry Standards, including those concerning privacy, data protection, confidentiality, information security, availability and integrity, or the handling or processing of Personal Data. Applicable Laws expressly include, if applicable, the United Kingdom Data Protection Act 1998 (the “UK Data Protection Act”), including any superseding regulation, the EU-US and Swiss-US Privacy Shield Framework and Principles issued by the U.S. Department of Commerce, both available at https://www.privacyshield.gov/EU-US-Framework (collectively the “Privacy Shield Framework and Principles”), EU Directive 95/46/EC (the “Data Directive”), and, when effective, the General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”), EU Directive 2002/58/EC (the “ePrivacy Directive”), and, when effective, any regulation expressly superseding the ePrivacy Directive, as well as the laws, rules, and regulations of each nation in the European Economic Area (“Member State Law(s)”).
    2. "Authorized Employee" means an employee of Sub-Processor or a Sub-Processor Affiliate who has a need to know or otherwise access Personal Data in order to enable Sub-Processor to perform its obligations under this Addendum or the Agreement and who has undergone appropriate background screening and training by Sub-Processor.
    3. "Authorized Person" means an Authorized Employee or Authorized Subcontractor.
    4. "Authorized Subcontractor" means a third-party subcontractor, agent, reseller, or auditor engaged by Sub-Processor, or employee of same, that has a need to know or otherwise access Personal Data to enable Sub-Processor to perform its obligations under this Addendum or the Agreement and that has been previously approved by Processor in writing to do so, and who is bound in writing by a data processing agreement pursuant to which their duties and obligations to protect Personal Data are in strict accordance with the terms hereof.
    5. "Processor Affiliate" means any entity that owns or controls, is owned or controlled by, or is under common control or ownership with Processor (where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether by contract, exercise of voting rights, common management, or otherwise).
    6. "Data Subject" means an identified or identifiable person to whom Personal Data relates.
    7. "Data Subject Rights" means the rights recognized and granted to Data Subjects with respect to their Personal Data under Applicable Laws, including, when effective, the GDPR (as set forth in Articles 12 through 22 thereof).
    8. "Data Protection Impact Assessment" means an assessment, conducted pursuant to Processor’s Instructions, of the impact of one or more Processing operations on the protection of Personal Data and the privacy of Data Subjects that takes into account the nature, scope, context, and purposes of such Processing and includes, without limitation, an analysis of the necessity and proportionality of such Processing as well as the appropriateness of the Technical and Organizational Measures used in connection with such Processing.
    9. "Incident" means a situation whereby Personal Data in either Sub-Processor’s or any Authorized Person’s systems, backups, networks, servers, databases, computers, or other hardware or technical infrastructure, was lost with a low risk of potential harm or damage to Data Subjects.
    10. "Including" and its derivatives (such as “include” and “includes”) (whether or not capitalized) means “including, without limitation” unless expressly indicated otherwise.
    11. "Industry Standards" means the then-current industry best data protection and data processing practices relating to the Processing of the Personal Data.
    12. "Instruction" means a direction issued by Processor to Sub-Processor and/or any Authorized Person, documented either in textual form (including without limitation by e-mail) or by using a software or online tool, regarding the Processing of Personal Data.
    13. "Personal Data" means any information relating to a Data Subject which Sub-Processor receives from or on behalf of Processor for Processing in connection with the Services, and includes Sensitive Personal Information.
    14. "Personal Data Breach" means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
    15. "Privacy Shield Principles" means the privacy and data protection principles outlined in the Privacy Shield Framework and Principles, available at https://www.privacyshield.gov/servlet/servlet.FileDownload?file=015t00000004qAg.
    16. "Process" or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, transfer, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction.
    17. "Sub-Processor Affiliate" means any entity that owns or controls, is owned or controlled by, or is under common control or ownership with Sub-Processor (where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether by contract, exercise of voting rights, common management, or otherwise) and that assists or enables Sub-Processor to fulfill its obligations under the Agreement and Addendum.
    18. "Restricted Transfer" means a transfer of Personal Data from the European Economic Area or Switzerland to any country or recipient: (i) not deemed by the European Commission as providing an adequate level of protection for Personal Data, and (ii) not covered by a suitable framework or certification recognized by the relevant Supervisory Authority as providing an adequate level of protection for Personal Data, such as the Privacy Shield Framework and Principles.
    19. "Sensitive Personal Information" means a Data Subject’s (including without limitation a Processor employee’s, where applicable) (i) government-issued identification number (including social security number, driver’s license number or state-issued identification number) or email address; (ii) financial account number, credit card number, debit card number, credit report information, with or without any required security code, access code, personal identification number or password, that would permit access to an individual’s financial account; (iii) genetic, biometric or health data; (iv) Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, sexual orientation or sexual activity, or trade union membership; (v) Personal Data relating to criminal convictions and offences (including commission of or proceedings for any offense committed or alleged to have been committed) and (vi) any other Personal Data designated as sensitive or deserving of heightened protection under applicable individual Member State Law.
    20. "Services" shall have the meaning set forth in the Agreement.
    21. "Standard Contractual Clauses" means the standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (an example of which is detailed in Exhibit B).
    22. "Supervisory Authority" means any other court, tribunal, or governmental or quasi-governmental entity or agency that has jurisdiction, under Applicable Law, over the Agreement or Addendum, the Personal Data or Processing, and/or Processor or Sub-Processor, including the United States Department of Commerce and the data protection authorities of the nations of the European Economic Area and of Switzerland.
    23. "Suspected Incident" means an interruption in either Sub-Processor’s or any Authorized Person’s systems, backups, networks, servers, databases, computers, or other hardware or technical infrastructure, whether or not connected to the Internet, whereby an Incident is suspected.
    24. "Technical and Organizational Security Measures" means measures taken by Sub-Processor and Authorized Persons aimed at (i) ensuring the confidentiality, security, integrity, and availability of Personal Data, including protecting against an Incident, a Personal Data Breach, or other accidental, unlawful, or unauthorized destruction, loss, alteration, disclosure or access to Personal Data (in particular where Processing involves the transmission of Personal Data over a network) and other unlawful forms of Processing and/or (ii) assisting and enabling Processor to comply with its obligations to respond to requests by Data Subjects to exercise their Data Subject Rights.
  2. Processing of Data

    1. Sub-Processor agrees to comply with this Addendum, at no additional cost to Processor, at all times during the term of the Agreement. Any failure by Sub-Processor to comply with the obligations set forth in this Addendum, or any Personal Data Breach, will be considered a material breach of the Agreement, and Processor will have the right, without limiting any of the rights or remedies under this Addendum or the Agreement, or at law or in equity, to immediately terminate the Agreement for cause. Sub-Processor acknowledges that Processor may be the controller of the Personal Data or may be a processor of the Personal Data on behalf of another controller.
    2. The rights and obligations of the Processor with respect to Processing are described herein and in the Agreement. The subject matter, nature, purpose, and duration of this Processing, as well as the types of Personal Data collected and categories of Data Subjects involved, are described in Exhibit A to this Addendum.
    3. Sub-Processor acknowledges and agrees that it shall only Process Personal Data for the limited and specified purposes described in Exhibit A and in strict compliance with the terms and conditions set forth in this Addendum and in any Instructions.
    4. Sub-Processor represents and warrants that its Processing of Personal Data does and will comply with all Applicable Laws.
    5. To the extent that any Personal Data is transmitted, transferred, shared or otherwise disclosed to Sub-Processor from any Member State, Sub-Processor represents, warrants, and covenants that it shall comply with the Directive and, when effective, the GDPR, with respect to any Processing, including in particular any transfer, of such Personal Data.
  3. Security of Data

    1. At a minimum, and without limiting the foregoing, Sub-Processor represents and warrants that it shall maintain all Personal Data in strict confidence, using a degree of care and Technical and Organizational Security Measures that meet or exceed applicable Industry Standards and that ensure a level of security appropriate to the particular risks of accidental, unlawful, or unauthorized destruction, loss, alteration, disclosure or access of Personal Data presented by the Processing and the Personal Data (collectively, “Risks”), including (i) limiting access to Personal Data to Authorized Persons only; (ii) ensuring that all Authorized Persons are made aware of the confidential nature of Personal Data before they may access such data; (iii) securing its physical, technical, and administrative infrastructure, including all relevant business facilities, data centers, paper files, servers, networks, platforms, databases, cloud computing resources, back-up systems, passwords and credentials, hardware, and mobile devices; (iv) implementing authentication and access controls within all relevant media, applications, networks, operating systems and equipment; (v) encrypting Sensitive Personal Information at all times and Personal Data when transmitted over public or wireless networks or where otherwise appropriate in light of the Risks; (vi) strictly segregating Personal Data from information of Sub-Processor or its employees or other customers; (vii) maintaining appropriate personnel security and integrity procedures and practices, as set forth in Section 4; (viii) maintaining and regularly testing processes for restoring the availability and access to Personal Data in a timely manner in the event of an Incident or Suspected Incident; (ix) regularly testing, assessing, and evaluating the effectiveness of all Technical and Organizational Security Measures; and (x) any other measures necessary to ensure the ongoing confidentiality, integrity, and availability of Personal Data and the ongoing security and resilience of systems and services used for Processing.
    2. Upon Processor’s written request, or, upon the termination or expiration of the Agreement for any reason, Sub-Processor shall, and shall ensure that all Authorized Persons, (i) promptly and securely dispose of or return to Processor in an encrypted format, at Processor’s choice, all copies of Personal Data, including backup or archival copies, and (ii) promptly certify in writing to Processor when the measures described in subsection (i) hereof have been completed. Sub-Processor shall, and shall ensure that all Authorized Persons, comply with all Instructions provided by Processor with respect to the return or disposal of Personal Data. Any disposal of Personal Data must ensure that such data is rendered permanently unreadable and unrecoverable. Sub-Processor and/or Authorized Persons shall be excused from performing the foregoing obligations only if, and solely to the extent that, Applicable Law(s) explicitly prevent them from doing so.
  4. Authorized Persons

    1. Sub-Processor represents, warrants, and covenants that it has previously informed Processor and obtained its prior written consent to any Processing of Personal Data by third parties other than Sub-Processor and its Authorized Employees. Sub-Processor shall promptly send Processor a copy of any Authorized Subcontractor agreement relevant to this Addendum.
    2. Sub-Processor shall perform appropriate screening of all Authorized Persons, including without limitation background checks in accordance with Applicable Laws, and shall ensure the reliability and appropriate training of all Authorized Persons.
    3. Sub-Processor represents, warrants, and covenants that it has executed written agreements with each Authorized Subcontractor that bind them to all obligations set forth in this Addendum with respect to the Processing of the Personal Data.
    4. Sub-Processor represents, warrants, and covenants that it has executed confidentiality agreements with each Authorized Person that prevents them from disclosing or otherwise Processing, both during and after their engagement by Sub-Processor, any Personal Data except in accordance with their obligations in connection with the Services.
    5. Sub-Processor shall be fully responsible for the acts and omissions of Authorized Subcontractors and any other of its subcontractors, independent contractors, and other service providers to the same extent that Sub-Processor would itself be liable under this Addendum had it conducted such acts or omissions, and shall fully indemnify Processor for all losses arising from or related to such acts and omissions.
  5. Suspected Incident, Incident, and Personal Data Breach Notification

    1. Sub-Processor shall notify Processor of a Suspected Incident as soon as reasonably practicable, but in any event, not less than forty-eight (48) hours after becoming aware of such Suspected Incident. If such Suspected Incident becomes an Incident or a Personal Data Breach, Sub-Processor shall notify Processor pursuant to Section 5.2.
    2. Sub-Processor shall notify Processor immediately upon becoming aware of an Incident or a Personal Data Breach and shall, in a written report, provide sufficient information to enable Processor to comply with its obligations under Applicable Laws with respect to such Incident or Personal Data Breach, including any obligation to report or notify such Incident or Personal Data Breach to Supervisory Authorities and/or Data Subjects, as applicable. Such report will include (i) a description of the nature of the Incident or Personal Data Breach, (ii) the categories and approximate number of Data Subjects and Personal Data sets affected or alleged to be affected, (iii) the likely consequences of the Incident or Personal Data Breach, and (iv) any measures that have been or may be taken to address and mitigate the Incident or Personal Data Breach.
    3. As soon as reasonably practicable after providing the report described in Section 5.2, Sub-Processor shall provide Processor with a comprehensive report on its initial findings regarding the Incident or Personal Data Breach, and thereafter shall provide regular updates describing subsequent findings with respect to such Incident or Personal Data Breach. As soon as reasonably practicable after Sub-Processor has concluded its examination of the Incident or Personal Data Breach, it shall provide Processor with a comprehensive final report regarding the Incident or Personal Data Breach.
    4. Sub-Processor and/or any relevant Authorized Subcontractor shall use its best efforts to immediately mitigate and remedy any Incident or Personal Data Breach, and prevent any further Personal Data Breach or recurrence thereof, at Sub-Processor’s own expense and in accordance with Applicable Laws.
    5. Neither Sub-Processor nor any Authorized Subcontractor shall publicly disclose any information regarding any Suspected Incident, Incident or Personal Data Breach without Processor’s prior written consent, except that Sub-Processor and any relevant Authorized Subcontractor may disclose any Suspected Incident, Incident or Personal Data Breach to (i) its own employees, customers, advisors, agents, or contractors, or (ii) where and to the extent explicitly compelled to do so by Applicable Laws, to applicable Supervisory Authorities and/or Data Subjects without Processor’s prior written consent.
    6. Sub-Processor and/or any relevant Authorized Subcontractor shall, at Sub-Processor’s expense, fully cooperate with Processor and provide any assistance necessary for Processor to comply with any obligations under Applicable Laws with respect to an Incident or Personal Data Breach, including obligations to report or notify an Incident or Personal Data Breach to Supervisory Authorities and/or Data Subjects. Such assistance may include drafting disclosures, press releases and/or other communications for Processor with respect to such Incident or Personal Data Breach.
  6. Rights of Data Subjects

    1. Sub-Processor shall, to the extent permitted by Applicable Laws, provide all necessary assistance to Processor in responding to requests by Data Subjects to exercise Data Subject Rights, including, as applicable, a Data Subject’s right to: (a) confirm whether his or her Personal Data has been or is being Processed; (b) access a copy of all Personal Data of his or hers that has been or is being Processed; (c) rectify or supplement his or her Personal Data; (d) transfer his or her Personal Data to another Processor; (e) confirm that his or her Personal Data has been or is being subject to Processing that constitutes automated decision-making; (f) restrict or cease the Processing of his or her Personal Data; and (g) withdraw consent to the Processing of his or her Personal Data held by Sub-Processor. Such assistance shall also include (x) maintaining records sufficient to demonstrate Sub-Processor’s performance of its obligations under Applicable Laws with respect to Data Subject Rights, (y) promptly notifying Processor if Sub-Processor or an Authorized Subcontractor receives a request from a Data Subject to exercise a Data Subject Right and refraining from responding to such requests (and ensuring that Authorized Subcontractors refrain from responding to such requests) except upon receipt of, and in accordance with, Instructions from Processor, and (z) informing Processor in the event that Applicable Laws or any judicial, law enforcement, or Supervisory Authority operate to prevent Sub-Processor (or any Authorized Subcontractor) from performing the obligations described in this Section 6.1, before Sub-Processor (or an Authorized Subcontractor) responds to a request to exercise a Data Subject Right.
  7. Transfers of Personal Data

    1. The Parties hereby acknowledge and agree that the Standard Contractual Clauses shall apply to any Restricted Transfers made in connection with the Services where Processor shall adhere to the obligations of the “data exporter” and Sub-Processor shall adhere to the obligations of the “data importer”.
    2. Sub-Processor represents, warrants, and covenants that no Authorized Subcontractor will be permitted to undertake or receive a Restricted Transfer before executing an Agreement no less protective than the Standard Contractual Clauses.
    3. Sub-Processor represents and warrants that every Restricted Transfer made by Sub-Processor or any Authorized Subcontractor shall be undertaken in accordance with the Standard Contractual Clauses.
  8. Actions and Access Requests

    1. Upon Processor’s request, Sub-Processor shall make available to Processor all information available to Sub-Processor and to Authorized Subcontractors that Processor reasonably deems necessary to demonstrate compliance by Processor with its obligations under Applicable Laws (including in particular the GDPR, when effective) relating to the Personal Data and the Processing conducted by Sub-Processor and Authorized Subcontractors.
    2. Upon Processor’s request, Sub-Processor shall provide all necessary assistance to Processor in connection with any data protection impact assessments (“DPIA(s)”) that Processor determines (in its sole discretion) it must conduct or cause to be conducted in order to comply with Applicable Laws, to the extent that such DPIA(s) relate to the Processing.
    3. Upon Processor’s request, Sub-Processor shall provide all necessary assistance to Processor in connection with any consultation with a Supervisory Authority that Processor determines (in its sole discretion) it must undertake as a result of a DPIA, to the extent that such DPIA relates to the Processing.
    4. Upon Processor’s request, Sub-Processor shall provide all necessary assistance to Processor in the event of any investigation, action, or request made by a Supervisory Authority, to the extent that such investigation, action, or request relates to the Personal Data or the Processing.
    5. Upon Processor’s request, Sub-Processor shall provide Processor, and any Supervisory Authority with whom Processor is consulting or cooperating, with a designated contact for all queries and requests relating to the Processing of Personal Data.
    6. In the event Sub-Processor determines that any Processing violates Applicable Laws (including the valid exercise of a Data Subject Right) or this Addendum, it shall immediately inform Processor and follow Instructions for stopping such Processing and/or remediating the violation.
    7. Without limiting the foregoing, in the event of a change in Applicable Laws affecting this Addendum, Sub-Processor agrees to work in good faith with Processor to make any amendments to this Addendum pursuant to Section 11.2, and further agrees to make any changes to its Technical and Organizational Security Measures as are reasonably necessary to ensure continued compliance with Applicable Laws.
  9. Audit Rights

    1. Sub-Processor shall maintain complete and accurate records in connection with Sub-Processor’s performance under this Addendum, and shall retain such records for a period of three (3) years after the termination or expiration of the Agreement.
    2. Processor shall have reasonable access during regular business hours upon reasonable notice to review, audit and copy such records relevant to Sub-Processor’s provision of Services and discharge of obligations under this Addendum.
    3. Processor also reserves the right to actively test Sub-Processor’s compliance with Processor’s security requirements, including without limitation security configuration (e.g., server parameters, security settings and control environment) and network perimeter controls; provided that such tests are not unreasonably disruptive to Sub-Processor’s business. Sub-Processor agrees, at its cost, to make any changes requested by Processor to correct inadequacies discovered in such audits or tests.
  10. Indemnity

    1. Sub-Processor shall, at its own expense, protect, defend, indemnify and hold harmless Processor and its officers, directors, employees, successors, assigns, distributors, contractors, agents, affiliates and customers, from all claims or actions, damages, liabilities, assessments, losses, costs, and other expenses (including, without limitation, reasonable attorneys’ fees and legal expenses and breach notification expenses) arising out of or resulting from (a) any breach by Sub-Processor of its warranties or representations in this Addendum, (b) any acts and omissions of any Authorized Subcontractors with respect to the Processing of any Personal Data; or (c) any Incident or Personal Data Breach (collectively, “Claims”).
    2. Processor shall provide Sub-Processor with prompt written notice of any Claim. Upon receipt of any such notice, Sub-Processor must immediately take all necessary and appropriate action to protect Processor’s interests with regard to any Claims. Processor shall provide reasonable cooperation, information, and assistance in connection with any Claim (except that failure to do so shall only excuse Sub-Processor from its obligations to the extent such failure materially prejudiced the defense of the Claim). Sub-Processor shall have sole control and authority to defend, settle or compromise any Claim, provided that Sub-Processor shall not make any settlement that requires a materially adverse act or admission by Processor without Processor’s written consent (such consent not to be unreasonably delayed, conditioned or withheld). If Sub-Processor provides counsel for the defense of any Claim and Processor, in its sole discretion, determines that such counsel is unacceptable or that a conflict of interest exists between Processor and such counsel, Processor may request Sub-Processor replace the counsel. If Sub-Processor fails to timely replace counsel, the Sub-Processor agrees that its counsel shall work in good faith with Processor’s counsel until the Claim is resolved.
  11. Miscellaneous

    1. This Addendum and the Standard Contractual Clauses will terminate simultaneously and automatically with the termination of the Agreement, except that all provisions intending to survive shall survive, including specifically, Sections 1, 3.2, 4.5, 5, 8.3, 8.4, 9.1, 9.2, 10, and 11.
    2. This Addendum may be amended or modified only by a writing signed by both Parties. Sub-Processor acknowledges and agrees that the Processor (whether it is acting as a controller or a processor on behalf of another controller) may disclose this Addendum to third parties (including other controllers, data subjects and regulators) for purposes of demonstrating compliance with Applicable Laws.
    3. The Parties hereby acknowledge and agree that any remedies arising from any Personal Data Breach or any breach by Sub-Processor or any Authorized Person of the terms of this Addendum are not and shall not be subject to any limitation of liability provision that applies to Sub-Processor under the Agreement.
    4. This Addendum shall be governed by the law of the same jurisdiction as the Agreement, except where and to the extent that Applicable Laws require that the Addendum be governed by the law of another jurisdiction.

EXHIBIT A

Details of Processing

Nature and Purpose of Processing: The nature and purpose of the intended processing are set out in the Agreement between the Parties.

Duration of Processing: The processing operations will be carried out by the Sub-Processor from the Effective Date until the termination of this Agreement by agreement between the parties.

Categories of Data Subjects:

  • Images, videos, and sensor data that may contain Data Subject faces
  • Images, videos, and sensor data that may contain Data Subject location
  • Images, videos and sensor data that may include Data Subject vehicle information

Type of Personal Data:

  • Personal data about members of the public that may be captured by Processor’s customers through cameras, videos and sensors, such as facial imagery, vehicle information, and location information

EXHIBIT B

Standard Contractual Clauses

For the purposes of Article 26(2) of Directive 95/46/EC[1] for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.

Name of the data exporting organisation:

Address:

Tel.: [insert]; fax: [insert]; e-mail: [insert]

Other information needed to identify the organisation: not applicable

……………………………………………………………
(the data exporter)

And

Name of the data importing organisation:

Address:

Tel.: [insert]; fax: [insert]; e-mail: [insert]

Other information needed to identify the organisation: not applicable

…………………………………………………………………
(the data importer)

each a “party”; together “the parties”,

HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.

[1] Note to Draft: The relevant authorities have not yet promulgated Standard Contractual Clauses under the GDPR. When this occurs, the Standard Contractual Clauses used herein, which are currently promulgated under the Directive, should be replaced.

Clause 1

Definitions

For the purposes of the Clauses:

(a) ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;

(b) ‘the data exporter’ means Processor;

(c) ‘the data importer’ means Sub-Processor;

(d) ‘the subprocessor’ means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;

(e) ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;

(f) ‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Clause 2

Details of the transfer

The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.

Clause 3

Third-party beneficiary clause

  1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.

  2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.

  3. The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.

  4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

Clause 4

Obligations of the data exporter

The data exporter agrees and warrants:

(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;

(b) that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;

(c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;

(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;

(e) that it will ensure compliance with the security measures;

(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;

(g) to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;

(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;

(i) that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and

(j) that it will ensure compliance with Clause 4(a) to (i).

Clause 5

Obligations of the data importer

The data importer agrees and warrants:

(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;

(d) that it will promptly notify the data exporter about:

(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,

(ii) any accidental or unauthorised access, and

(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;

(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;

(f) at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;

(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;

(h) that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;

(i) that the processing services by the subprocessor will be carried out in accordance with Clause 11;

(j) to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.

Clause 6

Liability

  1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.

  2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity.

The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.

  3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.

Clause 7

Mediation and jurisdiction

  1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:

(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;

(b) to refer the dispute to the courts in the Member State in which the data exporter is established.

  2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

Clause 8

Cooperation with supervisory authorities

  1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.

  2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.

  3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5(b).

Clause 9

Governing Law

The Clauses shall be governed by the law of the Member State in which the data exporter is established, namely INSERT COUNTRY.

Clause 10

Variation of the contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.

Clause 11

Subprocessing

  1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses.² Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor’s obligations under such agreement.

  2. The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.

  3. The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established, namely INSERT COUNTRY.

  4. The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5(j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.

² This requirement may be satisfied by the subprocessor co-signing the contract entered into between the data exporter and the data importer under this Decision.

Clause 12

Obligation after the termination of personal data processing services

  1. The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.

  2. The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.

On behalf of the data exporter:

Name (written out in full): [insert name]

Position: [insert]

Address:

Other information necessary in order for the contract to be binding (if any): not applicable

Signature……………………………………….

    (stamp of organisation)

On behalf of the data importer:

Name (written out in full): [insert name]

Position: [insert]

Address:

Other information necessary in order for the contract to be binding (if any): not applicable

Signature……………………………………….

    (stamp of organisation)

Appendix 1 to the Standard Contractual Clauses

This Appendix forms part of the Clauses and must be completed and signed by the parties.

The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.

Data exporter

The data exporter is (please specify briefly your activities relevant to the transfer):

………………………………………………………………………………………………………………………………………………………………………………………………

Data importer

The data importer is (please specify briefly activities relevant to the transfer):

………………………………………………………………………………………………………………………………………………………………………………………………

Data subjects

The personal data transferred concern the following categories of data subjects (please specify):

………………………………………………………………………………………………………………………………………………………………………………………………

Categories of data

The personal data transferred concern the following categories of data (please specify):

………………………………………………………………………………………………………………………………………………………………………………………………

Special categories of data (if appropriate)

The personal data transferred concern the following special categories of data (please specify):

………………………………………………………………………………………………………………………………………………………………………………………………

Processing operations

The personal data transferred will be subject to the following basic processing activities (please specify):

………………………………………………………………………………………………………………………………………………………………………………………………

DATA EXPORTER

Name:

Authorised Signature ……………………

DATA IMPORTER

Name:

Authorised Signature ……………………

Appendix 2 to the Standard Contractual Clauses

This Appendix forms part of the Clauses and must be completed and signed by the parties.

Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):

…………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………